diff --git a/common/server/gitea-actions-runner.nix b/common/server/gitea-actions-runner.nix
index 2a63cf7..0dd1595 100644
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -6,62 +6,131 @@ # Therefore, this should not be used to run untrusted code. # To enable, assign a machine the 'gitea-actions-runner' system role +# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running + let runnerRole = "gitea-actions-runner"; runners = config.machines.roles.${runnerRole}; thisMachineIsARunner = builtins.elem config.networking.hostName runners; + + containerName = "gitea-runner"; in { config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) { - containers.gitea-runner = { - ephemeral = true; - autoStart = true; + # containers.${containerName} = { + # ephemeral = true; + # autoStart = true; - bindMounts = - { - "/run/agenix/gitea-actions-runner-token" = { - hostPath = "/run/agenix/gitea-actions-runner-token"; - isReadOnly = true; - }; - "/var/lib/private/gitea-runner" = { - hostPath = "/var/lib/private/gitea-runner"; - isReadOnly = false; - }; - }; + # # for podman + # enableTun = true; - extraFlags = [ - # Allow podman - "--system-call-filter=@keyring" + # # privateNetwork = true; + # # hostAddress = "172.16.101.1"; + # # localAddress = "172.16.101.2"; + + # bindMounts = + # { + # "/run/agenix/gitea-actions-runner-token" = { + # hostPath = "/run/agenix/gitea-actions-runner-token"; + # isReadOnly = true; + # }; + # "/var/lib/gitea-runner" = { + # hostPath = "/var/lib/gitea-runner"; + # isReadOnly = false; + # }; + # }; + + # extraFlags = [ + # # Allow podman + # ''--system-call-filter=thisystemcalldoesnotexistforsure'' + # ]; + + # additionalCapabilities = [ + # "CAP_SYS_ADMIN" + # ]; + + # config = { + # imports = allModules; + + # # speeds up evaluation + # nixpkgs.pkgs = pkgs; + + # networking.hostName = lib.mkForce containerName; + + # # don't use remote builders + # nix.distributedBuilds = lib.mkForce false; + + # environment.systemPackages = with pkgs; [ + # git + # # Gitea Actions rely heavily on node. Include it because it would be installed anyway. 
+ # nodejs + # ]; + + # services.gitea-actions-runner.instances.inst = { + # enable = true; + # name = config.networking.hostName; + # url = "https://git.neet.dev/"; + # tokenFile = "/run/agenix/gitea-actions-runner-token"; + # labels = [ + # "ubuntu-latest:docker://node:18-bullseye" + # "nixos:host" + # ]; + # }; + + # # To allow building on the host, must override the the service's config so it doesn't use a dynamic user + # systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; + # users.users.gitea-runner = { + # home = "/var/lib/gitea-runner"; + # group = "gitea-runner"; + # isSystemUser = true; + # createHome = true; + # }; + # users.groups.gitea-runner = { }; + + # virtualisation.podman.enable = true; + # boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # }; + # }; + + # networking.nat.enable = true; + # networking.nat.internalInterfaces = [ + # "ve-${containerName}" + # ]; + # networking.ip_forward = true; + + # don't use remote builders + nix.distributedBuilds = lib.mkForce false; + + services.gitea-actions-runner.instances.inst = { + enable = true; + name = config.networking.hostName; + url = "https://git.neet.dev/"; + tokenFile = "/run/agenix/gitea-actions-runner-token"; + labels = [ + "ubuntu-latest:docker://node:18-bullseye" + "nixos:host" ]; - - config = { - imports = allModules; - - # speeds up evaluation - nixpkgs.pkgs = pkgs; - - environment.systemPackages = with pkgs; [ - git - # Gitea Actions rely heavily on node. Include it because it would be installed anyway. 
- nodejs - ]; - - services.gitea-actions-runner.instances.inst = { - enable = true; - name = config.networking.hostName; - url = "https://git.neet.dev/"; - tokenFile = "/run/agenix/gitea-actions-runner-token"; - labels = [ - "ubuntu-latest:docker://node:18-bullseye" - "nixos:host" - ]; - }; - - virtualisation.podman.enable = true; - boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; - }; }; + environment.systemPackages = with pkgs; [ + git + # Gitea Actions rely heavily on node. Include it because it would be installed anyway. + nodejs + ]; + + # To allow building on the host, must override the the service's config so it doesn't use a dynamic user + systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; + users.users.gitea-runner = { + home = "/var/lib/gitea-runner"; + group = "gitea-runner"; + isSystemUser = true; + createHome = true; + }; + users.groups.gitea-runner = { }; + + virtualisation.podman.enable = true; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age; }; }
diff --git a/machines/phil/default.nix b/machines/phil/default.nix
index 4e5320d..8dac03c 100644
--- a/machines/phil/default.nix
+++ b/machines/phil/default.nix
@@ -6,17 +6,4 @@
 ]; networking.hostName = "phil"; - - services.gitea-actions-runner.instances.inst = { - enable = true; - name = config.networking.hostName; - url = "https://git.neet.dev/"; - tokenFile = "/run/agenix/gitea-actions-runner-token"; - labels = [ - "debian-latest:docker://catthehacker/ubuntu:act-latest" - "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" - ]; - }; - virtualisation.docker.enable = true; - age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age; }
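Review bot: With the NixOS container removed and `DynamicUser` forced to `false` on the new side, jobs scheduled to the `nixos:host` label now execute directly on the host as the persistent `gitea-runner` user, and the override also discards the sandboxing systemd implies with `DynamicUser=yes` (ProtectSystem=strict, ProtectHome, PrivateTmp, RemoveIPC), so the file-header warning that this "should not be used to run untrusted code" now understates the exposure. I'd reword the `# To allow building on the host, ...` comment to `# DynamicUser is disabled so jobs can build on the host; this also drops the implied systemd sandbox, so host-label jobs run as a persistent user with full host visibility — trusted repositories only.` and consider re-adding `ProtectSystem`, `PrivateTmp` and `NoNewPrivileges` explicitly on `systemd.services.gitea-runner-inst.serviceConfig` where they do not break the host builds. The ~100 lines of commented-out container configuration should be deleted rather than carried forward; git history and the `TODO` already record the attempt, and the `--system-call-filter=thisystemcalldoesnotexistforsure` placeholder inside it will confuse the next reader. Whether podman can actually serve the `docker://node:18-bullseye` label for this non-dynamic user is not visible here — if that requires giving `gitea-runner` access to a podman/docker socket, that access is effectively root-equivalent and should be noted next to `virtualisation.podman.enable`.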