build

common/server/gitea-actions-runner.nix

@@ -6,45 +6,100 @@
 # Therefore, this should not be used to run untrusted code.
 # To enable, assign a machine the 'gitea-actions-runner' system role
 
+# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
+
 let
   runnerRole = "gitea-actions-runner";
   runners = config.machines.roles.${runnerRole};
   thisMachineIsARunner = builtins.elem config.networking.hostName runners;
+
+  containerName = "gitea-runner";
 in
 {
   config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
-    containers.gitea-runner = {
+    # containers.${containerName} = {
-      ephemeral = true;
+    #   ephemeral = true;
-      autoStart = true;
+    #   autoStart = true;
 
-      bindMounts =
+    #   # for podman
-        {
+    #   enableTun = true;
-          "/run/agenix/gitea-actions-runner-token" = {
-            hostPath = "/run/agenix/gitea-actions-runner-token";
-            isReadOnly = true;
-          };
-          "/var/lib/private/gitea-runner" = {
-            hostPath = "/var/lib/private/gitea-runner";
-            isReadOnly = false;
-          };
-        };
 
-      extraFlags = [
+    #   # privateNetwork = true;
-        # Allow podman
+    #   # hostAddress = "172.16.101.1";
-        "--system-call-filter=@keyring"
+    #   # localAddress = "172.16.101.2";
-      ];
 
-      config = {
+    #   bindMounts =
-        imports = allModules;
+    #     {
+    #       "/run/agenix/gitea-actions-runner-token" = {
+    #         hostPath = "/run/agenix/gitea-actions-runner-token";
+    #         isReadOnly = true;
+    #       };
+    #       "/var/lib/gitea-runner" = {
+    #         hostPath = "/var/lib/gitea-runner";
+    #         isReadOnly = false;
+    #       };
+    #     };
 
-        # speeds up evaluation
+    #   extraFlags = [
-        nixpkgs.pkgs = pkgs;
+    #     # Allow podman
+    #     ''--system-call-filter=thisystemcalldoesnotexistforsure''
+    #   ];
 
-        environment.systemPackages = with pkgs; [
+    #   additionalCapabilities = [
-          git
+    #     "CAP_SYS_ADMIN"
-          # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
+    #   ];
-          nodejs
+
-        ];
+    #   config = {
+    #     imports = allModules;
+
+    #     # speeds up evaluation
+    #     nixpkgs.pkgs = pkgs;
+
+    #     networking.hostName = lib.mkForce containerName;
+
+    #     # don't use remote builders
+    #     nix.distributedBuilds = lib.mkForce false;
+
+    #     environment.systemPackages = with pkgs; [
+    #       git
+    #       # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
+    #       nodejs
+    #     ];
+
+    #     services.gitea-actions-runner.instances.inst = {
+    #       enable = true;
+    #       name = config.networking.hostName;
+    #       url = "https://git.neet.dev/";
+    #       tokenFile = "/run/agenix/gitea-actions-runner-token";
+    #       labels = [
+    #         "ubuntu-latest:docker://node:18-bullseye"
+    #         "nixos:host"
+    #       ];
+    #     };
+
+    #     # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+    #     systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
+    #     users.users.gitea-runner = {
+    #       home = "/var/lib/gitea-runner";
+    #       group = "gitea-runner";
+    #       isSystemUser = true;
+    #       createHome = true;
+    #     };
+    #     users.groups.gitea-runner = { };
+
+    #     virtualisation.podman.enable = true;
+    #     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+    #   };
+    # };
+
+    # networking.nat.enable = true;
+    # networking.nat.internalInterfaces = [
+    #   "ve-${containerName}"
+    # ];
+    # networking.ip_forward = true;
+
+    # don't use remote builders
+    nix.distributedBuilds = lib.mkForce false;
 
     services.gitea-actions-runner.instances.inst = {
       enable = true;
@@ -57,10 +112,24 @@ in
       ];
     };
 
+    environment.systemPackages = with pkgs; [
+      git
+      # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
+      nodejs
+    ];
+
+    # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
+    systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
+    users.users.gitea-runner = {
+      home = "/var/lib/gitea-runner";
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-runner = { };
+
     virtualisation.podman.enable = true;
     boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-      };
-    };
 
     age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
   };

machines/phil/default.nix

@@ -6,17 +6,4 @@
   ];
 
   networking.hostName = "phil";
-
-  services.gitea-actions-runner.instances.inst = {
-    enable = true;
-    name = config.networking.hostName;
-    url = "https://git.neet.dev/";
-    tokenFile = "/run/agenix/gitea-actions-runner-token";
-    labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-    ];
-  };
-  virtualisation.docker.enable = true;
-  age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
 }