build

This commit is contained in:
Zuckerberg 2023-10-20 18:46:33 -06:00
parent 9d61ffc9f7
commit d6e91d28c1
2 changed files with 113 additions and 57 deletions


@ -6,62 +6,131 @@
# Therefore, this should not be used to run untrusted code. # Therefore, this should not be used to run untrusted code.
# To enable, assign a machine the 'gitea-actions-runner' system role # To enable, assign a machine the 'gitea-actions-runner' system role
# TODO: skipping running inside of nixos container for now because of issues getting docker/podman running
let let
runnerRole = "gitea-actions-runner"; runnerRole = "gitea-actions-runner";
runners = config.machines.roles.${runnerRole}; runners = config.machines.roles.${runnerRole};
thisMachineIsARunner = builtins.elem config.networking.hostName runners; thisMachineIsARunner = builtins.elem config.networking.hostName runners;
containerName = "gitea-runner";
in in
{ {
config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) { config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
containers.gitea-runner = { # containers.${containerName} = {
ephemeral = true; # ephemeral = true;
autoStart = true; # autoStart = true;
bindMounts = # # for podman
{ # enableTun = true;
"/run/agenix/gitea-actions-runner-token" = {
hostPath = "/run/agenix/gitea-actions-runner-token";
isReadOnly = true;
};
"/var/lib/private/gitea-runner" = {
hostPath = "/var/lib/private/gitea-runner";
isReadOnly = false;
};
};
extraFlags = [ # # privateNetwork = true;
# Allow podman # # hostAddress = "172.16.101.1";
"--system-call-filter=@keyring" # # localAddress = "172.16.101.2";
# bindMounts =
# {
# "/run/agenix/gitea-actions-runner-token" = {
# hostPath = "/run/agenix/gitea-actions-runner-token";
# isReadOnly = true;
# };
# "/var/lib/gitea-runner" = {
# hostPath = "/var/lib/gitea-runner";
# isReadOnly = false;
# };
# };
# extraFlags = [
# # Allow podman
# ''--system-call-filter=thisystemcalldoesnotexistforsure''
# ];
# additionalCapabilities = [
# "CAP_SYS_ADMIN"
# ];
# config = {
# imports = allModules;
# # speeds up evaluation
# nixpkgs.pkgs = pkgs;
# networking.hostName = lib.mkForce containerName;
# # don't use remote builders
# nix.distributedBuilds = lib.mkForce false;
# environment.systemPackages = with pkgs; [
# git
# # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
# nodejs
# ];
# services.gitea-actions-runner.instances.inst = {
# enable = true;
# name = config.networking.hostName;
# url = "https://git.neet.dev/";
# tokenFile = "/run/agenix/gitea-actions-runner-token";
# labels = [
# "ubuntu-latest:docker://node:18-bullseye"
# "nixos:host"
# ];
# };
# # To allow building on the host, must override the the service's config so it doesn't use a dynamic user
# systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
# users.users.gitea-runner = {
# home = "/var/lib/gitea-runner";
# group = "gitea-runner";
# isSystemUser = true;
# createHome = true;
# };
# users.groups.gitea-runner = { };
# virtualisation.podman.enable = true;
# boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
# };
# };
# networking.nat.enable = true;
# networking.nat.internalInterfaces = [
# "ve-${containerName}"
# ];
# networking.ip_forward = true;
# don't use remote builders
nix.distributedBuilds = lib.mkForce false;
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"ubuntu-latest:docker://node:18-bullseye"
"nixos:host"
]; ];
config = {
imports = allModules;
# speeds up evaluation
nixpkgs.pkgs = pkgs;
environment.systemPackages = with pkgs; [
git
# Gitea Actions rely heavily on node. Include it because it would be installed anyway.
nodejs
];
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"ubuntu-latest:docker://node:18-bullseye"
"nixos:host"
];
};
virtualisation.podman.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
};
}; };
environment.systemPackages = with pkgs; [
git
# Gitea Actions rely heavily on node. Include it because it would be installed anyway.
nodejs
];
# To allow building on the host, must override the the service's config so it doesn't use a dynamic user
systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = { };
virtualisation.podman.enable = true;
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age; age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
}; };
} }
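Review bot: With the `containers.${containerName}` block commented out, the `nixos:host` label on the host-level `services.gitea-actions-runner.instances.inst` means jobs carrying that label execute directly on this machine as `gitea-runner`, so the header's "should not be used to run untrusted code" now applies to the whole host rather than an ephemeral container, and the TODO comment at the top of the hunk should say so. Forcing `DynamicUser = false` additionally drops the `ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp=yes` and `RemoveIPC=yes` settings that systemd implies for dynamic users, so unless the nixpkgs module sets them explicitly (not visible here) the unit is less confined than before. Suggested comment above the DynamicUser override: `# DynamicUser=false also removes the ProtectSystem/ProtectHome/PrivateTmp/RemoveIPC defaults it implied; nixos:host jobs run unsandboxed on this host as gitea-runner`. `nix.distributedBuilds = lib.mkForce false` was previously scoped to the container's config and now applies to the whole host whenever it carries the runner role, which is presumably intended but is a wider effect than its comment states. The module's function header and the enclosing attrset start before this hunk.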


@ -6,17 +6,4 @@
]; ];
networking.hostName = "phil"; networking.hostName = "phil";
services.gitea-actions-runner.instances.inst = {
enable = true;
name = config.networking.hostName;
url = "https://git.neet.dev/";
tokenFile = "/run/agenix/gitea-actions-runner-token";
labels = [
"debian-latest:docker://catthehacker/ubuntu:act-latest"
"ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
];
};
virtualisation.docker.enable = true;
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
} }