wip

.gitea/workflows/check-flake.yaml

@@ -4,38 +4,39 @@ on: [push]
 
 env:
   DEBIAN_FRONTEND: noninteractive
-  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
+
+# defaults:
+#   run:
+#     shell: nix shell nixpkgs#nodejs-18_x
 
 jobs:
   check-flake:
     runs-on: ubuntu-latest
     steps:
+      # - run: node --version
+      - name: Install basic dependencies
+        run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
+
       - name: Install Nix
-        uses: https://github.com/cachix/install-nix-action@v23
+        uses: https://github.com/cachix/install-nix-action@v20
         with:
           github_access_token: ${{ secrets.__GITHUB_TOKEN }}
-          extra_nix_config: |
+
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+      # - name: Install dependencies
-            substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
+      #   run: nix profile install nixpkgs#nodejs-18_x
 
       - name: Checkout the repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      - name: Get ENV var names
+        run: printenv | cut -d'=' -f1
+
+      - name: List files in the repository
+        run: |
+          ls ${{ gitea.workspace }}
+
       - name: Check Flake
         run: nix flake check --show-trace
-
-      - name: Setup SSH For Pushing to Binary Cache
-        run: |
-          # Set up push key with ssh-agent
-          echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
-          chmod 600 ./.id_ed25519
-          eval $(ssh-agent -a $SSH_AUTH_SOCK)
-          ssh-add ./.id_ed25519
-          # Add Binary Cache as known host
-          mkdir -p ~/.ssh
-          echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
-
-      - name: Copy all built derivations to remote cache
-        run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*

machines/phil/default.nix

@@ -13,8 +13,12 @@
     url = "https://git.neet.dev/";
     tokenFile = "/run/agenix/gitea-actions-runner-token";
     labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
+      # provide a debian base with nodejs for actions
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+      "debian-latest:docker://node:18-bullseye"
+      # fake the ubuntu name, because node provides no ubuntu builds
+      "ubuntu-latest:docker://node:18-bullseye"
+      # provide native execution on the host
+      #"native:host"
     ];
   };
   virtualisation.docker.enable = true;

machines/storage/s0/default.nix

@@ -16,11 +16,15 @@
     url = "https://git.neet.dev/";
     tokenFile = "/run/agenix/gitea-actions-runner-token";
     labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
+      # provide a debian base with nodejs for actions
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+      "debian-latest:docker://node:18-bullseye"
+      # fake the ubuntu name, because node provides no ubuntu builds
+      "ubuntu-latest:docker://node:18-bullseye"
+      # provide native execution on the host
+      #"native:host"
     ];
   };
-  virtualisation.podman.enable = true;
+  virtualisation.docker.enable = true;
   age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
   boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
   nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
@@ -32,13 +36,6 @@
     secretKeyFile = "/run/agenix/binary-cache-private-key";
   };
   age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
-  users.users.cache-push = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
-  };
-  nix.settings = {
-    trusted-users = [ "cache-push" ];
-  };
 
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;

secrets/gitea-actions-runner-token.age

@@ -1,11 +1,10 @@
 age-encryption.org/v1
--> ssh-ed25519 WBT1Hw ucC+p6pRevUWJIVqG5DfXSO4W0PjR2lUW7tY924FVHA
+-> ssh-ed25519 hPp1nw H88561/4YspJuLV0lOA7mfeHjwL291W/N3HWmiq8E0M
-te6rrH/nsn/Pn4mySjQ0mv2M3ZTCOwbglCcnH2ZiUJQ
+mqLeaNk2B2OUZo4NEDLicpSN9Qw1NAsLOSCb3Ar+iXA
--> ssh-ed25519 hPp1nw 1nmzowG+nzD8ixyqTU+duUxV3g4yWo7RqKJ+dDlf0g8
+-> ssh-ed25519 dMQYog CUuZSrofDHbBLtxgc4kg2h3Qgs99c3oudBGGV0iP/24
-ln3CyhUYuZ71EdyqIPBdeRP98dun4cs9uZnxAGadDG0
+9D/ZjZqJh8XeUo/UFA6ojcJIlwUqYSg+Itx2vREXdas
--> ssh-ed25519 dMQYog pHRtIaJr39QqD7xqX2ovUf8QfUPwDl58TmqHa1xhSDQ
+-> p-grease #!rAT w\]efbQ
-dr8tYQ3oFrQehq2326jimOCRDX6Zrsq/epQbVA8+UPw
+/WNOqhMfFrl1holyeok7pf/joMso1LtjbB00BeUGecVdkDhj71TxLgc+5tor/3D/
--> I)m(V&-grease i5{
+FC65ymMPL2t1j/G+qcow19X6bjWkytY
-lYnHQc5cQahDoah2rPlIlGOLc49nTDp+aHPB
+--- XDThYXsCIJLrOEBXbKwpnRSzvcBuVp+NiQ2Uung74fk
---- AdMW2y8Z9XmbxzmvSAP9NKqgj2JGgkimXJqcXIFPdtI
+—L93%g\šqcÃÂZÏ÷ÆH\ 7ß—Ü<E28094>€Liµ¹W u¶â]¶ÇT=ÒHjl%—HÁfW=ðjþí£³Î“Ë­ÂáJ’–1a<31>Kéþ
-]°m]pmòžY.ؽ¢âÞzÀhÑ<68>Sß!fI~Åpô³ˆ]¦KÅ‹Còü\KHgÎí_ÇÌ»§6ÌÑðÜ–Üj”)ü«@á‹[¿

secrets/secrets.nix

@@ -22,8 +22,6 @@ with roles;
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
   "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
 
   # vpn
   "iodine.age".publicKeys = iodine;