.gitea/workflows/check-flake.yaml

@@ -4,45 +4,35 @@ on: [push]
 
 env:
   DEBIAN_FRONTEND: noninteractive
-  SSH_AUTH_SOCK: /tmp/ssh_agent.sock
+  PATH: /run/current-system/sw/bin/:/nix/var/nix/profiles/per-user/gitea-runner/profile/bin
+
+# defaults:
+#   run:
+#     shell: nix shell nixpkgs#nodejs-18_x
 
 jobs:
   check-flake:
-    runs-on: ubuntu-latest
+    runs-on: nixos
     steps:
-      - name: Install Nix
+      # - run: node --version
-        uses: https://github.com/cachix/install-nix-action@v23
+      # - name: Install basic dependencies
-        with:
+      #   run: apt-get update && apt-get install -y --no-install-recommends sudo curl ca-certificates xz-utils
-          github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+
-          extra_nix_config: |
+      # - name: Install Nix
-            trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
+      #   uses: https://github.com/cachix/install-nix-action@v20
-            substituters = https://cache.nixos.org/ http://s0.koi-bebop.ts.net:5000
+      #   with:
+      #     github_access_token: ${{ secrets.__GITHUB_TOKEN }}
+
+      - name: Install dependencies
+        run: nix profile install nixpkgs#nodejs-18_x
 
       - name: Checkout the repository
         uses: actions/checkout@v3
         with:
           fetch-depth: 0
 
+      # - name: Get ENV var names
+      #   run: printenv | cut -d'=' -f1
+
       - name: Check Flake
-        run: |
+        run: nix flake check --show-trace
-          # Can only build x84_64 for now, so pick out those specifically
-          # nix flake check --show-trace
-
-          nix build .#nixosConfigurations."ray".config.system.build.toplevel
-          nix build .#nixosConfigurations."s0".config.system.build.toplevel
-          nix build .#nixosConfigurations."ponyo".config.system.build.toplevel
-          nix build .#nixosConfigurations."zoidberg".config.system.build.toplevel
-
-      - name: Setup SSH For Pushing to Binary Cache
-        run: |
-          # Set up push key with ssh-agent
-          echo "${{ secrets.BINARY_CACHE_PUSH_SSH_KEY }}" | base64 -d > ./.id_ed25519
-          chmod 600 ./.id_ed25519
-          eval $(ssh-agent -a $SSH_AUTH_SOCK)
-          ssh-add ./.id_ed25519
-          # Add Binary Cache as known host
-          mkdir -p ~/.ssh
-          echo "s0.koi-bebop.ts.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q" | tee -a ~/.ssh/known_hosts
-
-      - name: Copy all built derivations to remote cache
-        run: nix copy --to ssh://cache-push@s0.koi-bebop.ts.net /nix/store/*

common/server/default.nix

@@ -10,6 +10,7 @@
     ./matrix.nix
     ./zerobin.nix
     ./gitea.nix
+    ./gitea-runner.nix
     ./privatebin/privatebin.nix
     ./radio.nix
     ./samba.nix

common/server/gitea-runner.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, lib, ... }:
+
+let
+  cfg = config.services.gitea-runner;
+in
+{
+  options.services.gitea-runner = {
+    enable = lib.mkEnableOption "Enables gitea runner";
+    dataDir = lib.mkOption {
+      default = "/var/lib/gitea-runner";
+      type = lib.types.str;
+      description = lib.mdDoc "gitea runner data directory.";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+
+    users.users.gitea-runner = {
+      description = "Gitea Runner Service";
+      home = cfg.dataDir;
+      useDefaultShell = true;
+      group = "gitea-runner";
+      isSystemUser = true;
+      createHome = true;
+      extraGroups = [
+        "docker" # allow creating docker containers
+      ];
+    };
+    users.groups.gitea-runner = { };
+
+    systemd.services.gitea-runner = {
+      description = "Gitea Runner";
+
+      serviceConfig = {
+        WorkingDirectory = cfg.dataDir;
+        User = "gitea-runner";
+        Group = "gitea-runner";
+      };
+
+      requires = [ "network-online.target" ];
+      after = [ "network.target" "network-online.target" ];
+      wantedBy = [ "multi-user.target" ];
+
+      path = with pkgs; [ gitea-actions-runner ];
+
+      script = ''
+        exec act_runner daemon
+      '';
+    };
+  };
+}

flake.lock

@@ -185,16 +185,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1695825837,
+        "lastModified": 1691888369,
-        "narHash": "sha256-4Ne11kNRnQsmSJCRSSNkFRSnHC4Y5gPDBIQGjjPfJiU=",
+        "narHash": "sha256-fBS5YOyiziv7tmR+yCJHr1Tm15Ve4PO1syyJwE9Xnuc=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "5cfafa12d57374f48bcc36fda3274ada276cf69e",
+        "rev": "a4d0fe7270cc03eeb1aba4e8b343fe47bfd7c4d5",
         "type": "github"
       },
       "original": {
         "owner": "NixOS",
-        "ref": "nixos-23.05",
+        "ref": "master",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -1,6 +1,6 @@
 {
   inputs = {
-    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
 
     flake-utils.url = "github:numtide/flake-utils";
 

machines/phil/default.nix

@@ -6,17 +6,5 @@
   ];
 
   networking.hostName = "phil";
-
+  services.gitea-runner.enable = true;
-  services.gitea-actions-runner.instances.inst = {
-    enable = true;
-    name = config.networking.hostName;
-    url = "https://git.neet.dev/";
-    tokenFile = "/run/agenix/gitea-actions-runner-token";
-    labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-    ];
-  };
-  virtualisation.docker.enable = true;
-  age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
 }

machines/phil/properties.nix

@@ -8,8 +8,8 @@
 
   systemRoles = [
     "server"
+    "gitea-runner"
     "nix-builder"
-    "gitea-actions-runner"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlgRPpuUkZqe8/lHugRPm/m2vcN9psYhh5tENHZt9I2";

machines/storage/s0/default.nix

@@ -9,20 +9,9 @@
 
   # system.autoUpgrade.enable = true;
 
-  # gitea runner and allow it to build ARM derivationsFV
+  # gitea runner and allow it to build ARM derivations
-  services.gitea-actions-runner.instances.inst = {
+  services.gitea-runner.enable = true;
-    enable = true;
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
-    name = config.networking.hostName;
-    url = "https://git.neet.dev/";
-    tokenFile = "/run/agenix/gitea-actions-runner-token";
-    labels = [
-      "debian-latest:docker://catthehacker/ubuntu:act-latest"
-      "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
-    ];
-  };
-  virtualisation.podman.enable = true;
-  age.secrets.gitea-actions-runner-token.file = ../../../secrets/gitea-actions-runner-token.age;
-  boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; # todo: still needed?
   nix.gc.automatic = lib.mkForce false; # allow the nix store to serve as a build cache
 
   # binary cache
@@ -32,13 +21,6 @@
     secretKeyFile = "/run/agenix/binary-cache-private-key";
   };
   age.secrets.binary-cache-private-key.file = ../../../secrets/binary-cache-private-key.age;
-  users.users.cache-push = {
-    isNormalUser = true;
-    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB" ];
-  };
-  nix.settings = {
-    trusted-users = [ "cache-push" ];
-  };
 
   services.iperf3.enable = true;
   services.iperf3.openFirewall = true;

machines/storage/s0/properties.nix

@@ -10,7 +10,6 @@
     "server"
     "pia"
     "binary-cache"
-    "gitea-actions-runner"
   ];
 
   hostKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAwiXcUFtAvZCayhu4+AIcF+Ktrdgv9ee/mXSIhJbp4q";

machines/zoidberg/default.nix

@@ -32,7 +32,6 @@
   hardware.enableRedistributableFirmware = true;
   hardware.enableAllFirmware = true;
 
-  # ROCm
   hardware.opengl.extraPackages = with pkgs; [
     rocm-opencl-icd
     rocm-opencl-runtime
@@ -41,7 +40,6 @@
     "L+    /opt/rocm/hip   -    -    -     -    ${pkgs.hip}"
   ];
 
-  # System wide barrier instance
   systemd.services.barrier-sddm = {
     description = "Barrier mouse/keyboard share";
     requires = [ "display-manager.service" ];
@@ -62,9 +60,6 @@
     '';
   };
 
-  # Login into X11 plasma so barrier works well
-  services.xserver.displayManager.defaultSession = "Plasma (X11)";
-
   users.users.cris = {
     isNormalUser = true;
     hashedPassword = "$y$j9T$LMGwHVauFWAcAyWSSmcuS/$BQpDyjDHZZbvj54.ijvNb03tr7IgX9wcjYCuCxjSqf6";
@@ -78,20 +73,7 @@
   # Dr. John A. Zoidberg
   users.users.john = {
     isNormalUser = true;
-    inherit (config.users.users.googlebot) hashedPassword packages;
+    hashedPassword = "";
     uid = 1002;
   };
-
-  # Auto login into Plasma in john zoidberg account
-  # services.xserver.displayManager.sddm.settings = {
-  #   Autologin = {
-  #     Session = "Plasma (X11)";
-  #     User = "john";
-  #   };
-  # };
-
-  environment.systemPackages = with pkgs; [
-    jellyfin-media-player
-    config.services.xserver.desktopManager.kodi.package
-  ];
 }

machines/zoidberg/hardware-configuration.nix

@@ -25,7 +25,7 @@
 
     # Fetch key from USB drive
     keyFileSize = 4096;
-    keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0-part2";
+    keyFile = "/dev/disk/by-id/usb-Mass_Storage_Device_121220160204-0:0";
     fallbackToPassword = true;
   };
   fileSystems."/" =
@@ -35,7 +35,7 @@
     };
   fileSystems."/boot" =
     {
-      device = "/dev/disk/by-uuid/8074-B04D";
+      device = "/dev/disk/by-uuid/954B-AB3E";
       fsType = "vfat";
     };
   swapDevices =

secrets/gitea-actions-runner-token.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 WBT1Hw ucC+p6pRevUWJIVqG5DfXSO4W0PjR2lUW7tY924FVHA
-te6rrH/nsn/Pn4mySjQ0mv2M3ZTCOwbglCcnH2ZiUJQ
--> ssh-ed25519 hPp1nw 1nmzowG+nzD8ixyqTU+duUxV3g4yWo7RqKJ+dDlf0g8
-ln3CyhUYuZ71EdyqIPBdeRP98dun4cs9uZnxAGadDG0
--> ssh-ed25519 dMQYog pHRtIaJr39QqD7xqX2ovUf8QfUPwDl58TmqHa1xhSDQ
-dr8tYQ3oFrQehq2326jimOCRDX6Zrsq/epQbVA8+UPw
--> I)m(V&-grease i5{
-lYnHQc5cQahDoah2rPlIlGOLc49nTDp+aHPB
---- AdMW2y8Z9XmbxzmvSAP9NKqgj2JGgkimXJqcXIFPdtI
-]°m]pmòžY.ؽ¢âÞzÀhÑ<68>Sß!fI~Åpô³ˆ]¦KÅ‹Còü\KHgÎí_ÇÌ»§6ÌÑðÜ–Üj”)ü«@á‹[¿

secrets/secrets.nix

@@ -22,8 +22,6 @@ with roles;
   # nix binary cache
   # public key: s0.koi-bebop.ts.net:OjbzD86YjyJZpCp9RWaQKANaflcpKhtzBMNP8I2aPUU=
   "binary-cache-private-key.age".publicKeys = binary-cache;
-  # public key: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINpUZFFL9BpBVqeeU63sFPhR9ewuhEZerTCDIGW1NPSB
-  "binary-cache-push-sshkey.age".publicKeys = nobody; # this value is directly given to gitea
 
   # vpn
   "iodine.age".publicKeys = iodine;
@@ -45,7 +43,4 @@ with roles;
   # backups
   "backblaze-s3-backups.age".publicKeys = personal ++ server;
   "restic-password.age".publicKeys = personal ++ server;
-
-  # gitea actions runner
-  "gitea-actions-runner-token.age".publicKeys = gitea-actions-runner;
 }