70 lines
2.0 KiB
Nix
70 lines
2.0 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
|
|
# Gitea Actions Runner. Starts 'host' runner that runs directly on the host inside of a nixos container
|
|
# This is useful for providing a real Nix/OS builder to gitea.
|
|
# Warning, NixOS containers are not secure. For example, the container shares the /nix/store
|
|
# Therefore, this should not be used to run untrusted code.
|
|
# To enable, assign a machine the 'gitea-actions-runner' system role
|
|
|
|
let
|
|
runnerRole = "gitea-actions-runner";
|
|
runners = config.machines.roles.${runnerRole};
|
|
thisMachineIsARunner = builtins.elem config.networking.hostName runners;
|
|
in
|
|
{
|
|
config = lib.mkIf thisMachineIsARunner {
|
|
containers.gitea-runner = {
|
|
ephemeral = true;
|
|
autoStart = true;
|
|
|
|
bindMounts =
|
|
{
|
|
"/run/agenix/gitea-actions-runner-token" = {
|
|
hostPath = "/run/agenix/gitea-actions-runner-token";
|
|
isReadOnly = true;
|
|
};
|
|
"/var/lib/private/gitea-runner" = {
|
|
hostPath = "/var/lib/private/gitea-runner";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
extraFlags = [
|
|
# Allow podman
|
|
"--system-call-filter=@keyring"
|
|
];
|
|
|
|
config = {
|
|
# TODO: figure out why importing 'allModules' fails
|
|
# imports = allModules;
|
|
|
|
# speeds up evaluation
|
|
nixpkgs.pkgs = pkgs;
|
|
|
|
environment.systemPackages = with pkgs; [
|
|
nodejs
|
|
git
|
|
];
|
|
|
|
services.gitea-actions-runner.instances.inst = {
|
|
enable = true;
|
|
name = config.networking.hostName;
|
|
url = "https://git.neet.dev/";
|
|
tokenFile = "/run/agenix/gitea-actions-runner-token";
|
|
labels = [
|
|
"ubuntu-latest:docker://node:18-bullseye"
|
|
"nixos:host"
|
|
];
|
|
};
|
|
|
|
virtualisation.podman.enable = true;
|
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
|
|
|
system.stateVersion = "23.05";
|
|
};
|
|
};
|
|
|
|
age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
|
|
};
|
|
}
|