Compare commits
1 Commits
3333c96b6d
...
fa6d9b4fe2
Author | SHA1 | Date |
---|---|---|
Dennis - | fa6d9b4fe2 |
|
@ -1,38 +1,29 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.gitea-actions;
|
||||
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
|
||||
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
|
||||
storeDeps = pkgs.runCommand "store-deps" { } ''
|
||||
mkdir -p $out/bin
|
||||
for dir in ${toString ((with pkgs; [
|
||||
bash
|
||||
coreutils
|
||||
curl
|
||||
findutils
|
||||
gawk
|
||||
git
|
||||
gnugrep
|
||||
jq
|
||||
nix
|
||||
nodejs
|
||||
openssh
|
||||
]) ++ cfg.storeDependencies)}; do
|
||||
for bin in "$dir"/bin/*; do
|
||||
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
||||
done
|
||||
done
|
||||
|
||||
# Add SSL CA certs
|
||||
mkdir -p $out/etc/ssl/certs
|
||||
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
||||
'';
|
||||
storeDeps = pkgs.buildEnv {
|
||||
name = "store-deps";
|
||||
paths = ((with pkgs; [
|
||||
bash
|
||||
cacert
|
||||
coreutils
|
||||
curl
|
||||
findutils
|
||||
gawk
|
||||
git
|
||||
gnugrep
|
||||
jq
|
||||
nix
|
||||
nodejs
|
||||
openssh
|
||||
]) ++ cfg.storeDependencies);
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
services.gitea-actions = {
|
||||
enable = lib.mkEnableOption "gitea-actions";
|
||||
numInstances = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
type = lib.types.ints.unsigned;
|
||||
default = 2;
|
||||
description = "Number of instances of the gitea-actions-runner service to create";
|
||||
};
|
||||
|
@ -43,10 +34,11 @@ in {
|
|||
description = "List of packages to symlink into the container";
|
||||
};
|
||||
|
||||
extraPodmanPackages = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.package;
|
||||
default = [];
|
||||
description = "Extra packages to install in the podman container";
|
||||
additionalFlakeConfig = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
example = "accept-flake-config = true";
|
||||
description = "Additional configuration to add to the nix.conf file";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -58,20 +50,20 @@ in {
|
|||
after = [ "podman.service" ];
|
||||
requires = [ "podman.service" ];
|
||||
script = ''
|
||||
set -eux -o pipefail
|
||||
set -eu -o pipefail
|
||||
mkdir -p etc/nix
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch etc/passwd etc/group
|
||||
groupid=$(cut -d: -f3 < <(getent group nixuser))
|
||||
userid=$(cut -d: -f3 < <(getent passwd nixuser))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" nixuser
|
||||
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
|
||||
groupid=$(cut -d: -f3 < <(getent group gitea-actions))
|
||||
userid=$(cut -d: -f3 < <(getent passwd gitea-actions))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" gitea-actions
|
||||
emptypassword='$y$j9T$dLJlazrLCVKcOQ/zmu60E1$bAkbdgDaiz7niknOCasvKW3Tjxeca6WA/1fNe4UpeeC'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G gitea-actions gitea-actions
|
||||
|
||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||
accept-flake-config = true
|
||||
experimental-features = nix-command flakes
|
||||
${cfg.additionalFlakeConfig}
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > etc/nsswitch.conf
|
||||
|
@ -109,11 +101,11 @@ in {
|
|||
};
|
||||
|
||||
users = {
|
||||
groups.nixuser = { };
|
||||
users.nixuser = {
|
||||
group = "nixuser";
|
||||
groups.gitea-actions = { };
|
||||
users.gitea-actions = {
|
||||
group = "gitea-actions";
|
||||
description = "Used for running nix ci jobs";
|
||||
home = "/var/empty";
|
||||
home = "/run/gitea-runner-nix-image";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
|
@ -121,7 +113,7 @@ in {
|
|||
{
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "gitea.service" ];
|
||||
after =lib.optional config.services.gitea.enable [ "gitea.service" ];
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
|
@ -145,12 +137,11 @@ in {
|
|||
|
||||
virtualisation = {
|
||||
podman.enable = true;
|
||||
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
|
||||
containers = {
|
||||
containersConf.settings.containers.dns_servers = [ "1.1.1.1" "5.5.5.5" ];
|
||||
containersConf.settings.containers.dns_servers = config.networking.nameservers;
|
||||
storage.settings = {
|
||||
storage.driver = if useZfs then "zfs" else "overlay";
|
||||
storage.options.zfs.fsname = lib.mkIf useZfs "zroot/root/podman";
|
||||
storage.driver = if config.boot.zfs.enabled then "zfs" else "overlay";
|
||||
storage.options.zfs.fsname = lib.mkIf config.boot.zfs.enabled "zroot/root/podman";
|
||||
storage.graphroot = "/var/lib/containers/storage";
|
||||
storage.runroot = "/run/containers/storage";
|
||||
};
|
||||
|
@ -228,10 +219,7 @@ in {
|
|||
tokenFile = "/var/lib/gitea-registration/gitea-runner-${iname}-token";
|
||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||
settings.container = {
|
||||
options = if useKvm then
|
||||
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser"
|
||||
else
|
||||
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser";
|
||||
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user gitea-actions";
|
||||
network = "host";
|
||||
valid_volumes = [
|
||||
"/nix"
|
||||
|
|
Loading…
Reference in New Issue