c3d2/nix-config
c3d2
/
nix-config
23
7
Fork 3
Code Issues 12 Pull Requests 2 Releases Wiki Activity

Compare commits

base: c3d2:3333c96b6d479195bd6600bb4fc7defec299e668
Branches Tags
c3d2:master
c3d2:flake-update
c3d2:gitea-actions-runner
c3d2:nixos-23.11
c3d2:ds-future
c3d2:container/radius
..
compare: c3d2:fa6d9b4fe2baaf96f535c6162388abbc5a29a470
Branches Tags
c3d2:flake-update
c3d2:master
c3d2:gitea-actions-runner
c3d2:nixos-23.11
c3d2:ds-future
c3d2:container/radius

1 Commits
3333c96b6d ... fa6d9b4fe2

Author SHA1 Message Date
Dennis - fa6d9b4fe2 add gitea-actions-runner module 2024-04-10 21:12:34 +02:00
1 changed files with 39 additions and 51 deletions
Show Stats Expand all files Collapse all files

90
modules/gitea-actions-runner.nix
View File

@ -1,38 +1,29 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
storeDeps = pkgs.runCommand "store-deps" { } ''
mkdir -p $out/bin
for dir in ${toString ((with pkgs; [
bash
coreutils
curl
findutils
gawk
git
gnugrep
jq
nix
nodejs
openssh
]) ++ cfg.storeDependencies)}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
storeDeps = pkgs.buildEnv {
name = "store-deps";
paths = ((with pkgs; [
bash
cacert
coreutils
curl
findutils
gawk
git
gnugrep
jq
nix
nodejs
openssh
]) ++ cfg.storeDependencies);
};
in {
options = {
services.gitea-actions = {
enable = lib.mkEnableOption "gitea-actions";
numInstances = lib.mkOption {
type = lib.types.int;
type = lib.types.ints.unsigned;
default = 2;
description = "Number of instances of the gitea-actions-runner service to create";
};
@ -43,10 +34,11 @@ in {
description = "List of packages to symlink into the container";
};
extraPodmanPackages = lib.mkOption {
type = lib.types.listOf lib.types.package;
default = [];
description = "Extra packages to install in the podman container";
additionalFlakeConfig = lib.mkOption {
type = lib.types.str;
default = "";
example = "accept-flake-config = true";
description = "Additional configuration to add to the nix.conf file";
};
};
};
@ -58,20 +50,20 @@ in {
after = [ "podman.service" ];
requires = [ "podman.service" ];
script = ''
set -eux -o pipefail
set -eu -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
groupid=$(cut -d: -f3 < <(getent group gitea-actions))
userid=$(cut -d: -f3 < <(getent passwd gitea-actions))
groupadd --prefix $(pwd) --gid "$groupid" gitea-actions
emptypassword='$y$j9T$dLJlazrLCVKcOQ/zmu60E1$bAkbdgDaiz7niknOCasvKW3Tjxeca6WA/1fNe4UpeeC'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G gitea-actions gitea-actions
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
${cfg.additionalFlakeConfig}
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
@ -109,11 +101,11 @@ in {
};
users = {
groups.nixuser = { };
users.nixuser = {
group = "nixuser";
groups.gitea-actions = { };
users.gitea-actions = {
group = "gitea-actions";
description = "Used for running nix ci jobs";
home = "/var/empty";
home = "/run/gitea-runner-nix-image";
isSystemUser = true;
};
};
@ -121,7 +113,7 @@ in {
{
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
after =lib.optional config.services.gitea.enable [ "gitea.service" ];
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
script = ''
set -euo pipefail
@ -145,12 +137,11 @@ in {
virtualisation = {
podman.enable = true;
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
containers = {
containersConf.settings.containers.dns_servers = [ "1.1.1.1" "5.5.5.5" ];
containersConf.settings.containers.dns_servers = config.networking.nameservers;
storage.settings = {
storage.driver = if useZfs then "zfs" else "overlay";
storage.options.zfs.fsname = lib.mkIf useZfs "zroot/root/podman";
storage.driver = if config.boot.zfs.enabled then "zfs" else "overlay";
storage.options.zfs.fsname = lib.mkIf config.boot.zfs.enabled "zroot/root/podman";
storage.graphroot = "/var/lib/containers/storage";
storage.runroot = "/run/containers/storage";
};
@ -228,10 +219,7 @@ in {
tokenFile = "/var/lib/gitea-registration/gitea-runner-${iname}-token";
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = if useKvm then
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser"
else
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser";
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user gitea-actions";
network = "host";
valid_volumes = [
"/nix"