flake.lock: Update

Flake lock file updates: • Updated input 'buzzrelay': 'github:astro/buzzrelay/c541d83620dc237648ce1d9204f938fc80b416d1' (2024-03-28) → 'github:astro/buzzrelay/8c314c7c202c88b1ec7cef0e970f9206ee233596' (2024-04-12) • Updated input 'disko': 'github:nix-community/disko/0a17298c0d96190ef3be729d594ba202b9c53beb' (2024-04-05) → 'github:nix-community/disko/8d4ae698eaac8bd717e23507da2ca8b345bec4b5' (2024-04-12) • Updated input 'microvm': 'github:astro/microvm.nix/1e746a8987eb893adc8dd317b84e73d72803b650' (2024-04-06) → 'github:astro/microvm.nix/ee0068ca87bdabbde3cc39b7af807c0302d0304c' (2024-04-09) • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/1bb6d38faeece5f7e0bf01519289a5f7fa0a56f9' (2024-04-07) → 'github:SuperSandro2000/nixpkgs/3bf15624c7754b6ec55a49e851dd27d2d372e680' (2024-04-11) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/1e3b3a35b7083f4152f5a516798cf9b21e686465' (2024-04-08) → 'github:nixos/nixos-hardware/f58b25254be441cd2a9b4b444ed83f1e51244f1f' (2024-04-12) • Updated input 'nixos-unstable': 'github:SuperSandro2000/nixpkgs/de0499eb0849d85bf04f7b3cc3a48bf00941a867' (2024-04-07) → 'github:SuperSandro2000/nixpkgs/14ee1c2e6f49f69abf7c6a192efb26787675ba28' (2024-04-12) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/fde22e2a669d3262a23753a2e4c7eec3cf7f566d' (2024-04-08) → 'github:astro/nix-openwrt-imagebuilder/0422470802c48a48dac0aec7ba3004e6c13c4226' (2024-04-12) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/42a168449605950935f15ea546f6f770e5f7f629' (2024-03-29) → 'github:oxalica/rust-overlay/9ef1eca23bee5fb8080863909af3802130b2ee57' (2024-04-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6' (2024-04-07) → 'github:Mic92/sops-nix/538c114cfdf1f0458f507087b1dcf018ce1c0c4c' (2024-04-08) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs/heads/master&rev=cb616b8b8891d320058526982d47fbd903eeb79b' (2024-04-08) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs/heads/master&rev=8c03619c0d595b78ecc93137ab97b0bc82aa7cbb' (2024-04-12)
modules/stats: enable collectd plugin ipmi only on x86_64
2024-04-13 10:00:43 +02:00 · 2024-04-13 04:29:08 +02:00 · 2024-04-13 04:28:42 +02:00 · 2024-04-13 03:46:33 +02:00 · 2024-04-12 23:40:39 +02:00 · 2024-04-12 22:03:51 +02:00
9 changed files with 315 additions and 42 deletions
--- a/flake.lock
+++ b/flake.lock
@ -116,11 +116,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711590216,
-        "narHash": "sha256-NFMtHyFG/moEZP/Vaa+Dyhd19ohOp7g8+r+J4UWLjAE=",
+        "lastModified": 1712958621,
+        "narHash": "sha256-lJ9pn7RWE9W4CAMv+8UKFJNzM6MmUqWmSKywRTbQN6I=",
        "owner": "astro",
        "repo": "buzzrelay",
-        "rev": "c541d83620dc237648ce1d9204f938fc80b416d1",
+        "rev": "8c314c7c202c88b1ec7cef0e970f9206ee233596",
        "type": "github"
      },
      "original": {
@ -209,11 +209,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712356478,
-        "narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
+        "lastModified": 1712947906,
+        "narHash": "sha256-T0eT2lMbcK7RLelkx0qx4SiFpOS/0dt0aSfLB+WsGV8=",
        "owner": "nix-community",
        "repo": "disko",
-        "rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
+        "rev": "8d4ae698eaac8bd717e23507da2ca8b345bec4b5",
        "type": "github"
      },
      "original": {
@ -278,11 +278,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1695426234,
-        "narHash": "sha256-fPLVqhGt9G72MrKrnal31ovp2NXpy4PT6uGV9+BYxtk=",
+        "lastModified": 1712974579,
+        "narHash": "sha256-nEGN+onff81EuGmscFOBQDkmThujvKn3MlJKpJ6p5us=",
        "ref": "refs/heads/master",
-        "rev": "bb82574d4a36b743b8678e23a0cd3c8b0eaf1821",
-        "revCount": 68,
+        "rev": "ade76b343fce28dedd3973a44f4e4eff5b16bc57",
+        "revCount": 71,
        "type": "git",
        "url": "https://gitea.c3d2.de/astro/heliwatch.git"
      },
@ -302,11 +302,11 @@
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1712366957,
-        "narHash": "sha256-7W3D1Gk6mGlwtV07n6YB/7s3tThcBYknlvDPcoJJSe4=",
+        "lastModified": 1712654305,
+        "narHash": "sha256-CNdpLnGOUZfIhBanAFVF7t1xstaQGL4w6sQPrVeLlus=",
        "owner": "astro",
        "repo": "microvm.nix",
-        "rev": "1e746a8987eb893adc8dd317b84e73d72803b650",
+        "rev": "ee0068ca87bdabbde3cc39b7af807c0302d0304c",
        "type": "github"
      },
      "original": {
@ -363,11 +363,11 @@
    },
    "nixos": {
      "locked": {
-        "lastModified": 1712510303,
-        "narHash": "sha256-IZvFSWgMM+TiVGpi7Z9rUxcVSKG+NoyL5oP6WOUp1lk=",
+        "lastModified": 1712849954,
+        "narHash": "sha256-W+aYdfYOb0xYVJfgYxhJL7UhI0N3UoUe+/j4pwDj6pE=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "1bb6d38faeece5f7e0bf01519289a5f7fa0a56f9",
+        "rev": "3bf15624c7754b6ec55a49e851dd27d2d372e680",
        "type": "github"
      },
      "original": {
@ -379,11 +379,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1712566108,
-        "narHash": "sha256-c9nT2ZODGqobISP41kUwCQ84Srwg7a/1TmPFQuol2/8=",
+        "lastModified": 1712909959,
+        "narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "1e3b3a35b7083f4152f5a516798cf9b21e686465",
+        "rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
        "type": "github"
      },
      "original": {
@ -417,11 +417,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1712510252,
-        "narHash": "sha256-tD8hJALj3bKDeuiusiKh5kwMH+JdauErLro4hEePVZE=",
+        "lastModified": 1712918292,
+        "narHash": "sha256-O/Hg8V4Lqy1Z+enSVcNaoiveqeW9TxzyuMvNmh10b7c=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "de0499eb0849d85bf04f7b3cc3a48bf00941a867",
+        "rev": "14ee1c2e6f49f69abf7c6a192efb26787675ba28",
        "type": "github"
      },
      "original": {
@ -472,11 +472,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712571708,
-        "narHash": "sha256-IZ1EwUM0fPNGOlB3KGENTwE+q6YyZ+aRghXudE86Yco=",
+        "lastModified": 1712919847,
+        "narHash": "sha256-lbHHVc5PRS2NpB5FBrFzrQCICd1ufztL+950vPUswqg=",
        "owner": "astro",
        "repo": "nix-openwrt-imagebuilder",
-        "rev": "fde22e2a669d3262a23753a2e4c7eec3cf7f566d",
+        "rev": "0422470802c48a48dac0aec7ba3004e6c13c4226",
        "type": "github"
      },
      "original": {
@ -550,11 +550,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1711678273,
-        "narHash": "sha256-7lIB0hMRnfzx/9oSIwTnwXmVnbvVGRoadOCW+1HI5zY=",
+        "lastModified": 1712715149,
+        "narHash": "sha256-uOx7GaLV+5hekAYtm/CBr627Pi7+d1Yh70hwKmVjYYo=",
        "owner": "oxalica",
        "repo": "rust-overlay",
-        "rev": "42a168449605950935f15ea546f6f770e5f7f629",
+        "rev": "9ef1eca23bee5fb8080863909af3802130b2ee57",
        "type": "github"
      },
      "original": {
@ -631,11 +631,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712458908,
-        "narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=",
+        "lastModified": 1712617241,
+        "narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6",
+        "rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
        "type": "github"
      },
      "original": {
@ -825,11 +825,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1712576876,
-        "narHash": "sha256-kTkQffyPgnteBzj4xx2zYdegcamTyGLKHW7VhKeameQ=",
+        "lastModified": 1712938876,
+        "narHash": "sha256-KviQe26kSascy3BfaMtyVpEYXuntOE8FYLgzRWe9QhI=",
        "ref": "refs/heads/master",
-        "rev": "cb616b8b8891d320058526982d47fbd903eeb79b",
-        "revCount": 1970,
+        "rev": "8c03619c0d595b78ecc93137ab97b0bc82aa7cbb",
+        "revCount": 1977,
        "type": "git",
        "url": "https://gitea.c3d2.de/zentralwerk/network.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -369,6 +369,8 @@
        gitea = nixosSystem' {
          modules = [
            self.nixosModules.microvm
+            self.nixosModules.gitea-actions-registrar
+            self.nixosModules.gitea-actions-runner
            ./hosts/gitea
          ];
        };
@ -413,6 +415,7 @@
        hydra = nixosSystem' {
          modules = [
            self.nixosModules.cluster
+            self.nixosModules.gitea-actions-runner
            # skyflake.nixosModules.default
            ./hosts/hydra
          ];
@ -759,6 +762,8 @@
          ./modules/microvm-host.nix
        ];
        rpi-netboot = ./modules/rpi-netboot.nix;
+        gitea-actions-registrar = ./modules/gitea-actions-registrar.nix;
+        gitea-actions-runner = ./modules/gitea-actions-runner.nix;
      };

      # `nix develop`
--- a/hosts/gitea/default.nix
+++ b/hosts/gitea/default.nix
@ -46,7 +46,7 @@

      settings = {
        # we use drone for internal tasks and don't want people to execute code on our infrastructure
-        actions.ENABLED = false;
+        actions.ENABLED = true;
        "cron.delete_generated_repository_avatars".ENABLED = true;
        "cron.repo_health_check".TIMEOUT = "300s";
        database.LOG_SQL = false;
@ -108,6 +108,8 @@
      };
    };

+    gitea-actions.enableRegistrar = true;
+
    nginx = {
      enable = true;
      virtualHosts."gitea.c3d2.de" = {
--- a/hosts/hydra/default.nix
+++ b/hosts/hydra/default.nix
@ -124,6 +124,13 @@
      ];
    };

+    gitea-actions = {
+      enableRunner = true;
+      kvm = true;
+      zfsDataset = "hydra/data/podman";
+      giteaUrl = "https://gitea.c3d2.de";
+    };
+
    hydra = {
      enable = true;
      buildMachinesFiles = [
--- a/hosts/sdrweb/default.nix
+++ b/hosts/sdrweb/default.nix
@ -1,5 +1,9 @@
-{ hostRegistry, pkgs, ... }:
+{ hostRegistry, config, pkgs, ... }:
 {
+  microvm = {
+    mem = 2048;
+    vcpu = 8;
+  };
  c3d2 = {
    deployment.server = "server10";
    hq.statistics.enable = true;
@ -56,7 +60,7 @@
    heliwatch = {
      enable = true;
      jid = "astrobot@jabber.c3d2.de";
-      inherit (pkgs.mucbot) password;
+      passwordFile = config.sops.secrets."heliwatch/passwordFile".path;
      muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz";
    };

@ -91,5 +95,8 @@
    openwebrx.enable = true;
  };

-  sops.defaultSopsFile = ./secrets.yaml;
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets."heliwatch/passwordFile".owner = "heliwatch";
+  };
 }
--- a/hosts/sdrweb/secrets.yaml
+++ b/hosts/sdrweb/secrets.yaml
@ -2,6 +2,8 @@ restic:
    password: ENC[AES256_GCM,data:rF82Jo3uXFuTGfMNEkrWmJKTg4W0tSEp4RhWU91Us8E=,iv:6lNjPlSZoRhVNwhkiUUOyi9PyxsFCNeA6syNUPaJIa8=,tag:UTX8Vve6Zj3Un+A0uTihpg==,type:str]
    repositories:
        server9: ENC[AES256_GCM,data:ok/fhJJ7ABH6YfnP1o2DWpH8vbPwST8/7RwsASiQrWdkvyaC4jC4fAie1XofN8GcoC/55b56UbdnH8htdq2ulUVuIfsWHTUeVHbgIB60cum4+QfK/IxNBeV7J7A/7xjlubU=,iv:FAIZ+bhCojiQLVq8WTb/5NFkcV+kqcg6cxiv0wu1Dng=,tag:YB7OzI8jdYx0odqkTXGfFw==,type:str]
+heliwatch:
+    passwordFile: ENC[AES256_GCM,data:RovkihQU9uq1Iw==,iv:GZ/NBBsEi4KUydyMDC8TrktWKa/nDUP4JU5M78v6Y5c=,tag:FySsAVsocDer0X5znGrF/A==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -26,8 +28,8 @@ sops:
            T01GdFR0MWxwQkpuSjB3R21xdDZXR0UKGHXjDM1KiL8O+MV/TR0ZDTi14Aovklws
            qMIUH/4Sc8+HaMKGrwQYOzdUzLT+n4bsmYsz9H149y8MIpSxADsHJQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-11T23:44:29Z"
-    mac: ENC[AES256_GCM,data:i+aEE8xV3C4KaIVcTSW/Ynfebe/3XMnJRBQsHqw6vp3mb/bIoZOTu+CeRzdnRJR7gp8sR5wbNnqlKLzp0HNE3voBEf9oGdDZPdQuW2brAWsTiw9z271CAM+SKj/5K83xm6u8Qv7c1U67G/1Fn085lmr7FaFIZrto37j9p6d+v2w=,iv:W0wWlLOo1Ym2wqk7EJItWL4KRrJ/jmaynmzsxPraRL8=,tag:qrFOcgSIiXIbFp5uSY6AAg==,type:str]
+    lastmodified: "2024-04-13T02:21:09Z"
+    mac: ENC[AES256_GCM,data:m0BfbJbOQG5odFNxEQcnNFqbvcoGRi1QWZSl0AomFK0efP2JgDQrOEcsp1+LsBbuO1e+zndSEekGhqCpdJf3ZEXitPJYLjHUdVpSnONAh5LIQpe4QqmbLsGq7KxP1iWm9IscUplQxiJy5xRkA1AbmqDnh1e8NS/5Fk0YBz3b++M=,iv:hoMP3yruykzI6WpmMu6sF6oamKM/bftJALd9+LD3ZUM=,tag:rJnYnIN5J1UoHBZyPHgW9g==,type:str]
    pgp:
        - created_at: "2023-12-11T23:40:37Z"
          enc: |-
--- a/modules/gitea-actions-registrar.nix
+++ b/modules/gitea-actions-registrar.nix
@ -0,0 +1,30 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea-actions;
+in {
+  options.services.gitea-actions.enableRegistrar = lib.mkEnableOption "gitea";
+
+  config.systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
+    wantedBy = [ "multi-user.target" ];
+    after =lib.optional config.services.gitea.enable "gitea.service";
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
+    script = ''
+      set -euo pipefail
+      token=$(${lib.getExe config.services.gitea.package} actions generate-runner-token)
+      echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
+    '';
+
+    environment = {
+      GITEA_CUSTOM = "/var/lib/gitea/custom";
+      GITEA_WORK_DIR = "/var/lib/gitea";
+    };
+
+    serviceConfig = {
+      User = "gitea";
+      Group = "gitea";
+      StateDirectory = "gitea-registration";
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  });
+}
--- a/modules/gitea-actions-runner.nix
+++ b/modules/gitea-actions-runner.nix
@ -0,0 +1,219 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.gitea-actions;
+  storeDeps = pkgs.buildEnv {
+    name = "store-deps";
+    paths = ((with pkgs; [
+      bash
+      cacert
+      coreutils
+      curl
+      findutils
+      gawk
+      git
+      gnugrep
+      jq
+      nix
+      nodejs
+      openssh
+    ]) ++ cfg.storeDependencies);
+  };
+in {
+  options = {
+    services.gitea-actions = {
+      enableRunner = lib.mkEnableOption "gitea-actions-runner";
+
+      giteaUrl = lib.mkOption {
+        type = lib.types.str;
+        default = config.services.gitea.settings.server.ROOT_URL;
+      };
+
+      numInstances = lib.mkOption {
+        type = lib.types.ints.unsigned;
+        default = 2;
+        description = "Number of instances of the gitea-actions-runner service to create";
+      };
+
+      storeDependencies = lib.mkOption {
+        type = lib.types.listOf lib.types.package;
+        default = [];
+        description = "List of packages to symlink into the container";
+      };
+
+      additionalFlakeConfig = lib.mkOption {
+        type = lib.types.str;
+        default = "";
+        example = "accept-flake-config = true";
+        description = "Additional configuration to add to the nix.conf file";
+      };
+
+      kvm = lib.mkOption {
+        type = lib.types.bool;
+        default = false;
+        description = "Enable KVM passthrough for the container";
+      };
+
+      zfsDataset = lib.mkOption {
+        type = lib.types.str;
+        default = "zroot/root/podman";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enableRunner (lib.mkMerge [
+    {
+      systemd.services.gitea-runner-nix-image = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "podman.service" ];
+        requires = [ "podman.service" ];
+        script = ''
+          set -eu -o pipefail
+          mkdir -p etc/nix
+    
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group gitea-actions))
+          userid=$(cut -d: -f3 < <(getent passwd gitea-actions))
+          groupadd --prefix $(pwd) --gid "$groupid" gitea-actions
+          emptypassword='$y$j9T$dLJlazrLCVKcOQ/zmu60E1$bAkbdgDaiz7niknOCasvKW3Tjxeca6WA/1fNe4UpeeC'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G gitea-actions gitea-actions
+    
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          experimental-features = nix-command flakes
+          ${cfg.additionalFlakeConfig}
+          NIX_CONFIG
+    
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+    
+          hosts:     files mymachines dns myhostname
+          networks:  files
+    
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+    
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | podman import - gitea-runner-nix
+        '';
+
+        path = [
+          config.virtualisation.podman.package
+          pkgs.getent
+          pkgs.gnutar
+          pkgs.shadow
+        ];
+
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+    
+      users = {
+        groups.gitea-actions = { };
+        users.gitea-actions = {
+          group = "gitea-actions";
+          description = "Used for running nix ci jobs";
+          home = "/run/gitea-runner-nix-image";
+          isSystemUser = true;
+        };
+      };
+    }
+    {
+      virtualisation = {
+        podman.enable = true;
+        containers = {
+          containersConf.settings.containers.dns_servers = config.networking.nameservers;
+          storage.settings.storage.options.zfs.fsname = lib.mkIf config.boot.zfs.enabled "${cfg.zfsDataset}";
+        };
+      };
+    }
+    {
+      systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") cfg.numInstances) (name: {
+        after = [
+          "gitea-runner-nix-image.service"
+        ];
+
+        requires = [
+          "gitea-runner-nix-image.service"
+        ];
+
+        serviceConfig = {
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          PrivateNetwork = false;
+          MemoryDenyWriteExecute = false;
+          ProcSubset = "all";
+          LockPersonality = false;
+          DynamicUser = true;
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@privileged"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+            "AF_NETLINK"
+          ];
+        };
+      });
+
+      services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") cfg.numInstances) (iname: {
+        enable = true;
+        name = config.networking.hostName;
+        url = cfg.giteaUrl;
+        tokenFile = "/var/lib/gitea-runner/${iname}/token";
+        labels = [ "nix:docker://gitea-runner-nix" ];
+        settings.container = {
+          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt${lib.optionalString cfg.kvm " --device /dev/kvm"} -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user gitea-actions";
+          network = "host";
+          valid_volumes = [
+            "/nix"
+            "${storeDeps}/bin"
+            "${storeDeps}/etc/ssl"
+          ];
+        };
+      });
+    }
+  ]);
+}
--- a/modules/stats.nix
+++ b/modules/stats.nix
@ -46,8 +46,9 @@ in
          sensors = "";
          cpufreq = "";
          irq = "";
-          ipmi = "";
          thermal = "";
+        } // lib.optionalAttrs (isMetal && config.nixpkgs.system == "x86_64-linux") {
+          ipmi = "";
        } // lib.optionalAttrs config.services.nginx.enable {
          nginx = ''
            URL "http://localhost:${toString nginxStatusPort}/nginx_status"
Author	SHA1	Message	Date
Astrobot	1aa373b459	flake.lock: Update Flake lock file updates: • Updated input 'buzzrelay': 'github:astro/buzzrelay/c541d83620dc237648ce1d9204f938fc80b416d1' (2024-03-28) → 'github:astro/buzzrelay/8c314c7c202c88b1ec7cef0e970f9206ee233596' (2024-04-12) • Updated input 'disko': 'github:nix-community/disko/0a17298c0d96190ef3be729d594ba202b9c53beb' (2024-04-05) → 'github:nix-community/disko/8d4ae698eaac8bd717e23507da2ca8b345bec4b5' (2024-04-12) • Updated input 'microvm': 'github:astro/microvm.nix/1e746a8987eb893adc8dd317b84e73d72803b650' (2024-04-06) → 'github:astro/microvm.nix/ee0068ca87bdabbde3cc39b7af807c0302d0304c' (2024-04-09) • Updated input 'nixos': 'github:SuperSandro2000/nixpkgs/1bb6d38faeece5f7e0bf01519289a5f7fa0a56f9' (2024-04-07) → 'github:SuperSandro2000/nixpkgs/3bf15624c7754b6ec55a49e851dd27d2d372e680' (2024-04-11) • Updated input 'nixos-hardware': 'github:nixos/nixos-hardware/1e3b3a35b7083f4152f5a516798cf9b21e686465' (2024-04-08) → 'github:nixos/nixos-hardware/f58b25254be441cd2a9b4b444ed83f1e51244f1f' (2024-04-12) • Updated input 'nixos-unstable': 'github:SuperSandro2000/nixpkgs/de0499eb0849d85bf04f7b3cc3a48bf00941a867' (2024-04-07) → 'github:SuperSandro2000/nixpkgs/14ee1c2e6f49f69abf7c6a192efb26787675ba28' (2024-04-12) • Updated input 'openwrt-imagebuilder': 'github:astro/nix-openwrt-imagebuilder/fde22e2a669d3262a23753a2e4c7eec3cf7f566d' (2024-04-08) → 'github:astro/nix-openwrt-imagebuilder/0422470802c48a48dac0aec7ba3004e6c13c4226' (2024-04-12) • Updated input 'rust-overlay': 'github:oxalica/rust-overlay/42a168449605950935f15ea546f6f770e5f7f629' (2024-03-29) → 'github:oxalica/rust-overlay/9ef1eca23bee5fb8080863909af3802130b2ee57' (2024-04-10) • Updated input 'sops-nix': 'github:Mic92/sops-nix/39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6' (2024-04-07) → 'github:Mic92/sops-nix/538c114cfdf1f0458f507087b1dcf018ce1c0c4c' (2024-04-08) • Updated input 'zentralwerk': 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs/heads/master&rev=cb616b8b8891d320058526982d47fbd903eeb79b' (2024-04-08) → 'git+https://gitea.c3d2.de/zentralwerk/network.git?ref=refs/heads/master&rev=8c03619c0d595b78ecc93137ab97b0bc82aa7cbb' (2024-04-12)	2024-04-13 10:00:43 +02:00
Astro	8e2718f443	modules/stats: enable collectd plugin ipmi only on x86_64	2024-04-13 04:29:08 +02:00
Astro	4ee5bb830f	sdrweb: use a sops passwordFile for heliwatch	2024-04-13 04:28:42 +02:00
Astro	41783676ca	sdrweb: bump mem heliwatch was running into OOM	2024-04-13 03:46:33 +02:00
Astro	2062679a91	hydra: fix and deploy gitea-actions-runner	2024-04-12 23:40:39 +02:00
Astro	416c19b109	Merge 'gitea-actions-runner'	2024-04-12 22:03:51 +02:00
Dennis -	837c41a2ae	add gitea-actions-runner module	2024-04-12 21:59:04 +02:00