Compare commits
7 Commits
3992f2f6a6
...
1aa373b459
Author | SHA1 | Date |
---|---|---|
Astrobot | 1aa373b459 | |
Astro | 8e2718f443 | |
Astro | 4ee5bb830f | |
Astro | 41783676ca | |
Astro | 2062679a91 | |
Astro | 416c19b109 | |
Dennis - | 837c41a2ae |
70
flake.lock
70
flake.lock
|
@ -116,11 +116,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711590216,
|
||||
"narHash": "sha256-NFMtHyFG/moEZP/Vaa+Dyhd19ohOp7g8+r+J4UWLjAE=",
|
||||
"lastModified": 1712958621,
|
||||
"narHash": "sha256-lJ9pn7RWE9W4CAMv+8UKFJNzM6MmUqWmSKywRTbQN6I=",
|
||||
"owner": "astro",
|
||||
"repo": "buzzrelay",
|
||||
"rev": "c541d83620dc237648ce1d9204f938fc80b416d1",
|
||||
"rev": "8c314c7c202c88b1ec7cef0e970f9206ee233596",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -209,11 +209,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712356478,
|
||||
"narHash": "sha256-kTcEtrQIRnexu5lAbLsmUcfR2CrmsACF1s3ZFw1NEVA=",
|
||||
"lastModified": 1712947906,
|
||||
"narHash": "sha256-T0eT2lMbcK7RLelkx0qx4SiFpOS/0dt0aSfLB+WsGV8=",
|
||||
"owner": "nix-community",
|
||||
"repo": "disko",
|
||||
"rev": "0a17298c0d96190ef3be729d594ba202b9c53beb",
|
||||
"rev": "8d4ae698eaac8bd717e23507da2ca8b345bec4b5",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -278,11 +278,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1695426234,
|
||||
"narHash": "sha256-fPLVqhGt9G72MrKrnal31ovp2NXpy4PT6uGV9+BYxtk=",
|
||||
"lastModified": 1712974579,
|
||||
"narHash": "sha256-nEGN+onff81EuGmscFOBQDkmThujvKn3MlJKpJ6p5us=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "bb82574d4a36b743b8678e23a0cd3c8b0eaf1821",
|
||||
"revCount": 68,
|
||||
"rev": "ade76b343fce28dedd3973a44f4e4eff5b16bc57",
|
||||
"revCount": 71,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/astro/heliwatch.git"
|
||||
},
|
||||
|
@ -302,11 +302,11 @@
|
|||
"spectrum": "spectrum"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712366957,
|
||||
"narHash": "sha256-7W3D1Gk6mGlwtV07n6YB/7s3tThcBYknlvDPcoJJSe4=",
|
||||
"lastModified": 1712654305,
|
||||
"narHash": "sha256-CNdpLnGOUZfIhBanAFVF7t1xstaQGL4w6sQPrVeLlus=",
|
||||
"owner": "astro",
|
||||
"repo": "microvm.nix",
|
||||
"rev": "1e746a8987eb893adc8dd317b84e73d72803b650",
|
||||
"rev": "ee0068ca87bdabbde3cc39b7af807c0302d0304c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -363,11 +363,11 @@
|
|||
},
|
||||
"nixos": {
|
||||
"locked": {
|
||||
"lastModified": 1712510303,
|
||||
"narHash": "sha256-IZvFSWgMM+TiVGpi7Z9rUxcVSKG+NoyL5oP6WOUp1lk=",
|
||||
"lastModified": 1712849954,
|
||||
"narHash": "sha256-W+aYdfYOb0xYVJfgYxhJL7UhI0N3UoUe+/j4pwDj6pE=",
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "1bb6d38faeece5f7e0bf01519289a5f7fa0a56f9",
|
||||
"rev": "3bf15624c7754b6ec55a49e851dd27d2d372e680",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -379,11 +379,11 @@
|
|||
},
|
||||
"nixos-hardware": {
|
||||
"locked": {
|
||||
"lastModified": 1712566108,
|
||||
"narHash": "sha256-c9nT2ZODGqobISP41kUwCQ84Srwg7a/1TmPFQuol2/8=",
|
||||
"lastModified": 1712909959,
|
||||
"narHash": "sha256-7/5ubuwdEbQ7Z+Vqd4u0mM5L2VMNDsBh54visp27CtQ=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixos-hardware",
|
||||
"rev": "1e3b3a35b7083f4152f5a516798cf9b21e686465",
|
||||
"rev": "f58b25254be441cd2a9b4b444ed83f1e51244f1f",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -417,11 +417,11 @@
|
|||
},
|
||||
"nixos-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1712510252,
|
||||
"narHash": "sha256-tD8hJALj3bKDeuiusiKh5kwMH+JdauErLro4hEePVZE=",
|
||||
"lastModified": 1712918292,
|
||||
"narHash": "sha256-O/Hg8V4Lqy1Z+enSVcNaoiveqeW9TxzyuMvNmh10b7c=",
|
||||
"owner": "SuperSandro2000",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "de0499eb0849d85bf04f7b3cc3a48bf00941a867",
|
||||
"rev": "14ee1c2e6f49f69abf7c6a192efb26787675ba28",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -472,11 +472,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712571708,
|
||||
"narHash": "sha256-IZ1EwUM0fPNGOlB3KGENTwE+q6YyZ+aRghXudE86Yco=",
|
||||
"lastModified": 1712919847,
|
||||
"narHash": "sha256-lbHHVc5PRS2NpB5FBrFzrQCICd1ufztL+950vPUswqg=",
|
||||
"owner": "astro",
|
||||
"repo": "nix-openwrt-imagebuilder",
|
||||
"rev": "fde22e2a669d3262a23753a2e4c7eec3cf7f566d",
|
||||
"rev": "0422470802c48a48dac0aec7ba3004e6c13c4226",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -550,11 +550,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1711678273,
|
||||
"narHash": "sha256-7lIB0hMRnfzx/9oSIwTnwXmVnbvVGRoadOCW+1HI5zY=",
|
||||
"lastModified": 1712715149,
|
||||
"narHash": "sha256-uOx7GaLV+5hekAYtm/CBr627Pi7+d1Yh70hwKmVjYYo=",
|
||||
"owner": "oxalica",
|
||||
"repo": "rust-overlay",
|
||||
"rev": "42a168449605950935f15ea546f6f770e5f7f629",
|
||||
"rev": "9ef1eca23bee5fb8080863909af3802130b2ee57",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -631,11 +631,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712458908,
|
||||
"narHash": "sha256-DMgBS+jNHDg8z3g9GkwqL8xTKXCRQ/0FGsAyrniVonc=",
|
||||
"lastModified": 1712617241,
|
||||
"narHash": "sha256-a4hbls4vlLRMciv62YrYT/Xs/3Cubce8WFHPUDWwzf8=",
|
||||
"owner": "Mic92",
|
||||
"repo": "sops-nix",
|
||||
"rev": "39191e8e6265b106c9a2ba0cfd3a4dafe98a31c6",
|
||||
"rev": "538c114cfdf1f0458f507087b1dcf018ce1c0c4c",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
@ -825,11 +825,11 @@
|
|||
]
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1712576876,
|
||||
"narHash": "sha256-kTkQffyPgnteBzj4xx2zYdegcamTyGLKHW7VhKeameQ=",
|
||||
"lastModified": 1712938876,
|
||||
"narHash": "sha256-KviQe26kSascy3BfaMtyVpEYXuntOE8FYLgzRWe9QhI=",
|
||||
"ref": "refs/heads/master",
|
||||
"rev": "cb616b8b8891d320058526982d47fbd903eeb79b",
|
||||
"revCount": 1970,
|
||||
"rev": "8c03619c0d595b78ecc93137ab97b0bc82aa7cbb",
|
||||
"revCount": 1977,
|
||||
"type": "git",
|
||||
"url": "https://gitea.c3d2.de/zentralwerk/network.git"
|
||||
},
|
||||
|
|
|
@ -369,6 +369,8 @@
|
|||
gitea = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.microvm
|
||||
self.nixosModules.gitea-actions-registrar
|
||||
self.nixosModules.gitea-actions-runner
|
||||
./hosts/gitea
|
||||
];
|
||||
};
|
||||
|
@ -413,6 +415,7 @@
|
|||
hydra = nixosSystem' {
|
||||
modules = [
|
||||
self.nixosModules.cluster
|
||||
self.nixosModules.gitea-actions-runner
|
||||
# skyflake.nixosModules.default
|
||||
./hosts/hydra
|
||||
];
|
||||
|
@ -759,6 +762,8 @@
|
|||
./modules/microvm-host.nix
|
||||
];
|
||||
rpi-netboot = ./modules/rpi-netboot.nix;
|
||||
gitea-actions-registrar = ./modules/gitea-actions-registrar.nix;
|
||||
gitea-actions-runner = ./modules/gitea-actions-runner.nix;
|
||||
};
|
||||
|
||||
# `nix develop`
|
||||
|
|
|
@ -46,7 +46,7 @@
|
|||
|
||||
settings = {
|
||||
# we use drone for internal tasks and don't want people to execute code on our infrastructure
|
||||
actions.ENABLED = false;
|
||||
actions.ENABLED = true;
|
||||
"cron.delete_generated_repository_avatars".ENABLED = true;
|
||||
"cron.repo_health_check".TIMEOUT = "300s";
|
||||
database.LOG_SQL = false;
|
||||
|
@ -108,6 +108,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
gitea-actions.enableRegistrar = true;
|
||||
|
||||
nginx = {
|
||||
enable = true;
|
||||
virtualHosts."gitea.c3d2.de" = {
|
||||
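Review bot: The comment kept at the top of the hunk, `# we use drone for internal tasks and don't want people to execute code on our infrastructure`, now contradicts the line directly below it, which flips `actions.ENABLED` from `false` to `true`; a reader of the new file will assume Actions is still meant to be off. Replace it with the current rationale, e.g. `# Actions jobs run in podman containers on the hydra host (modules/gitea-actions-runner.nix); runner tokens are issued by gitea-actions.enableRegistrar below`. The enclosing `settings` attribute set continues outside the hunk.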
|
|
|
@ -124,6 +124,13 @@
|
|||
];
|
||||
};
|
||||
|
||||
gitea-actions = {
|
||||
enableRunner = true;
|
||||
kvm = true;
|
||||
zfsDataset = "hydra/data/podman";
|
||||
giteaUrl = "https://gitea.c3d2.de";
|
||||
};
|
||||
|
||||
hydra = {
|
||||
enable = true;
|
||||
buildMachinesFiles = [
|
||||
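Review bot: `enableRunner = true` makes each runner instance read its token from `/var/lib/gitea-runner/nix<n>/token` (the module's `tokenFile`), while the registrar on the gitea host writes tokens to `/var/lib/gitea-registration/gitea-runner-nix<n>-token`; nothing in this change carries them across, so the step is presumably done out of band and deserves a comment here, e.g. `# runner tokens are generated by the gitea-runner-nix<n>-token units on the gitea host and must be placed at /var/lib/gitea-runner/nix<n>/token`. `kvm = true` additionally passes `/dev/kvm` into every job container, which is worth a one-line justification next to it. The enclosing attribute set continues outside the hunk.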
|
|
|
@ -1,5 +1,9 @@
|
|||
{ hostRegistry, pkgs, ... }:
|
||||
{ hostRegistry, config, pkgs, ... }:
|
||||
{
|
||||
microvm = {
|
||||
mem = 2048;
|
||||
vcpu = 8;
|
||||
};
|
||||
c3d2 = {
|
||||
deployment.server = "server10";
|
||||
hq.statistics.enable = true;
|
||||
|
@ -56,7 +60,7 @@
|
|||
heliwatch = {
|
||||
enable = true;
|
||||
jid = "astrobot@jabber.c3d2.de";
|
||||
inherit (pkgs.mucbot) password;
|
||||
passwordFile = config.sops.secrets."heliwatch/passwordFile".path;
|
||||
muc = "luftraum@chat.c3d2.de/Hubschraubereinsatz";
|
||||
};
|
||||
|
||||
|
@ -91,5 +95,8 @@
|
|||
openwebrx.enable = true;
|
||||
};
|
||||
|
||||
sops.defaultSopsFile = ./secrets.yaml;
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets."heliwatch/passwordFile".owner = "heliwatch";
|
||||
};
|
||||
}
|
||||
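Review bot: Replacing `inherit (pkgs.mucbot) password;` with a sops-managed `passwordFile` is the right direction, but if `pkgs.mucbot.password` was a plain string it has presumably been embedded in generated configuration in the Nix store (readable by every local user on the host) and it remains in git history, so the credential should be rotated rather than only re-homed; the commit description could state whether that was done. The new secret is declared only with `owner = "heliwatch"`, which is correct if the service runs as that user — not visible in this hunk, so worth confirming.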
|
|
|
@ -2,6 +2,8 @@ restic:
|
|||
password: ENC[AES256_GCM,data:rF82Jo3uXFuTGfMNEkrWmJKTg4W0tSEp4RhWU91Us8E=,iv:6lNjPlSZoRhVNwhkiUUOyi9PyxsFCNeA6syNUPaJIa8=,tag:UTX8Vve6Zj3Un+A0uTihpg==,type:str]
|
||||
repositories:
|
||||
server9: ENC[AES256_GCM,data:ok/fhJJ7ABH6YfnP1o2DWpH8vbPwST8/7RwsASiQrWdkvyaC4jC4fAie1XofN8GcoC/55b56UbdnH8htdq2ulUVuIfsWHTUeVHbgIB60cum4+QfK/IxNBeV7J7A/7xjlubU=,iv:FAIZ+bhCojiQLVq8WTb/5NFkcV+kqcg6cxiv0wu1Dng=,tag:YB7OzI8jdYx0odqkTXGfFw==,type:str]
|
||||
heliwatch:
|
||||
passwordFile: ENC[AES256_GCM,data:RovkihQU9uq1Iw==,iv:GZ/NBBsEi4KUydyMDC8TrktWKa/nDUP4JU5M78v6Y5c=,tag:FySsAVsocDer0X5znGrF/A==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
|
@ -26,8 +28,8 @@ sops:
|
|||
T01GdFR0MWxwQkpuSjB3R21xdDZXR0UKGHXjDM1KiL8O+MV/TR0ZDTi14Aovklws
|
||||
qMIUH/4Sc8+HaMKGrwQYOzdUzLT+n4bsmYsz9H149y8MIpSxADsHJQ==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-12-11T23:44:29Z"
|
||||
mac: ENC[AES256_GCM,data:i+aEE8xV3C4KaIVcTSW/Ynfebe/3XMnJRBQsHqw6vp3mb/bIoZOTu+CeRzdnRJR7gp8sR5wbNnqlKLzp0HNE3voBEf9oGdDZPdQuW2brAWsTiw9z271CAM+SKj/5K83xm6u8Qv7c1U67G/1Fn085lmr7FaFIZrto37j9p6d+v2w=,iv:W0wWlLOo1Ym2wqk7EJItWL4KRrJ/jmaynmzsxPraRL8=,tag:qrFOcgSIiXIbFp5uSY6AAg==,type:str]
|
||||
lastmodified: "2024-04-13T02:21:09Z"
|
||||
mac: ENC[AES256_GCM,data:m0BfbJbOQG5odFNxEQcnNFqbvcoGRi1QWZSl0AomFK0efP2JgDQrOEcsp1+LsBbuO1e+zndSEekGhqCpdJf3ZEXitPJYLjHUdVpSnONAh5LIQpe4QqmbLsGq7KxP1iWm9IscUplQxiJy5xRkA1AbmqDnh1e8NS/5Fk0YBz3b++M=,iv:hoMP3yruykzI6WpmMu6sF6oamKM/bftJALd9+LD3ZUM=,tag:rJnYnIN5J1UoHBZyPHgW9g==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-12-11T23:40:37Z"
|
||||
enc: |-
|
||||
|
|
|
@ -0,0 +1,30 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.gitea-actions;
|
||||
in {
|
||||
options.services.gitea-actions.enableRegistrar = lib.mkEnableOption "gitea";
|
||||
|
||||
config.systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after =lib.optional config.services.gitea.enable "gitea.service";
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||
script = ''
|
||||
set -euo pipefail
|
||||
token=$(${lib.getExe config.services.gitea.package} actions generate-runner-token)
|
||||
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
||||
'';
|
||||
|
||||
environment = {
|
||||
GITEA_CUSTOM = "/var/lib/gitea/custom";
|
||||
GITEA_WORK_DIR = "/var/lib/gitea";
|
||||
};
|
||||
|
||||
serviceConfig = {
|
||||
User = "gitea";
|
||||
Group = "gitea";
|
||||
StateDirectory = "gitea-registration";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
});
|
||||
}
|
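Review bot: `options.services.gitea-actions.enableRegistrar` is declared but never consulted: the `config.systemd.services = lib.genAttrs ...` assignment is unconditional, so the token units are created on every host that imports this module, and they dereference `cfg.numInstances`, which is only declared by the runner module. Gate it as `config.systemd.services = lib.mkIf cfg.enableRegistrar (lib.genAttrs ... (name: { ... }));`. The file written by `echo "TOKEN=$token" > /var/lib/gitea-registration/${name}` holds a runner registration token, yet it is created with the unit's default umask inside a default-mode StateDirectory, so it is likely world-readable; add `UMask = "0077";` (or `StateDirectoryMode = "0700";`) next to `StateDirectory`. The `ConditionPathExists` guard also means a token is never regenerated, so rotation requires deleting the file manually — worth a comment on that line.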
|
@ -0,0 +1,219 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.gitea-actions;
|
||||
storeDeps = pkgs.buildEnv {
|
||||
name = "store-deps";
|
||||
paths = ((with pkgs; [
|
||||
bash
|
||||
cacert
|
||||
coreutils
|
||||
curl
|
||||
findutils
|
||||
gawk
|
||||
git
|
||||
gnugrep
|
||||
jq
|
||||
nix
|
||||
nodejs
|
||||
openssh
|
||||
]) ++ cfg.storeDependencies);
|
||||
};
|
||||
in {
|
||||
options = {
|
||||
services.gitea-actions = {
|
||||
enableRunner = lib.mkEnableOption "gitea-actions-runner";
|
||||
|
||||
giteaUrl = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = config.services.gitea.settings.server.ROOT_URL;
|
||||
};
|
||||
|
||||
numInstances = lib.mkOption {
|
||||
type = lib.types.ints.unsigned;
|
||||
default = 2;
|
||||
description = "Number of instances of the gitea-actions-runner service to create";
|
||||
};
|
||||
|
||||
storeDependencies = lib.mkOption {
|
||||
type = lib.types.listOf lib.types.package;
|
||||
default = [];
|
||||
description = "List of packages to symlink into the container";
|
||||
};
|
||||
|
||||
additionalFlakeConfig = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
example = "accept-flake-config = true";
|
||||
description = "Additional configuration to add to the nix.conf file";
|
||||
};
|
||||
|
||||
kvm = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = false;
|
||||
description = "Enable KVM passthrough for the container";
|
||||
};
|
||||
|
||||
zfsDataset = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "zroot/root/podman";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enableRunner (lib.mkMerge [
|
||||
{
|
||||
systemd.services.gitea-runner-nix-image = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "podman.service" ];
|
||||
requires = [ "podman.service" ];
|
||||
script = ''
|
||||
set -eu -o pipefail
|
||||
mkdir -p etc/nix
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch etc/passwd etc/group
|
||||
groupid=$(cut -d: -f3 < <(getent group gitea-actions))
|
||||
userid=$(cut -d: -f3 < <(getent passwd gitea-actions))
|
||||
groupadd --prefix $(pwd) --gid "$groupid" gitea-actions
|
||||
emptypassword='$y$j9T$dLJlazrLCVKcOQ/zmu60E1$bAkbdgDaiz7niknOCasvKW3Tjxeca6WA/1fNe4UpeeC'
|
||||
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G gitea-actions gitea-actions
|
||||
|
||||
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||
experimental-features = nix-command flakes
|
||||
${cfg.additionalFlakeConfig}
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > etc/nsswitch.conf
|
||||
passwd: files mymachines systemd
|
||||
group: files mymachines systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines dns myhostname
|
||||
networks: files
|
||||
|
||||
ethers: files
|
||||
services: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
NSSWITCH
|
||||
|
||||
# list the content as it will be imported into the container
|
||||
tar -cv . | tar -tvf -
|
||||
tar -cv . | podman import - gitea-runner-nix
|
||||
'';
|
||||
|
||||
path = [
|
||||
config.virtualisation.podman.package
|
||||
pkgs.getent
|
||||
pkgs.gnutar
|
||||
pkgs.shadow
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
RuntimeDirectory = "gitea-runner-nix-image";
|
||||
WorkingDirectory = "/run/gitea-runner-nix-image";
|
||||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
users = {
|
||||
groups.gitea-actions = { };
|
||||
users.gitea-actions = {
|
||||
group = "gitea-actions";
|
||||
description = "Used for running nix ci jobs";
|
||||
home = "/run/gitea-runner-nix-image";
|
||||
isSystemUser = true;
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
virtualisation = {
|
||||
podman.enable = true;
|
||||
containers = {
|
||||
containersConf.settings.containers.dns_servers = config.networking.nameservers;
|
||||
storage.settings.storage.options.zfs.fsname = lib.mkIf config.boot.zfs.enabled "${cfg.zfsDataset}";
|
||||
};
|
||||
};
|
||||
}
|
||||
{
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") cfg.numInstances) (name: {
|
||||
after = [
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
|
||||
requires = [
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
|
||||
serviceConfig = {
|
||||
AmbientCapabilities = "";
|
||||
CapabilityBoundingSet = "";
|
||||
DeviceAllow = "";
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectControlGroups = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectSystem = "strict";
|
||||
RemoveIPC = true;
|
||||
RestrictNamespaces = true;
|
||||
RestrictRealtime = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0066";
|
||||
ProtectProc = "invisible";
|
||||
PrivateNetwork = false;
|
||||
MemoryDenyWriteExecute = false;
|
||||
ProcSubset = "all";
|
||||
LockPersonality = false;
|
||||
DynamicUser = true;
|
||||
SystemCallFilter = [
|
||||
"~@clock"
|
||||
"~@cpu-emulation"
|
||||
"~@module"
|
||||
"~@mount"
|
||||
"~@obsolete"
|
||||
"~@privileged"
|
||||
"~@raw-io"
|
||||
"~@reboot"
|
||||
"~@swap"
|
||||
"~capset"
|
||||
"~setdomainname"
|
||||
"~sethostname"
|
||||
];
|
||||
|
||||
RestrictAddressFamilies = [
|
||||
"AF_INET"
|
||||
"AF_INET6"
|
||||
"AF_UNIX"
|
||||
"AF_NETLINK"
|
||||
];
|
||||
};
|
||||
});
|
||||
|
||||
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") cfg.numInstances) (iname: {
|
||||
enable = true;
|
||||
name = config.networking.hostName;
|
||||
url = cfg.giteaUrl;
|
||||
tokenFile = "/var/lib/gitea-runner/${iname}/token";
|
||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||
settings.container = {
|
||||
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt${lib.optionalString cfg.kvm " --device /dev/kvm"} -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user gitea-actions";
|
||||
network = "host";
|
||||
valid_volumes = [
|
||||
"/nix"
|
||||
"${storeDeps}/bin"
|
||||
"${storeDeps}/etc/ssl"
|
||||
];
|
||||
};
|
||||
});
|
||||
}
|
||||
]);
|
||||
}
|
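Review bot: `network = "host";` in the `settings.container` block puts every job container into the runner host's network namespace, so workflow code from any repository with Actions enabled can reach services bound to loopback on that host, and the `-v /nix:/nix` mount in `options` is read-write. Unless host networking is required, set `network = "bridge";` (or leave it empty so act_runner creates a per-job network) and confirm that jobs actually need write access to `/nix` rather than only the daemon socket. The `containersConf.settings.containers.dns_servers` setting only affects bridged containers, which suggests bridge networking was at least considered. The extensive `serviceConfig` hardening protects the runner process itself, not the job containers; a comment saying so would prevent the two from being confused.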
|
@ -46,8 +46,9 @@ in
|
|||
sensors = "";
|
||||
cpufreq = "";
|
||||
irq = "";
|
||||
ipmi = "";
|
||||
thermal = "";
|
||||
} // lib.optionalAttrs (isMetal && config.nixpkgs.system == "x86_64-linux") {
|
||||
ipmi = "";
|
||||
} // lib.optionalAttrs config.services.nginx.enable {
|
||||
nginx = ''
|
||||
URL "http://localhost:${toString nginxStatusPort}/nginx_status"
|
||||
|
|