add gitea-actions-runner module #135
No description provided.
Where is the network separation done?
@ -0,0 +1,245 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
can be removed and replaced by config.boot.zfs.enabled
@ -0,0 +2,4 @@
let
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
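Review bot: `kvm-amd` and `kvm-intel` are kernel module names, which NixOS hosts normally list in `boot.kernelModules`, so checking `boot.kernelParams` for them on this line will presumably evaluate to false on a host that does have KVM — confirm which option the hosts in this repo actually set. Because `useKvm` later decides whether `--device /dev/kvm` is added to the runner's container options (the hunk at line 113), a wrong source silently drops KVM from the jobs instead of failing visibly. If the modules list is the intended signal, `useKvm = builtins.elem "kvm-amd" config.boot.kernelModules || builtins.elem "kvm-intel" config.boot.kernelModules;` reads it directly.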
use: lib.any (x: x == "kvm-amd" || x == "kvm-intel") config.boot.kernelParams
@ -0,0 +3,4 @@
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
storeDeps = pkgs.runCommand "store-deps" { } ''
Why not use buildEnv or buildFHS?
@ -0,0 +32,4 @@
services.gitea-actions = {
enable = lib.mkEnableOption "gitea-actions";
numInstances = lib.mkOption {
type = lib.types.int;
use types.ints.unsigned
@ -0,0 +43,4 @@
description = "List of packages to symlink into the container";
};
extraPodmanPackages = lib.mkOption {
We don't need that option, we can just set virtualisation.podman.extraPackages
@ -0,0 +58,4 @@
after = [ "podman.service" ];
requires = [ "podman.service" ];
script = ''
set -eux -o pipefail
We don't want set -x here
@ -0,0 +66,4 @@
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
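Review bot: The fixed hash assigned to `emptypassword` here is handed to `useradd -p` in the next hunk (line 71), which gives the in-container `nixuser` account a usable password entry where a locked one would do; unless a job actually has to authenticate with that password, dropping `-p "$emptypassword"` (useradd's default is a disabled password field) or passing `-p '!'` explicitly leaves the account unusable for password login. With `set -eux` in force from line 61, this assignment and the `useradd` call are also traced into the service journal. The unquoted `$(pwd)` in `--prefix $(pwd)` on line 66 (and again on line 71) should be `"$(pwd)"` so a working directory containing whitespace does not split the argument. The script body continues outside the hunk.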
We should use yescrypt here
$y$
@ -0,0 +70,4 @@
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
We don't really want to accept any substituter
@ -0,0 +109,4 @@
};
users = {
groups.nixuser = { };
That name is confusing; we should use something that contains "actions"
@ -0,0 +113,4 @@
users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";
We should use something in /run/something/or/so instead otherwise some tools will loudly complain when debugging things
@ -0,0 +121,4 @@
{
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
That will only work when the same microvm will be used, which I think we shouldn't do to reduce attack surface
@ -0,0 +145,4 @@
virtualisation = {
podman.enable = true;
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
That is already done https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/podman/default.nix#L12
@ -0,0 +147,4 @@
podman.enable = true;
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
containers = {
containersConf.settings.containers.dns_servers = [ "1.1.1.1" "5.5.5.5" ];
Is 5.5.5.5 a valid DNS server? Why not use networking.nameservers?
@ -0,0 +228,4 @@
tokenFile = "/var/lib/gitea-registration/gitea-runner-${iname}-token";
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = if useKvm then
We should deduplicate the code here
@ -0,0 +229,4 @@
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = if useKvm then
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser"
As long as we have https://gitea.c3d2.de/c3d2-admins/secrets we can't mount the nix store
Pull request closed