add gitea-actions-runner module #135
Loading…
Reference in New Issue
No description provided.
Delete Branch "gitea-actions-runner"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Where is the network separation done?
@ -0,0 +1,245 @@{ config, pkgs, lib, ... }:letcfg = config.services.gitea-actions;useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;can be removed and replaced by config.boot.zfs.enabled
@ -0,0 +2,4 @@letcfg = config.services.gitea-actions;useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;use: lib.any (x: x == kvm-amd" || x == "kvm-intel") config.boot.kernelParams
@ -0,0 +3,4 @@cfg = config.services.gitea-actions;useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;storeDeps = pkgs.runCommand "store-deps" { } ''Why not use buildEnv or buildFHS?
@ -0,0 +32,4 @@services.gitea-actions = {enable = lib.mkEnableOption "gitea-actions";numInstances = lib.mkOption {type = lib.types.int;use types.ints.unsigned
@ -0,0 +43,4 @@description = "List of packages to symlink into the container";};extraPodmanPackages = lib.mkOption {We don't need that option, we can just set virtualisation.podman.extraPackages
@ -0,0 +58,4 @@after = [ "podman.service" ];requires = [ "podman.service" ];script = ''set -eux -o pipefailWe don't want set -x here
@ -0,0 +66,4 @@groupid=$(cut -d: -f3 < <(getent group nixuser))userid=$(cut -d: -f3 < <(getent passwd nixuser))groupadd --prefix $(pwd) --gid "$groupid" nixuseremptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'We should use yescrypt here
$y$@ -0,0 +70,4 @@useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixusercat <<NIX_CONFIG > etc/nix/nix.confaccept-flake-config = trueWe don't really want to accept any substituter
@ -0,0 +109,4 @@};users = {groups.nixuser = { };That name is confusingly named, we should use something that contains actions
@ -0,0 +113,4 @@users.nixuser = {group = "nixuser";description = "Used for running nix ci jobs";home = "/var/empty";We should use something in /run/something/or/so instead otherwise some tools will loudly complain when debugging things
@ -0,0 +121,4 @@{systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {wantedBy = [ "multi-user.target" ];after = [ "gitea.service" ];That will only work when the same microvm will be used, which I think we shouldn't do to reduce attack surface
@ -0,0 +145,4 @@virtualisation = {podman.enable = true;podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;That is already done https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/podman/default.nix#L12
@ -0,0 +147,4 @@podman.enable = true;podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;containers = {containersConf.settings.containers.dns_servers = [ "1.1.1.1" "5.5.5.5" ];5.5.5.5 is a valid dns server? Why not use networking.nameservers?
@ -0,0 +228,4 @@tokenFile = "/var/lib/gitea-registration/gitea-runner-${iname}-token";labels = [ "nix:docker://gitea-runner-nix" ];settings.container = {options = if useKvm thenWe should deduplicate the code here
@ -0,0 +229,4 @@labels = [ "nix:docker://gitea-runner-nix" ];settings.container = {options = if useKvm then"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser"As long as we have https://gitea.c3d2.de/c3d2-admins/secrets we can't mount the nix store
3333c96b6dtofa6d9b4fe2WIP: add gitea-actions-runner moduleto add gitea-actions-runner modulefa6d9b4fe2toe05e695bd8e05e695bd8to837c41a2aeStep 1:
From your project repository, check out a new branch and test the changes.Step 2:
Merge the changes and update on Gitea.