add gitea-actions-runner module #135

dennis wants to merge 0 commits from gitea-actions-runner into master
No description provided.
sandro reviewed 2024-04-10 20:30:33 +02:00
sandro left a comment
Member

Where is the network separation done?

Where is the network separation done?
@ -0,0 +1,245 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;

can be removed and replaced by config.boot.zfs.enabled

can be removed and replaced by config.boot.zfs.enabled
dennis marked this conversation as resolved
@ -0,0 +2,4 @@
let
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
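Review bot: The `useKvm` detection on the last line of the hunk scans `config.boot.kernelParams`, which holds kernel command-line arguments, while `kvm-amd` and `kvm-intel` are module names that a NixOS host would normally list in `boot.kernelModules`; on such a host this expression is likely to evaluate to false even though `/dev/kvm` exists, so the value should be confirmed against the actual host configuration. Because this flag later decides whether `/dev/kvm` is passed into the job container, silently guessing wrong in either direction is worse than an explicit switch; an option such as `enableKvm = lib.mkEnableOption "passing /dev/kvm into runner containers";` would make the decision visible to whoever deploys the module. The `let` block this binding belongs to continues past the hunk.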

use: lib.any (x: x == "kvm-amd" || x == "kvm-intel") config.boot.kernelParams

use: lib.any (x: x == "kvm-amd" || x == "kvm-intel") config.boot.kernelParams
dennis marked this conversation as resolved
@ -0,0 +3,4 @@
cfg = config.services.gitea-actions;
useZfs = builtins.hasAttr "zfs" config.boot.supportedFilesystems && config.boot.supportedFilesystems.zfs;
useKvm = builtins.elem "kvm-amd" config.boot.kernelParams || builtins.elem "kvm-intel" config.boot.kernelParams;
storeDeps = pkgs.runCommand "store-deps" { } ''

Why not use buildEnv or buildFHS?

Why not use buildEnv or buildFHS?
dennis marked this conversation as resolved
@ -0,0 +32,4 @@
services.gitea-actions = {
enable = lib.mkEnableOption "gitea-actions";
numInstances = lib.mkOption {
type = lib.types.int;

use types.ints.unsigned

use types.ints.unsigned
dennis marked this conversation as resolved
@ -0,0 +43,4 @@
description = "List of packages to symlink into the container";
};
extraPodmanPackages = lib.mkOption {

We don't need that option, we can just set virtualisation.podman.extraPackages

We don't need that option, we can just set virtualisation.podman.extraPackages
dennis marked this conversation as resolved
@ -0,0 +58,4 @@
after = [ "podman.service" ];
requires = [ "podman.service" ];
script = ''
set -eux -o pipefail

We don't want set -x here

We don't want set -x here
dennis marked this conversation as resolved
@ -0,0 +66,4 @@
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
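Review bot: `--prefix $(pwd)` is unquoted on the `groupadd` line (and on the `useradd` line in the following hunk), so a working directory containing whitespace word-splits into extra arguments and the `--prefix` target is silently wrong; write `groupadd --prefix "$(pwd)" --gid "$groupid" nixuser` and quote the `useradd` call the same way. The variable name on the last line indicates the hash is for an empty password; if nothing inside the container needs to authenticate as this user, passing a locked field such as `-p '!'` (or omitting `-p`, which useradd treats as locked on common distributions — worth confirming for the image in use) removes the empty-password login path entirely, independent of which hash algorithm is chosen. The shell script this belongs to continues outside the hunk.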

We should use yescrypt here $y$

We should use yescrypt here `$y$`
dennis marked this conversation as resolved
@ -0,0 +70,4 @@
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true

We don't really want to accept any substituter

We don't really want to accept any substituter
dennis marked this conversation as resolved
@ -0,0 +109,4 @@
};
users = {
groups.nixuser = { };

That name is confusingly named, we should use something that contains actions

That name is confusingly named, we should use something that contains actions
dennis marked this conversation as resolved
@ -0,0 +113,4 @@
users.nixuser = {
group = "nixuser";
description = "Used for running nix ci jobs";
home = "/var/empty";

We should use something in /run/something/or/so instead otherwise some tools will loudly complain when debugging things

We should use something in /run/something/or/so instead otherwise some tools will loudly complain when debugging things
dennis marked this conversation as resolved
@ -0,0 +121,4 @@
{
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") cfg.numInstances) (name: {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];

That will only work when the same microvm will be used, which I think we shouldn't do to reduce attack surface

That will only work when the same microvm will be used, which I think we shouldn't do to reduce attack surface
dennis marked this conversation as resolved
@ -0,0 +145,4 @@
virtualisation = {
podman.enable = true;
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
That is already done https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/podman/default.nix#L12
dennis marked this conversation as resolved
@ -0,0 +147,4 @@
podman.enable = true;
podman.extraPackages = (lib.optional useZfs pkgs.zfs) ++ cfg.extraPodmanPackages;
containers = {
containersConf.settings.containers.dns_servers = [ "1.1.1.1" "5.5.5.5" ];

5.5.5.5 is a valid dns server? Why not use networking.nameservers?

5.5.5.5 is a valid dns server? Why not use networking.nameservers?
dennis marked this conversation as resolved
@ -0,0 +228,4 @@
tokenFile = "/var/lib/gitea-registration/gitea-runner-${iname}-token";
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = if useKvm then

We should deduplicate the code here

We should deduplicate the code here
dennis marked this conversation as resolved
@ -0,0 +229,4 @@
labels = [ "nix:docker://gitea-runner-nix" ];
settings.container = {
options = if useKvm then
"-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser"

As long as we have https://gitea.c3d2.de/c3d2-admins/secrets we can't mount the nix store

As long as we have https://gitea.c3d2.de/c3d2-admins/secrets we can't mount the nix store
dennis marked this conversation as resolved
dennis force-pushed gitea-actions-runner from 3333c96b6d to fa6d9b4fe2 2024-04-10 21:12:47 +02:00 Compare
dennis changed title from WIP: add gitea-actions-runner module to add gitea-actions-runner module 2024-04-10 21:13:32 +02:00
dennis force-pushed gitea-actions-runner from fa6d9b4fe2 to e05e695bd8 2024-04-10 22:56:07 +02:00 Compare
dennis force-pushed gitea-actions-runner from e05e695bd8 to 837c41a2ae 2024-04-12 21:59:13 +02:00 Compare
sandro closed this pull request 2024-08-05 01:14:49 +02:00

Reference: c3d2/nix-config#135