jahanson/forgejo-ci-runners
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

overhauled build, import, deploy, and bootstrap scripts and added tailscale.

Browse source
This commit is contained in:
Joseph Hanson 2025-01-01 23:33:39 -06:00
parent 949c01f0cc
commit 50fd9928b2
9 changed files with 111 additions and 81 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

85
mise-tasks/bootstrap_instance.sh Executable file
View file

@ -0,0 +1,85 @@
#!/usr/bin/env bash
# Prerequisites:
# 1password vault created with a single item in it with the property 'runner_token'.
# Define the vault and item used.
# Usage: ./bootstrap_instace.sh <incus vm instance name>
set -euo pipefail
# Check if instance name is provided
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <instance-name>" >&2
exit 1
fi
INCUS_INSTANCE="$1" # Use the provided instance name
# Set variables
INCUS_PATH="/var/lib/gitea-runner/default/tokenfile"
# Check if OP_SESSION environment variable exists, if not, sign in
if [ -z "${OP_SESSION:-}" ]; then
echo "Not logged in to 1Password CLI. Attempting to sign in..."
if ! eval "$(op signin)"; then
echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
exit 1
fi
fi
# Retrieve both tokens from 1Password
RUNNER_TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
TAILSCALE_KEY=$(op read "op://forgejo-runner/tailscale/client_secret")
if [ -z "$RUNNER_TOKEN" ]; then
echo "Failed to retrieve runner token from 1Password" >&2
exit 1
fi
if [ -z "$TAILSCALE_KEY" ]; then
echo "Failed to retrieve Tailscale auth key from 1Password" >&2
exit 1
fi
# Function to configure runner token with retries
push_and_check_token() {
local retries=5
local count=0
while [ $count -lt $retries ]; do
echo "Attempt $((count+1)) of $retries: Configuring runner token..."
if incus exec "$INCUS_INSTANCE" -- sh -c "echo 'TOKEN=$RUNNER_TOKEN' > '$INCUS_PATH'"; then
if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
echo "Runner token file successfully verified in Incus instance."
return 0
fi
fi
((count++))
echo "File not found or configuration failed. Retrying in 5 seconds..."
sleep 5
done
echo "Failed to configure and verify runner token after $retries attempts." >&2
return 1
}
# Configure runner token and Tailscale
if push_and_check_token; then
echo "Runner token successfully configured in instance $INCUS_INSTANCE"
echo "Configuring Tailscale..."
TAILSCALE_CMD="/run/current-system/sw/bin/tailscale"
TAILSCALE_ARGS=(
"--ssh"
"--auth-key=\"$TAILSCALE_KEY?ephemeral=false&preauthorized=true\""
"--advertise-tags=tag:forgejo-runner"
)
if incus exec "$INCUS_INSTANCE" -- sh -c "$TAILSCALE_CMD up ${TAILSCALE_ARGS[*]}"; then
echo "Tailscale successfully configured"
else
echo "Failed to configure Tailscale" >&2
exit 1
fi
else
echo "Failed to bootstrap $INCUS_INSTANCE" >&2
exit 1
fi
echo "Bootstrapping $INCUS_INSTANCE completed successfully."

10
mise-tasks/build_import.sh
View file

@ -10,19 +10,19 @@ check_command() {
} }
# Build the qemu image and get the path # Build the qemu image and get the path
qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths) qemuImageBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.qemuImage --print-out-paths)
check_command "Building qemu image" check_command "Building qemu image"
# Build the metadata and get the path # Build the metadata and get the path
metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths) metadataBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.metadata --print-out-paths)
check_command "Building metadata" check_command "Building metadata"
# Set the paths for the metadata and qemu image # Set the paths for the metadata and qemu image
MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz" MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz"
QBP="${qemuImageBuildPath}/nixos.qcow2" QIBP="${qemuImageBuildPath}/nixos.qcow2"
# Import the image to Incus and capture the instance name # Import the image to Incus and capture the instance name
incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP" incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QIBP"
check_command "Importing image to Incus" check_command "Importing image to Incus"
echo "Process completed successfully" echo "Importing $1 completed successfully."

5
mise-tasks/launch.sh
View file

@ -6,8 +6,7 @@ INCUS_PROFILE="forgejo-runner"
INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+') INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+')
echo "The captured instance name is: $INSTANCE_NAME" echo "The captured instance name is: $INSTANCE_NAME"
# Call the push_token.sh script with the new instance name # Call the bootstrap_instance.sh script with the new instance name
"$MISE_TASK_DIR"/push_token.sh "$INSTANCE_NAME" "$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME"
echo "Pushing token to instance"
echo "Process completed successfully" echo "Process completed successfully"

73
mise-tasks/push_token.sh
View file

@ -1,73 +0,0 @@
#!/usr/bin/env bash
# Prerequisites:
# 1password vault created with a single item in it with the property 'runner_token'.
# Define the vault and item used.
# Usage: ./push_token.sh <incus vm instance name>
set -euo pipefail
# Check if instance name is provided
if [ "$#" -ne 1 ]; then
echo "Usage: $0 <instance-name>" >&2
exit 1
fi
INCUS_INSTANCE="$1" # Use the provided instance name
# Set variables
TOKEN_FILE="tokenfile" # Name of the temporary file to store the token
INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE"
# Check if OP_SESSION environment variable exists, if not, sign in
if [ -z "${OP_SESSION:-}" ]; then
echo "Not logged in to 1Password CLI. Attempting to sign in..."
if ! eval "$(op signin)"; then
echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
exit 1
fi
fi
# Retrieve the token from 1Password using op:// format
TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
if [ -z "$TOKEN" ]; then
echo "Failed to retrieve token from 1Password" >&2
exit 1
fi
# Create the token file
echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
# Function to push file and check existence with retries
push_and_check_file() {
local retries=5
local count=0
while [ $count -lt $retries ]; do
echo "Attempt $((count+1)) of $retries: Pushing file to Incus instance..."
if incus file push "$TOKEN_FILE" "$INCUS_INSTANCE$INCUS_PATH"; then
if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
echo "File successfully verified in Incus instance."
return 0
fi
fi
((count++))
echo "File not found or push failed. Retrying in 5 seconds..."
sleep 5
done
echo "Failed to push and verify file after $retries attempts." >&2
return 1
}
# Push the file to Incus and verify its existence
if push_and_check_file; then
echo "Token file successfully pushed and verified in Incus instance $INCUS_INSTANCE"
else
echo "Failed to push or verify token file in Incus instance $INCUS_INSTANCE" >&2
rm "$TOKEN_FILE"
exit 1
fi
# Clean up the local token file
rm "$TOKEN_FILE"
echo "Operation completed successfully"

0
profiles/fj-shadowfax-x86_64.nix → profiles/.archive/fj-shadowfax-x86_64.nix
View file

0
profiles/host-qemu.nix → profiles/.archive/host-qemu.nix
View file

0
profiles/hw-shadowfax.nix → profiles/.archive/hw-shadowfax.nix
View file

0
profiles/role-fj-hetzner.nix → profiles/.archive/role-fj-hetzner.nix
View file

19
profiles/role-lxc-vm.nix
View file

@ -8,6 +8,7 @@
# and has the correct permissions. # and has the correct permissions.
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -" "d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -"
"d /var/lib/tailscale 0750 root root -"
]; ];
services.gitea-actions-runner = { services.gitea-actions-runner = {
@ -20,10 +21,28 @@
# `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400` # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400`
tokenFile = "/var/lib/gitea-runner/default/tokenfile"; tokenFile = "/var/lib/gitea-runner/default/tokenfile";
labels = [ labels = [
"docker:docker://node:20-bullseye"
"docker-x86_64:docker://node:20-bullseye" "docker-x86_64:docker://node:20-bullseye"
"ubuntu-x86_64:docker://node:20-bullseye" "ubuntu-x86_64:docker://node:20-bullseye"
"native-x86_64:host" "native-x86_64:host"
]; ];
}; };
}; };
# Enable Tailscale with enhanced configuration
services.tailscale = {
enable = true;
openFirewall = true;
};
# Ensure networking dependencies are properly ordered
# systemd.services.tailscaled = {
# after = [
# "network-pre.target"
# "NetworkManager.service"
# "systemd-resolved.service"
# ];
# wants = [ "network-pre.target" ];
# requires = [ "network-online.target" ];
# };
} }