Forgejo CI Runners

This commit is contained in:
Joseph Hanson 2024-05-14 12:03:36 -05:00
commit e94f37d45c
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
9 changed files with 379 additions and 0 deletions

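--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"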

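--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+result*
+/secrets
+age.key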

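--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+---
+# config files for sops & used for encrypting keys that sops-nix decrypts.
+# each machine key is derieved from its generated `ssh_hosts_ed` file
+# via ssh-to-age
+# sops encrypts the secrets ready to decrypt with the private key of any of the below machines
+# OR my 'main' key thats kept outside this repo securely.
+# key-per-machine is a little more secure and a little more work than
+# copying one key to each machine
+keys:
+- users:
+- &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+- hosts:
+- &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+creation_rules:
+- path_regex: .*\.sops\.yaml$
+key_groups:
+- age:
+- *jahanson
+- *durincore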
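Review bot: The comment block above `keys:` says the fallback 'main' key is kept outside the repo, but `.envrc` in the same commit points `SOPS_AGE_KEY_FILE` at `./age.key` inside the working tree, so the only thing keeping that private key out of history is the `age.key` entry in `.gitignore`; the comment should say so, e.g. `# OR my 'main' age key, kept at ./age.key (git-ignored, see .envrc) and never committed`. The same comment has `derieved` for `derived` and `thats` for `that's`, and `ssh_hosts_ed` is not a file name — name the host key that is actually fed to ssh-to-age (presumably the ed25519 host key under /etc/ssh). Note also that `path_regex: .*\.sops\.yaml$` matches this config file's own name as well as `agents/secrets.sops.yaml`; that is harmless unless someone runs sops on `.sops.yaml` itself, but a tighter pattern such as `secrets\.sops\.yaml$` removes the surprise.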

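--- a/agents/linux.nix
+++ b/agents/linux.nix
@@ -0,0 +1,80 @@
+{ pkgs, config, lib, ... }:
+let
+in {
+environment.systemPackages = with pkgs; [
+vim
+# zig broken on darwin
+#ncdu
+git
+tmux
+cachix
+direnv
+];
+sops.secrets."forgejo-runner-token" = {
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+mode = "0444";
+};
+virtualisation.docker.enable = true;
+services.gitea-actions-runner = {
+package = pkgs.forgejo-actions-runner;
+instances.default = {
+enable = true;
+name = "monolith";
+url = "https://git.hsn.dev";
+# Obtaining the path to the runner token file may differ
+tokenFile = config.sops.secrets.forgejo-runner-token.path;
+labels = [
+"ubuntu-latest:docker://node:16-bullseye"
+"ubuntu-22.04:docker://node:16-bullseye"
+"ubuntu-20.04:docker://node:16-bullseye"
+"ubuntu-18.04:docker://node:16-buster"
+## optionally provide native execution on the host:
+# "native:host"
+];
+};
+};
+system.stateVersion = "24.05";
+}
+# extraPackages = with pkgs; [
+# # custom
+# cachix
+# tmate
+# jq
+# # nixos
+# docker
+# openssh
+# coreutils-full
+# bashInteractive # bash with ncurses support
+# bzip2
+# cpio
+# curl
+# diffutils
+# findutils
+# gawk
+# stdenv.cc.libc
+# getent
+# getconf
+# gnugrep
+# gnupatch
+# gnused
+# gnutar
+# gzip
+# xz
+# less
+# ncurses
+# netcat
+# mkpasswd
+# procps
+# time
+# zstd
+# util-linux
+# which
+# nixos-rebuild
+# ];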
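Review bot: `mode = "0444"` on `sops.secrets."forgejo-runner-token"` leaves the decrypted runner token readable by every local user and process on the host, and the comment above it (`# configure secret for forwarding rules`) describes something else entirely. If the NixOS gitea-actions-runner module hands `tokenFile` to systemd as an environment file (read by the service manager before privileges drop — confirm against the module), the sops-nix default of root-only `0400` is sufficient and the override can be dropped; if a specific service user must read it, set `owner` instead of widening the mode, and replace the comment with `# Forgejo runner registration token; consumed via tokenFile below`. The `labels` also map every job to mutable `node:16-*` tags, a Node release that is past end-of-life, so jobs run on an unmaintained image and the tag can change underneath the runner — pin by digest or move to a supported base image. Finally, the commented `extraPackages` list sits after the module's closing `}` and the `let in` is empty; move the list inside the instance (or delete it) so it can be enabled without a restructure.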

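--- a/agents/secrets.sops.yaml
+++ b/agents/secrets.sops.yaml
@@ -0,0 +1,32 @@
+forgejo-runner-token: ENC[AES256_GCM,data:q/K34xSOcqauWTz/WgbfGLWNXuOcL10yghV90uvjc1hpBjDVOCGnSg==,iv:OHuHGPx2HMqKdrQIs8nup7E1D352U8fq/jz5dHGtemM=,tag:kZAxNfhOaftdIGNjeDmhaw==,type:str]
+cachix:
+auth_token: ENC[AES256_GCM,data:h8xnfojQf+bxUDiUGx1gmGN9xj3QyqrU8kURtjrgJOWTDvg2t3osBkl9j4kUiT9gNyChA2TIUP8RKrHL/Bz8pxQuKLu337taJcj0ept2ksx0D7iMGk6chjez9Xiy+iF9cXqFgglmTHehtiR90BY1f1AFKAe241atpVyKXOdTzl61isANb0KdT6H1Iqyq+AanPO5FIAE=,iv:zVcp3zqmXYU2srHBI6FBzQZKAWu1kBp0zp3szsLhPrQ=,tag:bM3+WnhDXf6wlHT1w7rKLQ==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpyVy9ETldIalAvY2Yy
+SzQzTzBYQVRiUklsUFU5dUtHdXUvbkhjcVVFCkhKSkZLRmN5MzZFQUdiYlN0RWdF
+bWhadC9DOTExNk5PMkM3OGhmZ3ovNk0KLS0tICtIVjFMdEo4M1ZPRG5XRDFodEps
+SHgzM29SNklYQ2NyWXY2K0xOQWUwUGcKfTaZ4MPjq1XicLcNigcYTB0fWGOSre07
+DVh8UHbykCAZBFutF3ATC/ssYUTfMriG4xkI9Hrn04pEvlf52AgD+g==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R2x1emhYOCtXTnhwcTRD
+TjJjQmNkMG40Y0YxNFJzQ01uYzJNb3d3SmhVCkx5cmRiWDk2TWY4bDE3clpMM0hM
+RGYyRVZ1cFdYZUxycWNQS2J3am5IVlUKLS0tIFNuMklpZGJRY2lMRjhWNU8rcWxG
+SEdEMHdpcUlROVFhNkVzVHNJOHdvdFUKGNZo/gsmqQLc1xtwoMGA2Gy2yL1U/5DJ
+Ltqz8nRTteaSayhS2dxGqkRM0QKEqz/MhPno6mcfMXaRCZLxisQzww==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-05-14T16:14:00Z"
+mac: ENC[AES256_GCM,data:GATqt5ftIkdZ4jtlrgwmD4pSm0CSdsMkTOZP2E3gqC2kdqbVveseQgOWe/o7gvtn4VkQMWeJSL9Q9xxtCTH3VPSX415BgANeUJfZ8sfH1WJjSPUOKTRzN6VRXWceO4C8yd9PCHMYYhrVw0wd3h+bJEhh6G4Yq9J1lRQ8WKAxdzE=,iv:ehwPu7qGaPoQeQQ9KpX1AXLJsdmyLSMdSFJ8EtGj9P8=,tag:cRr+KGtbePlc/cRYBXsRAQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.8.1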
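Review bot: `cachix.auth_token` is encrypted to the same two recipients as the runner token, but nothing in `agents/linux.nix` declares a `sops.secrets` entry for it, so it is unused on the host while anyone holding the `durincore` host key (i.e. root on the runner) can still decrypt it from this file. Either wire it up or keep it in a separate sops file whose recipients are only the parties that need it, so a compromised runner does not also yield the cachix token. This is inferred from the hunk alone — the consumer may arrive in a later commit.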

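--- a/disko-hetzner-cloud.nix
+++ b/disko-hetzner-cloud.nix
@@ -0,0 +1,32 @@
+{ disks ? [ "/dev/vdb" ], ... }: {
+disko.devices = {
+disk = {
+vdb = {
+device = builtins.elemAt disks 0;
+type = "disk";
+content = {
+type = "gpt";
+partitions = {
+ESP = {
+type = "EF00";
+size = "1000M";
+content = {
+type = "filesystem";
+format = "vfat";
+mountpoint = "/boot";
+};
+};
+root = {
+size = "100%";
+content = {
+type = "filesystem";
+format = "ext4";
+mountpoint = "/";
+};
+};
+};
+};
+};
+};
+};
+}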
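Review bot: The disk attribute is named `vdb` and the module default is `/dev/vdb`, but `flake.nix` imports this file with `disks = [ "/dev/sda" ]`, so the attribute name no longer describes the device it configures; a device-neutral name such as `main = { device = builtins.elemAt disks 0; ... }` reads correctly for either caller. A header comment would also help a reader placing this file, e.g. `# Single-disk GPT layout for Hetzner Cloud: 1000M ESP mounted at /boot, remainder ext4 at /; the device path is supplied by the caller (see flake.nix).`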

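--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,135 @@
+{
+"nodes": {
+"disko": {
+"inputs": {
+"nixpkgs": "nixpkgs"
+},
+"locked": {
+"lastModified": 1715217706,
+"narHash": "sha256-yEB5SEHc+o3WJpUPw455OdLy9A+gffvCJX8DZ7NCkuo=",
+"owner": "nix-community",
+"repo": "disko",
+"rev": "8eb1b315eef89f3bdc5c9814d1b207c6d64f0046",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "disko",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1715037484,
+"narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixpkgs-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs-stable": {
+"locked": {
+"lastModified": 1715458492,
+"narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "8e47858badee5594292921c2668c11004c3b0142",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "release-23.11",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1715534503,
+"narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_3": {
+"locked": {
+"lastModified": 1715142527,
+"narHash": "sha256-8OCDTDZzmkhoJ0HzZd/wkUfdAES9e0Jsp3qb5sM/Jys=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "0efaf283bd6e3b9ecf6e961d2305bf2e1a9f49c9",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable-small",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"disko": "disko",
+"nixpkgs": "nixpkgs_2",
+"sops-nix": "sops-nix",
+"srvos": "srvos"
+}
+},
+"sops-nix": {
+"inputs": {
+"nixpkgs": [
+"nixpkgs"
+],
+"nixpkgs-stable": "nixpkgs-stable"
+},
+"locked": {
+"lastModified": 1715482972,
+"narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+"owner": "Mic92",
+"repo": "sops-nix",
+"rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+"type": "github"
+},
+"original": {
+"owner": "Mic92",
+"repo": "sops-nix",
+"type": "github"
+}
+},
+"srvos": {
+"inputs": {
+"nixpkgs": "nixpkgs_3"
+},
+"locked": {
+"lastModified": 1715216666,
+"narHash": "sha256-0aTe4zSO5t6Wn+gaW5Bwr+84INd7htOdn3sdmE6/uC0=",
+"owner": "numtide",
+"repo": "srvos",
+"rev": "65d83b87b55c9618cf02aa9b9c08ec8adaa08c9d",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "srvos",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}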

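--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,57 @@
+{
+description = "Forgejo CI Runners";
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+srvos.url = "github:numtide/srvos";
+disko.url = "github:nix-community/disko";
+# sops-nix - secrets with mozilla sops
+# https://github.com/Mic92/sops-nix
+sops-nix = {
+url = "github:Mic92/sops-nix";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+nixConfig = {
+extra-substituters = [
+"https://nix-community.cachix.org"
+"https://hsndev.cachix.org"
+];
+extra-trusted-public-keys = [
+"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+"hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
+];
+};
+outputs = { self, sops-nix, nixpkgs, srvos, disko, ... }@inputs:
+let
+linuxMachineName = "linux";
+sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w";
+lib = nixpkgs.lib;
+inherit (self) outputs;
+in {
+nixosConfigurations =
+{
+"aarch64-linux" = lib.nixosSystem {
+system = "aarch64-linux";
+specialArgs = {inherit inputs outputs;};
+modules = [
+inputs.sops-nix.nixosModules.sops
+srvos.nixosModules.hardware-hetzner-cloud
+srvos.nixosModules.server
+srvos.nixosModules.mixins-systemd-boot
+disko.nixosModules.disko
+./agents/linux.nix
+(import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
+{
+boot.loader.efi.canTouchEfiVariables = true;
+networking.hostName = "aarch64-linux";
+users.users.root.openssh.authorizedKeys.keys = [ sshPubKey ];
+services.openssh.enable = true;
+services.openssh.settings.PermitRootLogin = "without-password";
+}];
+};
+};
+};
+}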
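Review bot: `services.openssh.settings.PermitRootLogin = "without-password"` uses the deprecated spelling of this sshd option; the current name for key-only root login is `prohibit-password`, and a comment should record that root login is deliberately kept open for the deploy key in `sshPubKey`. The machine is also referred to by three different names in this commit — `networking.hostName = "aarch64-linux"` (an architecture, not a host), the runner `name = "monolith"` in `agents/linux.nix`, and the `durincore` host key in `.sops.yaml` — which will make it hard to tell whose host key must decrypt the secrets; pick one and reuse it for the hostname and the `nixosConfigurations` attribute. The local `linuxMachineName = "linux"` is never used and can be removed, or used as that shared name if that was the intent.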

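--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,16 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"config:base"
+],
+"nix": {
+"enabled": true
+},
+"schedule": [
+"every weekend"
+],
+"lockFileMaintenance": {
+"enabled": true
+}
+}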
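Review bot: `"config:base"` is the deprecated name of Renovate's `config:recommended` preset, so `"extends": ["config:recommended"]` is the current form and avoids the deprecation warning in Renovate's logs. With `nix.enabled` and `lockFileMaintenance` both on, `flake.lock` refreshes will also be proposed on the weekend schedule; that is reasonable for a single-host runner but worth a sentence in the repository README, since JSON leaves no room for a comment here.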