commit e94f37d45cb1cd7a7b2aa890015de5252e56cc9a Author: Joseph Hanson Date: Tue May 14 12:03:36 2024 -0500 Forgejo CI Runners
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..a094d01
--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..a1a786e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+result*
+/secrets
+age.key
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..90f316c
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+---
+# config files for sops & used for encrypting keys that sops-nix decrypts.
+# each machine key is derieved from its generated `ssh_hosts_ed` file
+# via ssh-to-age
+# sops encrypts the secrets ready to decrypt with the private key of any of the below machines
+# OR my 'main' key thats kept outside this repo securely.
+
+# key-per-machine is a little more secure and a little more work than
+# copying one key to each machine
+
+keys:
+ - users:
+ - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+ - hosts:
+ - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+
+
+creation_rules:
+ - path_regex: .*\.sops\.yaml$
+ key_groups:
+ - age:
+ - *jahanson
+ - *durincore
\ No newline at end of file
diff --git a/agents/linux.nix b/agents/linux.nix
new file mode 100644
index 0000000..6df48c7
--- /dev/null
+++ b/agents/linux.nix
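Review bot: The header comment in `.sops.yaml` has two typos that make it harder to read (`derieved` should be `derived`, `thats` should be `that's`), and the file is committed without a trailing newline. The comment block is also the right place to say what the single `key_groups` entry under `creation_rules` means in practice: both recipients sit in one group, so either key alone decrypts every file matching `.*\.sops\.yaml$`, and any change to the recipient list only takes effect on already-encrypted files after re-encrypting them. Suggested addition below the existing notes: `# both recipients are in one key group: either key alone decrypts; run 'sops updatekeys' on existing files after editing this list`.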
@@ -0,0 +1,80 @@
+{ pkgs, config, lib, ... }:
+
+let
+in {
+ environment.systemPackages = with pkgs; [
+ vim
+ # zig broken on darwin
+ #ncdu
+ git
+ tmux
+ cachix
+ direnv
+ ];
+
+ sops.secrets."forgejo-runner-token" = {
+ # configure secret for forwarding rules
+ sopsFile = ./secrets.sops.yaml;
+ mode = "0444";
+ };
+
+
+ virtualisation.docker.enable = true;
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "monolith";
+ url = "https://git.hsn.dev";
+ # Obtaining the path to the runner token file may differ
+ tokenFile = config.sops.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ ## optionally provide native execution on the host:
+ # "native:host"
+ ];
+ };
+ };
+ system.stateVersion = "24.05";
+}
+
+# extraPackages = with pkgs; [
+# # custom
+# cachix
+# tmate
+# jq
+# # nixos
+# docker
+# openssh
+# coreutils-full
+# bashInteractive # bash with ncurses support
+# bzip2
+# cpio
+# curl
+# diffutils
+# findutils
+# gawk
+# stdenv.cc.libc
+# getent
+# getconf
+# gnugrep
+# gnupatch
+# gnused
+# gnutar
+# gzip
+# xz
+# less
+# ncurses
+# netcat
+# mkpasswd
+# procps
+# time
+# zstd
+# util-linux
+# which
+# nixos-rebuild
+# ];
\ No newline at end of file
diff --git a/agents/secrets.sops.yaml b/agents/secrets.sops.yaml
new file mode 100644
index 0000000..eca7d95
--- /dev/null
+++ b/agents/secrets.sops.yaml
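Review bot: `mode = "0444"` on `sops.secrets."forgejo-runner-token"` makes the runner registration token readable by every local user on the host, and the comment above it (`# configure secret for forwarding rules`) reads as pasted from an unrelated module. If the NixOS `services.gitea-actions-runner` module hands `tokenFile` to systemd as an `EnvironmentFile=` (which systemd reads before the service drops privileges), sops-nix's default root-only permissions are enough and `mode = "0400";` should work; in that case the module also expects the file to contain `TOKEN=<value>` rather than a bare token, so the plaintext format is worth confirming against the module before relying on registration succeeding. A comment that states the consumer would replace the stale one: `# registration token read via services.gitea-actions-runner.instances.default.tokenFile`. Separately, the `docker://node:16-*` images behind all four labels are end-of-life Node releases that will stop receiving fixes, and the empty `let in` plus the `# zig broken on darwin` comment in a Linux-only module are leftovers.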
@@ -0,0 +1,32 @@
+forgejo-runner-token: ENC[AES256_GCM,data:q/K34xSOcqauWTz/WgbfGLWNXuOcL10yghV90uvjc1hpBjDVOCGnSg==,iv:OHuHGPx2HMqKdrQIs8nup7E1D352U8fq/jz5dHGtemM=,tag:kZAxNfhOaftdIGNjeDmhaw==,type:str]
+cachix:
+ auth_token: ENC[AES256_GCM,data:h8xnfojQf+bxUDiUGx1gmGN9xj3QyqrU8kURtjrgJOWTDvg2t3osBkl9j4kUiT9gNyChA2TIUP8RKrHL/Bz8pxQuKLu337taJcj0ept2ksx0D7iMGk6chjez9Xiy+iF9cXqFgglmTHehtiR90BY1f1AFKAe241atpVyKXOdTzl61isANb0KdT6H1Iqyq+AanPO5FIAE=,iv:zVcp3zqmXYU2srHBI6FBzQZKAWu1kBp0zp3szsLhPrQ=,tag:bM3+WnhDXf6wlHT1w7rKLQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpyVy9ETldIalAvY2Yy
+ SzQzTzBYQVRiUklsUFU5dUtHdXUvbkhjcVVFCkhKSkZLRmN5MzZFQUdiYlN0RWdF
+ bWhadC9DOTExNk5PMkM3OGhmZ3ovNk0KLS0tICtIVjFMdEo4M1ZPRG5XRDFodEps
+ SHgzM29SNklYQ2NyWXY2K0xOQWUwUGcKfTaZ4MPjq1XicLcNigcYTB0fWGOSre07
+ DVh8UHbykCAZBFutF3ATC/ssYUTfMriG4xkI9Hrn04pEvlf52AgD+g==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R2x1emhYOCtXTnhwcTRD
+ TjJjQmNkMG40Y0YxNFJzQ01uYzJNb3d3SmhVCkx5cmRiWDk2TWY4bDE3clpMM0hM
+ RGYyRVZ1cFdYZUxycWNQS2J3am5IVlUKLS0tIFNuMklpZGJRY2lMRjhWNU8rcWxG
+ SEdEMHdpcUlROVFhNkVzVHNJOHdvdFUKGNZo/gsmqQLc1xtwoMGA2Gy2yL1U/5DJ
+ Ltqz8nRTteaSayhS2dxGqkRM0QKEqz/MhPno6mcfMXaRCZLxisQzww==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-05-14T16:14:00Z"
+ mac: ENC[AES256_GCM,data:GATqt5ftIkdZ4jtlrgwmD4pSm0CSdsMkTOZP2E3gqC2kdqbVveseQgOWe/o7gvtn4VkQMWeJSL9Q9xxtCTH3VPSX415BgANeUJfZ8sfH1WJjSPUOKTRzN6VRXWceO4C8yd9PCHMYYhrVw0wd3h+bJEhh6G4Yq9J1lRQ8WKAxdzE=,iv:ehwPu7qGaPoQeQQ9KpX1AXLJsdmyLSMdSFJ8EtGj9P8=,tag:cRr+KGtbePlc/cRYBXsRAQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
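Review bot: `cachix.auth_token` is encrypted into this file but nothing in the commit consumes it — `agents/linux.nix` declares only `sops.secrets."forgejo-runner-token"` — so the value is carried in the repo without a reader. Either add the matching `sops.secrets` declaration (with `key = "cachix/auth_token"`) in the module that needs it, or remove the entry so the set of secrets in the file stays equal to the set actually deployed; an unused encrypted credential is easy to forget when rotating.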
diff --git a/disko-hetzner-cloud.nix b/disko-hetzner-cloud.nix
new file mode 100644
index 0000000..5a01c02
--- /dev/null
+++ b/disko-hetzner-cloud.nix
@@ -0,0 +1,32 @@
+{ disks ? [ "/dev/vdb" ], ... }: {
+ disko.devices = {
+ disk = {
+ vdb = {
+ device = builtins.elemAt disks 0;
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ type = "EF00";
+ size = "1000M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..8cacd64
--- /dev/null
+++ b/flake.lock
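Review bot: The disk attribute is hard-coded as `vdb` while the actual device comes from the `disks` parameter — `flake.nix` passes `[ "/dev/sda" ]` — so the name describes the default rather than what is provisioned; a neutral name such as `main = {` keeps the parameterisation honest. The layout also has no swap, which for a small cloud instance running Docker-based CI jobs may well be intentional but is not stated anywhere; a one-line comment above `partitions = {` such as `# no swap partition: relies on instance RAM; add one if runner jobs get OOM-killed` would record the decision.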
@@ -0,0 +1,135 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1715217706, + "narHash": "sha256-yEB5SEHc+o3WJpUPw455OdLy9A+gffvCJX8DZ7NCkuo=", + "owner": "nix-community", + "repo": "disko", + "rev": "8eb1b315eef89f3bdc5c9814d1b207c6d64f0046", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1715037484, + "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable": { + "locked": { + "lastModified": 1715458492, + "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8e47858badee5594292921c2668c11004c3b0142", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "release-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1715534503, + "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2057814051972fa1453ddfb0d98badbea9b83c06", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1715142527, + "narHash": "sha256-8OCDTDZzmkhoJ0HzZd/wkUfdAES9e0Jsp3qb5sM/Jys=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "0efaf283bd6e3b9ecf6e961d2305bf2e1a9f49c9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable-small", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "nixpkgs": "nixpkgs_2", + "sops-nix": "sops-nix", + "srvos": "srvos" + } + }, + 
"sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable" + }, + "locked": { + "lastModified": 1715482972, + "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=", + "owner": "Mic92", + "repo": "sops-nix", + "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e", + "type": "github" + }, + "original": { + "owner": "Mic92", + "repo": "sops-nix", + "type": "github" + } + }, + "srvos": { + "inputs": { + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1715216666, + "narHash": "sha256-0aTe4zSO5t6Wn+gaW5Bwr+84INd7htOdn3sdmE6/uC0=", + "owner": "numtide", + "repo": "srvos", + "rev": "65d83b87b55c9618cf02aa9b9c08ec8adaa08c9d", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "srvos", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..5c0808d --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,57 @@
+{
+ description = "Forgejo CI Runners";
+
+ inputs = {
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+ srvos.url = "github:numtide/srvos";
+ disko.url = "github:nix-community/disko";
+ # sops-nix - secrets with mozilla sops
+ # https://github.com/Mic92/sops-nix
+ sops-nix = {
+ url = "github:Mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ nixConfig = {
+ extra-substituters = [
+ "https://nix-community.cachix.org"
+ "https://hsndev.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
+ ];
+ };
+
+ outputs = { self, sops-nix, nixpkgs, srvos, disko, ... }@inputs:
+ let
+ linuxMachineName = "linux";
+ sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w";
+ lib = nixpkgs.lib;
+ inherit (self) outputs;
+ in {
+ nixosConfigurations =
+ {
+ "aarch64-linux" = lib.nixosSystem {
+ system = "aarch64-linux";
+ specialArgs = {inherit inputs outputs;};
+ modules = [
+ inputs.sops-nix.nixosModules.sops
+ srvos.nixosModules.hardware-hetzner-cloud
+ srvos.nixosModules.server
+ srvos.nixosModules.mixins-systemd-boot
+ disko.nixosModules.disko
+ ./agents/linux.nix
+ (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
+ {
+ boot.loader.efi.canTouchEfiVariables = true;
+ networking.hostName = "aarch64-linux";
+ users.users.root.openssh.authorizedKeys.keys = [ sshPubKey ];
+ services.openssh.enable = true;
+ services.openssh.settings.PermitRootLogin = "without-password";
+ }];
+ };
+ };
+ };
+}
diff --git a/renovate.json b/renovate.json
new file mode 100644
index 0000000..9a2cd66
--- /dev/null
+++ b/renovate.json
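Review bot: `services.openssh.settings.PermitRootLogin = "without-password"` uses the spelling that OpenSSH documents as a deprecated alias; `prohibit-password` is the current name with the same meaning (key-only root login), so `services.openssh.settings.PermitRootLogin = "prohibit-password";` avoids relying on the alias surviving future releases. The `linuxMachineName = "linux"` binding in the `let` is never used, while both the `nixosConfigurations` attribute and `networking.hostName` are hard-coded to `"aarch64-linux"`, which names the architecture rather than the host; either use the binding for the hostname or drop it so the two do not drift. The `sops-nix` input is already bound by the `outputs` pattern, so the module list could reference `sops-nix.nixosModules.sops` like the other inputs instead of `inputs.sops-nix.nixosModules.sops`, which is a style inconsistency only.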
@@ -0,0 +1,16 @@
+{
+ "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+ "extends": [
+ "config:base"
+ ],
+ "nix": {
+ "enabled": true
+ },
+ "schedule": [
+ "every weekend"
+ ],
+ "lockFileMaintenance": {
+ "enabled": true
+ }
+}
+
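Review bot: `config:base` is the preset Renovate has superseded by `config:recommended`; it still resolves but produces a deprecation notice on every run, and `"config:recommended"` is the drop-in replacement. With `nix.enabled` and `lockFileMaintenance` both on, the weekend schedule will refresh every `flake.lock` input including `nixpkgs` for a host that runs CI jobs, which is presumably the intent but is not recorded anywhere; Renovate accepts a top-level `"description"` field for exactly this, e.g. `"description": "weekend flake.lock refresh for the runner host; all inputs move together"`.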