Forgejo CI Runners

.envrc

@@ -0,0 +1 @@
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"

.gitignore

@@ -0,0 +1,3 @@
+result*
+/secrets
+age.key

.sops.yaml

@@ -0,0 +1,23 @@
+---
+# config files for sops & used for encrypting keys that sops-nix decrypts.
+# each machine key is derieved from its generated `ssh_hosts_ed` file
+# via ssh-to-age
+# sops encrypts the secrets ready to decrypt with the private key of any of the below machines
+# OR my 'main' key thats kept outside this repo securely.
+
+# key-per-machine is a little more secure and a little more work than
+# copying one key to each machine
+
+keys:
+  - users:
+    - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+  - hosts:
+    - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+
+
+creation_rules:
+  - path_regex: .*\.sops\.yaml$
+    key_groups:
+      - age:
+        - *jahanson
+        - *durincore

agents/linux.nix

@@ -0,0 +1,80 @@
+{ pkgs, config, lib, ... }:
+
+let
+in {
+  environment.systemPackages = with pkgs; [ 
+    vim 
+    # zig broken on darwin
+    #ncdu 
+    git
+    tmux 
+    cachix
+    direnv
+  ];
+
+  sops.secrets."forgejo-runner-token" = {
+    # configure secret for forwarding rules
+    sopsFile = ./secrets.sops.yaml;
+    mode = "0444";
+  };
+
+  
+  virtualisation.docker.enable = true;
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.hsn.dev";
+      # Obtaining the path to the runner token file may differ
+      tokenFile = config.sops.secrets.forgejo-runner-token.path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"     
+        ## optionally provide native execution on the host:
+        # "native:host"
+      ];
+    };
+  };
+  system.stateVersion = "24.05";
+}
+
+# extraPackages = with pkgs; [ 
+#   # custom
+#     cachix 
+#     tmate
+#     jq
+#     # nixos
+#     docker
+#     openssh
+#     coreutils-full
+#     bashInteractive # bash with ncurses support
+#     bzip2
+#     cpio
+#     curl
+#     diffutils
+#     findutils
+#     gawk
+#     stdenv.cc.libc
+#     getent
+#     getconf
+#     gnugrep
+#     gnupatch
+#     gnused
+#     gnutar
+#     gzip
+#     xz
+#     less
+#     ncurses
+#     netcat
+#     mkpasswd
+#     procps
+#     time
+#     zstd
+#     util-linux
+#     which
+#     nixos-rebuild
+# ];

agents/secrets.sops.yaml

@@ -0,0 +1,32 @@
+forgejo-runner-token: ENC[AES256_GCM,data:q/K34xSOcqauWTz/WgbfGLWNXuOcL10yghV90uvjc1hpBjDVOCGnSg==,iv:OHuHGPx2HMqKdrQIs8nup7E1D352U8fq/jz5dHGtemM=,tag:kZAxNfhOaftdIGNjeDmhaw==,type:str]
+cachix:
+    auth_token: ENC[AES256_GCM,data:h8xnfojQf+bxUDiUGx1gmGN9xj3QyqrU8kURtjrgJOWTDvg2t3osBkl9j4kUiT9gNyChA2TIUP8RKrHL/Bz8pxQuKLu337taJcj0ept2ksx0D7iMGk6chjez9Xiy+iF9cXqFgglmTHehtiR90BY1f1AFKAe241atpVyKXOdTzl61isANb0KdT6H1Iqyq+AanPO5FIAE=,iv:zVcp3zqmXYU2srHBI6FBzQZKAWu1kBp0zp3szsLhPrQ=,tag:bM3+WnhDXf6wlHT1w7rKLQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpyVy9ETldIalAvY2Yy
+            SzQzTzBYQVRiUklsUFU5dUtHdXUvbkhjcVVFCkhKSkZLRmN5MzZFQUdiYlN0RWdF
+            bWhadC9DOTExNk5PMkM3OGhmZ3ovNk0KLS0tICtIVjFMdEo4M1ZPRG5XRDFodEps
+            SHgzM29SNklYQ2NyWXY2K0xOQWUwUGcKfTaZ4MPjq1XicLcNigcYTB0fWGOSre07
+            DVh8UHbykCAZBFutF3ATC/ssYUTfMriG4xkI9Hrn04pEvlf52AgD+g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R2x1emhYOCtXTnhwcTRD
+            TjJjQmNkMG40Y0YxNFJzQ01uYzJNb3d3SmhVCkx5cmRiWDk2TWY4bDE3clpMM0hM
+            RGYyRVZ1cFdYZUxycWNQS2J3am5IVlUKLS0tIFNuMklpZGJRY2lMRjhWNU8rcWxG
+            SEdEMHdpcUlROVFhNkVzVHNJOHdvdFUKGNZo/gsmqQLc1xtwoMGA2Gy2yL1U/5DJ
+            Ltqz8nRTteaSayhS2dxGqkRM0QKEqz/MhPno6mcfMXaRCZLxisQzww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-14T16:14:00Z"
+    mac: ENC[AES256_GCM,data:GATqt5ftIkdZ4jtlrgwmD4pSm0CSdsMkTOZP2E3gqC2kdqbVveseQgOWe/o7gvtn4VkQMWeJSL9Q9xxtCTH3VPSX415BgANeUJfZ8sfH1WJjSPUOKTRzN6VRXWceO4C8yd9PCHMYYhrVw0wd3h+bJEhh6G4Yq9J1lRQ8WKAxdzE=,iv:ehwPu7qGaPoQeQQ9KpX1AXLJsdmyLSMdSFJ8EtGj9P8=,tag:cRr+KGtbePlc/cRYBXsRAQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

disko-hetzner-cloud.nix

@@ -0,0 +1,32 @@
+{ disks ? [ "/dev/vdb" ], ... }: {
+  disko.devices = {
+    disk = {
+      vdb = {
+        device = builtins.elemAt disks 0;
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP =  {
+              type = "EF00";
+              size = "1000M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

flake.lock

@@ -0,0 +1,135 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1715217706,
+        "narHash": "sha256-yEB5SEHc+o3WJpUPw455OdLy9A+gffvCJX8DZ7NCkuo=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "8eb1b315eef89f3bdc5c9814d1b207c6d64f0046",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1715037484,
+        "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1715534503,
+        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1715142527,
+        "narHash": "sha256-8OCDTDZzmkhoJ0HzZd/wkUfdAES9e0Jsp3qb5sM/Jys=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0efaf283bd6e3b9ecf6e961d2305bf2e1a9f49c9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix",
+        "srvos": "srvos"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1715216666,
+        "narHash": "sha256-0aTe4zSO5t6Wn+gaW5Bwr+84INd7htOdn3sdmE6/uC0=",
+        "owner": "numtide",
+        "repo": "srvos",
+        "rev": "65d83b87b55c9618cf02aa9b9c08ec8adaa08c9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "srvos",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,57 @@
+{
+  description = "Forgejo CI Runners";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    srvos.url = "github:numtide/srvos";
+    disko.url = "github:nix-community/disko";
+    # sops-nix - secrets with mozilla sops
+    # https://github.com/Mic92/sops-nix
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  nixConfig = {
+    extra-substituters = [
+      "https://nix-community.cachix.org"
+      "https://hsndev.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
+    ];
+  };
+
+  outputs = { self, sops-nix, nixpkgs, srvos, disko, ... }@inputs:
+  let
+    linuxMachineName = "linux";
+    sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w";
+    lib = nixpkgs.lib;
+    inherit (self) outputs;
+    in {
+      nixosConfigurations = 
+      {
+        "aarch64-linux" = lib.nixosSystem {
+        system = "aarch64-linux";
+        specialArgs = {inherit inputs outputs;};
+        modules = [
+          inputs.sops-nix.nixosModules.sops
+          srvos.nixosModules.hardware-hetzner-cloud
+          srvos.nixosModules.server
+          srvos.nixosModules.mixins-systemd-boot
+          disko.nixosModules.disko
+          ./agents/linux.nix
+          (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
+          {
+            boot.loader.efi.canTouchEfiVariables = true;
+            networking.hostName = "aarch64-linux";
+            users.users.root.openssh.authorizedKeys.keys = [ sshPubKey ];
+            services.openssh.enable = true;
+            services.openssh.settings.PermitRootLogin = "without-password";
+          }];
+        };
+      };
+  }; 
+}

renovate.json

@@ -0,0 +1,16 @@
+{	
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "nix": {
+    "enabled": true
+  },
+  "schedule": [
+    "every weekend"
+  ],
+  "lockFileMaintenance": {
+    "enabled": true
+  }
+}
+