Forgejo CI Runners
commit
e94f37d45c
9 changed files with 379 additions and 0 deletions
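--- /dev/null
+++ b/.envrc
@@ -0,0 +1 @@
+export SOPS_AGE_KEY_FILE="$(expand_path ./age.key)"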
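Review bot: `SOPS_AGE_KEY_FILE` points at `./age.key` inside the checkout, while the header comment in `.sops.yaml` says the main key is kept outside the repo; the two should agree, and a one-line comment here stating which key this is (machine key or the main key) would settle it. If the private key does live in the working tree, the `age.key` entry in `.gitignore` is the only thing keeping it out of history, so a location outside the repository (or at least a comment naming that dependency) would be safer.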
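--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,3 @@
+result*
+/secrets
+age.key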
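--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,23 @@
+---
+# config files for sops & used for encrypting keys that sops-nix decrypts.
+# each machine key is derieved from its generated `ssh_hosts_ed` file
+# via ssh-to-age
+# sops encrypts the secrets ready to decrypt with the private key of any of the below machines
+# OR my 'main' key thats kept outside this repo securely.
+
+# key-per-machine is a little more secure and a little more work than
+# copying one key to each machine
+
+keys:
+  - users:
+      - &jahanson age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+  - hosts:
+      - &durincore age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+
+
+creation_rules:
+  - path_regex: .*\.sops\.yaml$
+    key_groups:
+      - age:
+          - *jahanson
+          - *durincore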
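Review bot: The header comments carry typos (`derieved` → `derived`, `thats` → `that's`) and refer to a `ssh_hosts_ed` file, which does not match the usual OpenSSH host key name `ssh_host_ed25519_key`; since this comment is the only record of how the `&durincore` recipient was derived, it is worth correcting so the procedure can be repeated for the next host. `path_regex: .*\.sops\.yaml$` also matches `.sops.yaml` itself, which is harmless here but a prefix such as `agents/.*\.sops\.yaml$` would scope the rule to the secrets directory if that is the intent.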
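--- /dev/null
+++ b/agents/linux.nix
@@ -0,0 +1,80 @@
+{ pkgs, config, lib, ... }:
+
+let
+in {
+  environment.systemPackages = with pkgs; [
+    vim
+    # zig broken on darwin
+    #ncdu
+    git
+    tmux
+    cachix
+    direnv
+  ];
+
+  sops.secrets."forgejo-runner-token" = {
+    # configure secret for forwarding rules
+    sopsFile = ./secrets.sops.yaml;
+    mode = "0444";
+  };
+
+
+  virtualisation.docker.enable = true;
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.hsn.dev";
+      # Obtaining the path to the runner token file may differ
+      tokenFile = config.sops.secrets.forgejo-runner-token.path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        "ubuntu-22.04:docker://node:16-bullseye"
+        "ubuntu-20.04:docker://node:16-bullseye"
+        "ubuntu-18.04:docker://node:16-buster"
+        ## optionally provide native execution on the host:
+        # "native:host"
+      ];
+    };
+  };
+  system.stateVersion = "24.05";
+}
+
+# extraPackages = with pkgs; [
+# # custom
+# cachix
+# tmate
+# jq
+# # nixos
+# docker
+# openssh
+# coreutils-full
+# bashInteractive # bash with ncurses support
+# bzip2
+# cpio
+# curl
+# diffutils
+# findutils
+# gawk
+# stdenv.cc.libc
+# getent
+# getconf
+# gnugrep
+# gnupatch
+# gnused
+# gnutar
+# gzip
+# xz
+# less
+# ncurses
+# netcat
+# mkpasswd
+# procps
+# time
+# zstd
+# util-linux
+# which
+# nixos-rebuild
+# ];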
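Review bot: `mode = "0444";` on `sops.secrets."forgejo-runner-token"` makes the runner registration token readable by every local user and every job that can reach the host filesystem, which is wider than the service needs; if the NixOS module loads `tokenFile` through systemd as root before dropping privileges (as the environment-file mechanism does — verify against the module), `mode = "0400";` with the default root owner is enough, otherwise set `owner`/`group` to the runner's user instead of opening it to everyone. The comment `# configure secret for forwarding rules` describes nothing in this block and should be replaced by one stating the expected file contents (the module reads the file as `TOKEN=<value>`, presumably — confirm), since the encrypted value cannot be inspected in review. Each `docker://` label, together with `virtualisation.docker.enable = true;`, gives jobs a Docker daemon on this host, so a comment that only trusted repositories should be registered to this runner would document the trust boundary. The `node:16-*` images are end-of-life and worth pinning to a maintained tag.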
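--- /dev/null
+++ b/agents/secrets.sops.yaml
@@ -0,0 +1,32 @@
+forgejo-runner-token: ENC[AES256_GCM,data:q/K34xSOcqauWTz/WgbfGLWNXuOcL10yghV90uvjc1hpBjDVOCGnSg==,iv:OHuHGPx2HMqKdrQIs8nup7E1D352U8fq/jz5dHGtemM=,tag:kZAxNfhOaftdIGNjeDmhaw==,type:str]
+cachix:
+    auth_token: ENC[AES256_GCM,data:h8xnfojQf+bxUDiUGx1gmGN9xj3QyqrU8kURtjrgJOWTDvg2t3osBkl9j4kUiT9gNyChA2TIUP8RKrHL/Bz8pxQuKLu337taJcj0ept2ksx0D7iMGk6chjez9Xiy+iF9cXqFgglmTHehtiR90BY1f1AFKAe241atpVyKXOdTzl61isANb0KdT6H1Iqyq+AanPO5FIAE=,iv:zVcp3zqmXYU2srHBI6FBzQZKAWu1kBp0zp3szsLhPrQ=,tag:bM3+WnhDXf6wlHT1w7rKLQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18kj3xhlvgjeg2awwku3r8d95w360uysu0w5ejghnp4kh8qmtge5qwa2vjp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SGpyVy9ETldIalAvY2Yy
+            SzQzTzBYQVRiUklsUFU5dUtHdXUvbkhjcVVFCkhKSkZLRmN5MzZFQUdiYlN0RWdF
+            bWhadC9DOTExNk5PMkM3OGhmZ3ovNk0KLS0tICtIVjFMdEo4M1ZPRG5XRDFodEps
+            SHgzM29SNklYQ2NyWXY2K0xOQWUwUGcKfTaZ4MPjq1XicLcNigcYTB0fWGOSre07
+            DVh8UHbykCAZBFutF3ATC/ssYUTfMriG4xkI9Hrn04pEvlf52AgD+g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1d9p83j52m2xg0vh9k7q0uwlxwhs3y6tlv68yg9s2h9mdw2fmmsqshddz5m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6R2x1emhYOCtXTnhwcTRD
+            TjJjQmNkMG40Y0YxNFJzQ01uYzJNb3d3SmhVCkx5cmRiWDk2TWY4bDE3clpMM0hM
+            RGYyRVZ1cFdYZUxycWNQS2J3am5IVlUKLS0tIFNuMklpZGJRY2lMRjhWNU8rcWxG
+            SEdEMHdpcUlROVFhNkVzVHNJOHdvdFUKGNZo/gsmqQLc1xtwoMGA2Gy2yL1U/5DJ
+            Ltqz8nRTteaSayhS2dxGqkRM0QKEqz/MhPno6mcfMXaRCZLxisQzww==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-14T16:14:00Z"
+    mac: ENC[AES256_GCM,data:GATqt5ftIkdZ4jtlrgwmD4pSm0CSdsMkTOZP2E3gqC2kdqbVveseQgOWe/o7gvtn4VkQMWeJSL9Q9xxtCTH3VPSX415BgANeUJfZ8sfH1WJjSPUOKTRzN6VRXWceO4C8yd9PCHMYYhrVw0wd3h+bJEhh6G4Yq9J1lRQ8WKAxdzE=,iv:ehwPu7qGaPoQeQQ9KpX1AXLJsdmyLSMdSFJ8EtGj9P8=,tag:cRr+KGtbePlc/cRYBXsRAQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1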
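Review bot: `cachix:` / `auth_token:` is encrypted here but nothing in this commit declares a `sops.secrets` entry for it (`agents/linux.nix` only defines `forgejo-runner-token`), so it is unused data that still becomes readable to whoever holds either age key; either wire it up or drop it until it is needed. Because both recipients sit in a single `age:` group, either the `&jahanson` user key or the `&durincore` host key alone decrypts the whole file, which matches the intent stated in `.sops.yaml` but means the host key's protection is the ceiling for every secret stored here.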
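--- /dev/null
+++ b/disko-hetzner-cloud.nix
@@ -0,0 +1,32 @@
+{ disks ? [ "/dev/vdb" ], ... }: {
+  disko.devices = {
+    disk = {
+      vdb = {
+        device = builtins.elemAt disks 0;
+        type = "disk";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              type = "EF00";
+              size = "1000M";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            root = {
+              size = "100%";
+              content = {
+                type = "filesystem";
+                format = "ext4";
+                mountpoint = "/";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}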
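Review bot: The disk attribute is named `vdb = {` while the actual device comes from the `disks` parameter, and `flake.nix` calls this file with `disks = [ "/dev/sda" ]`, so the name misleads at the call site; a neutral key such as `main = {` keeps the attribute independent of whichever device is passed, leaving `disks ? [ "/dev/vdb" ]` as the only place the default name appears. A short header comment stating that this layout wipes the first entry of `disks` and mounts it as `/` (with an ESP at `/boot`) would also document the destructive intent for anyone reusing the file.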
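--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,135 @@
+{
+  "nodes": {
+    "disko": {
+      "inputs": {
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1715217706,
+        "narHash": "sha256-yEB5SEHc+o3WJpUPw455OdLy9A+gffvCJX8DZ7NCkuo=",
+        "owner": "nix-community",
+        "repo": "disko",
+        "rev": "8eb1b315eef89f3bdc5c9814d1b207c6d64f0046",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "disko",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1715037484,
+        "narHash": "sha256-OUt8xQFmBU96Hmm4T9tOWTu4oCswCzoVl+pxSq/kiFc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "ad7efee13e0d216bf29992311536fce1d3eefbef",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1715458492,
+        "narHash": "sha256-q0OFeZqKQaik2U8wwGDsELEkgoZMK7gvfF6tTXkpsqE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "8e47858badee5594292921c2668c11004c3b0142",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1715534503,
+        "narHash": "sha256-5ZSVkFadZbFP1THataCaSf0JH2cAH3S29hU9rrxTEqk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "2057814051972fa1453ddfb0d98badbea9b83c06",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1715142527,
+        "narHash": "sha256-8OCDTDZzmkhoJ0HzZd/wkUfdAES9e0Jsp3qb5sM/Jys=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "0efaf283bd6e3b9ecf6e961d2305bf2e1a9f49c9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "disko": "disko",
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix",
+        "srvos": "srvos"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1715482972,
+        "narHash": "sha256-y1uMzXNlrVOWYj1YNcsGYLm4TOC2aJrwoUY1NjQs9fM=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "b6cb5de2ce57acb10ecdaaf9bbd62a5ff24fa02e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1715216666,
+        "narHash": "sha256-0aTe4zSO5t6Wn+gaW5Bwr+84INd7htOdn3sdmE6/uC0=",
+        "owner": "numtide",
+        "repo": "srvos",
+        "rev": "65d83b87b55c9618cf02aa9b9c08ec8adaa08c9d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "srvos",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}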
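--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,57 @@
+{
+  description = "Forgejo CI Runners";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    srvos.url = "github:numtide/srvos";
+    disko.url = "github:nix-community/disko";
+    # sops-nix - secrets with mozilla sops
+    # https://github.com/Mic92/sops-nix
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  nixConfig = {
+    extra-substituters = [
+      "https://nix-community.cachix.org"
+      "https://hsndev.cachix.org"
+    ];
+    extra-trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+      "hsndev.cachix.org-1:vN1/XGBZtMLnTFYDmTLDrullgZHSUYY3Kqt+Yg/C+tE="
+    ];
+  };
+
+  outputs = { self, sops-nix, nixpkgs, srvos, disko, ... }@inputs:
+    let
+      linuxMachineName = "linux";
+      sshPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w";
+      lib = nixpkgs.lib;
+      inherit (self) outputs;
+    in {
+      nixosConfigurations =
+        {
+          "aarch64-linux" = lib.nixosSystem {
+            system = "aarch64-linux";
+            specialArgs = {inherit inputs outputs;};
+            modules = [
+              inputs.sops-nix.nixosModules.sops
+              srvos.nixosModules.hardware-hetzner-cloud
+              srvos.nixosModules.server
+              srvos.nixosModules.mixins-systemd-boot
+              disko.nixosModules.disko
+              ./agents/linux.nix
+              (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
+              {
+                boot.loader.efi.canTouchEfiVariables = true;
+                networking.hostName = "aarch64-linux";
+                users.users.root.openssh.authorizedKeys.keys = [ sshPubKey ];
+                services.openssh.enable = true;
+                services.openssh.settings.PermitRootLogin = "without-password";
+              }];
+          };
+        };
+    };
+}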
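Review bot: `linuxMachineName = "linux";` in the `let` block is never used, while the configuration attribute and `networking.hostName` both hard-code `"aarch64-linux"`; either let the binding drive both names or delete it so the next reader does not look for its consumer. `PermitRootLogin = "without-password"` is OpenSSH's legacy spelling of `"prohibit-password"`; the behaviour is the same key-only root login, but the current keyword states the policy plainly for whoever audits this later. The module list destructures `sops-nix` in the `outputs` arguments yet references it as `inputs.sops-nix.nixosModules.sops`, so `sops-nix.nixosModules.sops` would match the neighbouring `srvos.`/`disko.` entries. Trusting `hsndev.cachix.org` through `extra-trusted-public-keys` means store paths signed by that key are accepted without a local rebuild, so a comment naming who holds that signing key documents the supply-chain trust this flake introduces.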
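--- /dev/null
+++ b/renovate.json
@@ -0,0 +1,16 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:base"
+  ],
+  "nix": {
+    "enabled": true
+  },
+  "schedule": [
+    "every weekend"
+  ],
+  "lockFileMaintenance": {
+    "enabled": true
+  }
+}
+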
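Review bot: `"config:base"` is the deprecated name of Renovate's default preset; `"config:recommended"` is the current equivalent and avoids the deprecation warning Renovate emits for the old name. With the `nix` manager enabled and `lockFileMaintenance` on, Renovate will open PRs that rewrite `flake.lock` every weekend, bumping the pinned `nixpkgs`, `srvos`, `disko` and `sops-nix` revisions the runner host is built from; since JSON cannot carry a comment, that review expectation belongs in the README alongside the note that those PRs should not be auto-merged without a build.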