mise-tasks/bootstrap_instance.sh

@@ -0,0 +1,85 @@
+#!/usr/bin/env bash
+# Prerequisites:
+# 1password vault created with a single item in it with the property 'runner_token'.
+# Define the vault and item used.
+# Usage: ./bootstrap_instace.sh <incus vm instance name>
+
+set -euo pipefail
+
+# Check if instance name is provided
+if [ "$#" -ne 1 ]; then
+    echo "Usage: $0 <instance-name>" >&2
+    exit 1
+fi
+
+INCUS_INSTANCE="$1"  # Use the provided instance name
+
+# Set variables
+INCUS_PATH="/var/lib/gitea-runner/default/tokenfile"
+
+# Check if OP_SESSION environment variable exists, if not, sign in
+if [ -z "${OP_SESSION:-}" ]; then
+    echo "Not logged in to 1Password CLI. Attempting to sign in..."
+    if ! eval "$(op signin)"; then
+        echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
+        exit 1
+    fi
+fi
+
+# Retrieve both tokens from 1Password
+RUNNER_TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
+TAILSCALE_KEY=$(op read "op://forgejo-runner/tailscale/client_secret")
+
+if [ -z "$RUNNER_TOKEN" ]; then
+    echo "Failed to retrieve runner token from 1Password" >&2
+    exit 1
+fi
+
+if [ -z "$TAILSCALE_KEY" ]; then
+    echo "Failed to retrieve Tailscale auth key from 1Password" >&2
+    exit 1
+fi
+
+# Function to configure runner token with retries
+push_and_check_token() {
+    local retries=5
+    local count=0
+    while [ $count -lt $retries ]; do
+        echo "Attempt $((count+1)) of $retries: Configuring runner token..."
+        if incus exec "$INCUS_INSTANCE" -- sh -c "echo 'TOKEN=$RUNNER_TOKEN' > '$INCUS_PATH'"; then
+            if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
+                echo "Runner token file successfully verified in Incus instance."
+                return 0
+            fi
+        fi
+        ((count++))
+        echo "File not found or configuration failed. Retrying in 5 seconds..."
+        sleep 5
+    done
+    echo "Failed to configure and verify runner token after $retries attempts." >&2
+    return 1
+}
+
+# Configure runner token and Tailscale
+if push_and_check_token; then
+    echo "Runner token successfully configured in instance $INCUS_INSTANCE"
+    echo "Configuring Tailscale..."
+    TAILSCALE_CMD="/run/current-system/sw/bin/tailscale"
+    TAILSCALE_ARGS=(
+        "--ssh"
+        "--auth-key=\"$TAILSCALE_KEY?ephemeral=false&preauthorized=true\""
+        "--advertise-tags=tag:forgejo-runner"
+    )
+    if incus exec "$INCUS_INSTANCE" -- sh -c "$TAILSCALE_CMD up ${TAILSCALE_ARGS[*]}"; then
+        echo "Tailscale successfully configured"
+    else
+        echo "Failed to configure Tailscale" >&2
+        exit 1
+    fi
+else
+    echo "Failed to bootstrap $INCUS_INSTANCE" >&2
+    exit 1
+fi
+
+echo "Bootstrapping $INCUS_INSTANCE completed successfully."
+

mise-tasks/build_import.sh

@@ -10,19 +10,19 @@ check_command() {
 }
 
 # Build the qemu image and get the path
-qemuImageBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.qemuImage --print-out-paths)
+qemuImageBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.qemuImage --print-out-paths)
 check_command "Building qemu image"
 
 # Build the metadata and get the path
-metadataBuildPath=$(nix build .#nixosConfigurations.lxc-vm-x86_64.config.system.build.metadata --print-out-paths)
+metadataBuildPath=$(nix build .#nixosConfigurations.x86_64.config.system.build.metadata --print-out-paths)
 check_command "Building metadata"
 
 # Set the paths for the metadata and qemu image
 MBP="${metadataBuildPath}/tarball/nixos-system-x86_64-linux.tar.xz"
-QBP="${qemuImageBuildPath}/nixos.qcow2"
+QIBP="${qemuImageBuildPath}/nixos.qcow2"
 
 # Import the image to Incus and capture the instance name
-incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QBP"
+incus image import --alias nixos-gen/custom/fj-lxc-vm-x86_64 "$MBP" "$QIBP"
 check_command "Importing image to Incus"
 
-echo "Process completed successfully"
+echo "Importing $1 completed successfully."

mise-tasks/launch.sh

@@ -6,8 +6,7 @@ INCUS_PROFILE="forgejo-runner"
 INSTANCE_NAME=$(incus launch nixos-gen/custom/fj-lxc-vm-x86_64 -p ${INCUS_PROFILE:-'default'} | grep -oP 'Instance name is: \K\S+')
 echo "The captured instance name is: $INSTANCE_NAME"
 
-# Call the push_token.sh script with the new instance name
-"$MISE_TASK_DIR"/push_token.sh "$INSTANCE_NAME"
-echo "Pushing token to instance"
+# Call the bootstrap_instance.sh script with the new instance name
+"$MISE_TASK_DIR"/bootstrap_instance.sh "$INSTANCE_NAME"
 
 echo "Process completed successfully"

mise-tasks/push_token.sh

@@ -1,73 +0,0 @@
-#!/usr/bin/env bash
-# Prerequisites:
-# 1password vault created with a single item in it with the property 'runner_token'.
-# Define the vault and item used.
-# Usage: ./push_token.sh <incus vm instance name>
-
-set -euo pipefail
-
-# Check if instance name is provided
-if [ "$#" -ne 1 ]; then
-    echo "Usage: $0 <instance-name>" >&2
-    exit 1
-fi
-
-INCUS_INSTANCE="$1"  # Use the provided instance name
-
-# Set variables
-TOKEN_FILE="tokenfile"  # Name of the temporary file to store the token
-INCUS_PATH="/var/lib/gitea-runner/default/$TOKEN_FILE"
-
-# Check if OP_SESSION environment variable exists, if not, sign in
-if [ -z "${OP_SESSION:-}" ]; then
-    echo "Not logged in to 1Password CLI. Attempting to sign in..."
-    if ! eval "$(op signin)"; then
-        echo "Failed to sign in to 1Password CLI. Please sign in manually using 'op signin'" >&2
-        exit 1
-    fi
-fi
-
-# Retrieve the token from 1Password using op:// format
-TOKEN=$(op read "op://forgejo-runner/forgejo-runner/runner_token")
-
-if [ -z "$TOKEN" ]; then
-    echo "Failed to retrieve token from 1Password" >&2
-    exit 1
-fi
-
-# Create the token file
-echo "TOKEN=$TOKEN" > "$TOKEN_FILE"
-
-# Function to push file and check existence with retries
-push_and_check_file() {
-    local retries=5
-    local count=0
-    while [ $count -lt $retries ]; do
-        echo "Attempt $((count+1)) of $retries: Pushing file to Incus instance..."
-        if incus file push "$TOKEN_FILE" "$INCUS_INSTANCE$INCUS_PATH"; then
-            if incus exec "$INCUS_INSTANCE" -- test -f "$INCUS_PATH"; then
-                echo "File successfully verified in Incus instance."
-                return 0
-            fi
-        fi
-        ((count++))
-        echo "File not found or push failed. Retrying in 5 seconds..."
-        sleep 5
-    done
-    echo "Failed to push and verify file after $retries attempts." >&2
-    return 1
-}
-
-# Push the file to Incus and verify its existence
-if push_and_check_file; then
-    echo "Token file successfully pushed and verified in Incus instance $INCUS_INSTANCE"
-else
-    echo "Failed to push or verify token file in Incus instance $INCUS_INSTANCE" >&2
-    rm "$TOKEN_FILE"
-    exit 1
-fi
-
-# Clean up the local token file
-rm "$TOKEN_FILE"
-
-echo "Operation completed successfully"

profiles/role-lxc-vm.nix

@@ -8,6 +8,7 @@
   # and has the correct permissions.
   systemd.tmpfiles.rules = [
     "d /var/lib/gitea-runner/default 0750 gitea-runner gitea-runner -"
+    "d /var/lib/tailscale 0750 root root -"
   ];
 
   services.gitea-actions-runner = {
@@ -20,10 +21,28 @@
       # `incus file push "$TOKEN_FILE" "$INCUS_INSTANCE/var/lib/forgejo/$TOKEN_FILE" --mode 400`
       tokenFile = "/var/lib/gitea-runner/default/tokenfile";
       labels = [
+        "docker:docker://node:20-bullseye"
         "docker-x86_64:docker://node:20-bullseye"
         "ubuntu-x86_64:docker://node:20-bullseye"
         "native-x86_64:host"
       ];
     };
   };
+
+  # Enable Tailscale with enhanced configuration
+  services.tailscale = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  # Ensure networking dependencies are properly ordered
+  # systemd.services.tailscaled = {
+  #   after = [
+  #     "network-pre.target"
+  #     "NetworkManager.service"
+  #     "systemd-resolved.service"
+  #   ];
+  #   wants = [ "network-pre.target" ];
+  #   requires = [ "network-online.target" ];
+  # };
 }