forgejo-ci-runners/flake.nix
Renovate Bot 753e791812
Some checks failed
Build on PR / nix-build (fj-shadowfax-01, native-x86_64, x86_64-linux) (pull_request) Failing after 1m14s
Deploy on PR Merge / if_merged (fj-shadowfax-01, native-x86_64, x86_64-linux) (pull_request) Has been skipped
Build on PR / nix-build (fj-hetzner-aarch64-01, native-aarch64, aarch64-linux) (pull_request) Has been cancelled
Deploy on PR Merge / if_merged (fj-hetzner-aarch64-01, native-aarch64, aarch64-linux) (pull_request) Has been cancelled
Update nixpkgs to nixos-24.11
2024-11-18 02:02:11 +00:00


{
description = "Forgejo CI Runners";
# Flake inputs. Everything the two runner hosts are built from comes in here,
# so this list is the supply-chain surface of the deployment.
# NOTE(review): the URLs below name branches or a release tarball, not
# revisions; the exact commits and hashes are presumably recorded in
# flake.lock, which is not shown here. Confirm it is committed and that its
# diff is reviewed on every automated bump.
inputs = {
# nixpkgs, following the nixos-24.11 release branch
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
# Lix - Substitution of the Nix package manager, focused on correctness, usability, and growth and committed to doing right by its community.
# https://git.lix.systems/lix-project/lix
# Fetched as a versioned archive (2.91.0); the URL itself carries no hash.
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
# srvos, disko and cachix-deploy-flake below declare no
# `inputs.nixpkgs.follows`, so each resolves the nixpkgs its own flake
# declares rather than the one pinned above.
# srvos - NixOS modules for Hetzner Cloud and other services
srvos.url = "github:numtide/srvos";
# disko - NixOS module for managing disks
disko.url = "github:nix-community/disko";
# Cachix helper functions for deploying NixOS systems with flakes.
cachix-deploy-flake.url = "github:cachix/cachix-deploy-flake";
# Cachix - Nix binary cache hosting and continuous integration
cachix-flake = {
url = "github:cachix/cachix";
inputs.nixpkgs.follows = "nixpkgs";
};
# sops-nix - Atomic secret provisioning for NixOS based on sops
# https://github.com/Mic92/sops-nix
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, sops-nix, nixpkgs, srvos, disko, cachix-flake, cachix-deploy-flake, lix-module, ... }@inputs:
let
inherit (nixpkgs) lib;

# Per-system helper set. Given a system string it returns:
#   pkgs              - nixpkgs instantiated for that system, with `cachix`
#                       replaced by the default package of the cachix flake
#                       input for the same system
#   cachix-deploy-lib - the cachix-deploy-flake library applied to that pkgs
common = system:
  let
    # Overlay that swaps pkgs.cachix for the flake-provided build.
    useFlakeCachix = _final: _prev: {
      cachix = cachix-flake.packages.${system}.default;
    };
    pkgs = import nixpkgs {
      inherit system;
      overlays = [ useFlakeCachix ];
    };
  in
  {
    inherit pkgs;
    cachix-deploy-lib = cachix-deploy-flake.lib pkgs;
  };
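# Administrative SSH access shared by both runner hosts. Kept in one place so
# that adding or revoking a key cannot leave the two hosts out of sync.
adminSshModule = {
  # Every key listed here can log in as root on each runner that imports
  # this module.
  users.users.root.openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsUe5YF5z8vGcEYtQX7AAiw2rJygGf2l7xxr8nZZa7w jahanson@legiondary"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJyA/yMPPo+scxBaDFUk7WeEyMAMhXUro5vi4feOKsJT jahanson@durincore"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcLI5qN69BuoLp8p7nTYKoLdsBNmZB31OerZ63Car1g jahanson@telchar"
  ];
  services.openssh.enable = true;
  # Root may authenticate with a key but never with a password.
  # "prohibit-password" is the current OpenSSH spelling; the previous value
  # "without-password" is its deprecated alias with the same meaning.
  # NOTE(review): this restricts root only. Whether password logins are off
  # for other accounts depends on
  # services.openssh.settings.PasswordAuthentication, which this file does
  # not set; presumably the srvos server profile handles it. Confirm.
  services.openssh.settings.PermitRootLogin = "prohibit-password";
};

# Module list for the Hetzner Cloud aarch64 runner.
aarch64-linux-modules = [
  sops-nix.nixosModules.sops
  srvos.nixosModules.hardware-hetzner-cloud
  srvos.nixosModules.server
  srvos.nixosModules.mixins-systemd-boot
  disko.nixosModules.disko
  lix-module.nixosModules.default
  ./agents/fj-hetzner-aarch64.nix
  (import ./disko-hetzner-cloud.nix { disks = [ "/dev/sda" ]; })
  adminSshModule
  {
    boot.loader.efi.canTouchEfiVariables = true;
    networking.hostName = "fj-hetzner-aarch64-01";
  }
];

# Module list for the x86_64 runner (hardware profile: shadowfax).
x86_64-linux-modules = [
  sops-nix.nixosModules.sops
  ./hardware/shadowfax.nix
  srvos.nixosModules.server
  srvos.nixosModules.mixins-systemd-boot
  disko.nixosModules.disko
  lix-module.nixosModules.default
  ./agents/fj-shadowfax-x86_64.nix
  (import ./disko-shadowfax.nix { disks = [ "/dev/sda" ]; })
  adminSshModule
  {
    boot.loader.efi.canTouchEfiVariables = true;
    networking.hostName = "fj-shadowfax-01";
  }
];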
in
{
# NixOS configurations for manual deployment. Each host is built with
# lib.nixosSystem from its module list; all flake inputs are passed to the
# modules through specialArgs.
nixosConfigurations =
  let
    mkRunner = system: modules:
      lib.nixosSystem {
        inherit system modules;
        specialArgs = { inherit inputs; };
      };
  in
  {
    "fj-hetzner-aarch64" = mkRunner "aarch64-linux" aarch64-linux-modules;
    "fj-x86_64" = mkRunner "x86_64-linux" x86_64-linux-modules;
  };
# Cachix deploy for automated deployments. The default package of each
# architecture is cachix-deploy-lib.nixos applied to the same module list
# that nixosConfigurations uses. No explicit `system` is passed; the
# per-system cachix-deploy-lib from `common` is used instead.
packages.aarch64-linux.default =
  (common "aarch64-linux").cachix-deploy-lib.nixos {
    imports = aarch64-linux-modules;
  };
packages.x86_64-linux.default =
  (common "x86_64-linux").cachix-deploy-lib.nixos {
    imports = x86_64-linux-modules;
  };
# Constructs a deploy.json output that can be used to deploy the runners
# https://docs.cachix.org/deploy/reference#deploy-json
# One spec per architecture, each holding a single agent. The agent name
# matches the networking.hostName set in that host's module list.
deploy-json =
  let
    # Build the deploy spec for one agent on one system.
    specFor = system: agentName: modules:
      let
        inherit (common system) cachix-deploy-lib;
      in
      cachix-deploy-lib.spec {
        agents.${agentName} = cachix-deploy-lib.nixos {
          imports = modules;
        };
      };
  in
  {
    "aarch64-linux" = specFor "aarch64-linux" "fj-hetzner-aarch64-01" aarch64-linux-modules;
    "x86_64-linux" = specFor "x86_64-linux" "fj-shadowfax-01" x86_64-linux-modules;
  };
# Convenience aggregate: maps every name in nixosConfigurations to that
# host's config.system.build.toplevel.
# Also used in ci to build targets generally.
top =
  lib.mapAttrs
    (_name: host: host.config.system.build.toplevel)
    self.nixosConfigurations;
};
}