forgejo/ci: better nix-based runner
This commit is contained in:
parent
394799d66f
commit
cb73afe887
7 changed files with 220 additions and 51 deletions
|
@ -8,41 +8,46 @@ on:
|
||||||
- '.forgejo/workflows/build.yml'
|
- '.forgejo/workflows/build.yml'
|
||||||
jobs:
|
jobs:
|
||||||
build-amd64-linux:
|
build-amd64-linux:
|
||||||
runs-on: ubuntu-latest-amd64
|
runs-on: nix-amd64
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v4
|
||||||
- name: Install Nix
|
- name: Cache Login
|
||||||
uses: https://github.com/DeterminateSystems/nix-installer-action@v4
|
run: |
|
||||||
with:
|
echo "Logging in ..."
|
||||||
init: none
|
attic login --set-default attic ${{ secrets.ATTIC_ENDPOINT }} ${{ secrets.ATTIC_TOKEN }}
|
||||||
planner: linux
|
- name: Build attic-server
|
||||||
github-token: null
|
run: |
|
||||||
- name: Setup Attic
|
nix build '.#nixosConfigurations.tanker.pkgs.attic-server'
|
||||||
uses: https://github.com/ryanccn/attic-action@v0
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
with:
|
- name: Build attic-client
|
||||||
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
|
run: |
|
||||||
cache: ${{ secrets.ATTIC_CACHE }}
|
nix build '.#nixosConfigurations.tanker.pkgs.attic-client'
|
||||||
token: ${{ secrets.ATTIC_TOKEN }}
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
- run: nix build '.#nixosConfigurations.tanker.pkgs.attic-server'
|
- name: Build nginx
|
||||||
- run: nix build '.#nixosConfigurations.tanker.pkgs.attic-client'
|
run: |
|
||||||
- run: nix build '.#nixosConfigurations.tanker.config.services.nginx.package'
|
nix build '.#nixosConfigurations.tanker.config.services.nginx.package'
|
||||||
- run: nix build '.#nixosConfigurations.tanker.config.home-manager.users.daniel.programs.neovim.finalPackage'
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
|
- name: Build neovim
|
||||||
|
run: |
|
||||||
|
nix build '.#nixosConfigurations.tanker.config.home-manager.users.daniel.programs.neovim.finalPackage'
|
||||||
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
build-arm64-linux:
|
build-arm64-linux:
|
||||||
runs-on: ubuntu-latest-arm64
|
runs-on: nix-arm64
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v3
|
- uses: actions/checkout@v4
|
||||||
- name: Install Nix
|
- name: Cache Login
|
||||||
uses: https://github.com/DeterminateSystems/nix-installer-action@v4
|
run: |
|
||||||
with:
|
echo "Logging in ..."
|
||||||
init: none
|
attic login --set-default attic ${{ secrets.ATTIC_ENDPOINT }} ${{ secrets.ATTIC_TOKEN }}
|
||||||
planner: linux
|
- name: Build attic-client
|
||||||
github-token: null
|
run: |
|
||||||
- name: Setup Attic
|
nix build '.#nixosConfigurations.argon.pkgs.attic-client'
|
||||||
uses: https://github.com/ryanccn/attic-action@v0
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
with:
|
- name: Build nginx
|
||||||
endpoint: ${{ secrets.ATTIC_ENDPOINT }}
|
run: |
|
||||||
cache: ${{ secrets.ATTIC_CACHE }}
|
nix build '.#nixosConfigurations.argon.config.services.nginx.package'
|
||||||
token: ${{ secrets.ATTIC_TOKEN }}
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
- run: nix build '.#nixosConfigurations.argon.pkgs.attic-client'
|
- name: Build neovim
|
||||||
- run: nix build '.#nixosConfigurations.argon.config.services.nginx.package'
|
run: |
|
||||||
- run: nix build '.#nixosConfigurations.argon.config.home-manager.users.daniel.programs.neovim.finalPackage'
|
nix build '.#nixosConfigurations.argon.config.home-manager.users.daniel.programs.neovim.finalPackage'
|
||||||
|
attic push ${{ secrets.ATTIC_CACHE }} ./result
|
||||||
|
|
Binary file not shown.
|
@ -1,10 +1,12 @@
|
||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 MtGp6g jM+++wGqvWlj9wKwKdrS3d8xpwfLp1ks4GCh3sm/6zM
|
-> ssh-ed25519 MtGp6g I3WQex/smit8a4Isd02PK5wjcjy2hUed3UJpd0y33So
|
||||||
QkBPJf0lBF617AFcko4KA/Aq6mi6eMWp/ye2Abf2fKk
|
SyMzqODrDT5V8VEjp8ERWWa8f/LkJXOfB0I2v0/5xMk
|
||||||
-> ssh-ed25519 iO8/4g IGCdvdMB6PdiqxA9yamSUMCfH4Bk0JmtOuZt4WZrFGM
|
-> ssh-ed25519 iO8/4g 7HVKn8hYsADqVUoaJZQq+VsnLa3fwRsDNEuAe4HYBmM
|
||||||
cz19imzpQAkWv+iCoUzBfMRC5D0yusCMQkROrjBhoJ0
|
ZZrHbVUtM0gKgIhSVARW7VhB3VVMd3kqu4aClviJYjE
|
||||||
-> PT|e-grease cJG6UW4o
|
-> XGZy\BA-grease (7F_&
|
||||||
4G+Rp2jt1sZbGLxuKl7DgX1wl1kaOhhEjkloCeaHg0lt6P7bmjcg++jh6hWs7MhO
|
ogqkD7AyPLaMX7ZRC+MXIHSUR0pRYFGGpQzLse/J+Xfn+d8Fca+ORmdZ7hszVCYV
|
||||||
dMp8SKY9
|
2+vZ3YeW5undYzkMjJuVyZf5qS/S5Mbp
|
||||||
--- VdFRpEBs74LJOqJNYwiGeb/wy/e7Wm+aFQnw3AI1pFw
|
--- rVstDRi//LFd7AO4GKNShRHipPHwPdl1B3pKqYoNZms
|
||||||
r‹åkòBúx–µvŠ™aob""éh&éÅîb{ñÌH´òã,’×q¢·Ã RSm½¤ûÃTûo ¾hB•gdµ
÷?GÒ¼n0©î
|
Ä4AªhÜ!q¢aøtVµ!±Æòr![P+ÔDv·Ò'%F
¹Ê<C2B9>Ú$ü<>LŸPa
|
||||||
|
cÔÀiôkZÁÄ%@`èã<C3A8>“Åè&¡
|
||||||
|
å`[;
|
|
@ -87,11 +87,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1700927249,
|
"lastModified": 1701775991,
|
||||||
"narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=",
|
"narHash": "sha256-/51DaSTzoW+wQfj5P9EnTbSxixDFjjhfnGdMKcSp+is=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "disko",
|
"repo": "disko",
|
||||||
"rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22",
|
"rev": "f84c3684900d11cf19f530070d32d55f0ed51374",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -22,7 +22,7 @@ in
|
||||||
|
|
||||||
../nixos/attic.nix
|
../nixos/attic.nix
|
||||||
|
|
||||||
(import ../nixos/forgejo-runner.nix (args // { name = "argon"; tag = "ubuntu-latest-arm64"; }))
|
(import ../nixos/forgejo-runner.nix (args // { name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
|
||||||
|
|
||||||
../nixos/tailscale.nix
|
../nixos/tailscale.nix
|
||||||
|
|
||||||
|
|
|
@ -33,7 +33,7 @@ in
|
||||||
../nixos/fedifetcher.nix
|
../nixos/fedifetcher.nix
|
||||||
|
|
||||||
../nixos/forgejo.nix
|
../nixos/forgejo.nix
|
||||||
(import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; }))
|
(import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; nixTag = "amd64"; }))
|
||||||
|
|
||||||
../nixos/headscale.nix
|
../nixos/headscale.nix
|
||||||
|
|
||||||
|
|
|
@ -1,14 +1,155 @@
|
||||||
{ pkgs, config, name, tag, ... }:
|
{ pkgs, config, name, tag, nixTag, ... }:
|
||||||
|
|
||||||
|
# Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
|
||||||
|
|
||||||
let
|
let
|
||||||
forgejoUrl = "https://git.kempkens.io";
|
forgejoUrl = "https://git.kempkens.io";
|
||||||
|
|
||||||
|
storeDeps = pkgs.runCommand "store-deps" { } ''
|
||||||
|
mkdir -p $out/bin
|
||||||
|
for dir in ${toString [ pkgs.attic-client pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nixVersions.stable pkgs.bash pkgs.jq pkgs.nodejs ]}; do
|
||||||
|
for bin in "$dir"/bin/*; do
|
||||||
|
ln -s "$bin" "$out/bin/$(basename "$bin")"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# Add SSL CA certs
|
||||||
|
mkdir -p $out/etc/ssl/certs
|
||||||
|
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
systemd.services = {
|
||||||
|
forgejo-runner-nix-image = {
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
after = [ "podman.service" ];
|
||||||
|
requires = [ "podman.service" ];
|
||||||
|
path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
|
||||||
|
script = ''
|
||||||
|
set -eux -o pipefail
|
||||||
|
mkdir -p etc/nix
|
||||||
|
|
||||||
|
touch etc/passwd etc/group
|
||||||
|
groupid=$(cut -d: -f3 < <(getent group nix-ci-user))
|
||||||
|
userid=$(cut -d: -f3 < <(getent passwd nix-ci-user))
|
||||||
|
groupadd --prefix $(pwd) --gid "$groupid" nix-ci-user
|
||||||
|
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
|
||||||
|
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nix-ci-user nix-ci-user
|
||||||
|
|
||||||
|
cat <<NIX_CONFIG > etc/nix/nix.conf
|
||||||
|
accept-flake-config = true
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
NIX_CONFIG
|
||||||
|
|
||||||
|
cat <<NSSWITCH > etc/nsswitch.conf
|
||||||
|
passwd: files mymachines systemd
|
||||||
|
group: files mymachines systemd
|
||||||
|
shadow: files
|
||||||
|
|
||||||
|
hosts: files mymachines dns myhostname
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
ethers: files
|
||||||
|
services: files
|
||||||
|
protocols: files
|
||||||
|
rpc: files
|
||||||
|
NSSWITCH
|
||||||
|
|
||||||
|
tar -cv . | tar -tvf -
|
||||||
|
tar -cv . | podman import - forgejo-runner-nix
|
||||||
|
'';
|
||||||
|
serviceConfig = {
|
||||||
|
RuntimeDirectory = "forgejo-runner-nix-image";
|
||||||
|
WorkingDirectory = "/run/forgejo-runner-nix-image";
|
||||||
|
Type = "oneshot";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
forgejo-runner-nix = {
|
||||||
|
after = [ "forgejo-runner-nix-image.service" ];
|
||||||
|
requires = [ "forgejo-runner-nix-image.service" ];
|
||||||
|
|
||||||
|
serviceConfig = {
|
||||||
|
# Hardening (may overlap with DynamicUser=)
|
||||||
|
# The following options are only for optimizing output of systemd-analyze
|
||||||
|
AmbientCapabilities = "";
|
||||||
|
CapabilityBoundingSet = "";
|
||||||
|
# ProtectClock= adds DeviceAllow=char-rtc r
|
||||||
|
DeviceAllow = "";
|
||||||
|
NoNewPrivileges = true;
|
||||||
|
PrivateDevices = true;
|
||||||
|
PrivateMounts = true;
|
||||||
|
PrivateTmp = true;
|
||||||
|
PrivateUsers = true;
|
||||||
|
ProtectClock = true;
|
||||||
|
ProtectControlGroups = true;
|
||||||
|
ProtectHome = true;
|
||||||
|
ProtectHostname = true;
|
||||||
|
ProtectKernelLogs = true;
|
||||||
|
ProtectKernelModules = true;
|
||||||
|
ProtectKernelTunables = true;
|
||||||
|
ProtectSystem = "strict";
|
||||||
|
RemoveIPC = true;
|
||||||
|
RestrictNamespaces = true;
|
||||||
|
RestrictRealtime = true;
|
||||||
|
RestrictSUIDSGID = true;
|
||||||
|
UMask = "0066";
|
||||||
|
ProtectProc = "invisible";
|
||||||
|
SystemCallFilter = [
|
||||||
|
"~@clock"
|
||||||
|
"~@cpu-emulation"
|
||||||
|
"~@module"
|
||||||
|
"~@mount"
|
||||||
|
"~@obsolete"
|
||||||
|
"~@raw-io"
|
||||||
|
"~@reboot"
|
||||||
|
"~@swap"
|
||||||
|
# needed by go?
|
||||||
|
#"~@resources"
|
||||||
|
"~@privileged"
|
||||||
|
"~capset"
|
||||||
|
"~setdomainname"
|
||||||
|
"~sethostname"
|
||||||
|
];
|
||||||
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
|
||||||
|
|
||||||
|
# Needs network access
|
||||||
|
PrivateNetwork = false;
|
||||||
|
# Cannot be true due to Node
|
||||||
|
MemoryDenyWriteExecute = false;
|
||||||
|
|
||||||
|
# The more restrictive "pid" option makes `nix` commands in CI emit
|
||||||
|
# "GC Warning: Couldn't read /proc/stat"
|
||||||
|
# You may want to set this to "pid" if not using `nix` commands
|
||||||
|
ProcSubset = "all";
|
||||||
|
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
|
||||||
|
# ASLR (address space layout randomization) which requires the
|
||||||
|
# `personality` syscall
|
||||||
|
# You may want to set this to `true` if not using coverage tooling on
|
||||||
|
# compiled code
|
||||||
|
LockPersonality = false;
|
||||||
|
|
||||||
|
# Note that this has some interactions with the User setting; so you may
|
||||||
|
# want to consult the systemd docs if using both.
|
||||||
|
DynamicUser = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users.users.nix-ci-user = {
|
||||||
|
group = "nix-ci-user";
|
||||||
|
description = "Used for running nix-based CI jobs";
|
||||||
|
home = "/var/empty";
|
||||||
|
isSystemUser = true;
|
||||||
|
};
|
||||||
|
users.groups.nix-ci-user = { };
|
||||||
|
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
package = pkgs.forgejo-actions-runner;
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
|
||||||
instances = {
|
instances = {
|
||||||
tanker = {
|
act = {
|
||||||
enable = true;
|
enable = true;
|
||||||
url = forgejoUrl;
|
url = forgejoUrl;
|
||||||
|
|
||||||
|
@ -19,6 +160,27 @@ in
|
||||||
"${tag}:docker://ghcr.io/catthehacker/ubuntu:act-latest"
|
"${tag}:docker://ghcr.io/catthehacker/ubuntu:act-latest"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
nix = {
|
||||||
|
enable = true;
|
||||||
|
url = forgejoUrl;
|
||||||
|
|
||||||
|
name = "${name}-nix";
|
||||||
|
tokenFile = config.age.secrets.forgejo-actions-token.path;
|
||||||
|
|
||||||
|
labels = [
|
||||||
|
"nix-${nixTag}:docker://forgejo-runner-nix"
|
||||||
|
];
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nix-ci-user --device=/dev/kvm";
|
||||||
|
container.valid_volumes = [
|
||||||
|
"/nix"
|
||||||
|
"${storeDeps}/bin"
|
||||||
|
"${storeDeps}/etc/ssl"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in a new issue