
forgejo/ci: better nix-based runner
All checks were successful
Build / build-amd64-linux (push) Successful in 53s
Build / build-arm64-linux (push) Successful in 2m31s

This commit is contained in:
Daniel Kempkens 2023-12-05 21:46:00 +01:00
parent 394799d66f
commit cb73afe887
Signed by: daniel
SSH key fingerprint: SHA256:Ks/MyhQYcPRQiwMKLAKquWCdCPe3JXlb1WttgnAoSeM
7 changed files with 220 additions and 51 deletions


@ -8,41 +8,46 @@ on:
- '.forgejo/workflows/build.yml' - '.forgejo/workflows/build.yml'
jobs: jobs:
build-amd64-linux: build-amd64-linux:
runs-on: ubuntu-latest-amd64 runs-on: nix-amd64
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- name: Install Nix - name: Cache Login
uses: https://github.com/DeterminateSystems/nix-installer-action@v4 run: |
with: echo "Logging in ..."
init: none attic login --set-default attic ${{ secrets.ATTIC_ENDPOINT }} ${{ secrets.ATTIC_TOKEN }}
planner: linux - name: Build attic-server
github-token: null run: |
- name: Setup Attic nix build '.#nixosConfigurations.tanker.pkgs.attic-server'
uses: https://github.com/ryanccn/attic-action@v0 attic push ${{ secrets.ATTIC_CACHE }} ./result
with: - name: Build attic-client
endpoint: ${{ secrets.ATTIC_ENDPOINT }} run: |
cache: ${{ secrets.ATTIC_CACHE }} nix build '.#nixosConfigurations.tanker.pkgs.attic-client'
token: ${{ secrets.ATTIC_TOKEN }} attic push ${{ secrets.ATTIC_CACHE }} ./result
- run: nix build '.#nixosConfigurations.tanker.pkgs.attic-server' - name: Build nginx
- run: nix build '.#nixosConfigurations.tanker.pkgs.attic-client' run: |
- run: nix build '.#nixosConfigurations.tanker.config.services.nginx.package' nix build '.#nixosConfigurations.tanker.config.services.nginx.package'
- run: nix build '.#nixosConfigurations.tanker.config.home-manager.users.daniel.programs.neovim.finalPackage' attic push ${{ secrets.ATTIC_CACHE }} ./result
- name: Build neovim
run: |
nix build '.#nixosConfigurations.tanker.config.home-manager.users.daniel.programs.neovim.finalPackage'
attic push ${{ secrets.ATTIC_CACHE }} ./result
build-arm64-linux: build-arm64-linux:
runs-on: ubuntu-latest-arm64 runs-on: nix-arm64
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v4
- name: Install Nix - name: Cache Login
uses: https://github.com/DeterminateSystems/nix-installer-action@v4 run: |
with: echo "Logging in ..."
init: none attic login --set-default attic ${{ secrets.ATTIC_ENDPOINT }} ${{ secrets.ATTIC_TOKEN }}
planner: linux - name: Build attic-client
github-token: null run: |
- name: Setup Attic nix build '.#nixosConfigurations.argon.pkgs.attic-client'
uses: https://github.com/ryanccn/attic-action@v0 attic push ${{ secrets.ATTIC_CACHE }} ./result
with: - name: Build nginx
endpoint: ${{ secrets.ATTIC_ENDPOINT }} run: |
cache: ${{ secrets.ATTIC_CACHE }} nix build '.#nixosConfigurations.argon.config.services.nginx.package'
token: ${{ secrets.ATTIC_TOKEN }} attic push ${{ secrets.ATTIC_CACHE }} ./result
- run: nix build '.#nixosConfigurations.argon.pkgs.attic-client' - name: Build neovim
- run: nix build '.#nixosConfigurations.argon.config.services.nginx.package' run: |
- run: nix build '.#nixosConfigurations.argon.config.home-manager.users.daniel.programs.neovim.finalPackage' nix build '.#nixosConfigurations.argon.config.home-manager.users.daniel.programs.neovim.finalPackage'
attic push ${{ secrets.ATTIC_CACHE }} ./result
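Review bot: `- uses: actions/checkout@v4` in both jobs pins the action to a mutable tag, so a self-hosted runner that shares the host's `/nix` (as the runner module in this commit configures) executes whatever that tag resolves to at fetch time; pinning to a full commit SHA, `- uses: actions/checkout@<checkout-commit-sha> # v4`, removes that moving part. The `Cache Login` steps also splice `${{ secrets.ATTIC_ENDPOINT }}` and `${{ secrets.ATTIC_TOKEN }}` directly into the shell script body; passing them via `env:` (`ATTIC_ENDPOINT: ${{ secrets.ATTIC_ENDPOINT }}`, `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}`) and running `attic login --set-default attic "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"` keeps the template expansion out of the script text and quotes the values, though the token still appears in the `attic` process's argument list either way. Whether a failing `nix build` stops the following `attic push` depends on the runner's default shell options (`-e`), which this file does not set explicitly; `set -e` at the top of each `run:` block would make that independent of the runner.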


@ -1,10 +1,12 @@
age-encryption.org/v1 age-encryption.org/v1
-> ssh-ed25519 MtGp6g jM+++wGqvWlj9wKwKdrS3d8xpwfLp1ks4GCh3sm/6zM -> ssh-ed25519 MtGp6g I3WQex/smit8a4Isd02PK5wjcjy2hUed3UJpd0y33So
QkBPJf0lBF617AFcko4KA/Aq6mi6eMWp/ye2Abf2fKk SyMzqODrDT5V8VEjp8ERWWa8f/LkJXOfB0I2v0/5xMk
-> ssh-ed25519 iO8/4g IGCdvdMB6PdiqxA9yamSUMCfH4Bk0JmtOuZt4WZrFGM -> ssh-ed25519 iO8/4g 7HVKn8hYsADqVUoaJZQq+VsnLa3fwRsDNEuAe4HYBmM
cz19imzpQAkWv+iCoUzBfMRC5D0yusCMQkROrjBhoJ0 ZZrHbVUtM0gKgIhSVARW7VhB3VVMd3kqu4aClviJYjE
-> PT|e-grease cJG6UW4o -> XGZy\BA-grease (7F_&
4G+Rp2jt1sZbGLxuKl7DgX1wl1kaOhhEjkloCeaHg0lt6P7bmjcg++jh6hWs7MhO ogqkD7AyPLaMX7ZRC+MXIHSUR0pRYFGGpQzLse/J+Xfn+d8Fca+ORmdZ7hszVCYV
dMp8SKY9 2+vZ3YeW5undYzkMjJuVyZf5qS/S5Mbp
--- VdFRpEBs74LJOqJNYwiGeb/wy/e7Wm+aFQnw3AI1pFw --- rVstDRi//LFd7AO4GKNShRHipPHwPdl1B3pKqYoNZms
r åkòBúxµvŠ™a ob""éh&éÅîb{ñÌH´òã,×q¢·Ã RSm½¤ûÃTûo ¾hB•gdµ ÷?GÒ¼n0©î Ä4AªhÜ!q¢aøtVµ!±Æòr![P+ÔDv·Ò'%F ¹Ê<C2B9>Ú$ü<>LŸPa
cÔÀiôkZÁÄ%@`èã<C3A8>“Åè&¡
å`[;


@ -87,11 +87,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1700927249, "lastModified": 1701775991,
"narHash": "sha256-iqmIWiEng890/ru7ZBf4nUezFPyRm2fjRTvuwwxqk2o=", "narHash": "sha256-/51DaSTzoW+wQfj5P9EnTbSxixDFjjhfnGdMKcSp+is=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "3cb78c93e6a02f494aaf6aeb37481c27a2e2ee22", "rev": "f84c3684900d11cf19f530070d32d55f0ed51374",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -22,7 +22,7 @@ in
../nixos/attic.nix ../nixos/attic.nix
(import ../nixos/forgejo-runner.nix (args // { name = "argon"; tag = "ubuntu-latest-arm64"; })) (import ../nixos/forgejo-runner.nix (args // { name = "argon"; tag = "ubuntu-latest-arm64"; nixTag = "arm64"; }))
../nixos/tailscale.nix ../nixos/tailscale.nix


@ -33,7 +33,7 @@ in
../nixos/fedifetcher.nix ../nixos/fedifetcher.nix
../nixos/forgejo.nix ../nixos/forgejo.nix
(import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; })) (import ../nixos/forgejo-runner.nix (args // { name = "tanker"; tag = "ubuntu-latest-amd64"; nixTag = "amd64"; }))
../nixos/headscale.nix ../nixos/headscale.nix


@ -1,14 +1,155 @@
{ pkgs, config, name, tag, ... }: { pkgs, config, name, tag, nixTag, ... }:
# Based on: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
let let
forgejoUrl = "https://git.kempkens.io"; forgejoUrl = "https://git.kempkens.io";
storeDeps = pkgs.runCommand "store-deps" { } ''
mkdir -p $out/bin
for dir in ${toString [ pkgs.attic-client pkgs.coreutils pkgs.findutils pkgs.gnugrep pkgs.gawk pkgs.git pkgs.nixVersions.stable pkgs.bash pkgs.jq pkgs.nodejs ]}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
in in
{ {
systemd.services = {
forgejo-runner-nix-image = {
wantedBy = [ "multi-user.target" ];
after = [ "podman.service" ];
requires = [ "podman.service" ];
path = [ config.virtualisation.podman.package pkgs.gnutar pkgs.shadow pkgs.getent ];
script = ''
set -eux -o pipefail
mkdir -p etc/nix
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nix-ci-user))
userid=$(cut -d: -f3 < <(getent passwd nix-ci-user))
groupadd --prefix $(pwd) --gid "$groupid" nix-ci-user
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nix-ci-user nix-ci-user
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
tar -cv . | tar -tvf -
tar -cv . | podman import - forgejo-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "forgejo-runner-nix-image";
WorkingDirectory = "/run/forgejo-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
};
};
forgejo-runner-nix = {
after = [ "forgejo-runner-nix-image.service" ];
requires = [ "forgejo-runner-nix-image.service" ];
serviceConfig = {
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~@swap"
# needed by go?
#"~@resources"
"~@privileged"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
};
};
};
users.users.nix-ci-user = {
group = "nix-ci-user";
description = "Used for running nix-based CI jobs";
home = "/var/empty";
isSystemUser = true;
};
users.groups.nix-ci-user = { };
services.gitea-actions-runner = { services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner; package = pkgs.forgejo-actions-runner;
instances = { instances = {
tanker = { act = {
enable = true; enable = true;
url = forgejoUrl; url = forgejoUrl;
@ -19,6 +160,27 @@ in
"${tag}:docker://ghcr.io/catthehacker/ubuntu:act-latest" "${tag}:docker://ghcr.io/catthehacker/ubuntu:act-latest"
]; ];
}; };
nix = {
enable = true;
url = forgejoUrl;
name = "${name}-nix";
tokenFile = config.age.secrets.forgejo-actions-token.path;
labels = [
"nix-${nixTag}:docker://forgejo-runner-nix"
];
settings = {
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nix-ci-user --device=/dev/kvm";
container.valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
};
};
}; };
}; };
} }
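Review bot: The hardening and ordering attached to `systemd.services.forgejo-runner-nix` in the first hunk most likely never reach the runner, because the NixOS `services.gitea-actions-runner` module (as far as I know) names its units `gitea-runner-<instance>`, so the new `nix` instance runs as `gitea-runner-nix.service` while `forgejo-runner-nix` is an orphan unit with no ExecStart; if that holds, the `after`/`requires` on `forgejo-runner-nix-image.service` and the entire `serviceConfig` block (`DynamicUser`, `SystemCallFilter`, `ProtectSystem`, …) apply to nothing and the runner may start before the podman image has been imported. Renaming the attribute to `gitea-runner-nix = {` should fix both, and is worth confirming with `systemctl cat gitea-runner-nix` after deployment. Separately, `accept-flake-config = true` in the generated `nix.conf` is a trust decision that deserves a comment, e.g. `# accept-flake-config: nixConfig from a checked-out flake is applied without prompting`, so the next maintainer sees it. In the second hunk, `container.options` passes `/dev/kvm` twice (`--device /dev/kvm` and `--device=/dev/kvm`); one of them can be dropped.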