From c6a1982ede092384e667aab50ae098eaf2d2dd7b Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 26 Mar 2024 01:56:59 +0800
Subject: [PATCH] calcite: use as forgejo runner

---
 machines/calcite/configuration.nix | 6 +
 machines/calcite/secrets.yaml | 5 +-
 modules/home-manager/git.nix | 2 +-
 modules/nixos/default.nix | 1 +
 modules/nixos/forgejo-actions-runner.nix | 34 ++++++
 oci-images/nix-ci-base/flake.lock | 134 +++++++++++++++++++++++
 oci-images/nix-ci-base/flake.nix | 68 ++++++++++++
 7 files changed, 247 insertions(+), 3 deletions(-)
 create mode 100644 modules/nixos/forgejo-actions-runner.nix
 create mode 100644 oci-images/nix-ci-base/flake.lock
 create mode 100644 oci-images/nix-ci-base/flake.nix

diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 5e0b056..f906f3b 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -259,11 +259,17 @@
 owner = "root";
 sopsFile = ./secrets.yaml;
 };
+ gitea_env = {
+ owner = "root";
+ sopsFile = ./secrets.yaml;
+ };
 };
 
 custom.restic.enable = true;
 custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
 custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
+ custom.forgejo-actions-runner.enable = true;
+ custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path;
 
 # MTP support
 services.gvfs.enable = true;
diff --git a/machines/calcite/secrets.yaml b/machines/calcite/secrets.yaml
index 90312d4..80381ef 100644
--- a/machines/calcite/secrets.yaml
+++ b/machines/calcite/secrets.yaml
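Review bot: The new secret is declared as `gitea_env` while every option it feeds in this hunk is `custom.forgejo-actions-runner.*`, so the name neither says which service owns the file nor what it contains, and a reader grepping for the runner's credentials will not find it. A service-specific name such as `forgejo_runner_env`, or at least a comment on the declaration, e.g. `# environment file read by the Forgejo actions runner instance`, would make the trail from secrets.yaml to the runner obvious; the `_env` suffix suggests an environment file rather than a bare token, but that is inferred, not visible here. The enclosing `sops.secrets` attribute set starts outside the hunk.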
@@ -1,6 +1,7 @@ restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str] restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str] sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str] +gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str] sops: kms: [] gcp_kms: [] @@ -25,8 +26,8 @@ sops: WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-07T16:18:51Z" - mac: ENC[AES256_GCM,data:lBbtSYZ/UxBPBVVa6Bg0NiZxhFcjEREGBPEgCZau+C9aMQcMJp4s+SPKRaBDGuf2ee95pwuyYOb6M9Jr9dQxRAoAubgyaxAXUrC6U5Q8+VlKxMdvfBNJ5m8OGbkwHACrjkaWTRfHB8rPMH/yuIuuSZl8AB1m2GcT8uoluTsCMGo=,iv:FmFLPhoaR/YAVEJhQIhoUrZGX4p+fw/iCf1BN+NdX/U=,tag:/rZTAt20hd9LretuOHhTbQ==,type:str] + lastmodified: "2024-03-25T13:44:27Z" + mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/modules/home-manager/git.nix b/modules/home-manager/git.nix index cee2e22..e198c0b 100644 --- a/modules/home-manager/git.nix +++ b/modules/home-manager/git.nix 
@@ -14,7 +14,7 @@ in
 enable = mkEnableOption "Git ssh signing";
 keyFile = mkOption {
 type = types.str;
- default = "~/.ssh/id.pub";
+ default = "~/.ssh/id_ecdsa.pub";
 };
 };
 };
diff --git a/modules/nixos/default.nix b/modules/nixos/default.nix
index 1a6a520..a19ba87 100644
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@@ -8,5 +8,6 @@
 ./sing-box.nix
 ./kanidm-client.nix
 ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
+ ./forgejo-actions-runner.nix
 ];
 }
diff --git a/modules/nixos/forgejo-actions-runner.nix b/modules/nixos/forgejo-actions-runner.nix
new file mode 100644
index 0000000..5b76c69
--- /dev/null
+++ b/modules/nixos/forgejo-actions-runner.nix
@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.custom.forgejo-actions-runner;
+in
+{
+ options = {
+ custom.forgejo-actions-runner = {
+ enable = lib.mkEnableOption "TPM supported ssh agent in go";
+ tokenFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ virtualisation.docker.enable = true;
+ services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
+ services.gitea-actions-runner.instances = {
+ "git.xinyang.life" = {
+ enable = true;
+ url = "https://git.xinyang.life";
+ tokenFile = cfg.tokenFile;
+ name = config.networking.hostName;
+ labels = [
+ "debian-latest:docker://node:18-bullseye"
+ "ubuntu-latest:docker://node:18-bullseye"
+ "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
+ ];
+ settings = {
+ container.network = "host";
+ };
+ };
+ };
+ };
+}
diff --git a/oci-images/nix-ci-base/flake.lock b/oci-images/nix-ci-base/flake.lock
new file mode 100644
index 0000000..82fcde6
--- /dev/null
+++ b/oci-images/nix-ci-base/flake.lock
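Review bot: The enable option's description `"TPM supported ssh agent in go"` in forgejo-actions-runner.nix is copied from the ssh-tpm-agent module and describes the wrong service; it should read `enable = lib.mkEnableOption "Forgejo actions runner";`. `tokenFile` has no `description` either, and because it is typed `lib.types.path` a Nix path literal assigned to it would be copied into the world-readable store at evaluation time, so the description should say it must be a runtime path (calcite passes the sops `.path`, which is fine) or the type should be `lib.types.str`. `container.network = "host"` puts every job container in the host's network namespace, so anything a workflow executes can reach services bound to localhost on this machine; if that is required (for example for the mirror substituters), a comment stating why would help, otherwise the default network is the safer choice. The job images are also referenced by mutable tags (`node:18-bullseye`, `xiny/nix-runner:2.21.0-pkgs-23.11`); pinning them by digest keeps the CI environment reproducible and guards against a retagged image.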
@@ -0,0 +1,134 @@ +{ + "nodes": { + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1673956053, + "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "libgit2": { + "flake": false, + "locked": { + "lastModified": 1697646580, + "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=", + "owner": "libgit2", + "repo": "libgit2", + "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5", + "type": "github" + }, + "original": { + "owner": "libgit2", + "repo": "libgit2", + "type": "github" + } + }, + "nix": { + "inputs": { + "flake-compat": "flake-compat", + "libgit2": "libgit2", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-regression": "nixpkgs-regression" + }, + "locked": { + "lastModified": 1710178469, + "narHash": "sha256-9b9qJ+7rGjLKbIswMf0/2pgUWH/xOlYLk7P4WYNcGDs=", + "owner": "nixos", + "repo": "nix", + "rev": "34807c8906a61219ec2e9132c9cf0bd4d29e1d12", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "2.21.0", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1711124224, + "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "56528ee42526794d413d6f244648aaee4a7b56c0", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-23.11", + "repo": "nixpkgs", + "type": "github" + } + }, + 
"nixpkgs-regression": { + "locked": { + "lastModified": 1643052045, + "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + }, + "original": { + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nix": "nix", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/oci-images/nix-ci-base/flake.nix b/oci-images/nix-ci-base/flake.nix new file mode 100644 index 0000000..56bba4f --- /dev/null +++ b/oci-images/nix-ci-base/flake.nix 
@@ -0,0 +1,68 @@
+{
+ inputs = {
+ nix.url = "github:/nixos/nix?ref=2.21.0";
+ nix.inputs.nixpkgs.follows = "nixpkgs";
+ nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs = {
+ self,
+ flake-utils,
+ nix,
+ nixpkgs,
+ ...
+ }:
+ flake-utils.lib.eachDefaultSystem (system: let
+ pkgs = (import nixpkgs) {
+ inherit system;
+ };
+ lib = pkgs.lib;
+ in rec {
+ packages = rec {
+ # a modified version of the nixos/nix image
+ # re-using the upstream nix docker image generation code
+ base = import (nix + "/docker.nix") {
+ inherit pkgs;
+ name = "nix-ci-base";
+ maxLayers = 10;
+ extraPkgs = with pkgs; [
+ nodejs_20 # nodejs is needed for running most 3rdparty actions
+ # add any other pre-installed packages here
+ ];
+ # change this is you want
+ channelURL = "https://nixos.org/channels/nixpkgs-23.11";
+ nixConf = {
+ substituters = [
+ "https://mirrors.bfsu.edu.cn/nix-channels/store"
+ "https://mirrors.ustc.edu.cn/nix-channels/store"
+ "https://cache.nixos.org/"
+
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ # allow using the new flake commands in our workflows
+ experimental-features = ["nix-command" "flakes"];
+ };
+ };
+ # make /bin/sleep available on the image
+ runner = pkgs.dockerTools.buildImage {
+ name = "nix-runner";
+ tag = "2.21.0-pkgs-23.11";
+
+ fromImage = base;
+ fromImageName = null;
+ fromImageTag = "latest";
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = [pkgs.coreutils-full];
+ pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin
+ };
+ };
+ };
+ });
+}
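Review bot: `lib = pkgs.lib;` in the `let` block is never referenced in the outputs, and the outer `in rec {` needs no `rec` because `packages` is its only attribute; dropping both keeps the expression minimal. The input URL `github:/nixos/nix?ref=2.21.0` carries a stray slash after the scheme — `nix.url = "github:nixos/nix/2.21.0";` is the conventional form (the lock file shows the current form resolved, so this is style only). Two comments have typos: `# change this is you want` should be `# change this if you want`, and `# add coreutuls (which includes sleep) to /bin` should be `# add coreutils (which includes sleep) to /bin`. The mirror substituters are acceptable as written because `trusted-public-keys` still requires every path to carry a cache.nixos.org or nix-community signature; a one-line comment saying so would save the next reader from asking.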