calcite: use as forgejo runner

machines/calcite/configuration.nix

@@ -259,11 +259,17 @@
       owner = "root";
       sopsFile = ./secrets.yaml;
     };
+    gitea_env = {
+      owner = "root";
+      sopsFile = ./secrets.yaml;
+    };
   };
   custom.restic.enable = true;
   custom.restic.repositoryFile = config.sops.secrets.restic_repo_calcite.path;
   custom.restic.passwordFile = config.sops.secrets.restic_repo_calcite_password.path;
 
+  custom.forgejo-actions-runner.enable = true;
+  custom.forgejo-actions-runner.tokenFile = config.sops.secrets.gitea_env.path;
 
   # MTP support
   services.gvfs.enable = true;

machines/calcite/secrets.yaml

@@ -1,6 +1,7 @@
 restic_repo_calcite_password: ENC[AES256_GCM,data:9ALTQULAMyLY4FIxuVztf9r3,iv:fObBBeqpHAVYl8YUopz9fZd3YWB+0sc8l+sR12rmxb4=,tag:l3xDc2/cpQr38X/cd7qMXA==,type:str]
 restic_repo_calcite: ENC[AES256_GCM,data:+m9cjMXrZoCPg/S+/wV4WFBmg6pbFpqJ7JOdwOX0Z37bgoQXh4wcVPKK3CLd7G/iQjpO8SXaqJ1/d8r4Ydk21Gp1WqkB8g==,iv:DweDUujXp6i5XwwxeFjUsLDOJQJlRIT6GKPPxABNWiY=,tag:hdBHIjAcDQ1Ky/8hIv3+Ow==,type:str]
 sing_box_url: ENC[AES256_GCM,data:2z2bDKdn51o1eaqhgE0pTg4FWcO8wcLNlnBZ69Q3Jm5GCxkXxsxN7DgqQvRVeakOHvaenQotF+nc6tlhKPsyzdQeG0yl3YYhGb9o3DkmpUjC6lalMSoiw1rSMVyBg4KYCWxmhR9iRurun62+5INGZwwHVqAjgWJhy/9+pdIFtgKyd/t0JhSU,iv:gIGbvRd88vZu3cVW7e4emZmmNO8QcubLrxS1sCwi4Co=,tag:AzLLtcA9jAbeuo6eWU6ilw==,type:str]
+gitea_env: ENC[AES256_GCM,data:hENSYBo2Zp9s+dVv9CHkf1kDqa+AU5XQFUWfww/rwGqFeZW0aouHMSxdW7ORU2o=,iv:KmqU1VnZ6LeIflBJ2hyTvLDPN/CSdqyBd2600xIVSNQ=,tag:DkwVTLuYJG6kEzl5dyV8pw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -25,8 +26,8 @@ sops:
             WGlLdXVoZlp3bEFXZjlMdG1VOUZDNUkKQ2NNTE3OsNUr2pOI7qeNFSCVkUIVRS+g
             FG5FbJJcFihXqr+Qo0nZkq+xq07vIia7mKoqyoIfkKwweiVzDKyrkQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-01-07T16:18:51Z"
-    mac: ENC[AES256_GCM,data:lBbtSYZ/UxBPBVVa6Bg0NiZxhFcjEREGBPEgCZau+C9aMQcMJp4s+SPKRaBDGuf2ee95pwuyYOb6M9Jr9dQxRAoAubgyaxAXUrC6U5Q8+VlKxMdvfBNJ5m8OGbkwHACrjkaWTRfHB8rPMH/yuIuuSZl8AB1m2GcT8uoluTsCMGo=,iv:FmFLPhoaR/YAVEJhQIhoUrZGX4p+fw/iCf1BN+NdX/U=,tag:/rZTAt20hd9LretuOHhTbQ==,type:str]
+    lastmodified: "2024-03-25T13:44:27Z"
+    mac: ENC[AES256_GCM,data:RPm7Y6R19Ygs2tptgQNap4AMZ2PgRwigGXVMpNcBT94L1YJoSGaJUDwukqHuzHGPvOqMZaEMIlorWQ5Ou7MSVhWZE2V8IsRCC5IWqcFI1FQjKc9WcImuIXPILKwCX+ScWrzbSmV0iYWxbeXTPU77pW4kAB7n4w/9CZfMP8BJcOw=,iv:sS0ttKYmaulWAY99awyBGCNpGxg8F0QCxeVmI2LbvP8=,tag:Av8VRPEmyeVV31S59sfPYA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1

modules/home-manager/git.nix

@@ -14,7 +14,7 @@ in
           enable = mkEnableOption "Git ssh signing";
           keyFile = mkOption {
             type = types.str;
-            default = "~/.ssh/id.pub";
+            default = "~/.ssh/id_ecdsa.pub";
           };
         };
       };

modules/nixos/default.nix

@@ -8,5 +8,6 @@
     ./sing-box.nix
     ./kanidm-client.nix
     ./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
+    ./forgejo-actions-runner.nix
   ];
 }

modules/nixos/forgejo-actions-runner.nix

@@ -0,0 +1,34 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.custom.forgejo-actions-runner;
+in
+{
+  options = {
+    custom.forgejo-actions-runner = {
+      enable = lib.mkEnableOption "TPM supported ssh agent in go";
+      tokenFile = lib.mkOption {
+        type = lib.types.path;
+      };
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    virtualisation.docker.enable = true;
+    services.gitea-actions-runner.package = pkgs.forgejo-actions-runner;
+    services.gitea-actions-runner.instances = {
+      "git.xinyang.life" = {
+        enable = true;
+        url = "https://git.xinyang.life";
+        tokenFile = cfg.tokenFile;
+        name = config.networking.hostName;
+        labels = [
+          "debian-latest:docker://node:18-bullseye"
+          "ubuntu-latest:docker://node:18-bullseye"
+          "nix:docker://xiny/nix-runner:2.21.0-pkgs-23.11"
+        ];
+        settings = {
+          container.network = "host";
+        };
+      };
+    };
+  };
+}

oci-images/nix-ci-base/flake.lock

@@ -0,0 +1,134 @@
+{
+  "nodes": {
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "libgit2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1697646580,
+        "narHash": "sha256-oX4Z3S9WtJlwvj0uH9HlYcWv+x1hqp8mhXl7HsLu2f0=",
+        "owner": "libgit2",
+        "repo": "libgit2",
+        "rev": "45fd9ed7ae1a9b74b957ef4f337bc3c8b3df01b5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "libgit2",
+        "repo": "libgit2",
+        "type": "github"
+      }
+    },
+    "nix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "libgit2": "libgit2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": "nixpkgs-regression"
+      },
+      "locked": {
+        "lastModified": 1710178469,
+        "narHash": "sha256-9b9qJ+7rGjLKbIswMf0/2pgUWH/xOlYLk7P4WYNcGDs=",
+        "owner": "nixos",
+        "repo": "nix",
+        "rev": "34807c8906a61219ec2e9132c9cf0bd4d29e1d12",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "2.21.0",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1711124224,
+        "narHash": "sha256-l0zlN/3CiodvWDtfBOVxeTwYSRz93muVbXWSpaMjXxM=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "56528ee42526794d413d6f244648aaee4a7b56c0",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-regression": {
+      "locked": {
+        "lastModified": 1643052045,
+        "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nix": "nix",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

oci-images/nix-ci-base/flake.nix

@@ -0,0 +1,68 @@
+{
+  inputs = {
+    nix.url = "github:/nixos/nix?ref=2.21.0";
+    nix.inputs.nixpkgs.follows = "nixpkgs";
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.11";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = {
+    self,
+    flake-utils,
+    nix,
+    nixpkgs,
+    ...
+  }:
+    flake-utils.lib.eachDefaultSystem (system: let
+      pkgs = (import nixpkgs) {
+        inherit system;
+      };
+      lib = pkgs.lib;
+    in rec {
+      packages = rec {
+        # a modified version of the nixos/nix image
+        # re-using the upstream nix docker image generation code
+        base = import (nix + "/docker.nix") {
+          inherit pkgs;
+          name = "nix-ci-base";
+          maxLayers = 10;
+          extraPkgs = with pkgs; [
+            nodejs_20 # nodejs is needed for running most 3rdparty actions
+            # add any other pre-installed packages here
+          ];
+          # change this is you want 
+          channelURL = "https://nixos.org/channels/nixpkgs-23.11";
+          nixConf = {
+            substituters = [
+              "https://mirrors.bfsu.edu.cn/nix-channels/store"
+              "https://mirrors.ustc.edu.cn/nix-channels/store"
+              "https://cache.nixos.org/"
+
+              "https://nix-community.cachix.org"
+            ];
+            trusted-public-keys = [
+              "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+              "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+            ];
+            # allow using the new flake commands in our workflows
+            experimental-features = ["nix-command" "flakes"];
+          };
+        };
+        # make /bin/sleep available on the image
+        runner = pkgs.dockerTools.buildImage {
+          name = "nix-runner";
+          tag = "2.21.0-pkgs-23.11";
+
+          fromImage = base;
+          fromImageName = null;
+          fromImageTag = "latest";
+
+          copyToRoot = pkgs.buildEnv {
+            name = "image-root";
+            paths = [pkgs.coreutils-full];
+            pathsToLink = ["/bin"]; # add coreutuls (which includes sleep) to /bin
+          };
+        };
+      };
+    });
+}