diff --git a/lib/constants.nix b/lib/constants.nix
index 4e202ad..2afaf08 100644
--- a/lib/constants.nix
+++ b/lib/constants.nix
@@ -1,10 +1,13 @@
 { lib }: rec {
+  # See https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
   ids = {
     uids = {
       matrix-syncv3 = 400;
+      gitea-runner = 401;
     };
     gids = {
       matrix-syncv3 = 400;
+      gitea-runner = 401;
     };
   };
diff --git a/nixos/boxes/colony/vms/shill/gitea.nix b/nixos/boxes/colony/vms/shill/gitea.nix
index 8344cc5..f59fc98 100644
--- a/nixos/boxes/colony/vms/shill/gitea.nix
+++ b/nixos/boxes/colony/vms/shill/gitea.nix
@@ -1,4 +1,4 @@
-{ lib, pkgs, config, ... }:
+{ lib, pkgs, config, assignments, allAssignments, ... }:
 let
   inherit (lib.my.c) pubDomain;
   inherit (lib.my.c.colony) prefixes;
@@ -72,6 +72,9 @@ in
           PASSWORD = "#mailerpass#";
           REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
         };
+        actions = {
+          ENABLED = true;
+        };
       };
     };
   };
@@ -98,6 +101,12 @@ in
             ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
           }
         }
+        table inet nat {
+          chain prerouting {
+            ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
+            ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
+          }
+        }
       '';
     };
   };
diff --git a/nixos/boxes/colony/vms/whale2/default.nix b/nixos/boxes/colony/vms/whale2/default.nix
index 6901b95..e72ebe8 100644
--- a/nixos/boxes/colony/vms/whale2/default.nix
+++ b/nixos/boxes/colony/vms/whale2/default.nix
@@ -63,6 +63,7 @@ in
         "${modulesPath}/profiles/qemu-guest.nix"
         ./valheim.nix
+        ./gitea-actions.nix
       ];
   config = mkMerge [
diff --git a/nixos/boxes/colony/vms/whale2/gitea-actions.nix b/nixos/boxes/colony/vms/whale2/gitea-actions.nix
new file mode 100644
index 0000000..a331557
--- /dev/null
+++ b/nixos/boxes/colony/vms/whale2/gitea-actions.nix
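Review bot: `actions.ENABLED = true` switches on Gitea Actions with every other `[actions]` key left at its default, so where `uses:` references are resolved from is implicit rather than chosen. Setting `DEFAULT_ACTIONS_URL` explicitly next to it would pin the source of third-party action code that the runner added in whale2/gitea-actions.nix will execute. A short comment such as `# Workflows run on the act_runner defined in whale2/gitea-actions.nix` would also record where repository-supplied code ends up executing. The enclosing `settings` attribute set starts before this hunk.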
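Review bot: The new `chain prerouting` inside `table inet nat` has no `type nat hook prerouting priority dstnat;` declaration, so unless that base chain is declared elsewhere in the merged ruleset these two `dnat` rules are attached to a regular chain that nothing jumps to and never take effect. The rules also match on destination only, while the filter rules just above restrict port 3000 to `${prefixes.all.v6}`; if the redirect is intended for internal clients (presumably the runner on whale2 resolving the Gitea hostname to this address), a matching `ip saddr`/`ip6 saddr` qualifier would keep the NAT and filter tables consistent. A one-line comment stating the purpose, e.g. `# Forward HTTP/HTTPS addressed to this host on to middleman`, would make the intent reviewable. The `''` ruleset string starts before this hunk.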
@@ -0,0 +1,62 @@
+{ lib, pkgs, config, ... }:
+let
+  inherit (builtins) toJSON;
+  inherit (lib) mkForce;
+  inherit (lib.my.c) pubDomain;
+
+  cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
+    container = {
+      network = "colony";
+    };
+  });
+in
+{
+  config = {
+    services = {
+      gitea-actions-runner.instances = {
+        main = {
+          enable = true;
+          name = "main-docker";
+          labels = [ ];
+          url = "https://git.${pubDomain}";
+          tokenFile = config.age.secrets."gitea/actions-runner.env".path;
+        };
+      };
+    };
+
+    users = with lib.my.c.ids; {
+      users = {
+        gitea-runner = {
+          isSystemUser = true;
+          uid = uids.gitea-runner;
+          group = "gitea-runner";
+          home = "/var/lib/gitea-runner";
+        };
+      };
+      groups = {
+        gitea-runner.gid = gids.gitea-runner;
+      };
+    };
+
+    systemd = {
+      services = {
+        gitea-runner-main.serviceConfig = {
+          # Needs to be able to read its secrets
+          DynamicUser = mkForce false;
+          User = "gitea-runner";
+          Group = "gitea-runner";
+          ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
+        };
+      };
+    };
+
+    my = {
+      secrets.files = {
+        "gitea/actions-runner.env" = {
+          owner = "gitea-runner";
+          group = "gitea-runner";
+        };
+      };
+    };
+  };
+}
diff --git a/nixos/modules/tmproot.nix b/nixos/modules/tmproot.nix
index 7aa4003..74f3cba 100644
--- a/nixos/modules/tmproot.nix
+++ b/nixos/modules/tmproot.nix
@@ -439,6 +439,16 @@ in
     (mkIf config.hardware.rasdaemon.enable {
       my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ];
     })
+    (mkIf (config.services.gitea-actions-runner.instances != { }) {
+      my.tmproot.persistence.config.directories = [
+        {
+          directory = "/var/lib/gitea-runner";
+          mode = "0750";
+          user = "gitea-runner";
+          group = "gitea-runner";
+        }
+      ];
+    })
   ]))
 ]);
diff --git a/secrets/gitea/actions-runner.env.age b/secrets/gitea/actions-runner.env.age
new file mode 100644
index 0000000..5b98860
--- /dev/null
+++ b/secrets/gitea/actions-runner.env.age
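Review bot: The runner executes workflow code supplied by repositories on `git.${pubDomain}`, and `container.network = "colony"` attaches every job container to that shared Docker network, so workflow steps can reach whatever else lives on it; the file should state whether that reach is intended, e.g. `# Jobs join the "colony" network to reach Gitea; everything else on that network is reachable from workflow code too`. `ExecStart = mkForce ...` replaces the module's command line, so anything the module derives from `labels`, `url` and `tokenFile` for the daemon invocation is dropped — if the module exposes a `settings` option for the runner config, routing `container.network` through it would keep the module's wiring intact instead of the hand-built `-c ${cfgFile}`. `labels = [ ]` also needs a comment on what label set the runner ends up advertising, since an empty list here presumably defers to act_runner's built-in defaults.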
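Review bot: This generic `mkIf` fires whenever any `gitea-actions-runner` instance exists, yet hard-codes `user = "gitea-runner"` and `/var/lib/gitea-runner`, which only exist on hosts that, like whale2/gitea-actions.nix, override the module's `DynamicUser` and define that static account. A host enabling an instance with the module defaults would get a persisted directory owned by a user that is never created. Either guard on the account being defined, `(mkIf (config.users.users ? gitea-runner) {`, or keep this block beside the configuration that creates the user; a comment such as `# Runner registration state lives here; relies on the static gitea-runner user from whale2/gitea-actions.nix` would record the coupling. The enclosing `mkMerge` list starts before this hunk.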
@@ -0,0 +1,11 @@ +-----BEGIN AGE ENCRYPTED FILE----- +YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyA0Ynpx +ZU84aTNsaCsrd0ZXRHQxZmt6dnpGNUViQlhJSEs2d0lVQWhWN3gwCi9KQmJPN092 +Tjl5UjFNeWtsdXhtNjhFdlNrS0Ezb1lqT1NjNDY2ZXd1cFUKLT4gWDI1NTE5IFRT +Rld4NUNOaHB0b0l2eTQ5STB5V0dnZS9YUjF1RTZ5VndDaW5SYzg3aU0KcU9jbDlx +czZkVm5pUVlmdEw1MEVheU9QN3hpRzlUbFR1WTdNOEpKU3lNTQotPiBkXDItZ3Jl +YXNlCnQrY3FaendQNVF6RXNUWGZ4TE81QXJycC9kVTZjMDY4dnVLVkhIVWlMSlRS +NjRsL0o0YVlUUQotLS0gY0tlekNPbzdaa1EySlA2bkdqbmRMbUhUVm01NjJ1MEgv +K2dqcDhQL3BCdwpUfh9ODJOtZ0jkeOSdCj17XbuALje7tBa41o2nl6at+WIgiodJ +xZ+COxUZ4W1ehK2Nrjqe0zGL08JwHB3vt3Y5oitdlrjZcQRsBmM/GRKu +-----END AGE ENCRYPTED FILE-----