nixos/gitea: Set up Gitea Actions
This commit is contained in:
@@ -1,10 +1,13 @@
|
|||||||
{ lib }: rec {
|
{ lib }: rec {
|
||||||
|
# See https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
|
||||||
ids = {
|
ids = {
|
||||||
uids = {
|
uids = {
|
||||||
matrix-syncv3 = 400;
|
matrix-syncv3 = 400;
|
||||||
|
gitea-runner = 401;
|
||||||
};
|
};
|
||||||
gids = {
|
gids = {
|
||||||
matrix-syncv3 = 400;
|
matrix-syncv3 = 400;
|
||||||
|
gitea-runner = 401;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ lib, pkgs, config, ... }:
|
{ lib, pkgs, config, assignments, allAssignments, ... }:
|
||||||
let
|
let
|
||||||
inherit (lib.my.c) pubDomain;
|
inherit (lib.my.c) pubDomain;
|
||||||
inherit (lib.my.c.colony) prefixes;
|
inherit (lib.my.c.colony) prefixes;
|
||||||
@@ -72,6 +72,9 @@ in
|
|||||||
PASSWORD = "#mailerpass#";
|
PASSWORD = "#mailerpass#";
|
||||||
REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
|
REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
|
||||||
};
|
};
|
||||||
|
actions = {
|
||||||
|
ENABLED = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -98,6 +101,12 @@ in
|
|||||||
ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
|
ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
table inet nat {
|
||||||
|
chain prerouting {
|
||||||
|
ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
|
||||||
|
ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
|
||||||
|
}
|
||||||
|
}
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -63,6 +63,7 @@ in
|
|||||||
"${modulesPath}/profiles/qemu-guest.nix"
|
"${modulesPath}/profiles/qemu-guest.nix"
|
||||||
|
|
||||||
./valheim.nix
|
./valheim.nix
|
||||||
|
./gitea-actions.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
config = mkMerge [
|
config = mkMerge [
|
||||||
|
|||||||
62
nixos/boxes/colony/vms/whale2/gitea-actions.nix
Normal file
62
nixos/boxes/colony/vms/whale2/gitea-actions.nix
Normal file
@@ -0,0 +1,62 @@
|
|||||||
|
{ lib, pkgs, config, ... }:
|
||||||
|
let
|
||||||
|
inherit (builtins) toJSON;
|
||||||
|
inherit (lib) mkForce;
|
||||||
|
inherit (lib.my.c) pubDomain;
|
||||||
|
|
||||||
|
cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
|
||||||
|
container = {
|
||||||
|
network = "colony";
|
||||||
|
};
|
||||||
|
});
|
||||||
|
in
|
||||||
|
{
|
||||||
|
config = {
|
||||||
|
services = {
|
||||||
|
gitea-actions-runner.instances = {
|
||||||
|
main = {
|
||||||
|
enable = true;
|
||||||
|
name = "main-docker";
|
||||||
|
labels = [ ];
|
||||||
|
url = "https://git.${pubDomain}";
|
||||||
|
tokenFile = config.age.secrets."gitea/actions-runner.env".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
users = with lib.my.c.ids; {
|
||||||
|
users = {
|
||||||
|
gitea-runner = {
|
||||||
|
isSystemUser = true;
|
||||||
|
uid = uids.gitea-runner;
|
||||||
|
group = "gitea-runner";
|
||||||
|
home = "/var/lib/gitea-runner";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
groups = {
|
||||||
|
gitea-runner.gid = gids.gitea-runner;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd = {
|
||||||
|
services = {
|
||||||
|
gitea-runner-main.serviceConfig = {
|
||||||
|
# Needs to be able to read its secrets
|
||||||
|
DynamicUser = mkForce false;
|
||||||
|
User = "gitea-runner";
|
||||||
|
Group = "gitea-runner";
|
||||||
|
ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
my = {
|
||||||
|
secrets.files = {
|
||||||
|
"gitea/actions-runner.env" = {
|
||||||
|
owner = "gitea-runner";
|
||||||
|
group = "gitea-runner";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -439,6 +439,16 @@ in
|
|||||||
(mkIf config.hardware.rasdaemon.enable {
|
(mkIf config.hardware.rasdaemon.enable {
|
||||||
my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ];
|
my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ];
|
||||||
})
|
})
|
||||||
|
(mkIf (config.services.gitea-actions-runner.instances != { }) {
|
||||||
|
my.tmproot.persistence.config.directories = [
|
||||||
|
{
|
||||||
|
directory = "/var/lib/gitea-runner";
|
||||||
|
mode = "0750";
|
||||||
|
user = "gitea-runner";
|
||||||
|
group = "gitea-runner";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
})
|
||||||
]))
|
]))
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
|||||||
11
secrets/gitea/actions-runner.env.age
Normal file
11
secrets/gitea/actions-runner.env.age
Normal file
@@ -0,0 +1,11 @@
|
|||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyA0Ynpx
|
||||||
|
ZU84aTNsaCsrd0ZXRHQxZmt6dnpGNUViQlhJSEs2d0lVQWhWN3gwCi9KQmJPN092
|
||||||
|
Tjl5UjFNeWtsdXhtNjhFdlNrS0Ezb1lqT1NjNDY2ZXd1cFUKLT4gWDI1NTE5IFRT
|
||||||
|
Rld4NUNOaHB0b0l2eTQ5STB5V0dnZS9YUjF1RTZ5VndDaW5SYzg3aU0KcU9jbDlx
|
||||||
|
czZkVm5pUVlmdEw1MEVheU9QN3hpRzlUbFR1WTdNOEpKU3lNTQotPiBkXDItZ3Jl
|
||||||
|
YXNlCnQrY3FaendQNVF6RXNUWGZ4TE81QXJycC9kVTZjMDY4dnVLVkhIVWlMSlRS
|
||||||
|
NjRsL0o0YVlUUQotLS0gY0tlekNPbzdaa1EySlA2bkdqbmRMbUhUVm01NjJ1MEgv
|
||||||
|
K2dqcDhQL3BCdwpUfh9ODJOtZ0jkeOSdCj17XbuALje7tBa41o2nl6at+WIgiodJ
|
||||||
|
xZ+COxUZ4W1ehK2Nrjqe0zGL08JwHB3vt3Y5oitdlrjZcQRsBmM/GRKu
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
Reference in New Issue
Block a user