nixos/gitea: Set up Gitea Actions

This commit is contained in:
Jack O'Sullivan 2023-11-13 14:24:08 +01:00
parent 17324455de
commit f8c7183594
6 changed files with 97 additions and 1 deletions


@ -1,10 +1,13 @@
{ lib }: rec { { lib }: rec {
# See https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix
ids = { ids = {
uids = { uids = {
matrix-syncv3 = 400; matrix-syncv3 = 400;
gitea-runner = 401;
}; };
gids = { gids = {
matrix-syncv3 = 400; matrix-syncv3 = 400;
gitea-runner = 401;
}; };
}; };


@ -1,4 +1,4 @@
{ lib, pkgs, config, ... }: { lib, pkgs, config, assignments, allAssignments, ... }:
let let
inherit (lib.my.c) pubDomain; inherit (lib.my.c) pubDomain;
inherit (lib.my.c.colony) prefixes; inherit (lib.my.c.colony) prefixes;
@ -72,6 +72,9 @@ in
PASSWORD = "#mailerpass#"; PASSWORD = "#mailerpass#";
REPLY_TO_ADDRESS = "git+%{token}@nul.ie"; REPLY_TO_ADDRESS = "git+%{token}@nul.ie";
}; };
actions = {
ENABLED = true;
};
}; };
}; };
}; };
@ -98,6 +101,12 @@ in
ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept ip6 saddr ${prefixes.all.v6} tcp dport 3000 accept
} }
} }
table inet nat {
chain prerouting {
ip daddr ${assignments.internal.ipv4.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv4.address}
ip6 daddr ${assignments.internal.ipv6.address} tcp dport { http, https } dnat to ${allAssignments.middleman.internal.ipv6.address}
}
}
''; '';
}; };
}; };
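Review bot: `actions = { ENABLED = true; }` switches Gitea Actions on with every other `[actions]` key at its default, and as far as I recall the default `DEFAULT_ACTIONS_URL` resolves bare `uses:` references against github.com, so workflows in any repository on this instance will fetch third-party action code from an external forge; either set that key explicitly or record the decision with a comment such as `# Actions are fetched from the upstream default; set DEFAULT_ACTIONS_URL if jobs must not reach github.com`. The later hunk's `table inet nat` prerouting rule only rewrites the destination: unless IP forwarding and a matching postrouting rule exist outside this hunk, replies from middleman leave with middleman's own source address and the original client will drop them, so confirm the DNAT'd path is actually exercised and, if it is, comment which callers it is meant for. The enclosing `settings` attribute set and the nftables ruleset string both begin outside the hunk.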


@ -63,6 +63,7 @@ in
"${modulesPath}/profiles/qemu-guest.nix" "${modulesPath}/profiles/qemu-guest.nix"
./valheim.nix ./valheim.nix
./gitea-actions.nix
]; ];
config = mkMerge [ config = mkMerge [


@ -0,0 +1,62 @@
{ lib, pkgs, config, ... }:
let
inherit (builtins) toJSON;
inherit (lib) mkForce;
inherit (lib.my.c) pubDomain;
cfgFile = pkgs.writeText "gitea-actions-runner.yaml" (toJSON {
container = {
network = "colony";
};
});
in
{
config = {
services = {
gitea-actions-runner.instances = {
main = {
enable = true;
name = "main-docker";
labels = [ ];
url = "https://git.${pubDomain}";
tokenFile = config.age.secrets."gitea/actions-runner.env".path;
};
};
};
users = with lib.my.c.ids; {
users = {
gitea-runner = {
isSystemUser = true;
uid = uids.gitea-runner;
group = "gitea-runner";
home = "/var/lib/gitea-runner";
};
};
groups = {
gitea-runner.gid = gids.gitea-runner;
};
};
systemd = {
services = {
gitea-runner-main.serviceConfig = {
# Needs to be able to read its secrets
DynamicUser = mkForce false;
User = "gitea-runner";
Group = "gitea-runner";
ExecStart = mkForce "${config.services.gitea-actions-runner.package}/bin/act_runner -c ${cfgFile} daemon";
};
};
};
my = {
secrets.files = {
"gitea/actions-runner.env" = {
owner = "gitea-runner";
group = "gitea-runner";
};
};
};
};
}
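Review bot: `container.network = "colony"` in `cfgFile` attaches every job container to the shared `colony` network, so any workflow a user can trigger on this instance runs with direct network reach to whatever else is on that network, and the act_runner daemon itself needs Docker access, which is effectively root on this host; neither consequence is documented. Suggest a comment above `cfgFile` along the lines of `# Jobs run as Docker containers on the "colony" network: anything reachable there is reachable from workflow code, so keep Actions restricted to trusted repos/users on the Gitea side`. The `ExecStart = mkForce …` line replaces whatever the NixOS module's own ExecStart passes, so it silently diverges on each nixpkgs bump; if the module version in use exposes a per-instance settings/config option, prefer it over overriding ExecStart, and otherwise note why the override is needed. `labels = [ ]` presumably leaves the registration labels to act_runner's built-in defaults, which may be broader than intended; a one-line comment stating the intended label set would make that explicit.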


@ -439,6 +439,16 @@ in
(mkIf config.hardware.rasdaemon.enable { (mkIf config.hardware.rasdaemon.enable {
my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ]; my.tmproot.persistence.config.directories = [ "/var/lib/rasdaemon" ];
}) })
(mkIf (config.services.gitea-actions-runner.instances != { }) {
my.tmproot.persistence.config.directories = [
{
directory = "/var/lib/gitea-runner";
mode = "0750";
user = "gitea-runner";
group = "gitea-runner";
}
];
})
])) ]))
]); ]);
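Review bot: The new `mkIf` entry hard-codes `user = "gitea-runner"` and `group = "gitea-runner"` while keying only on `config.services.gitea-actions-runner.instances != { }`; the account itself appears to be declared in a separate per-host module rather than next to this block, so a host that defines a runner instance without importing that module would get a persistence entry for a user that does not exist. Either guard on the account too, e.g. `(mkIf (config.services.gitea-actions-runner.instances != { } && config.users.users ? gitea-runner) {`, or move the user/group declaration alongside this entry so the two stay in step. The condition also fires for instances with `enable = false`, which is harmless but worth a comment if intentional. The enclosing `mkMerge` list begins outside the hunk.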


@ -0,0 +1,11 @@
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IC9FSlh2ZyA0Ynpx
ZU84aTNsaCsrd0ZXRHQxZmt6dnpGNUViQlhJSEs2d0lVQWhWN3gwCi9KQmJPN092
Tjl5UjFNeWtsdXhtNjhFdlNrS0Ezb1lqT1NjNDY2ZXd1cFUKLT4gWDI1NTE5IFRT
Rld4NUNOaHB0b0l2eTQ5STB5V0dnZS9YUjF1RTZ5VndDaW5SYzg3aU0KcU9jbDlx
czZkVm5pUVlmdEw1MEVheU9QN3hpRzlUbFR1WTdNOEpKU3lNTQotPiBkXDItZ3Jl
YXNlCnQrY3FaendQNVF6RXNUWGZ4TE81QXJycC9kVTZjMDY4dnVLVkhIVWlMSlRS
NjRsL0o0YVlUUQotLS0gY0tlekNPbzdaa1EySlA2bkdqbmRMbUhUVm01NjJ1MEgv
K2dqcDhQL3BCdwpUfh9ODJOtZ0jkeOSdCj17XbuALje7tBa41o2nl6at+WIgiodJ
xZ+COxUZ4W1ehK2Nrjqe0zGL08JwHB3vt3Y5oitdlrjZcQRsBmM/GRKu
-----END AGE ENCRYPTED FILE-----