From 6fe192136067982be14c8dfc35f5ca33a1a8257d Mon Sep 17 00:00:00 2001 From: Kat Inskip Date: Mon, 13 Oct 2025 09:09:58 -0700 Subject: [PATCH] fix(forgejo-runner): maybe? --- .github/workflows/flake-update.yml | 2 + .github/workflows/nodes.yml | 7 ++ ci/flake-cron.nix | 2 + ci/nodes.nix | 3 + .../servers/forgejo-runner/forgejo-runner.nix | 107 +++++++++++------- .../forgejo-runner/forgejo-runner.yaml | 4 +- 6 files changed, 82 insertions(+), 43 deletions(-) diff --git a/.github/workflows/flake-update.yml b/.github/workflows/flake-update.yml index b82e62b5..0b9fd5fb 100644 --- a/.github/workflows/flake-update.yml +++ b/.github/workflows/flake-update.yml @@ -5,6 +5,7 @@ env: CI_CONFIG: ./ci/flake-cron.nix CI_PLATFORM: gh-actions DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} jobs: ci-check: name: flake-update check @@ -52,6 +53,7 @@ jobs: NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' NF_UPDATE_GIT_COMMIT: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: flake-update name: flake update build run: nix run .#nf-update diff --git a/.github/workflows/nodes.yml b/.github/workflows/nodes.yml index 892279cc..57ce1e7f 100644 --- a/.github/workflows/nodes.yml +++ b/.github/workflows/nodes.yml @@ -5,6 +5,7 @@ env: CI_CONFIG: ./ci/nodes.nix CI_PLATFORM: gh-actions DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} jobs: ci-check: name: nodes check @@ -51,6 +52,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: home-base name: build home closure for home-base run: nix run .#nf-build-system -- homeConfigurations.home-base.activationPackage 
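Review bot: The workflow-level `env:` block in `flake-update.yml` now carries `NIX_CONFIG: ${{ secrets.NIX_CONFIG }}`, which exposes the secret to every step of every job — checkout, installer and Cachix actions included — while the second hunk also adds it to the `flake update build` step that actually runs Nix. Keeping only the step-level entry and deleting the top-level one limits which third-party action code ever sees the value. That matters because `NIX_CONFIG` is free-form: if it carries `access-tokens` or `netrc-file` it is a credential, and if it carries `extra-substituters`/`extra-trusted-public-keys` it silently changes what this job trusts to build before `NF_UPDATE_CACHIX_PUSH: '1'` pushes the result and `NF_UPDATE_GIT_COMMIT: '1'` commits the lock update. `CI_CONFIG` points at `ci/flake-cron.nix`, which suggests this YAML is generated, so the fix belongs in the generator rather than in the workflow file itself.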
@@ -113,6 +115,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: home-graphical name: build home closure for home-graphical run: nix run .#nf-build-system -- homeConfigurations.home-graphical.activationPackage @@ -175,6 +178,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: home-neovim name: build home closure for home-neovim run: nix run .#nf-build-system -- homeConfigurations.home-neovim.activationPackage @@ -237,6 +241,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: home-shell name: build home closure for home-shell run: nix run .#nf-build-system -- homeConfigurations.home-shell.activationPackage @@ -299,6 +304,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: mai name: build system closure for mai run: nix run .#nf-build-system -- nixosConfigurations.mai.config.system.build.toplevel @@ -361,6 +367,7 @@ jobs: DISCORD_WEBHOOK_LINK: ${{ secrets.DISCORD_WEBHOOK_LINK }} NF_CONFIG_ROOT: ${{ github.workspace }} NF_UPDATE_CACHIX_PUSH: '1' + NIX_CONFIG: ${{ secrets.NIX_CONFIG }} id: mei name: build system closure for mei run: nix run .#nf-build-system -- nixosConfigurations.mei.config.system.build.toplevel diff --git a/ci/flake-cron.nix b/ci/flake-cron.nix index 6b7644be..0c9071a9 100644 --- a/ci/flake-cron.nix +++ b/ci/flake-cron.nix 
@@ -13,6 +13,7 @@ with lib; { CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}"; CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; DISCORD_WEBHOOK_LINK = "\${{ secrets.DISCORD_WEBHOOK_LINK }}"; + NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}"; }; on = let paths = [ @@ -46,6 +47,7 @@ with lib; { NF_UPDATE_GIT_COMMIT = "1"; NF_UPDATE_CACHIX_PUSH = "1"; NF_CONFIG_ROOT = "\${{ github.workspace }}"; + NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}"; }; }; }; diff --git a/ci/nodes.nix b/ci/nodes.nix index 1eb8a7be..1de58cd1 100644 --- a/ci/nodes.nix +++ b/ci/nodes.nix @@ -17,6 +17,7 @@ in { CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}"; CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; DISCORD_WEBHOOK_LINK = "\${{ secrets.DISCORD_WEBHOOK_LINK }}"; + NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}"; }; on = let paths = [ @@ -41,6 +42,7 @@ in { order = 500; run = "nix run .#nf-build-system -- nixosConfigurations.${name}.config.system.build.toplevel ${name} NixOS"; env = { + NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}"; CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}"; CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; DISCORD_WEBHOOK_LINK = "\${{ secrets.DISCORD_WEBHOOK_LINK }}"; @@ -56,6 +58,7 @@ in { order = 500; run = "nix run .#nf-build-system -- homeConfigurations.${name}.activationPackage ${name} Home"; env = { + NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}"; CACHIX_AUTH_TOKEN = "\${{ secrets.CACHIX_AUTH_TOKEN }}"; CACHIX_SIGNING_KEY = "\${{ secrets.CACHIX_SIGNING_KEY }}"; DISCORD_WEBHOOK_LINK = "\${{ secrets.DISCORD_WEBHOOK_LINK }}"; diff --git a/nixos/servers/forgejo-runner/forgejo-runner.nix b/nixos/servers/forgejo-runner/forgejo-runner.nix index ba5d6f64..493aa4d5 100644 --- a/nixos/servers/forgejo-runner/forgejo-runner.nix +++ b/nixos/servers/forgejo-runner/forgejo-runner.nix 
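Review bot: In `ci/nodes.nix` the new `NIX_CONFIG = "\${{ secrets.NIX_CONFIG }}";` is emitted both into the top-level `env` set and into each generated step's `env`, so the per-step copies are redundant once the workflow-level one exists; keep only the step-level entries so that just the `nix run .#nf-build-system` step receives the secret and the checkout/Cachix actions do not. Nothing in the patch says what the secret is expected to contain, and a Nix config blob can set anything from `access-tokens` to `extra-trusted-public-keys`, so a trust decision for what gets built and pushed to Cachix is hidden inside a GitHub secret rather than reviewable in this repo. I would document the intended contents next to the step env, e.g. `# NIX_CONFIG (secret): expected to hold only access-tokens for private inputs; substituters/trusted keys belong in the flake's nixConfig — TODO confirm`. The surrounding `env = { ... }` attribute sets begin and end outside the hunks.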
@@ -1,48 +1,73 @@ { pkgs, config, + options, + lib, ... }: { - sops.secrets.forgejo-runner-token = { - format = "yaml"; - sopsFile = ./forgejo-runner.yaml; - }; - virtualisation.podman.enable = true; - services.gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = config.networking.hostName; - url = "https://git.kittywit.ch"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - tokenFile = config.sops.secrets.forgejo-runner-token.path; - labels = let - arches = { - x86_64-linux = [ - "ubuntu-latest:docker://node:16-bullseye" - "ubuntu-22.04:docker://node:16-bullseye" - "ubuntu-20.04:docker://node:16-bullseye" - "ubuntu-18.04:docker://node:16-buster" - "nixos-latest:docker://nixos/nix" - "ubuntu-latest-x86_64:docker://node:16-bullseye" - "ubuntu-22.04-x86_64:docker://node:16-bullseye" - "ubuntu-20.04_x86_64:docker://node:16-bullseye" - "ubuntu-18.04-x86_64:docker://node:16-buster" - "nixos-latest-x86_64:docker://nixos/nix" - ## optionally provide native execution on the host: - # "native:host" - ]; - aarch64-linux = [ - "ubuntu-latest-aarch64:docker://node:16-bullseye" - "ubuntu-22.04-aarch64:docker://node:16-bullseye" - "ubuntu-20.04_aarch64:docker://node:16-bullseye" - "ubuntu-18.04-aarch64:docker://node:16-buster" - "nixos-latest-aarch64:docker://nixos/nix" - ]; - }; - in - arches.${pkgs.system}; + config = let + inherit (lib.attrsets) optionalAttrs; + colmenaTag = { + deployment.tags = ["forgejo-runner"]; + }; + in + (optionalAttrs (options ? 
deployment) colmenaTag) + // { + sops.secrets = { + forgejo-runner-token = { + format = "yaml"; + sopsFile = ./forgejo-runner.yaml; + }; + }; + virtualisation.podman = { + enable = true; + defaultNetwork.settings = { + dns_enabled = true; + ipv6_enabled = true; + }; + }; + users.groups.gitea-runner = {}; + users.users.gitea-runner = { + isSystemUser = true; + group = "gitea-runner"; + }; + networking.firewall.interfaces."podman*".allowedUDPPorts = [53]; + services.gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = config.networking.hostName; + url = "https://git.kittywit.ch"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + tokenFile = config.sops.secrets.forgejo-runner-token.path; + labels = let + arches = { + x86_64-linux = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "nixos-latest:docker://nixos/nix" + "ubuntu-latest-x86_64:docker://node:16-bullseye" + "ubuntu-22.04-x86_64:docker://node:16-bullseye" + "ubuntu-20.04_x86_64:docker://node:16-bullseye" + "ubuntu-18.04-x86_64:docker://node:16-buster" + "nixos-latest-x86_64:docker://nixos/nix" + ## optionally provide native execution on the host: + # "native:host" + ]; + aarch64-linux = [ + "ubuntu-latest-aarch64:docker://node:16-bullseye" + "ubuntu-22.04-aarch64:docker://node:16-bullseye" + "ubuntu-20.04_aarch64:docker://node:16-bullseye" + "ubuntu-18.04-aarch64:docker://node:16-buster" + "nixos-latest-aarch64:docker://nixos/nix" + ]; + }; + in + arches.${pkgs.system}; + }; + }; }; - }; } diff --git a/nixos/servers/forgejo-runner/forgejo-runner.yaml b/nixos/servers/forgejo-runner/forgejo-runner.yaml index b35761cb..13c4d297 100644 --- a/nixos/servers/forgejo-runner/forgejo-runner.yaml 
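Review bot: `networking.firewall.interfaces."podman*".allowedUDPPorts = [53];` relies on the interface name being matched as a glob, but whether `*` is honoured depends on the firewall backend — the iptables backend uses a trailing `+` as its wildcard, so on an iptables host this rule may silently fail to match `podman0` and the container DNS enabled by `dns_enabled = true` would still be blocked; confirm the backend in use or name the interface explicitly. The new `users.groups.gitea-runner`/`users.users.gitea-runner` definitions carry no comment explaining why a static account is needed alongside the upstream `services.gitea-actions-runner` module; I would add `# static user so the runner's uid/gid is stable across rebuilds; presumably needed for podman socket access — TODO confirm against the module's unit setup`. Separately, the labels on the new side still resolve to mutable tags (`node:16-bullseye`, `nixos/nix`) for a runner that executes CI jobs from `git.kittywit.ch`; Node 16 reached end-of-life in 2023, and pinning a digest (`docker://node:<tag>@sha256:...`) would make the job environment reproducible and auditable. The hunk spans the whole file.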
+++ b/nixos/servers/forgejo-runner/forgejo-runner.yaml @@ -92,8 +92,8 @@ sops: RDdsVDNUci8xWmxGaXpwMlgyTGtSM1EKeMoFN8+WUpo6VZwQjVeUx4xTQEaEMxh+ zXGQOrMh2ZUpU0WbTHrivMxPd0nzFqJt15eUcuO41vggknR7GN0vJQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-13T14:27:51Z" - mac: ENC[AES256_GCM,data:cBGozOli5n7p0/jGKXcSda6T2h70aUnkJ19L9ZJjs+ah1GYE9gShUpsnLW+sFRPHxySy+HULGL2436iV0/m1lR+PszXMczUM+plm9s5n1uFsyjnFn2iLZjMTdjuQqi3UjzuKh+oUaYMuPWx9cvbYFu6e+T6QQG87RD/WwMcOpDU=,iv:woZFeBwzrPOoJaS/CvoZlXIYbip/Co+cqvSBn0dnkeg=,tag:WZPlqCiNVJXiopeLKXcNmA==,type:str] + lastmodified: "2025-10-13T16:08:32Z" + mac: ENC[AES256_GCM,data:9jtHZulwS2UtIQcploYwshLcdCUitTeeh2ct3SbdF1I+yVwvAQ/h4XTccVIVSEwgTo23FKp3LV8lfUiyymG5VA3HAuX5RBIEVvvh5vWJpLWkYGFQZKmfJZmAySgxmCtfVv6Uv8tJm6reOts3J2WIcxnhkA48AFykhKDO3zZpk0k=,iv:WndNMmz1AU8Zmq9MRggLa88MJh3Ux6CGEvTtFSge6CA=,tag:w8QWFPZRK3Ho3rxSkoj+Iw==,type:str] pgp: - created_at: "2025-10-13T14:17:40Z" enc: |-