clan-infra/modules/web01/gitea/actions-runner.nix

136 lines
3.9 KiB
Nix
Raw Normal View History

2023-07-13 09:05:07 +00:00
{ config, self, pkgs, lib, ... }:
2023-07-13 09:29:21 +00:00
{
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
systemd.services.gitea-runner-nix-token = {
2023-07-13 09:05:07 +00:00
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
environment = {
GITEA_CUSTOM = "/var/lib/gitea/custom";
GITEA_WORK_DIR = "/var/lib/gitea";
};
script = ''
set -euo pipefail
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
'';
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
2023-07-13 09:05:07 +00:00
serviceConfig = {
User = "gitea";
Group = "gitea";
StateDirectory = "gitea-actions-runner";
Type = "oneshot";
RemainAfterExit = true;
};
};
systemd.services.gitea-runner-nix = {
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
after = [ "gitea-runner-nix-token.service" ];
requires = [ "gitea-runner-nix-token.service" ];
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
# TODO: systemd confinment
serviceConfig = {
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~capset"
"~setdomainname"
"~sethostname"
];
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" "AF_NETLINK" ];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
# Environment = [
# ];
# BindPaths = [
# "/nix/var/nix/daemon-socket/socket"
# "/run/nscd/socket"
# "/var/lib/drone"
# ];
};
2023-07-13 09:05:07 +00:00
};
services.gitea-actions-runner.instances.nix = {
enable = true;
name = "nix-runner";
# take the git root url from the gitea config
# only possible if you've also configured your gitea though the same nix config
# otherwise you need to set it manually
url = config.services.gitea.settings.server.ROOT_URL;
# use your favourite nix secret manager to get a path for this
tokenFile = "/var/lib/gitea-actions-runner/token";
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
labels = [ "nix:host" ];
hostPackages = with pkgs; [
bash
coreutils
curl
gawk
gitMinimal
gnused
jq
nixUnstable
nodejs
wget
gnutar
bash
config.nix.package
gzip
2023-07-13 09:05:07 +00:00
];
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
settings = {
runner.envs = {
HOME = "/var/lib/gitea-runner/nix";
2023-07-13 12:17:43 +00:00
# unset the token so it doesn't leak into the runner
TOKEN = "";
PAGER = "cat";
switch to native nix gitea action gitea: check runner label flake.lock: Update Flake lock file updates: • Updated input 'disko': 'github:nix-community/disko/15c4d57b41b6b57024aec015e5d30a4ed4713034' (2023-07-04) → 'github:nix-community/disko/68eb09b1833301d729ae6e89583173b6ceaade1c' (2023-07-13) • Updated input 'homepage': 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=ffe31cffbdcc22fbf92bde02beda9b17aebe6a82' (2023-07-05) → 'git+https://git.clan.lol/clan/clan-homepage?ref=refs/heads/main&rev=b1573761fd03b6d6ae2170211953e08a2f430b8c' (2023-07-11) • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/9e9bef88786414db7178ad610e7874730d21c5bb' (2023-07-13) → 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5ed3c22c1fa0515e037e36956a67fe7e32c92957' (2023-07-02) → 'github:Mic92/sops-nix/88b964df6981e4844c07be8c192aa6bdca768a10' (2023-07-12) • Updated input 'srvos': 'github:numtide/srvos/c9fa5cf4b6014807655bf8356b3cddc86f741b7a' (2023-07-03) → 'github:numtide/srvos/e8ae8c0ac816b6388199a475bd6188943e47f5b9' (2023-07-13) • Updated input 'treefmt-nix': 'github:numtide/treefmt-nix/df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf' (2023-06-29) → 'github:numtide/treefmt-nix/f1dca68b908f3dd656b923b9fb62f7d755133662' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/76873846521e9f2eacc3d2db7c3643b222e22a59' (2023-07-13) → 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:Mic92/nixpkgs/21d75bf07c3cd8c10aea2e86e7d683e12b8bc5c4' (2023-07-13) → 'github:Mic92/nixpkgs/dc54601ce60a6e7b427d124550d43067ee605b53' (2023-07-13)
2023-07-13 10:01:23 +00:00
};
};
2023-07-13 09:05:07 +00:00
};
}