Merge pull request 'switch to scratch image' (#26) from cpu-fix into main

Reviewed-on: #26
Mic92 2023-07-20 13:33:39 +00:00
commit 2ea87e13e0
2 changed files with 58 additions and 29 deletions


@ -7,11 +7,11 @@
]
},
"locked": {
"lastModified": 1689239870,
"narHash": "sha256-G19sYUrNeIOa8I+WXQ6dKS9Tvuavz8AyzyXNwTqLE94=",
"lastModified": 1689793660,
"narHash": "sha256-aPGhep6kAcFFbHQWf4pWZHcxf7osGtznEmyCjgAJ+iY=",
"owner": "nix-community",
"repo": "disko",
"rev": "68eb09b1833301d729ae6e89583173b6ceaade1c",
"rev": "774ce7df25538bd73a8d456e0828907fa6b62572",
"type": "github"
},
"original": {
@ -82,11 +82,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1689838306,
"narHash": "sha256-rKQERGxsbP+Mkkwgepmy/a3KgYYdbFR7vTgEZ6GMoIA=",
"lastModified": 1689846894,
"narHash": "sha256-6Ynd2UeWMiCvYXVEW3HOAw/u5HetpegYO2P3T7ccHJ8=",
"owner": "Mic92",
"repo": "nixpkgs",
"rev": "4bfb50dc6d66a86e61c6b38f567f7770d54db53e",
"rev": "ac1d29df2284b3bf62839cc4c503d326305d0f2f",
"type": "github"
},
"original": {
@ -115,11 +115,11 @@
"nixpkgs-stable": []
},
"locked": {
"lastModified": 1689149796,
"narHash": "sha256-3FCUdayBHcxk6BZOxEIfa5UxbXNQzTc/VlN7ociI2Dw=",
"lastModified": 1689534977,
"narHash": "sha256-EB4hasmjKgetTR0My2bS5AwELZFIQ4zANLqHKi7aVXg=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "88b964df6981e4844c07be8c192aa6bdca768a10",
"rev": "bd695cc4d0a5e1bead703cc1bec5fa3094820a81",
"type": "github"
},
"original": {
@ -135,11 +135,11 @@
]
},
"locked": {
"lastModified": 1689211908,
"narHash": "sha256-vkWZPUOA8L8X6s3OuVxHi+8NqVbeO3fkGkTJg2WtmdQ=",
"lastModified": 1689816556,
"narHash": "sha256-CSS2yBanD1YghbJ2tjAxOHCTp/QQW1ttn2qOZ4UygGA=",
"owner": "numtide",
"repo": "srvos",
"rev": "e8ae8c0ac816b6388199a475bd6188943e47f5b9",
"rev": "62c4900d023ac740a7aba6d70b660600c3450490",
"type": "github"
},
"original": {
@ -155,11 +155,11 @@
]
},
"locked": {
"lastModified": 1689243103,
"narHash": "sha256-IfBt2AD8qCwZs+m6BlOGEitBIkVJ0iMscMueb6QYUk4=",
"lastModified": 1689620039,
"narHash": "sha256-BtNwghr05z7k5YMdq+6nbue+nEalvDepuA7qdQMAKoQ=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "f1dca68b908f3dd656b923b9fb62f7d755133662",
"rev": "719c2977f958c41fa60a928e2fbc50af14844114",
"type": "github"
},
"original": {


@ -1,5 +1,19 @@
{ config, self, pkgs, lib, ... }:
{
systemd.services.gitea-runner-nix-image = {
wantedBy = [ "multi-user.target" ];
after = [ "podman.service" ];
requires = [ "podman.service" ];
path = [ pkgs.podman pkgs.gnutar ];
script = ''
tar cv --files-from /dev/null | podman import - scratch
'';
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
};
systemd.services.gitea-runner-nix-token = {
wantedBy = [ "multi-user.target" ];
after = [ "gitea.service" ];
@ -28,9 +42,11 @@
systemd.services.gitea-runner-nix = {
after = [
"gitea-runner-nix-token.service"
"gitea-runner-nix-image.service"
];
requires = [
"gitea-runner-nix-token.service"
"gitea-runner-nix-image.service"
];
# TODO: systemd confinment
@ -102,17 +118,31 @@
services.gitea-actions-runner.instances.nix =
let
extraBins = pkgs.runCommand "extra-bins" { } ''
bin = pkgs.runCommand "extra-bins" { } ''
mkdir -p $out
ln -s ${pkgs.nodejs}/bin/node $out/node
ln -s ${pkgs.nix}/bin/nix $out/nix
ln -s ${pkgs.git}/bin/git $out/git
ln -s ${pkgs.jq}/bin/jq $out/jq
ln -s ${pkgs.bash}/bin/bash $out/bash
for i in ${pkgs.coreutils}/bin/*; do
ln -s $i $out/$(basename $i)
for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs]}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/$(basename "$bin")"
done
done
'';
etc = pkgs.runCommand "etc" { } ''
mkdir -p $out/etc/nix
cat <<NIX_CONFIG > $out/etc/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch $out/etc/passwd $out/etc/group
${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
${pkgs.buildPackages.shadow}/bin/useradd --prefix $out -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
in
{
enable = true;
@ -123,16 +153,15 @@
url = config.services.gitea.settings.server.ROOT_URL;
# use your favourite nix secret manager to get a path for this
tokenFile = "/var/lib/gitea-registration/token";
labels = [ "nix:docker://mic92/nix-unstable-static" ];
labels = [ "nix:docker://scratch" ];
settings = {
container.options = "-v /nix:/nix -v ${extraBins}:/bin --user nixuser";
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
container.valid_volumes = [
"/nix"
extraBins
"/tmp"
bin
"${etc}/etc"
];
runner = {
envs.BIN = extraBins;
};
};
};
}
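Review bot: The Nix configuration written by the new `etc` derivation never reaches Nix: the line `cat <<NIX_CONFIG > $out/etc/nix.conf` lands the file at `/etc/nix.conf` once `${etc}/etc` is mounted on `/etc`, while the `mkdir -p $out/etc/nix` just above it indicates the intended location was `/etc/nix/nix.conf`, which is the path Nix actually reads. As written `experimental-features` and `accept-flake-config` are silently dropped, so flake commands inside jobs will presumably fail with the experimental-features error; the fix is the one-line redirect `cat <<NIX_CONFIG > $out/etc/nix/nix.conf`. Once that takes effect, `accept-flake-config = true` applies any checked-out flake's `nixConfig` without a prompt, which is a trust decision worth a comment on that line if this runner ever executes workflows from third-party pull requests (the host daemon should still refuse restricted settings for the untrusted uid 9000, but that is not visible here). In the same vein, `-v /tmp:/tmp` in `container.options` shares the host's /tmp read-write with every job, giving jobs a persistent channel to each other and to the host; a per-job tmpfs or a dedicated runner directory would be tighter.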