ci: switch to new docker container for nix

2023-07-20 13:15:03 +02:00 · 2023-07-20 13:15:03 +02:00 · 493d12400f
commit 493d12400f
parent 696ab8ec20
1 changed files with 22 additions and 43 deletions
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@ -1,18 +1,15 @@
 { config, self, pkgs, lib, ... }:
-let
-  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
-in
 {
-  systemd.services.gitea-runner-nix-image = {
-    wantedBy = [ "multi-user.target" ];
-    script = ''
-      ${lib.getExe pkgs.podman} load --input=${actions-runner}
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-  };
+  #systemd.services.gitea-runner-nix-image = {
+  #  wantedBy = [ "multi-user.target" ];
+  #  script = ''
+  #    ${lib.getExe pkgs.podman} load --input=${actions-runner}
+  #  '';
+  #  serviceConfig = {
+  #    Type = "oneshot";
+  #    RemainAfterExit = true;
+  #  };
+  #};

  systemd.services.gitea-runner-nix-token = {
    wantedBy = [ "multi-user.target" ];
@ -24,13 +21,13 @@ in
    script = ''
      set -euo pipefail
      token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
-      echo "TOKEN=$token" > /var/lib/gitea-runner/token
+      echo "TOKEN=$token" > /var/lib/gitea-registration/token
    '';
-    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/token" ];
    serviceConfig = {
      User = "gitea";
      Group = "gitea";
-      StateDirectory = "gitea-runner";
+      StateDirectory = "gitea-registration";
      Type = "oneshot";
      RemainAfterExit = true;
    };
@ -42,11 +39,9 @@ in
  systemd.services.gitea-runner-nix = {
    after = [
      "gitea-runner-nix-token.service"
-      "gitea-runner-nix-image.service"
    ];
    requires = [
      "gitea-runner-nix-token.service"
-      "gitea-runner-nix-image.service"
    ];

    # TODO: systemd confinment
@ -123,7 +118,12 @@ in
    };
  };

-  services.gitea-actions-runner.instances.nix = {
+  services.gitea-actions-runner.instances.nix = let
+    extraBins = pkgs.runCommand "extra-bins" {} ''
+      mkdir -p $out
+      ln -s ${pkgs.nodejs}/bin/node $out/node
+    '';
+  in {
    enable = true;
    name = "nix-runner";
    # take the git root url from the gitea config
@ -131,31 +131,10 @@ in
    # otherwise you need to set it manually
    url = config.services.gitea.settings.server.ROOT_URL;
    # use your favourite nix secret manager to get a path for this
-    tokenFile = "/var/lib/gitea-runner/token";
-    labels = [ "nix:docker://${actions-runner.imageName}" ];
-    hostPackages = with pkgs; [
-      bash
-      coreutils
-      curl
-      gawk
-      gitMinimal
-      gnused
-      jq
-      nixUnstable
-      nodejs
-      wget
-      gnutar
-      bash
-      config.nix.package
-      gzip
-    ];
+    tokenFile = "/var/lib/gitea-registration/token";
+    labels = [ "nix:docker://mic92/nix-unstable-static" ];
    settings = {
-      runner.envs = {
-        HOME = "/var/lib/gitea-runner/nix";
-        # unset the token so it doesn't leak into the runner
-        TOKEN = "";
-        PAGER = "cat";
-      };
+      container.options = "-v /nix:/nix -v ${extraBins}:/host/bin --user nix";
    };
  };
 }