set up gitea actions runner

2023-07-13 11:05:07 +02:00 · 2023-07-13 11:05:07 +02:00 · 5adf44c23e
commit 5adf44c23e
parent ed9bb9b9e9
12 changed files with 271 additions and 22 deletions
--- a/.gitea/workflows/check.yaml
+++ b/.gitea/workflows/check.yaml
@ -0,0 +1,9 @@
+name: build
+on:
+  push:
+jobs:
+  test:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+      - run: nix flake check -vL
--- a/flake.lock
+++ b/flake.lock
@ -63,6 +63,46 @@
        "url": "https://git.clan.lol/clan/clan-homepage"
      }
    },
+    "lowdown-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1633514407,
+        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "type": "github"
+      }
+    },
+    "nix": {
+      "inputs": {
+        "flake-compat": [],
+        "lowdown-src": "lowdown-src",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": []
+      },
+      "locked": {
+        "lastModified": 1686048923,
+        "narHash": "sha256-/XCWa2osNFIpPC5MkxlX6qTZf/DaTLwS3LWN0SRFiuU=",
+        "owner": "nixos",
+        "repo": "nix",
+        "rev": "84050709ea18f3285a85d729f40c8f8eddf5008e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "2.16.1",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1688491638,
@ -84,6 +124,7 @@
        "disko": "disko",
        "flake-parts": "flake-parts",
        "homepage": "homepage",
+        "nix": "nix",
        "nixpkgs": "nixpkgs",
        "sops-nix": "sops-nix",
        "srvos": "srvos",
--- a/flake.nix
+++ b/flake.nix
@ -28,6 +28,11 @@
    srvos.url = "github:numtide/srvos";
    # Use the version of nixpkgs that has been tested to work with SrvOS
    srvos.inputs.nixpkgs.follows = "nixpkgs";
+
+    nix.url = "github:/nixos/nix?ref=2.16.1";
+    nix.inputs.nixpkgs.follows = "nixpkgs";
+    nix.inputs.nixpkgs-regression.follows = "";
+    nix.inputs.flake-compat.follows = "";
  };

  outputs = inputs@{ flake-parts, ... }:
@ -44,6 +49,10 @@
          programs.terraform.enable = true;
          programs.nixpkgs-fmt.enable = true;
        };
+        packages.actions-runner = pkgs.callPackage ./pkgs/actions-runner.nix {
+          inherit inputs;
+        };
+        packages.gitea = pkgs.callPackage ./pkgs/gitea {};
        packages.default = pkgs.mkShell {
          packages = [
            pkgs.bashInteractive
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@ -0,0 +1,65 @@
+{ config, self, pkgs, lib, ... }:
+
+let
+  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
+in {
+  systemd.services.gitea-actions-runner-nix-image = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      ${lib.getExe pkgs.podman} load --input=${actions-runner}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+  systemd.services.gitea-actions-runner-nix-token = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "gitea.service" ];
+    environment = {
+      GITEA_CUSTOM = "/var/lib/gitea/custom";
+      GITEA_WORK_DIR = "/var/lib/gitea";
+    };
+    script = ''
+      set -euo pipefail
+      token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
+      echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
+    '';
+    serviceConfig = {
+      User = "gitea";
+      Group = "gitea";
+      StateDirectory = "gitea-actions-runner";
+      ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
+  # Format of the token file:
+  virtualisation.podman.enable = true;
+
+  systemd.services.gitea-runner-nix = {
+    after = [ 
+      "gitea-actions-runner-nix-token.service"
+      "gitea-actions-runner-nix-image.service"
+    ];
+    requires = [ 
+      "gitea-actions-runner-nix-token.service" 
+      "gitea-actions-runner-nix-image.service"
+    ];
+  };
+
+  services.gitea-actions-runner.instances.nix = {
+    enable = true;
+    name = "nix-runner";
+    # take the git root url from the gitea config
+    # only possible if you've also configured your gitea though the same nix config
+    # otherwise you need to set it manually
+    url = config.services.gitea.settings.server.ROOT_URL;
+    # use your favourite nix secret manager to get a path for this
+    tokenFile = "/var/lib/gitea-actions-runner/token";
+    labels = [
+      "nix:docker://${actions-runner.imageName}"
+    ];
+  };
+}
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@ -1,12 +1,9 @@
-{ pkgs, ... }: {
+{ pkgs, self, ... }: {

-  services.postgresql.enable = true;
-  services.postgresql.package = pkgs.postgresql_14;
-  services.postgresql.settings = {
-    max_connections = "300";
-    shared_buffers = "80MB";
-  };
-  services.postgresqlBackup.enable = true;
+  imports = [
+    ./postgresql.nix
+    ./actions-runner.nix
+  ];

  services.gitea = {
    enable = true;
@ -15,12 +12,9 @@
      host = "/run/postgresql";
      port = 5432;
    };
-    package = pkgs.gitea.overrideAttrs (oldAttrs: {
-      patches = [
-        # To keep out spam bots: https://github.com/Mic92/gitea/tree/bot-check
-        ./0001-add-bot-check.patch
-      ];
-    });
+    package = self.packages.${pkgs.hostPlatform.system}.gitea;
+
+    settings.actions.ENABLED = true;
    settings.mailer = {
      ENABLED = true;
      FROM = "gitea@clan.lol";
@ -44,5 +38,4 @@
      proxy_pass http://localhost:3002;
    '';
  };
-
 }
--- a/modules/web01/gitea/postgresql.nix
+++ b/modules/web01/gitea/postgresql.nix
@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+  services.postgresql.enable = true;
+  services.postgresql.package = pkgs.postgresql_14;
+  services.postgresql.settings = {
+    max_connections = "300";
+    shared_buffers = "80MB";
+  };
+  services.postgresqlBackup.enable = true;
+}
--- a/pkgs/actions-runner.nix
+++ b/pkgs/actions-runner.nix
@ -0,0 +1,43 @@
+{ pkgs, inputs }:
+let
+  # FIXME get rid of nix input?
+  base = import (inputs.nix + "/docker.nix") {
+    inherit pkgs;
+    name = "nix-ci-base";
+    maxLayers = 10;
+    extraPkgs = with pkgs; [
+      nodejs_20 # nodejs is needed for running most 3rdparty actions
+      # add any other pre-installed packages here
+    ];
+    # do we want this at all?
+    channelURL = "https://nixos.org/channels/nixpkgs-unstable";
+    nixConf = {
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        # insert any other binary caches here
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        # insert the public keys for those binary caches here
+      ];
+      # allow using the new flake commands in our workflows
+      experimental-features = [ "nix-command" "flakes" ];
+    };
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "nix-runner";
+  tag = "latest";
+
+  fromImage = base;
+  fromImageName = null;
+  fromImageTag = "latest";
+
+  copyToRoot = pkgs.buildEnv {
+    name = "image-root";
+    paths = [ pkgs.coreutils-full ];
+    pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
+  };
+}
--- a/pkgs/gitea/0001-add-bot-check.patch
+++ b/pkgs/gitea/0001-add-bot-check.patch
@ -0,0 +1,62 @@
+From f06e0e1aaa9bb0602e6944d0dd4370e24b66b4e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Wed, 5 Jul 2023 15:02:03 +0200
+Subject: [PATCH] add bot check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ routers/web/auth/auth.go              | 5 +++++
+ services/forms/user_form.go           | 1 +
+ templates/user/auth/signup_inner.tmpl | 5 +++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
+index 9f1395225..2f7f434a5 100644
+--- a/routers/web/auth/auth.go
+++ b/routers/web/auth/auth.go
+@@ -411,6 +411,11 @@ func SignUpPost(ctx *context.Context) {
+ 	context.SetCaptchaData(ctx)
+ 	ctx.Data["PageIsSignUp"] = true
+ 
+	if form.Notabot != "Notabot" {
+		ctx.Error(http.StatusForbidden)
+		return
+	}
+
+ 	// Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
+ 	if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
+ 		ctx.Error(http.StatusForbidden)
+diff --git a/services/forms/user_form.go b/services/forms/user_form.go
+index 1f5abf94e..196300a14 100644
+--- a/services/forms/user_form.go
+++ b/services/forms/user_form.go
+@@ -94,6 +94,7 @@ type RegisterForm struct {
+ 	UserName string `binding:"Required;Username;MaxSize(40)"`
+ 	Email    string `binding:"Required;MaxSize(254)"`
+ 	Password string `binding:"MaxSize(255)"`
+	Notabot  string `binding:"Required"`
+ 	Retype   string
+ }
+ 
+diff --git a/templates/user/auth/signup_inner.tmpl b/templates/user/auth/signup_inner.tmpl
+index 8dfcb7b7d..0316163c5 100644
+--- a/templates/user/auth/signup_inner.tmpl
+++ b/templates/user/auth/signup_inner.tmpl
+@@ -24,6 +24,11 @@
+ 					<input id="email" name="email" type="email" value="{{.email}}" required>
+ 				</div>
+ 
+				<div class="required inline field">
+					<input type="checkbox" id="notabot" name="notabot" value="Notabot">
+					<label for="notabot">Confirm that you are not a bot</label><br>
+				</div>
+
+ 				{{if not .DisablePassword}}
+ 					<div class="required inline field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeRegister))}}error{{end}}">
+ 						<label for="password">{{.locale.Tr "password"}}</label>
+-- 
+2.41.0
+
--- a/pkgs/gitea/default.nix
+++ b/pkgs/gitea/default.nix
@ -0,0 +1,16 @@
+{ gitea, fetchurl }:
+
+gitea.overrideAttrs (old: rec {
+  name = "gitea-${version}";
+  # we currently use a release candiate to generate runner tokes on startup
+  version = "1.20.0-rc2";
+  patches = old.patches ++ [
+    ./0001-add-bot-check.patch
+  ];
+
+  # not fetching directly from the git repo, because that lacks several vendor files for the web UI
+  src = fetchurl {
+    url = "https://dl.gitea.com/gitea/${version}/gitea-src-${version}.tar.gz";
+    hash = "sha256-AYlTbbYtd+N8W7buEd1+6J49mGE6X6a+1eYAcwEore4=";
+  };
+})
--- a/targets/flake-module.nix
+++ b/targets/flake-module.nix
@ -16,6 +16,7 @@ in
              self = {
                inputs = self.inputs;
                nixosModules = self.nixosModules;
+                packages = self.packages;
              };
            };

--- a/targets/web01/secrets.yaml
+++ b/targets/web01/secrets.yaml
@ -1,5 +1,6 @@
 ssh_host_ed25519_key: ENC[AES256_GCM,data:68nXUeyy7xh/KKdd4ajdrkuzc54ZpnXhMpPjaDYtwMLlHja/O/t7g4IlVgLTKWwgMbr5/lAj04cEI99dAuoARaE+p4ldQeQNzPb7ZOPyRmSnBgO/qgtZoKNLaIX7q+Mwl+vsa2d2ZSHG8Fu7hzNIELWHQoaIFi782U+yKt2LHhahdVyY/FUPcymi0EtrwCqBHKSlEu+SXiwDXT4f+PCBtyaCJT4T4Mo2+TbERur9r9YOnKG2GEg46lDwTrr6FMya5K2WBks7AQwQ+rpoHCEy05tTg3GTJd8DypLhemrHMD7HeYzRf+HnVCyTngxmoquCD5/g9OM+fu63GIsnbGItWxREfjfzvODKuPaVCOat4mWQr1pLch1lcIkxQhU4EXg4LgHUMXFnQFrR8rvRT++YK1nRLB3w/lyvU4PAoocYlNR3G9JEClRnu4GH615ILEjXhyUZyAHIGx1+W7M6j4aGFhm3NOJWCTctaFd5r6uUeTqDpV757UzgHIR5lhtlfjeL41r3mmN09os/HpKt9EZ0,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
 harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
+gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -33,8 +34,8 @@ sops:
            Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
            KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-07-05T15:22:34Z"
-    mac: ENC[AES256_GCM,data:sSrzzvy97ok92DNRP9rDruu+lPlG2NZEKTL7E7lCLCtSkbRh1ciVAEuavRhnGFBB4jCYNwT43oyLNOq9oVY3G7d2sehalMxG0DNpOkyeSkVcYv5DKQzSwd08rq0sl6MGMcEdJ4wx7lYGtHiN4NoPhzpqi9SyesSCsHcYzJ2uNfM=,iv:6jUTtEDY2zzn/7ZsmymY7gqafBmQ1791iWw6La9VD9A=,tag:46mE6aDPnkdzqcwzyouhXg==,type:str]
+    lastmodified: "2023-07-12T14:19:37Z"
+    mac: ENC[AES256_GCM,data:qnO1VyiPUK0uoAQux/3tRs2uE8e5aJVNL6SuR7lTNSJkfdV42H0w1AzFwyrAfnTzOkGGqJ9/gESH5/WyDuLSwYmRDUFH4E9CQI5RtjEfiiGDd9ah58kDDhy8UhhH1U1lfzUQMLSq7WJOFLF6tMVYZz+cSMCbrMHdcilzXFBwoEA=,iv:YTrQItix0HLekjGCa7apf73cQ+Zg57czvwtuFrSgUZ4=,tag:3uyWTBjFdHDa2dMerVqjrQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.7.3
--- a/targets/web01/terraform.tfstate
+++ b/targets/web01/terraform.tfstate