set up gitea actions runner
parent
ed9bb9b9e9
commit
5adf44c23e
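--- /dev/null
+++ b/.gitea/workflows/check.yaml
@@ -0,0 +1,9 @@
+name: build
+on:
+  push:
+jobs:
+  test:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v3
+      - run: nix flake check -vL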
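Review bot: `actions/checkout@v3` on the `uses:` line is pinned by a mutable tag, so the workflow runs whatever that tag points to at the time of the run; pinning to a full commit SHA with the tag kept as a trailing comment (`- uses: actions/checkout@<commit-sha>  # v3`, placeholder to be filled from the upstream repository) makes the step reproducible and reviewable. The `push:` trigger has no branch filter, so every push to every branch runs `nix flake check`; if that is intended a one-line comment saying so would help, otherwise add a `branches:` list under `push:`. How the `nix` label maps to a runner is defined elsewhere in this commit, not in this file.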
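--- a/flake.lock
+++ b/flake.lock
@@ -63,6 +63,46 @@
         "url": "https://git.clan.lol/clan/clan-homepage"
       }
     },
+    "lowdown-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1633514407,
+        "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "kristapsdz",
+        "repo": "lowdown",
+        "type": "github"
+      }
+    },
+    "nix": {
+      "inputs": {
+        "flake-compat": [],
+        "lowdown-src": "lowdown-src",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-regression": []
+      },
+      "locked": {
+        "lastModified": 1686048923,
+        "narHash": "sha256-/XCWa2osNFIpPC5MkxlX6qTZf/DaTLwS3LWN0SRFiuU=",
+        "owner": "nixos",
+        "repo": "nix",
+        "rev": "84050709ea18f3285a85d729f40c8f8eddf5008e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "2.16.1",
+        "repo": "nix",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
         "lastModified": 1688491638,
@@ -84,6 +124,7 @@
         "disko": "disko",
         "flake-parts": "flake-parts",
         "homepage": "homepage",
+        "nix": "nix",
         "nixpkgs": "nixpkgs",
         "sops-nix": "sops-nix",
         "srvos": "srvos",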
@ -28,6 +28,11 @@
srvos.url = "github:numtide/srvos";
# Use the version of nixpkgs that has been tested to work with SrvOS
srvos.inputs.nixpkgs.follows = "nixpkgs";
nix.url = "github:/nixos/nix?ref=2.16.1";
nix.inputs.nixpkgs.follows = "nixpkgs";
nix.inputs.nixpkgs-regression.follows = "";
nix.inputs.flake-compat.follows = "";
};
outputs = inputs@{ flake-parts, ... }:
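Review bot: The flake reference `github:/nixos/nix?ref=2.16.1` has a stray `/` after the scheme; the lock file in this commit resolves it to owner `nixos`, so it evidently works, but `nix.url = "github:nixos/nix?ref=2.16.1";` is the canonical spelling. As far as this commit shows, the input exists only so that `pkgs/actions-runner.nix` can import `docker.nix` from it (that file carries a `# FIXME get rid of nix input?`), so a comment on the `nix.url` line such as `# only used for docker.nix in pkgs/actions-runner.nix, not as the system nix` would stop a later reader from mistaking it for a pin of the host's Nix. The surrounding `inputs` attribute set starts before this hunk.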
@ -44,6 +49,10 @@
programs.terraform.enable = true;
programs.nixpkgs-fmt.enable = true;
};
packages.actions-runner = pkgs.callPackage ./pkgs/actions-runner.nix {
inherit inputs;
};
packages.gitea = pkgs.callPackage ./pkgs/gitea {};
packages.default = pkgs.mkShell {
packages = [
pkgs.bashInteractive
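--- /dev/null
+++ b/modules/web01/gitea/actions-runner.nix
@@ -0,0 +1,65 @@
+{ config, self, pkgs, lib, ... }:
+
+let
+  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
+in {
+  systemd.services.gitea-actions-runner-nix-image = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      ${lib.getExe pkgs.podman} load --input=${actions-runner}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+  systemd.services.gitea-actions-runner-nix-token = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "gitea.service" ];
+    environment = {
+      GITEA_CUSTOM = "/var/lib/gitea/custom";
+      GITEA_WORK_DIR = "/var/lib/gitea";
+    };
+    script = ''
+      set -euo pipefail
+      token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
+      echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
+    '';
+    serviceConfig = {
+      User = "gitea";
+      Group = "gitea";
+      StateDirectory = "gitea-actions-runner";
+      ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
+  # Format of the token file:
+  virtualisation.podman.enable = true;
+
+  systemd.services.gitea-runner-nix = {
+    after = [
+      "gitea-actions-runner-nix-token.service"
+      "gitea-actions-runner-nix-image.service"
+    ];
+    requires = [
+      "gitea-actions-runner-nix-token.service"
+      "gitea-actions-runner-nix-image.service"
+    ];
+  };
+
+  services.gitea-actions-runner.instances.nix = {
+    enable = true;
+    name = "nix-runner";
+    # take the git root url from the gitea config
+    # only possible if you've also configured your gitea though the same nix config
+    # otherwise you need to set it manually
+    url = config.services.gitea.settings.server.ROOT_URL;
+    # use your favourite nix secret manager to get a path for this
+    tokenFile = "/var/lib/gitea-actions-runner/token";
+    labels = [
+      "nix:docker://${actions-runner.imageName}"
+    ];
+  };
+}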
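Review bot: `ConditionPathExists` is set inside `serviceConfig`, which NixOS renders into the unit's `[Service]` section, but it is a `[Unit]` directive; systemd ignores unknown keys in `[Service]` with a warning, so the guard never takes effect and `gitea-actions-runner-nix-token` regenerates the registration token on every boot rather than only when the file is missing. Move it to `unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];`. The token is written with `echo ... >` under the gitea user's default umask into a `StateDirectory` that keeps systemd's default 0755 mode, so it is likely readable by every local user; adding `umask 077` as the first line of the script and `StateDirectoryMode = "0700";` keeps it private, and the runner unit should still read it if, as the `TOKEN=` line format suggests, the NixOS module loads `tokenFile` as an environment file (worth confirming against the module). The `# Format of the token file:` comment is unfinished and sits above the unrelated `virtualisation.podman.enable` line; finish it next to the `echo "TOKEN=$token"` line or drop it.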
@ -1,12 +1,9 @@
{ pkgs, ... }: {
{ pkgs, self, ... }: {
services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_14;
services.postgresql.settings = {
max_connections = "300";
shared_buffers = "80MB";
};
services.postgresqlBackup.enable = true;
imports = [
./postgresql.nix
./actions-runner.nix
];
services.gitea = {
enable = true;
@ -15,12 +12,9 @@
host = "/run/postgresql";
port = 5432;
};
package = pkgs.gitea.overrideAttrs (oldAttrs: {
patches = [
# To keep out spam bots: https://github.com/Mic92/gitea/tree/bot-check
./0001-add-bot-check.patch
];
});
package = self.packages.${pkgs.hostPlatform.system}.gitea;
settings.actions.ENABLED = true;
settings.mailer = {
ENABLED = true;
FROM = "gitea@clan.lol";
@ -44,5 +38,4 @@
proxy_pass http://localhost:3002;
'';
};
}
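--- /dev/null
+++ b/modules/web01/gitea/postgresql.nix
@@ -0,0 +1,9 @@
+{ pkgs, ... }: {
+  services.postgresql.enable = true;
+  services.postgresql.package = pkgs.postgresql_14;
+  services.postgresql.settings = {
+    max_connections = "300";
+    shared_buffers = "80MB";
+  };
+  services.postgresqlBackup.enable = true;
+}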
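--- /dev/null
+++ b/pkgs/actions-runner.nix
@@ -0,0 +1,43 @@
+{ pkgs, inputs }:
+let
+  # FIXME get rid of nix input?
+  base = import (inputs.nix + "/docker.nix") {
+    inherit pkgs;
+    name = "nix-ci-base";
+    maxLayers = 10;
+    extraPkgs = with pkgs; [
+      nodejs_20 # nodejs is needed for running most 3rdparty actions
+      # add any other pre-installed packages here
+    ];
+    # do we want this at all?
+    channelURL = "https://nixos.org/channels/nixpkgs-unstable";
+    nixConf = {
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        # insert any other binary caches here
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        # insert the public keys for those binary caches here
+      ];
+      # allow using the new flake commands in our workflows
+      experimental-features = [ "nix-command" "flakes" ];
+    };
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "nix-runner";
+  tag = "latest";
+
+  fromImage = base;
+  fromImageName = null;
+  fromImageTag = "latest";
+
+  copyToRoot = pkgs.buildEnv {
+    name = "image-root";
+    paths = [ pkgs.coreutils-full ];
+    pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
+  };
+}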
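Review bot: `channelURL = "https://nixos.org/channels/nixpkgs-unstable"` hands the image an unpinned channel (presumably recorded in the image's channel list by `docker.nix`; the `# do we want this at all?` comment leaves the question open), so any workflow step that resolves `<nixpkgs>` gets whatever the channel serves that day rather than the flake's locked nixpkgs; `check.yaml` in this commit runs `nix flake check`, which only uses locked inputs, so the line can be dropped, or the comment should record why it stays. `tag = "latest"` together with `fromImageTag = "latest"` means the image is only ever identified by a mutable tag; the `podman load` in `modules/web01/gitea/actions-runner.nix` overwrites it on every rebuild, which is workable but deserves a comment such as `# tag is overwritten in place by the nix-image service on each deploy`. The `nixConf` block pairs each substituter with its `trusted-public-keys` entry, which is the right shape for adding a cache; the two `# insert ...` placeholders should be kept in step so a cache is never added without its key. The trailing comment has a typo, `coreutuls` → `coreutils`.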
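--- /dev/null
+++ b/pkgs/gitea/0001-add-bot-check.patch
@@ -0,0 +1,62 @@
+From f06e0e1aaa9bb0602e6944d0dd4370e24b66b4e3 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?J=C3=B6rg=20Thalheim?= <joerg@thalheim.io>
+Date: Wed, 5 Jul 2023 15:02:03 +0200
+Subject: [PATCH] add bot check
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Signed-off-by: Jörg Thalheim <joerg@thalheim.io>
+---
+ routers/web/auth/auth.go | 5 +++++
+ services/forms/user_form.go | 1 +
+ templates/user/auth/signup_inner.tmpl | 5 +++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/routers/web/auth/auth.go b/routers/web/auth/auth.go
+index 9f1395225..2f7f434a5 100644
+--- a/routers/web/auth/auth.go
++++ b/routers/web/auth/auth.go
+@@ -411,6 +411,11 @@ func SignUpPost(ctx *context.Context) {
+ 	context.SetCaptchaData(ctx)
+ 	ctx.Data["PageIsSignUp"] = true
+ 
++	if form.Notabot != "Notabot" {
++		ctx.Error(http.StatusForbidden)
++		return
++	}
++
+ 	// Permission denied if DisableRegistration or AllowOnlyExternalRegistration options are true
+ 	if setting.Service.DisableRegistration || setting.Service.AllowOnlyExternalRegistration {
+ 		ctx.Error(http.StatusForbidden)
+diff --git a/services/forms/user_form.go b/services/forms/user_form.go
+index 1f5abf94e..196300a14 100644
+--- a/services/forms/user_form.go
++++ b/services/forms/user_form.go
+@@ -94,6 +94,7 @@ type RegisterForm struct {
+ 	UserName string `binding:"Required;Username;MaxSize(40)"`
+ 	Email string `binding:"Required;MaxSize(254)"`
+ 	Password string `binding:"MaxSize(255)"`
++	Notabot string `binding:"Required"`
+ 	Retype string
+ }
+ 
+diff --git a/templates/user/auth/signup_inner.tmpl b/templates/user/auth/signup_inner.tmpl
+index 8dfcb7b7d..0316163c5 100644
+--- a/templates/user/auth/signup_inner.tmpl
++++ b/templates/user/auth/signup_inner.tmpl
+@@ -24,6 +24,11 @@
+ 			<input id="email" name="email" type="email" value="{{.email}}" required>
+ 		</div>
+ 
++		<div class="required inline field">
++			<input type="checkbox" id="notabot" name="notabot" value="Notabot">
++			<label for="notabot">Confirm that you are not a bot</label><br>
++		</div>
++
+ 		{{if not .DisablePassword}}
+ 		<div class="required inline field {{if and (.Err_Password) (or (not .LinkAccountMode) (and .LinkAccountMode .LinkAccountModeRegister))}}error{{end}}">
+ 			<label for="password">{{.locale.Tr "password"}}</label>
+--
+2.41.0
+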
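Review bot: The `Notabot` check in `SignUpPost` compares the field against a constant that the template itself publishes (`value="Notabot"`), so it only deters form-fillers that leave checkboxes untouched and must not be read as a CAPTCHA substitute; a comment above the `if form.Notabot != "Notabot"` block such as `// cheap spam deterrent only: the expected value is static and visible in the page` records that scope so nobody later removes the real captcha in its favour. Because the branch returns `ctx.Error(http.StatusForbidden)` as soon as the value mismatches, a human who simply forgets the checkbox gets a bare 403 page instead of a form error, even though the `binding:"Required"` tag on `Notabot` suggests the form validation path was meant to report it; surfacing it through the form's error rendering would give feedback. The `<label>` text is hard-coded English while the neighbouring label uses `{{.locale.Tr "password"}}`, so a locale key would keep the sign-up page translatable. `SignUpPost` and the template continue outside the quoted hunks.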
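--- /dev/null
+++ b/pkgs/gitea/default.nix
@@ -0,0 +1,16 @@
+{ gitea, fetchurl }:
+
+gitea.overrideAttrs (old: rec {
+  name = "gitea-${version}";
+  # we currently use a release candiate to generate runner tokes on startup
+  version = "1.20.0-rc2";
+  patches = old.patches ++ [
+    ./0001-add-bot-check.patch
+  ];
+
+  # not fetching directly from the git repo, because that lacks several vendor files for the web UI
+  src = fetchurl {
+    url = "https://dl.gitea.com/gitea/${version}/gitea-src-${version}.tar.gz";
+    hash = "sha256-AYlTbbYtd+N8W7buEd1+6J49mGE6X6a+1eYAcwEore4=";
+  };
+})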
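Review bot: `patches = old.patches ++ [ ... ]` carries over whatever patches nixpkgs applies to its own gitea version and applies them to the `1.20.0-rc2` tarball swapped in via `src`; whether those patches are version-specific cannot be checked from this page, so either a comment stating they were verified against this release candidate, or the explicit `patches = [ ./0001-add-bot-check.patch ];` if they are not needed, would make the intent clear. The comment `# we currently use a release candiate to generate runner tokes on startup` has two typos and does not name the feature that forces the pin; `# 1.20.0-rc2 is needed for "gitea actions generate-runner-token", used by modules/web01/gitea/actions-runner.nix` says why the pre-release is acceptable and when it can go. Pinning a release candidate is defensible here because `src` carries a fixed `hash`, but a note to move to the final release once it ships would help the next maintainer.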
@ -16,6 +16,7 @@ in
self = {
inputs = self.inputs;
nixosModules = self.nixosModules;
packages = self.packages;
};
};
@ -1,5 +1,6 @@
ssh_host_ed25519_key: ENC[AES256_GCM,data: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,iv:+T4xz2xvyerO/ffW/YAKUkf5B/UVL8cUOl/ifWKIIx4=,tag:NTJklV5yqMT7uq0TvclhIA==,type:str]
harmonia-key: ENC[AES256_GCM,data:pZObqfbLogp0DYs47Tg2STKT9HptPSiP4sgcf31FD68PKSWhkgJbdY3gO/pfa0zsnvZTrAiljR8Ugh/x9z70T/XhjgZ/dIKqtcrGw0or9WPDmVzD4UHYm6iWR30MZLa9EBK0GFInlcSa/g==,iv:9HRnOaqP1iKMyyRX7evl6woZgfw9h4t7mBD98v/iBng=,tag:MQDio//aEOAOTVWlgADYDQ==,type:str]
gitea-actions-runner: ENC[AES256_GCM,data:JKXAa7J1V3GH8lp3UtHTBmiezJlqxX1ItHLE7UcaIeNFQH8We2imaOMVftMpVCeXTpRX,iv:W9+4wH4asw3+w28i5om0OcJFHrABC85bhjhbgGWEs8E=,tag:Rf9XBeiEoJ1Pt8Z1TDIyJA==,type:str]
sops:
kms: []
gcp_kms: []
@ -33,8 +34,8 @@ sops:
Q2J3VHNZZm13RlFwekJ6MHpPTmpZek0KiOqGozDqC5QQop5y+Scq+QHhVSXX43Ix
KS496VWzRCdXYdgMk9gleA0AjaOGdAZOzdxsMQrWo+XfHrCy/1fU/w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-07-05T15:22:34Z"
mac: ENC[AES256_GCM,data:sSrzzvy97ok92DNRP9rDruu+lPlG2NZEKTL7E7lCLCtSkbRh1ciVAEuavRhnGFBB4jCYNwT43oyLNOq9oVY3G7d2sehalMxG0DNpOkyeSkVcYv5DKQzSwd08rq0sl6MGMcEdJ4wx7lYGtHiN4NoPhzpqi9SyesSCsHcYzJ2uNfM=,iv:6jUTtEDY2zzn/7ZsmymY7gqafBmQ1791iWw6La9VD9A=,tag:46mE6aDPnkdzqcwzyouhXg==,type:str]
lastmodified: "2023-07-12T14:19:37Z"
mac: ENC[AES256_GCM,data:qnO1VyiPUK0uoAQux/3tRs2uE8e5aJVNL6SuR7lTNSJkfdV42H0w1AzFwyrAfnTzOkGGqJ9/gESH5/WyDuLSwYmRDUFH4E9CQI5RtjEfiiGDd9ah58kDDhy8UhhH1U1lfzUQMLSq7WJOFLF6tMVYZz+cSMCbrMHdcilzXFBwoEA=,iv:YTrQItix0HLekjGCa7apf73cQ+Zg57czvwtuFrSgUZ4=,tag:3uyWTBjFdHDa2dMerVqjrQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3
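Review bot: A new `gitea-actions-runner` entry is added to this sops file, but nothing else in the commit references it: `modules/web01/gitea/actions-runner.nix` generates the runner token at boot and writes it to `/var/lib/gitea-actions-runner/token`, and its `# use your favourite nix secret manager to get a path for this` comment describes a path that module does not take. Either the secret is consumed by configuration outside this commit, or it is dead from the start; a short comment next to the entry naming its consumer, or dropping it until it is wired up, would settle which. The file header for this section is not visible on this page, so the consumer could not be traced here.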
File diff suppressed because one or more lines are too long