Merge pull request 'switch to native nix gitea action' (#3) from test into main

Reviewed-on: #3

flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688486545,
-        "narHash": "sha256-rtFPwSOpqmf1PZgx7w0vgjOI/RI8b1AHdVZN1WQqilA=",
+        "lastModified": 1689239870,
+        "narHash": "sha256-G19sYUrNeIOa8I+WXQ6dKS9Tvuavz8AyzyXNwTqLE94=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "15c4d57b41b6b57024aec015e5d30a4ed4713034",
+        "rev": "68eb09b1833301d729ae6e89583173b6ceaade1c",
         "type": "github"
       },
       "original": {
@@ -50,11 +50,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688566943,
-        "narHash": "sha256-J0RL5Tg97jQ6JisbalhkcloBMDI4Oo007ToIlLvCrXY=",
+        "lastModified": 1689077593,
+        "narHash": "sha256-3qOgpWNhXy4P83b2NHbRX2SLpqEx/vDAM0Myb0iT2+w=",
         "ref": "refs/heads/main",
-        "rev": "ffe31cffbdcc22fbf92bde02beda9b17aebe6a82",
-        "revCount": 13,
+        "rev": "b1573761fd03b6d6ae2170211953e08a2f430b8c",
+        "revCount": 14,
         "type": "git",
         "url": "https://git.clan.lol/clan/clan-homepage"
       },
@@ -105,16 +105,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1688491638,
-        "narHash": "sha256-xdBCaDDRKe7jWkXSCv+nMKIShMpr6uREhGmGJJWRxng=",
+        "lastModified": 1689247091,
+        "narHash": "sha256-sg6yVZGU4yQ8vx/u/jeR7etUIQZhcc4Ss6PHNHAFZjU=",
         "owner": "Mic92",
         "repo": "nixpkgs",
-        "rev": "6f404ed21403960e252d1f9fffbb3db43301e30b",
+        "rev": "dc54601ce60a6e7b427d124550d43067ee605b53",
         "type": "github"
       },
       "original": {
         "owner": "Mic92",
-        "ref": "cloud-init",
+        "ref": "daemon",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -139,11 +139,11 @@
         "nixpkgs-stable": []
       },
       "locked": {
-        "lastModified": 1688268466,
-        "narHash": "sha256-fArazqgYyEFiNcqa136zVYXihuqzRHNOOeVICayU2Yg=",
+        "lastModified": 1689149796,
+        "narHash": "sha256-3FCUdayBHcxk6BZOxEIfa5UxbXNQzTc/VlN7ociI2Dw=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "5ed3c22c1fa0515e037e36956a67fe7e32c92957",
+        "rev": "88b964df6981e4844c07be8c192aa6bdca768a10",
         "type": "github"
       },
       "original": {
@@ -159,11 +159,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688384426,
-        "narHash": "sha256-iUhJ2JYCyzioI/G0mqgDoSH3U0fcFhm6ShmMcB0dYyY=",
+        "lastModified": 1689211908,
+        "narHash": "sha256-vkWZPUOA8L8X6s3OuVxHi+8NqVbeO3fkGkTJg2WtmdQ=",
         "owner": "numtide",
         "repo": "srvos",
-        "rev": "c9fa5cf4b6014807655bf8356b3cddc86f741b7a",
+        "rev": "e8ae8c0ac816b6388199a475bd6188943e47f5b9",
         "type": "github"
       },
       "original": {
@@ -179,11 +179,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1688026376,
-        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "lastModified": 1689243103,
+        "narHash": "sha256-IfBt2AD8qCwZs+m6BlOGEitBIkVJ0iMscMueb6QYUk4=",
         "owner": "numtide",
         "repo": "treefmt-nix",
-        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "rev": "f1dca68b908f3dd656b923b9fb62f7d755133662",
         "type": "github"
       },
       "original": {

flake.nix

@@ -7,8 +7,8 @@
   };
 
   inputs = {
-    # https://github.com/NixOS/nixpkgs/pull/241526
-    nixpkgs.url = "github:Mic92/nixpkgs/cloud-init";
+    # https://github.com/NixOS/nixpkgs/pull/243252
+    nixpkgs.url = "github:Mic92/nixpkgs/daemon";
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     treefmt-nix.url = "github:numtide/treefmt-nix";
@@ -71,9 +71,6 @@
           };
         } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
           gitea = pkgs.callPackage ./pkgs/gitea { };
-          actions-runner = pkgs.callPackage ./pkgs/actions-runner.nix {
-            inherit inputs;
-          };
         };
       };
     });

modules/web01/gitea/actions-runner.nix

@@ -1,20 +1,7 @@
 { config, self, pkgs, lib, ... }:
 
-let
-  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
-in
 {
-  systemd.services.gitea-actions-runner-nix-image = {
-    wantedBy = [ "multi-user.target" ];
-    script = ''
-      ${lib.getExe pkgs.podman} load --input=${actions-runner}
-    '';
-    serviceConfig = {
-      Type = "oneshot";
-      RemainAfterExit = true;
-    };
-  };
-  systemd.services.gitea-actions-runner-nix-token = {
+  systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
     after = [ "gitea.service" ];
     environment = {
@@ -26,28 +13,31 @@ in
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
       echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
     '';
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
     serviceConfig = {
       User = "gitea";
       Group = "gitea";
       StateDirectory = "gitea-actions-runner";
-      ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
       Type = "oneshot";
       RemainAfterExit = true;
     };
   };
 
-  # Format of the token file:
-  virtualisation.podman.enable = true;
-
   systemd.services.gitea-runner-nix = {
-    after = [
-      "gitea-actions-runner-nix-token.service"
-      "gitea-actions-runner-nix-image.service"
-    ];
-    requires = [
-      "gitea-actions-runner-nix-token.service"
-      "gitea-actions-runner-nix-image.service"
-    ];
+    after = [ "gitea-runner-nix-token.service" ];
+    requires = [ "gitea-runner-nix-token.service" ];
+    # TODO: systemd confinment
+    #serviceConfig = {
+    #  Environment = [
+    #    "NIX_REMOTE=daemon"
+    #    "PAGER=cat"
+    #  ];
+    #  BindPaths = [
+    #    "/nix/var/nix/daemon-socket/socket"
+    #    "/run/nscd/socket"
+    #    "/var/lib/drone"
+    #  ];
+    #};
   };
 
   services.gitea-actions-runner.instances.nix = {
@@ -59,8 +49,27 @@ in
     url = config.services.gitea.settings.server.ROOT_URL;
     # use your favourite nix secret manager to get a path for this
     tokenFile = "/var/lib/gitea-actions-runner/token";
-    labels = [
-      "nix:docker://${actions-runner.imageName}"
+    labels = [ "nix:host" ];
+    hostPackages = with pkgs; [
+      bash
+      coreutils
+      curl
+      gawk
+      gitMinimal
+      gnused
+      jq
+      nixUnstable
+      nodejs
+      wget
+      gnutar
+      bash
+      config.nix.package
+      gzip
     ];
+    settings = {
+      runner.envs = {
+        HOME = "/var/lib/gitea-runner/nix";
+      };
+    };
   };
 }

pkgs/actions-runner.nix

@@ -1,43 +0,0 @@
-{ pkgs, inputs }:
-let
-  # FIXME get rid of nix input?
-  base = import (inputs.nix + "/docker.nix") {
-    inherit pkgs;
-    name = "nix-ci-base";
-    maxLayers = 10;
-    extraPkgs = with pkgs; [
-      nodejs_20 # nodejs is needed for running most 3rdparty actions
-      # add any other pre-installed packages here
-    ];
-    # do we want this at all?
-    channelURL = "https://nixos.org/channels/nixpkgs-unstable";
-    nixConf = {
-      substituters = [
-        "https://cache.nixos.org/"
-        "https://nix-community.cachix.org"
-        # insert any other binary caches here
-      ];
-      trusted-public-keys = [
-        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        # insert the public keys for those binary caches here
-      ];
-      # allow using the new flake commands in our workflows
-      experimental-features = [ "nix-command" "flakes" ];
-    };
-  };
-in
-pkgs.dockerTools.buildImage {
-  name = "nix-runner";
-  tag = "latest";
-
-  fromImage = base;
-  fromImageName = null;
-  fromImageTag = "latest";
-
-  copyToRoot = pkgs.buildEnv {
-    name = "image-root";
-    paths = [ pkgs.coreutils-full ];
-    pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
-  };
-}