harmonia: put in correct public key #108
|
@ -3,7 +3,7 @@
|
|||
|
||||
nixConfig = {
|
||||
extra-substituters = [ "https://cache.clan.lol" ];
|
||||
extra-trusted-public-keys = [ "cache.clan.lol-1:j83TYLUVsrSXZvQdMoY+Ms81Xd/nO8GNuQQHqphzRSg=" ];
|
||||
extra-trusted-public-keys = [ "cache.clan.lol-1:3KztgSAB5R1M+Dz7vzkBGzXdodizbgLXGXKXlcQLA28=" ];
|
||||
};
|
||||
|
||||
inputs = {
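Review bot: The new value on the `extra-trusted-public-keys` line is a trust anchor for every path substituted from cache.clan.lol, but neither the line nor the commit record says where the key was obtained or how to re-verify it, so the next rotation has to repeat this guesswork. Add a comment above it such as `# public half of the harmonia signing key on the cache host; compare against that host's configured sign key before changing` so the value can be checked against its source rather than accepted on faith. The title states the previous key was wrong, which is exactly the situation a recorded provenance would have surfaced earlier.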
|
||||
|
@ -25,6 +25,7 @@
|
|||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
clan-core.url = "git+https://git.clan.lol/clan/clan-core";
|
||||
#clan-core.url = "git+file:///home/joerg/work/clan/clan-core?ref=kvm-fix";
|
||||
clan-core.inputs.flake-parts.follows = "flake-parts";
|
||||
clan-core.inputs.nixpkgs.follows = "nixpkgs";
|
||||
clan-core.inputs.treefmt-nix.follows = "treefmt-nix";
|
||||
|
|
|
@ -12,8 +12,9 @@ let
|
|||
mkdir -p $out/etc/ssl/certs
|
||||
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
||||
'';
|
||||
numInstances = 10;
|
||||
in
|
||||
{
|
||||
lib.mkMerge [{
|
||||
# everything here has no dependencies on the store
|
||||
systemd.services.gitea-runner-nix-image = {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
|
@ -71,8 +72,9 @@ in
|
|||
isSystemUser = true;
|
||||
};
|
||||
users.groups.nixuser = { };
|
||||
|
||||
systemd.services.gitea-runner-nix-token = {
|
||||
}
|
||||
{
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}-token") numInstances) (name: {
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "gitea.service" ];
|
||||
environment = {
|
||||
|
@ -82,9 +84,9 @@ in
|
|||
script = ''
|
||||
set -euo pipefail
|
||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||
echo "TOKEN=$token" > /var/lib/gitea-registration/token
|
||||
echo "TOKEN=$token" > /var/lib/gitea-registration/${name}
|
||||
'';
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/token" ];
|
||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/${name}" ];
|
||||
serviceConfig = {
|
||||
User = "gitea";
|
||||
Group = "gitea";
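Review bot: The token written on the `echo "TOKEN=$token" > /var/lib/gitea-registration/${name}` line is a runner registration secret, yet the redirect creates the file with whatever umask the unit runs under (commonly 0022, yielding a world-readable 0644), and nothing in the hunk narrows it; any local account could read the token and register a runner against this Gitea instance. Add `umask 077` directly after `set -euo pipefail` so the file is created 0600, owned by the `gitea` user the unit runs as. If `tokenFile` is consumed as a systemd EnvironmentFile, as the `TOKEN=` format suggests, systemd reads it before dropping to the runner's `DynamicUser` and 0600 is sufficient, but that should be confirmed against the runner module. The `(name: { … })` body that this `script` belongs to starts and ends outside the hunk, and the creation and permissions of `/var/lib/gitea-registration` itself are not visible here.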
|
||||
|
@ -92,13 +94,14 @@ in
|
|||
Type = "oneshot";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
});
|
||||
|
||||
# Format of the token file:
|
||||
virtualisation = {
|
||||
podman.enable = true;
|
||||
podman.extraPackages = [ pkgs.zfs ];
|
||||
};
|
||||
|
||||
virtualisation.containers.storage.settings = {
|
||||
storage.driver = "zfs";
|
||||
storage.graphroot = "/var/lib/containers/storage";
|
||||
|
@ -110,14 +113,15 @@ in
|
|||
# podman seems to not work with systemd-resolved
|
||||
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
|
||||
};
|
||||
|
||||
systemd.services.gitea-runner-nix = {
|
||||
}
|
||||
{
|
||||
systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (name: {
|
||||
after = [
|
||||
"gitea-runner-nix-token.service"
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
requires = [
|
||||
"gitea-runner-nix-token.service"
|
||||
"${name}-token.service"
|
||||
"gitea-runner-nix-image.service"
|
||||
];
|
||||
|
||||
|
@ -186,9 +190,9 @@ in
|
|||
# want to consult the systemd docs if using both.
|
||||
DynamicUser = true;
|
||||
};
|
||||
};
|
||||
});
|
||||
|
||||
services.gitea-actions-runner.instances.nix = {
|
||||
services.gitea-actions-runner.instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (name: {
|
||||
enable = true;
|
||||
name = "nix-runner";
|
||||
# take the git root url from the gitea config
|
||||
|
@ -196,7 +200,7 @@ in
|
|||
# otherwise you need to set it manually
|
||||
url = config.services.gitea.settings.server.ROOT_URL;
|
||||
# use your favourite nix secret manager to get a path for this
|
||||
tokenFile = "/var/lib/gitea-registration/token";
|
||||
tokenFile = "/var/lib/gitea-registration/gitea-runner-${name}-token";
|
||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
||||
settings = {
|
||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||
|
@ -208,5 +212,5 @@ in
|
|||
"${storeDeps}/etc/ssl"
|
||||
];
|
||||
};
|
||||
};
|
||||
}
|
||||
});
|
||||
}]
|
||||
|
|