diff --git a/flake.lock b/flake.lock
index 06a5250..fa62619 100644
--- a/flake.lock
+++ b/flake.lock
@@ -82,16 +82,16 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1689638193,
- "narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
- "owner": "DavHau",
+ "lastModified": 1689838306,
+ "narHash": "sha256-rKQERGxsbP+Mkkwgepmy/a3KgYYdbFR7vTgEZ6GMoIA=",
+ "owner": "Mic92",
 "repo": "nixpkgs",
- "rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
+ "rev": "4bfb50dc6d66a86e61c6b38f567f7770d54db53e",
 "type": "github"
 },
 "original": {
- "owner": "DavHau",
- "ref": "gitea",
+ "owner": "Mic92",
+ "ref": "daemon",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index a224d37..da3ab52 100644
--- a/flake.nix
+++ b/flake.nix
@@ -8,7 +8,7 @@
 inputs = {
 # https://github.com/NixOS/nixpkgs/pull/243252
- nixpkgs.url = "github:DavHau/nixpkgs/gitea";
+ nixpkgs.url = "github:Mic92/nixpkgs/daemon";
 flake-parts.url = "github:hercules-ci/flake-parts";
 flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
 treefmt-nix.url = "github:numtide/treefmt-nix";
@@ -43,8 +43,9 @@
 inputs.treefmt-nix.flakeModule
 ./targets/flake-module.nix
 ./modules/flake-module.nix
+ ./pkgs/flake-module.nix
 ];
- perSystem = { config, pkgs, inputs', ... }: {
+ perSystem = { pkgs, inputs', ... }: {
 treefmt = {
 projectRootFile = "flake.nix";
 programs.terraform.enable = true;
@@ -70,9 +71,6 @@
 ]))
 ];
 };
- inherit (pkgs.callPackage ./pkgs/renovate { }) renovate;
- } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
- gitea = pkgs.callPackage ./pkgs/gitea { };
 };
 };
 });
diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index a599b1b..e8da639 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
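Review bot: The `# https://github.com/NixOS/nixpkgs/pull/243252` comment above the changed `nixpkgs.url` line now sits over a different fork and branch (`Mic92/nixpkgs/daemon`), and nothing says whether that branch still carries the referenced PR or what else it adds. Because this input pins the whole system to a personal fork, the comment should state the reason, e.g. `# Fork of nixpkgs carrying <feature-or-PR> until it lands upstream (see https://github.com/NixOS/nixpkgs/pull/243252)` with the placeholder filled in. The flake.lock hunk does pin the fork to a fixed rev, so reproducibility is kept; the open question is only what the branch contains and when it can go back to upstream.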
@@ -1,6 +1,19 @@
 { config, self, pkgs, lib, ... }:
-
+let
+ inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
+in
 {
+ systemd.services.gitea-runner-nix-image = {
+ wantedBy = [ "multi-user.target" ];
+ script = ''
+ ${lib.getExe pkgs.podman} load --input=${actions-runner}
+ '';
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ };
+ };
+
 systemd.services.gitea-runner-nix-token = {
 wantedBy = [ "multi-user.target" ];
 after = [ "gitea.service" ];
@@ -11,21 +24,30 @@
 script = ''
 set -euo pipefail
 token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
- echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
+ echo "TOKEN=$token" > /var/lib/gitea-runner/token
 '';
- unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
+ unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
 serviceConfig = {
 User = "gitea";
 Group = "gitea";
- StateDirectory = "gitea-actions-runner";
+ StateDirectory = "gitea-runner";
 Type = "oneshot";
 RemainAfterExit = true;
 };
 };
+ # Format of the token file:
+ virtualisation.podman.enable = true;
+
 systemd.services.gitea-runner-nix = {
- after = [ "gitea-runner-nix-token.service" ];
- requires = [ "gitea-runner-nix-token.service" ];
+ after = [
+ "gitea-runner-nix-token.service"
+ "gitea-runner-nix-image.service"
+ ];
+ requires = [
+ "gitea-runner-nix-token.service"
+ "gitea-runner-nix-image.service"
+ ];
 # TODO: systemd confinment
 serviceConfig = {
@@ -109,8 +131,8 @@
 # otherwise you need to set it manually
 url = config.services.gitea.settings.server.ROOT_URL;
 # use your favourite nix secret manager to get a path for this
- tokenFile = "/var/lib/gitea-actions-runner/token";
- labels = [ "nix:host" ];
+ tokenFile = "/var/lib/gitea-runner/token";
+ labels = [ "nix:docker://${actions-runner.imageName}" ];
 hostPackages = with pkgs; [
 bash
 coreutils
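Review bot: `gitea-runner-nix-image` sets no `User=`, so the `${lib.getExe pkgs.podman} load --input=${actions-runner}` line in its `script` imports the image into root's container storage; the `gitea-runner-nix` unit that consumes it through the `nix:docker://…` label has its `serviceConfig` outside this hunk, so confirm that unit runs as root or points at the same storage, otherwise the loaded image is not visible to it. The new service also has no comment explaining its role in the startup chain; `# Imports the prebuilt runner image into podman storage before gitea-runner-nix starts (see its after/requires below).` placed above `systemd.services.gitea-runner-nix-image` would make that explicit.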
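Review bot: `echo "TOKEN=$token" > /var/lib/gitea-runner/token` creates the file with the service's default umask, so the runner registration token is most likely readable by every local user inside a `StateDirectory` that is itself world-readable by default; adding `umask 077` right after `set -euo pipefail` keeps the file to the `gitea` user, unless a umask is already set elsewhere in the unit. Separately, the added `# Format of the token file:` comment stops mid-sentence; from the script the content is a single `TOKEN=<token>` line, so either finish it as `# Format of the token file: one line, TOKEN=<runner token>` or drop it, and note it currently sits above `virtualisation.podman.enable`, which has nothing to do with the token. The enclosing `gitea-runner-nix-token` definition starts before this hunk.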
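Review bot: The `# use your favourite nix secret manager to get a path for this` comment above the changed `tokenFile` line is stale: the file at `/var/lib/gitea-runner/token` is now written by the `gitea-runner-nix-token` unit earlier in this file, so it should read `# written by gitea-runner-nix-token.service above`. The new label `nix:docker://${actions-runner.imageName}` omits a tag while the image in pkgs/actions-runner.nix is built with `tag = "latest"`; if the package exposes `imageTag` alongside `imageName`, writing `"nix:docker://${actions-runner.imageName}:${actions-runner.imageTag}"` pins the exact image that `gitea-runner-nix-image` loaded instead of relying on the runner's default tag resolution. The `hostPackages` list continues past the end of the hunk.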
diff --git a/pkgs/actions-runner.nix b/pkgs/actions-runner.nix
new file mode 100644
index 0000000..90b2764
--- /dev/null
+++ b/pkgs/actions-runner.nix
@@ -0,0 +1,43 @@
+{ pkgs, inputs }:
+let
+ # FIXME get rid of nix input?
+ base = import (inputs.nix + "/docker.nix") {
+ inherit pkgs;
+ name = "nix-ci-base";
+ maxLayers = 10;
+ extraPkgs = with pkgs; [
+ nodejs_20 # nodejs is needed for running most 3rdparty actions
+ # add any other pre-installed packages here
+ ];
+ # do we want this at all?
+ channelURL = "https://nixos.org/channels/nixpkgs-unstable";
+ nixConf = {
+ substituters = [
+ "https://cache.nixos.org/"
+ "https://nix-community.cachix.org"
+ # insert any other binary caches here
+ ];
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ # insert the public keys for those binary caches here
+ ];
+ # allow using the new flake commands in our workflows
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+ };
+in
+pkgs.dockerTools.buildImage {
+ name = "nix-runner";
+ tag = "latest";
+
+ fromImage = base;
+ fromImageName = null;
+ fromImageTag = "latest";
+
+ copyToRoot = pkgs.buildEnv {
+ name = "image-root";
+ paths = [ pkgs.coreutils-full ];
+ pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
+ };
+}
diff --git a/pkgs/flake-module.nix b/pkgs/flake-module.nix
new file mode 100644
index 0000000..68bdd8d
--- /dev/null
+++ b/pkgs/flake-module.nix
@@ -0,0 +1,12 @@
+{ lib, inputs, ... }: {
+ perSystem = { pkgs, inputs', ... }: {
+ packages = {
+ inherit (pkgs.callPackage ./renovate { }) renovate;
+ } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
+ gitea = pkgs.callPackage ./gitea { };
+ actions-runner = pkgs.callPackage ./actions-runner.nix {
+ inherit inputs;
+ };
+ };
+ };
+}
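Review bot: `inputs.nix` on the `base = import (inputs.nix + "/docker.nix") {` line is a flake input that does not appear among the inputs visible in the flake.nix hunk (`nixpkgs`, `flake-parts`, `treefmt-nix`); if it is not declared further down in flake.nix, evaluating `pkgs/flake-module.nix` fails, and the `# FIXME get rid of nix input?` line should say what still depends on it. The file has no header comment saying what the image is for; `# Container image for Gitea actions jobs labelled nix:docker://nix-runner: the nix docker image plus nodejs_20 and coreutils, with the binary caches and keys below baked into nix.conf.` would orient a reader. The `# do we want this at all?` question on `channelURL` deserves an answer or a removal before this is merged, and `coreutuls` in the `pathsToLink` comment is a typo for `coreutils`.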
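Review bot: `inputs'` in `perSystem = { pkgs, inputs', ... }: {` is bound but never used in the body, which only references `pkgs`, `lib` and `inputs`, so `perSystem = { pkgs, ... }: {` is enough; the flake.nix hunk dropped an unused `config` argument for the same reason. `gitea` and `actions-runner` are only defined when `!pkgs.stdenv.isDarwin`, while modules/web01/gitea/actions-runner.nix reads `self.packages.${pkgs.hostPlatform.system}.actions-runner` unconditionally; that is fine on a Linux host, but a one-line comment above the `optionalAttrs` such as `# linux-only: gitea and the runner image are not built on Darwin` would record the constraint.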