From eef8f8b367e423f166655976a0b51c9f30c3c9c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 20 Jul 2023 13:15:03 +0200
Subject: [PATCH 1/2] ci: switch to new docker container for nix

---
 modules/web01/gitea/actions-runner.nix | 65 +++++++++-----------------
 1 file changed, 22 insertions(+), 43 deletions(-)

diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index e8da639..386d8ad 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
@@ -1,18 +1,15 @@
 { config, self, pkgs, lib, ... }:
-let
- inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
-in
 {
- systemd.services.gitea-runner-nix-image = {
- wantedBy = [ "multi-user.target" ];
- script = ''
- ${lib.getExe pkgs.podman} load --input=${actions-runner}
- '';
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- };
+ #systemd.services.gitea-runner-nix-image = {
+ # wantedBy = [ "multi-user.target" ];
+ # script = ''
+ # ${lib.getExe pkgs.podman} load --input=${actions-runner}
+ # '';
+ # serviceConfig = {
+ # Type = "oneshot";
+ # RemainAfterExit = true;
+ # };
+ #};
 
 systemd.services.gitea-runner-nix-token = {
 wantedBy = [ "multi-user.target" ];
@@ -24,13 +21,13 @@ in
 script = ''
 set -euo pipefail
 token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
- echo "TOKEN=$token" > /var/lib/gitea-runner/token
+ echo "TOKEN=$token" > /var/lib/gitea-registration/token
 '';
- unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
+ unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/token" ];
 serviceConfig = {
 User = "gitea";
 Group = "gitea";
- StateDirectory = "gitea-runner";
+ StateDirectory = "gitea-registration";
 Type = "oneshot";
 RemainAfterExit = true;
 };
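Review bot: The renamed redirect `echo "TOKEN=$token" > /var/lib/gitea-registration/token` still creates the token file under the service's default umask, and a StateDirectory defaults to mode 0755, so the registration token is likely readable by every local user; prefix the redirect with `umask 077` or add `StateDirectoryMode = "0700";` and `UMask = "0077";` to serviceConfig. The runner that consumes tokenFile must still be able to read it, and the `DynamicUser = true` seen later in this series suggests it runs as a different user, so grant that access through a shared group rather than by leaving the file world-readable. The `script` and the enclosing service definition continue outside the hunk.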
@@ -42,11 +39,9 @@ in
 systemd.services.gitea-runner-nix = {
 after = [
 "gitea-runner-nix-token.service"
- "gitea-runner-nix-image.service"
 ];
 requires = [
 "gitea-runner-nix-token.service"
- "gitea-runner-nix-image.service"
 ];
 # TODO: systemd confinment
@@ -123,7 +118,12 @@ in
 };
 };
 
- services.gitea-actions-runner.instances.nix = {
+ services.gitea-actions-runner.instances.nix = let
+ extraBins = pkgs.runCommand "extra-bins" {} ''
+ mkdir -p $out
+ ln -s ${pkgs.nodejs}/bin/node $out/node
+ '';
+ in {
 enable = true;
 name = "nix-runner";
 # take the git root url from the gitea config
@@ -131,31 +131,10 @@ in
 # otherwise you need to set it manually
 url = config.services.gitea.settings.server.ROOT_URL;
 # use your favourite nix secret manager to get a path for this
- tokenFile = "/var/lib/gitea-runner/token";
- labels = [ "nix:docker://${actions-runner.imageName}" ];
- hostPackages = with pkgs; [
- bash
- coreutils
- curl
- gawk
- gitMinimal
- gnused
- jq
- nixUnstable
- nodejs
- wget
- gnutar
- bash
- config.nix.package
- gzip
- ];
+ tokenFile = "/var/lib/gitea-registration/token";
+ labels = [ "nix:docker://mic92/nix-unstable-static" ];
 settings = {
- runner.envs = {
- HOME = "/var/lib/gitea-runner/nix";
- # unset the token so it doesn't leak into the runner
- TOKEN = "";
- PAGER = "cat";
- };
+ container.options = "-v /nix:/nix -v ${extraBins}:/host/bin --user nixuser";
 };
 };
 }
-- 
2.45.1

From 3c7ad968ad17bbfb617b6b0d0ffd8d54e438fd56 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Thalheim?=
Date: Thu, 20 Jul 2023 14:42:28 +0200
Subject: [PATCH 2/2] actions-runner: add missing executables to docker container

---
 modules/web01/gitea/actions-runner.nix | 70 +++++++++++++-------------
 1 file changed, 34 insertions(+), 36 deletions(-)

diff --git a/modules/web01/gitea/actions-runner.nix b/modules/web01/gitea/actions-runner.nix
index 386d8ad..bf9ba68 100644
--- a/modules/web01/gitea/actions-runner.nix
+++ b/modules/web01/gitea/actions-runner.nix
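Review bot: The new `labels = [ "nix:docker://mic92/nix-unstable-static" ];` in the last hunk of this patch replaces a locally built, podman-loaded image with a registry image that carries neither a tag nor a digest, so each job runs whatever the registry currently serves for it; pin it by digest, e.g. `"nix:docker://mic92/nix-unstable-static@sha256:<digest>"` (digest placeholder), and record where the image is built in a comment. The same hunk drops the whole `runner.envs` block, including `TOKEN = ""` and its comment "unset the token so it doesn't leak into the runner", with nothing taking its place; unless it has been confirmed that act_runner does not forward its own environment (which the NixOS module loads from tokenFile) into job containers, keep `runner.envs.TOKEN = "";` under `settings`. The unpinned label is carried unchanged into the final hunk of the second patch, so both apply there too. The enclosing `services.gitea-actions-runner.instances.nix` set starts outside this hunk.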
@@ -1,16 +1,5 @@
 { config, self, pkgs, lib, ... }:
 {
- #systemd.services.gitea-runner-nix-image = {
- # wantedBy = [ "multi-user.target" ];
- # script = ''
- # ${lib.getExe pkgs.podman} load --input=${actions-runner}
- # '';
- # serviceConfig = {
- # Type = "oneshot";
- # RemainAfterExit = true;
- # };
- #};
-
 systemd.services.gitea-runner-nix-token = {
 wantedBy = [ "multi-user.target" ];
 after = [ "gitea.service" ];
@@ -108,33 +97,42 @@
 # Note that this has some interactions with the User setting; so you may
 # want to consult the systemd docs if using both.
 DynamicUser = true;
- # Environment = [
- # ];
- # BindPaths = [
- # "/nix/var/nix/daemon-socket/socket"
- # "/run/nscd/socket"
- # "/var/lib/drone"
- # ];
 };
 };
 
- services.gitea-actions-runner.instances.nix = let
- extraBins = pkgs.runCommand "extra-bins" {} ''
- mkdir -p $out
- ln -s ${pkgs.nodejs}/bin/node $out/node
- '';
- in {
- enable = true;
- name = "nix-runner";
- # take the git root url from the gitea config
- # only possible if you've also configured your gitea though the same nix config
- # otherwise you need to set it manually
- url = config.services.gitea.settings.server.ROOT_URL;
- # use your favourite nix secret manager to get a path for this
- tokenFile = "/var/lib/gitea-registration/token";
- labels = [ "nix:docker://mic92/nix-unstable-static" ];
- settings = {
- container.options = "-v /nix:/nix -v ${extraBins}:/host/bin --user nixuser";
+ services.gitea-actions-runner.instances.nix =
+ let
+ extraBins = pkgs.runCommand "extra-bins" { } ''
+ mkdir -p $out
+ ln -s ${pkgs.nodejs}/bin/node $out/node
+ ln -s ${pkgs.nix}/bin/nix $out/nix
+ ln -s ${pkgs.git}/bin/git $out/git
+ ln -s ${pkgs.jq}/bin/jq $out/jq
+ ln -s ${pkgs.bash}/bin/bash $out/bash
+ for i in ${pkgs.coreutils}/bin/*; do
+ ln -s $i $out/$(basename $i)
+ done
+ '';
+ in
+ {
+ enable = true;
+ name = "nix-runner";
+ # take the git root url from the gitea config
+ # only possible if you've also configured your gitea though the same nix config
+ # otherwise you need to set it manually
+ url = config.services.gitea.settings.server.ROOT_URL;
+ # use your favourite nix secret manager to get a path for this
+ tokenFile = "/var/lib/gitea-registration/token";
+ labels = [ "nix:docker://mic92/nix-unstable-static" ];
+ settings = {
+ container.options = "-v /nix:/nix -v ${extraBins}:/bin --user nixuser";
+ container.valid_volumes = [
+ "/nix"
+ extraBins
+ ];
+ runner = {
+ envs.BIN = extraBins;
+ };
+ };
 };
- };
 }
-- 
2.45.1
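Review bot: `container.options = "-v /nix:/nix -v ${extraBins}:/bin --user nixuser"` bind-mounts the entire host `/nix` into every job container, and the comment this hunk deletes lists `/nix/var/nix/daemon-socket/socket` under that tree, so any workflow scheduled on the `nix` label can reach the host nix-daemon and, depending on host store permissions, write to the store; consider `-v /nix/store:/nix/store:ro` plus an explicitly mounted daemon socket, or document that only trusted repositories may target this runner. `container.valid_volumes` listing `/nix` additionally lets a workflow's own `container.volumes` request the same mount, which is consistent with the options line but widens the same exposure and deserves a comment saying so. `extraBins` is now mounted over the image's `/bin` instead of `/host/bin`, hiding whatever the image ships there; a one-line comment stating that the image is expected to provide no `/bin` of its own would help the next reader. The `systemd.services.gitea-runner-nix` definition whose `DynamicUser = true;` opens this hunk starts outside it.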