ci: switch to new docker container for nix #25
|
@ -1,19 +1,5 @@
|
||||||
{ config, self, pkgs, lib, ... }:
|
{ config, self, pkgs, lib, ... }:
|
||||||
let
|
|
||||||
inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
systemd.services.gitea-runner-nix-image = {
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
script = ''
|
|
||||||
${lib.getExe pkgs.podman} load --input=${actions-runner}
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
|
||||||
Type = "oneshot";
|
|
||||||
RemainAfterExit = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.gitea-runner-nix-token = {
|
systemd.services.gitea-runner-nix-token = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "gitea.service" ];
|
after = [ "gitea.service" ];
|
||||||
|
@ -24,13 +10,13 @@ in
|
||||||
script = ''
|
script = ''
|
||||||
set -euo pipefail
|
set -euo pipefail
|
||||||
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
|
||||||
echo "TOKEN=$token" > /var/lib/gitea-runner/token
|
echo "TOKEN=$token" > /var/lib/gitea-registration/token
|
||||||
'';
|
'';
|
||||||
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
|
unitConfig.ConditionPathExists = [ "!/var/lib/gitea-registration/token" ];
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
User = "gitea";
|
User = "gitea";
|
||||||
Group = "gitea";
|
Group = "gitea";
|
||||||
StateDirectory = "gitea-runner";
|
StateDirectory = "gitea-registration";
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
RemainAfterExit = true;
|
RemainAfterExit = true;
|
||||||
};
|
};
|
||||||
|
@ -42,11 +28,9 @@ in
|
||||||
systemd.services.gitea-runner-nix = {
|
systemd.services.gitea-runner-nix = {
|
||||||
after = [
|
after = [
|
||||||
"gitea-runner-nix-token.service"
|
"gitea-runner-nix-token.service"
|
||||||
"gitea-runner-nix-image.service"
|
|
||||||
];
|
];
|
||||||
requires = [
|
requires = [
|
||||||
"gitea-runner-nix-token.service"
|
"gitea-runner-nix-token.service"
|
||||||
"gitea-runner-nix-image.service"
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# TODO: systemd confinment
|
# TODO: systemd confinment
|
||||||
|
@ -113,49 +97,42 @@ in
|
||||||
# Note that this has some interactions with the User setting; so you may
|
# Note that this has some interactions with the User setting; so you may
|
||||||
# want to consult the systemd docs if using both.
|
# want to consult the systemd docs if using both.
|
||||||
DynamicUser = true;
|
DynamicUser = true;
|
||||||
# Environment = [
|
|
||||||
# ];
|
|
||||||
# BindPaths = [
|
|
||||||
# "/nix/var/nix/daemon-socket/socket"
|
|
||||||
# "/run/nscd/socket"
|
|
||||||
# "/var/lib/drone"
|
|
||||||
# ];
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.gitea-actions-runner.instances.nix = {
|
services.gitea-actions-runner.instances.nix =
|
||||||
enable = true;
|
let
|
||||||
name = "nix-runner";
|
extraBins = pkgs.runCommand "extra-bins" { } ''
|
||||||
# take the git root url from the gitea config
|
mkdir -p $out
|
||||||
# only possible if you've also configured your gitea though the same nix config
|
ln -s ${pkgs.nodejs}/bin/node $out/node
|
||||||
# otherwise you need to set it manually
|
ln -s ${pkgs.nix}/bin/nix $out/nix
|
||||||
url = config.services.gitea.settings.server.ROOT_URL;
|
ln -s ${pkgs.git}/bin/git $out/git
|
||||||
# use your favourite nix secret manager to get a path for this
|
ln -s ${pkgs.jq}/bin/jq $out/jq
|
||||||
tokenFile = "/var/lib/gitea-runner/token";
|
ln -s ${pkgs.bash}/bin/bash $out/bash
|
||||||
labels = [ "nix:docker://${actions-runner.imageName}" ];
|
for i in ${pkgs.coreutils}/bin/*; do
|
||||||
hostPackages = with pkgs; [
|
ln -s $i $out/$(basename $i)
|
||||||
bash
|
done
|
||||||
coreutils
|
'';
|
||||||
curl
|
in
|
||||||
gawk
|
{
|
||||||
gitMinimal
|
enable = true;
|
||||||
gnused
|
name = "nix-runner";
|
||||||
jq
|
# take the git root url from the gitea config
|
||||||
nixUnstable
|
# only possible if you've also configured your gitea though the same nix config
|
||||||
nodejs
|
# otherwise you need to set it manually
|
||||||
wget
|
url = config.services.gitea.settings.server.ROOT_URL;
|
||||||
gnutar
|
# use your favourite nix secret manager to get a path for this
|
||||||
bash
|
tokenFile = "/var/lib/gitea-registration/token";
|
||||||
config.nix.package
|
labels = [ "nix:docker://mic92/nix-unstable-static" ];
|
||||||
gzip
|
settings = {
|
||||||
];
|
container.options = "-v /nix:/nix -v ${extraBins}:/bin --user nixuser";
|
||||||
settings = {
|
container.valid_volumes = [
|
||||||
runner.envs = {
|
"/nix"
|
||||||
HOME = "/var/lib/gitea-runner/nix";
|
extraBins
|
||||||
# unset the token so it doesn't leak into the runner
|
];
|
||||||
TOKEN = "";
|
runner = {
|
||||||
PAGER = "cat";
|
envs.BIN = extraBins;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|
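Review bot: The new runner label, `labels = [ "nix:docker://mic92/nix-unstable-static" ];`, pulls a third-party image from the registry by mutable tag, replacing the store-built image that the removed `gitea-runner-nix-image` unit loaded from `${actions-runner}`, so whoever controls that tag controls every CI job; pin it by digest, `labels = [ "nix:docker://mic92/nix-unstable-static@sha256:<digest>" ];`, and note in a comment where the digest is bumped. `container.options = "-v /nix:/nix -v ${extraBins}:/bin --user nixuser"` bind-mounts the entire host Nix tree read-write into job containers; if jobs only need the store and the daemon socket, mounting `/nix/store` read-only (`-v /nix/store:/nix/store:ro`) plus the daemon socket explicitly narrows what a malicious workflow can reach — this presumably needs checking against how `nixuser` maps under rootless podman. Separately, `echo "TOKEN=$token" > /var/lib/gitea-registration/token` writes the registration token with the unit's default umask, which likely leaves it world-readable, and since the runner unit uses `DynamicUser = true` it seems to rely on that; either set `umask 077` and grant the runner access through a group, or add `# NOTE: token file must stay readable by the DynamicUser runner; treat /var/lib/gitea-registration as sensitive` so the trade-off is explicit. The `gitea-runner-nix` unit whose `serviceConfig` these hunks touch starts in an earlier hunk and has lines outside the view.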