This commit is contained in:
albert 2025-02-03 09:43:56 -08:00
parent ebbba413e7
commit 884a255970
Signed by: albert
GPG key ID: 3895DD267CA11BA9
3 changed files with 58 additions and 41 deletions
.forgejo/workflows
nixos/common/services


@ -10,7 +10,7 @@ on:
jobs:
deploy-rs:
runs-on: headscale-runner
runs-on: forgejo
container:
image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
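Review bot: The container `options` line still passes `--privileged`, which gives the job image full host capabilities and every device, although the only need visible here is the `/dev/net/tun` bind mount; a TUN device is reachable with `--device=/dev/net/tun --cap-add=NET_ADMIN` alone. The retargeted runner appears to refuse privileged containers and drop capabilities (`allow-privileged = false`, `--cap-drop=ALL` in the accompanying runner config), so as written this job is likely to be rejected or to run without what it asks for, and the two sides should be reconciled. Proposed: `options: --device=/dev/net/tun --cap-add=NET_ADMIN`. The `on:` block of this workflow starts above the hunk.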


@ -1,26 +1,25 @@
---
iname: Deploy Systems
on:
workflow_dispatch:
name: Deploy Systems
on: [workflow_dispatch]
jobs:
deploy:
runs-on: nix
steps:
- name: Checkout repository
uses: https://code.forgejo.org/actions/checkout@v4
- uses: https://git.madhouse-project.org/actions/nix/setup@v2
with:
nix_path: nixpkgs=flake:nixpkgs
- name: Validate Flake
run: nix flake check
- uses: https://git.madhouse-project.org/actions/nix/build@v2
with:
flake: .
targets: |
nixosConfigurations
- name: Build Systems
run: nix build .#nixosConfigurations --show-trace
- name: Deploy with deploy-rs
run: nix run .#deploy -- -- --confirm
env:
DEPLOY_SSH_USER: ${{ secrets.SSH_USER }}
DEPLOY_SSH_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
- uses: https://git.madhouse-project.org/actions/nix/deploy-rs@v2
with:
ssh_user: ${{ secrets.SSH_USER }}
ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
confirm: true
- uses: https://git.sysctl.io/actions/gotify-action@master
if: always()
@ -32,3 +31,4 @@ jobs:
notification_message: |
Status: ${{ job.status }}
Commit: ${{ github.sha }}
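Review bot: The new `deploy-rs@v2` step hands `secrets.SSH_PRIVATE_KEY` and `secrets.SSH_USER` to an action fetched from an external forge (`git.madhouse-project.org`) at a mutable tag, and the `gotify-action@master` step, which runs under `if: always()`, is pinned to a branch; whoever can move either ref controls code that runs with the deploy key and the job token. Pin every `uses:` that handles secrets to a full commit SHA you have reviewed, e.g. `uses: https://git.madhouse-project.org/actions/nix/deploy-rs@<commit-sha>` and `uses: https://git.sysctl.io/actions/gotify-action@<commit-sha>`, and do the same for the `setup@v2` / `build@v2` steps that shape the Nix environment the deploy runs in. The gotify step's `with:` block continues into the next hunk.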


@ -5,7 +5,7 @@
owner = "root";
mode = "0444"; # gitea-actions-runner uses "DynamicUser"
sopsFile = ../../../secrets/secrets.yaml;
restartUnits = [ "gitea-actions-runner-${hostname}.service" ];
restartUnits = [ "gitea-actions-runner-default.service" ];
};
services.gitea-actions-runner = {
@ -14,34 +14,51 @@
enable = true;
name = "${hostname}";
labels = [
"nix:host://self-hsoted"
"${hostname}:host://self-hosted"
"self-hosted:host://self-hosted"
"alpine:docker://alpine:edge"
"ubuntu:docker://ubuntu:latest"
"headscale-runner:docker://git.sysctl.io/albert/actions-container-images/headscale-runner:latest"
];
# Host runners (direct execution)
"nix:host" # Simplified host label
"${hostname}:host" # Host identifier
"self-hosted:host" # Standard host designation
# Docker wildcards
"docker:docker:*:*"
"forgejo:docker:git.sysctl.io/**/*:*"
];
url = "https://git.sysctl.io";
tokenFile = /run/secrets/services/forgejo_token;
hostPackages = with pkgs; [
nodejs_20 # Explicitly use Node.js 20.x
deploy-rs
coreutils
git
gnutar
gzip
];
hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
settings = {
valid_volumes = [
"/run/podman/podman.sock:/run/podman/podman.sock:rw" # Docker socket
"/dev/net/tun:/dev/net/tun:rw" # Tunnel device mapping
"/nix/store:/nix/store:ro" # Standard Nix requirement
];
container_security = {
allow-privileged = false;
allow-host-namespace = false;
};
docker-opts = [
"--cap-drop=ALL" # Drop all caps first
"--security-opt=no-new-privileges"
"--cap-add=NET_ADMIN" # Required for TUN device access
];
};
};
};
systemd.services.gitea-actions-runner-default = {
serviceConfig = {
CacheDirectory = "gitea-actions-runner-default"; # Add this line
StateDirectory = "gitea-actions-runner-default";
RuntimeDirectory = "gitea-actions-runner-default";
ReadWritePaths = [
"/dev/net/tun"
"/var/lib/gitea-runner"
];
BindReadOnlyPaths = [
"/nix/store"
];
DeviceAllow = [
"char-10-200 rw" # Allow TUN device access
];
};
preStop = ''
rm -rf /var/lib/gitea-runner/default/.cache/act/*
''; # Cache cleanup
};
unitConfig = {
RequiresMountsFor = "/dev/net/tun";
};
};
}
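Review bot: `valid_volumes` lets any workflow bind `/run/podman/podman.sock` read-write into its job container, which hands the job control of the host's container runtime (effectively root on the runner host), and the `--cap-drop=ALL` / `no-new-privileges` options below do nothing against that because they constrain only the job container itself; since this runner also advertises the generic `self-hosted` and `docker:*` labels, every workflow on the instance can request it. Unless a specific job needs the socket, drop that entry and keep only `"/dev/net/tun:/dev/net/tun:rw"` and `"/nix/store:/nix/store:ro"` (or give the socket-needing job its own runner). Separately, please confirm act_runner actually reads these keys: its documented config.yaml nests `valid_volumes`, `privileged` and `options` under `container:`, so top-level `valid_volumes`, `container_security` and `docker-opts` may be ignored in the generated config and the intended hardening would not be in effect — check the rendered config the service starts with. I also can't confirm that the label image arguments in `"docker:docker:*:*"` and `"forgejo:docker:git.sysctl.io/**/*:*"` are treated as globs rather than literal image names; verify against the runner's label parsing before relying on them.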