Testing
This commit is contained in:
parent
ebbba413e7
commit
884a255970
3 changed files with 58 additions and 41 deletions
|
@ -10,7 +10,7 @@ on:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
deploy-rs:
|
deploy-rs:
|
||||||
runs-on: headscale-runner
|
runs-on: forgejo
|
||||||
container:
|
container:
|
||||||
image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
|
image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
|
||||||
options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
|
options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
|
||||||
|
|
|
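Review bot: The new `runs-on: forgejo` still carries `options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged`, which hands every step in this job full host device and capability access, and it contradicts the `allow-privileged = false` / `--cap-drop=ALL` intent this same commit adds to the runner configuration. Whether act_runner lets runner-side settings veto a job-supplied `--privileged` I cannot confirm from this page; if it does, this job now fails on the `forgejo` label, and if it does not, the privileged flag silently wins, so either way it should be narrowed to what a TUN-backed job needs, e.g. `options: --device /dev/net/tun --cap-add=NET_ADMIN`. The `on:` block precedes this hunk and the rest of the job follows it, and the workflow's file name is not visible in this view.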
@ -1,26 +1,25 @@
|
||||||
---
|
name: Deploy Systems
|
||||||
iname: Deploy Systems
|
on: [workflow_dispatch]
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
deploy:
|
deploy:
|
||||||
runs-on: nix
|
runs-on: nix
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- uses: https://git.madhouse-project.org/actions/nix/setup@v2
|
||||||
uses: https://code.forgejo.org/actions/checkout@v4
|
with:
|
||||||
|
nix_path: nixpkgs=flake:nixpkgs
|
||||||
|
|
||||||
- name: Validate Flake
|
- uses: https://git.madhouse-project.org/actions/nix/build@v2
|
||||||
run: nix flake check
|
with:
|
||||||
|
flake: .
|
||||||
|
targets: |
|
||||||
|
nixosConfigurations
|
||||||
|
|
||||||
- name: Build Systems
|
- uses: https://git.madhouse-project.org/actions/nix/deploy-rs@v2
|
||||||
run: nix build .#nixosConfigurations --show-trace
|
with:
|
||||||
|
ssh_user: ${{ secrets.SSH_USER }}
|
||||||
- name: Deploy with deploy-rs
|
ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
|
||||||
run: nix run .#deploy -- -- --confirm
|
confirm: true
|
||||||
env:
|
|
||||||
DEPLOY_SSH_USER: ${{ secrets.SSH_USER }}
|
|
||||||
DEPLOY_SSH_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
|
|
||||||
|
|
||||||
- uses: https://git.sysctl.io/actions/gotify-action@master
|
- uses: https://git.sysctl.io/actions/gotify-action@master
|
||||||
if: always()
|
if: always()
|
||||||
|
@ -32,3 +31,4 @@ jobs:
|
||||||
notification_message: |
|
notification_message: |
|
||||||
Status: ${{ job.status }}
|
Status: ${{ job.status }}
|
||||||
Commit: ${{ github.sha }}
|
Commit: ${{ github.sha }}
|
||||||
|
|
||||||
|
|
|
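Review bot: The new `nix/setup@v2`, `nix/build@v2` and `nix/deploy-rs@v2` steps are pinned to a mutable tag on an external forge, and the deploy-rs step passes them `secrets.SSH_PRIVATE_KEY` and `secrets.SSH_USER`; anyone who can move that tag can swap the action's code and read the deploy key. Pin each `uses:` to a full commit SHA and keep the tag as a trailing comment, e.g. `- uses: https://git.madhouse-project.org/actions/nix/deploy-rs@<full-commit-sha> # v2`, and treat the pre-existing `gotify-action@master` the same way. The rewrite also drops the explicit `nix flake check` step; unless `nix/build@v2` evaluates the flake's checks (I cannot tell from here), a broken configuration is now only caught at deploy time, so consider keeping a `run: nix flake check` step before the build. The second hunk (`notification_message`) is unchanged context, and the lines between the two hunks are not shown.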
@ -5,7 +5,7 @@
|
||||||
owner = "root";
|
owner = "root";
|
||||||
mode = "0444"; # gitea-actions-runner uses "DynamicUser"
|
mode = "0444"; # gitea-actions-runner uses "DynamicUser"
|
||||||
sopsFile = ../../../secrets/secrets.yaml;
|
sopsFile = ../../../secrets/secrets.yaml;
|
||||||
restartUnits = [ "gitea-actions-runner-${hostname}.service" ];
|
restartUnits = [ "gitea-actions-runner-default.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.gitea-actions-runner = {
|
services.gitea-actions-runner = {
|
||||||
|
@ -14,34 +14,51 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
name = "${hostname}";
|
name = "${hostname}";
|
||||||
labels = [
|
labels = [
|
||||||
"nix:host://self-hsoted"
|
# Host runners (direct execution)
|
||||||
"${hostname}:host://self-hosted"
|
"nix:host" # Simplified host label
|
||||||
"self-hosted:host://self-hosted"
|
"${hostname}:host" # Host identifier
|
||||||
"alpine:docker://alpine:edge"
|
"self-hosted:host" # Standard host designation
|
||||||
"ubuntu:docker://ubuntu:latest"
|
# Docker wildcards
|
||||||
"headscale-runner:docker://git.sysctl.io/albert/actions-container-images/headscale-runner:latest"
|
"docker:docker:*:*"
|
||||||
];
|
"forgejo:docker:git.sysctl.io/**/*:*"
|
||||||
|
];
|
||||||
url = "https://git.sysctl.io";
|
url = "https://git.sysctl.io";
|
||||||
tokenFile = /run/secrets/services/forgejo_token;
|
tokenFile = /run/secrets/services/forgejo_token;
|
||||||
hostPackages = with pkgs; [
|
hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
|
||||||
nodejs_20 # Explicitly use Node.js 20.x
|
settings = {
|
||||||
deploy-rs
|
valid_volumes = [
|
||||||
coreutils
|
"/run/podman/podman.sock:/run/podman/podman.sock:rw" # Docker socket
|
||||||
git
|
"/dev/net/tun:/dev/net/tun:rw" # Tunnel device mapping
|
||||||
gnutar
|
"/nix/store:/nix/store:ro" # Standard Nix requirement
|
||||||
gzip
|
];
|
||||||
];
|
container_security = {
|
||||||
|
allow-privileged = false;
|
||||||
|
allow-host-namespace = false;
|
||||||
|
};
|
||||||
|
docker-opts = [
|
||||||
|
"--cap-drop=ALL" # Drop all caps first
|
||||||
|
"--security-opt=no-new-privileges"
|
||||||
|
"--cap-add=NET_ADMIN" # Required for TUN device access
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.gitea-actions-runner-default = {
|
systemd.services.gitea-actions-runner-default = {
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
CacheDirectory = "gitea-actions-runner-default"; # Add this line
|
ReadWritePaths = [
|
||||||
StateDirectory = "gitea-actions-runner-default";
|
"/dev/net/tun"
|
||||||
RuntimeDirectory = "gitea-actions-runner-default";
|
"/var/lib/gitea-runner"
|
||||||
|
];
|
||||||
|
BindReadOnlyPaths = [
|
||||||
|
"/nix/store"
|
||||||
|
];
|
||||||
|
DeviceAllow = [
|
||||||
|
"char-10-200 rw" # Allow TUN device access
|
||||||
|
];
|
||||||
};
|
};
|
||||||
preStop = ''
|
unitConfig = {
|
||||||
rm -rf /var/lib/gitea-runner/default/.cache/act/*
|
RequiresMountsFor = "/dev/net/tun";
|
||||||
''; # Cache cleanup
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
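Review bot: The new `valid_volumes` entry `"/run/podman/podman.sock:/run/podman/podman.sock:rw"`, combined with the catch-all `docker:docker:*:*` and `self-hosted:host` labels, lets any workflow this runner picks up mount the container-runtime socket and start arbitrary containers on the host, which is root on the runner regardless of the `--cap-drop=ALL` / `allow-privileged = false` settings below it. Drop that line (or confine it to a dedicated, non-wildcard label) and keep only `/dev/net/tun` and the read-only `/nix/store` in the allow-list. I also do not recognise `container_security`, `docker-opts` or a top-level `valid_volumes` as act_runner configuration keys — act_runner reads `container.valid_volumes`, `container.privileged` and `container.options` — so please confirm the NixOS module nests these under `container:`; if it does not, they are silently ignored and none of this hardening takes effect. Finally, `DeviceAllow` on the systemd unit turns on a device allow-list for the whole runner process (including host-label jobs), and `RequiresMountsFor = "/dev/net/tun"` names a device node rather than a mount point; verify both actually behave as the comments claim.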