Add a deployment for forgejo-ci

2025-07-02 12:27:07 +02:00 · 2025-07-02 12:27:07 +02:00 · 447cbbcdd8
commit 447cbbcdd8
parent aa36402bbc
5 changed files with 65 additions and 0 deletions
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -167,6 +167,10 @@ in
 {
  _class = "flake";

+  # NOTE: `forgejo-ci`, being a physical machine and not a Proxmox VM, gets
+  # custom treatment.
+  imports = [ ./forgejo-ci/flake-part.nix ];
+
  ## - Each normal or test machine gets a NixOS configuration.
  ## - Each normal or test machine gets a VM options entry.
  ## - Each normal machine gets a deployment.
--- a/infra/forgejo-ci/flake-part.nix
+++ b/infra/forgejo-ci/flake-part.nix
@ -0,0 +1,58 @@
+{
+  lib,
+  inputs,
+  sources,
+  keys,
+  secrets,
+  ...
+}:
+
+## NOTE: Hackish solution mostly taken from `../common/resource.nix`.
+## Eventually, `forgejo-ci` should move to a datacentre somewhere and this code
+## should be integrated with the code for other machines (in particular VMs).
+
+let
+  inherit (lib) attrValues elem;
+  inherit (lib.attrsets) concatMapAttrs optionalAttrs;
+  inherit (lib.strings) removeSuffix;
+
+  hostPublicKey = keys.systems.forgejo-ci;
+in
+{
+  _class = "flake";
+
+  nixops4Deployments.forgejo-ci =
+    { providers, ... }:
+    {
+      providers.local = inputs.nixops4.modules.nixops4Provider.local;
+
+      resources.forgejo-ci = {
+        type = providers.local.exec;
+        imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+
+        ssh = {
+          host = "forgejo-ci";
+          hostPublicKey = hostPublicKey;
+        };
+
+        nixpkgs = inputs.nixpkgs;
+
+        nixos.module = {
+          imports = with sources; [
+            "${agenix}/modules/age.nix"
+            "${disko}/module.nix"
+            ./configuration.nix
+          ];
+
+          age.secrets = concatMapAttrs (
+            name: secret:
+            optionalAttrs (elem hostPublicKey secret.publicKeys) {
+              ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
+            }
+          ) secrets.mapping;
+
+          users.users.root.openssh.authorizedKeys.keys = attrValues keys.contributors;
+        };
+      };
+    };
+}
--- a/keys/systems/forgejo-ci.pub
+++ b/keys/systems/forgejo-ci.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
--- a/machines/machines.md
+++ b/machines/machines.md
@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./dev/fedi201) | fediversity | FediPanel
 [`vm02116`](./dev/vm02116) | procolix | Forgejo
 [`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |

 This table excludes all machines with names starting with `test`.
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done

 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |

 This table excludes all machines with names starting with `test`.
 EOF
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A`