Enter fedi300 as a new CI runner (#59)

2024-12-16 14:07:08 +01:00 · 2024-12-16 14:07:08 +01:00 · 79730bfd38
parent 8b9e9e96ba 49a98c6066
commit 79730bfd38
11 changed files with 110 additions and 96 deletions
--- a/infra/README.org
+++ b/infra/README.org
@ -18,6 +18,7 @@ nixops4 apply <deployment>
 - ~git~ :: Machines hosting our Git infrastructure, eg. Forgejo and its actions
  runners
 - ~web~ :: Machines hosting our online content, eg. the website or the wiki
+- ~other~ :: Machines without a specific purpose

 * Procolix machines

@ -25,9 +26,10 @@ These machines are hosted on the Procolix Proxmox instance, to which
 non-Procolix members of the project do not have access. They host our stable
 infrastructure.

-| Machine | Description            | Deployment |
-|---------+------------------------+------------|
-| vm02116 | Forgejo                | ~git~        |
-| vm02179 | Forgejo actions runner | ~git~        |
-| vm02186 | Forgejo actions runner | ~git~        |
-| vm02187 | Wiki                   | ~web~        |
+| Machine | Proxmox     | Description            | Deployment |
+|---------+-------------+------------------------+------------|
+| vm02116 | Procolix    | Forgejo                | ~git~      |
+| vm02179 | Procolix    | /unused/               | ~other~    |
+| vm02186 | Procolix    | /unused/               | ~other~    |
+| vm02187 | Procolix    | Wiki                   | ~web~      |
+| fedi300 | Fediversity | Forgejo actions runner | ~git~      |
--- a/infra/common/default.nix
+++ b/infra/common/default.nix
@ -16,6 +16,13 @@ in
  system.stateVersion = "24.05"; # do not change
  nixpkgs.hostPlatform = mkDefault "x86_64-linux";

+  ## This is just nice to have, but it is also particularly important for the
+  ## Forgejo CI runners because the Nix configuration in the actions is directly
+  ## taken from here.
+  nix.extraOptions = ''
+    experimental-features = nix-command flakes
+  '';
+
  environment.systemPackages = with pkgs; [
    (pkgs.vim_configurable.customize {
      name = "vim";
--- a/infra/fedi300/default.nix
+++ b/infra/fedi300/default.nix
@ -0,0 +1,34 @@
+{ lib, ... }:
+
+{
+  imports = [
+    ../common
+    ./forgejo-actions-runner.nix
+  ];
+
+  procolix.vm = {
+    name = "fedi300";
+    ip4 = "95.215.187.30";
+    ip6 = "2a00:51c0:12:1305::30";
+  };
+
+  ## FIXME: We should just have an option under `procolix.vm` to distinguish
+  ## between Procolix VMs and Fediversity ones.
+  networking.domain = lib.mkForce "fediversity.eu";
+  networking.defaultGateway.address = lib.mkForce "95.215.187.1";
+  networking.defaultGateway6.address = lib.mkForce "2a00:51c0:13:1305::1";
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/cbcfaf6b-39bd-4328-9f53-dea8a9d32ecc";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/1A4E-07F4";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+}
--- a/infra/fedi300/forgejo-actions-runner.nix
+++ b/infra/fedi300/forgejo-actions-runner.nix
@ -29,6 +29,7 @@
        "docker:docker://node:16-bullseye"
        "native:host"
      ];
+
      hostPackages = with pkgs; [
        bash
        git
@ -40,10 +41,4 @@

  ## For the Docker mode of the runner.
  virtualisation.docker.enable = true;
-
-  ## The Nix configuration of the system influences the Nix configuration
-  ## in the workflow, and our workflows are often flake-based.
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
 }
--- a/infra/flake-part.nix
+++ b/infra/flake-part.nix
@ -25,6 +25,58 @@
          };
        };

+        fedi300 = {
+          type = providers.local.exec;
+          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+          ssh = {
+            host = "95.215.187.30";
+            opts = "";
+            hostPublicKey = self.keys.systems.fedi300;
+          };
+          nixpkgs = inputs.nixpkgs;
+          nixos.module = {
+            imports = [
+              ./fedi300
+              self.nixosModules.ageSecrets
+              { fediversity.hostPublicKey = self.keys.systems.fedi300; }
+            ];
+          };
+        };
+      };
+    };
+
+  nixops4Deployments.web =
+    { providers, ... }:
+    {
+      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
+
+      resources = {
+        vm02187 = {
+          type = providers.local.exec;
+          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
+          ssh = {
+            host = "185.206.232.187";
+            opts = "";
+            hostPublicKey = self.keys.systems.vm02187;
+          };
+          nixpkgs = inputs.nixpkgs;
+          nixos.module = {
+            imports = [
+              ./vm02187
+              self.nixosModules.ageSecrets
+              { fediversity.hostPublicKey = self.keys.systems.vm02187; }
+            ];
+          };
+        };
+      };
+    };
+
+  nixops4Deployments.other =
+    { providers, ... }:
+    {
+      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
+
+      resources = {
        vm02179 = {
          type = providers.local.exec;
          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
@ -62,30 +114,4 @@
        };
      };
    };
-
-  nixops4Deployments.web =
-    { providers, ... }:
-    {
-      providers.local = inputs.nixops4-nixos.modules.nixops4Provider.local;
-
-      resources = {
-        vm02187 = {
-          type = providers.local.exec;
-          imports = [ inputs.nixops4-nixos.modules.nixops4Resource.nixos ];
-          ssh = {
-            host = "185.206.232.187";
-            opts = "";
-            hostPublicKey = self.keys.systems.vm02187;
-          };
-          nixpkgs = inputs.nixpkgs;
-          nixos.module = {
-            imports = [
-              ./vm02187
-              self.nixosModules.ageSecrets
-              { fediversity.hostPublicKey = self.keys.systems.vm02187; }
-            ];
-          };
-        };
-      };
-    };
 }
--- a/infra/vm02179/default.nix
+++ b/infra/vm02179/default.nix
@ -1,7 +1,6 @@
 {
  imports = [
    ../common
-    ./gitea-runner.nix
  ];

  procolix.vm = {
--- a/infra/vm02179/gitea-runner.nix
+++ b/infra/vm02179/gitea-runner.nix
@ -1,42 +0,0 @@
-{ config, pkgs, ... }:
-
-{
-  virtualisation.docker.enable = true;
-
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
-    instances.default = {
-      enable = true;
-      name = "vm02179.procolix.com";
-      url = "https://git.fediversity.eu";
-      tokenFile = config.age.secrets.forgejo-runner-token.path;
-      labels = [
-        "docker:docker://node:16-bullseye"
-        "native:host"
-      ];
-      hostPackages = with pkgs; [
-        bash
-        git
-        nix
-        nodejs
-      ];
-      settings = {
-        log.level = "info";
-        runner = {
-          file = ".runner";
-          capacity = 8;
-          timeout = "3h";
-          insecure = false;
-          fetch_timeout = "5s";
-          fetch_interval = "2s";
-        };
-      };
-    };
-  };
-
-  ## The Nix configuration of the system influences the Nix configuration
-  ## in the workflow, and our workflows are often flake-based.
-  nix.extraOptions = ''
-    experimental-features = nix-command flakes
-  '';
-}
--- a/infra/vm02186/default.nix
+++ b/infra/vm02186/default.nix
@ -1,7 +1,6 @@
 {
  imports = [
    ../common
-    ./gitea-runner.nix
  ];

  procolix.vm = {
--- a/keys/systems/fedi300.pub
+++ b/keys/systems/fedi300.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFH/Kvye5It8FojdjpsuyZQiU0kxj2wq7Zq/+61vxNn
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -1,11 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 1MUEqQ 5Bvi8UvLbifM2vlDOr4NRaZLRfIg6kAPY0oiwiSy50o
-TnbS5BHO4hmjs7Ux9rRMzK9ahsIkU9GpmAx59MzIpI0
-> ssh-ed25519 h0QWFg 4Cu85VZM6zyysIYwMFccXUWUGejkylHiytJA4+2nN1Q
-e8XuOUfrOZ6xoWNK4gvVgs0H5pgtqUfrv/DBeh1WIsU
-> ssh-ed25519 pJV4iw JQgQMTxfDZ/26In72UHPU+k0ZGBK1DRQWoOwfxS0xwI
-8De1c3d95ySwjqjQn9rHlYDfMDTHct1kbyjVx+8EZyA
--- neht26C0cEHeTGVa+epEwoO+oqXvyO94xwp25zAX6wY
-ˇDčNŻ+ŰVâU8©ŘĽQv©Ň<C2A9>ľţAđ‹~Ž+űáÄ<C3A1>łL©wŞ`<60>óŤüE©XfV®ż©Ą0@ůqHj
-Î˛RGOY
-.?Dĺ9<C4BA>ŹO[%\
+-> ssh-ed25519 1MUEqQ QbrQLCnwsw79a0fjmKK0nSHl6n/+qRGg9E2vwufiCDM
+z7SiyeLgJK7ueDyox4eXLxYNjJUPD2N4V+2IyV6Yibc
+-> ssh-ed25519 rJoYaw jn0foZgtavsFhVVoXKHkp+1ZU1SeFqkff2D89I5k3iQ
+YA58TNYkEhBvNHuSBfZv1uxaeJoQ1T4Wb+VswWgi5ck
+--- crnhqJNO+eMBMgAgJjQsS0EOxee/UazYlssOXxlcp1g
+—šU$1ÓÈ±{²Ëôil©Î_èâÖyŸG´äå)(·<1D>ñ“D\òY÷ã`ß¿³ð2<C3B0>½/lÆ¢w–å•‚Ân¸ŸO«C³
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,10 +26,7 @@ concatMapAttrs
    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [
-        vm02179
-        vm02186
-      ];
+      forgejo-runner-token = [ fedi300 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
      wiki-password = [ vm02187 ];
      wiki-smtp-password = [ vm02187 ];
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFH/Kvye5It8FojdjpsuyZQiU0kxj2wq7Zq/+61vxNn`