diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
index 352ebda0..49ed78cb 100644
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@@ -1,4 +1,3 @@
-# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
 {
   pkgs,
   lib,
@@ -39,7 +38,55 @@ let
   '';
   numInstances = 2;
 in
+
 {
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
+      enable = true;
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "nix:docker://gitea-runner-nix"
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+      settings = {
+        container = {
+          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+          # the default network that also respects our dns server settings
+          network = "host";
+          valid_volumes = [
+            "/nix"
+            "${storeDeps}/bin"
+            "${storeDeps}/etc/ssl"
+          ];
+        };
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+    });
+  };
+
   users = {
     users.nixuser = {
       group = "nixuser";
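Review bot: The `native:host` label added to `labels` runs workflow steps directly on the host as the runner's service user with no container boundary, and because this module also grants that user `SupplementaryGroups = [ "docker" ]`, a host job can reach the Docker daemon and is therefore effectively root on the CI machine; the `##` comment above `labels` should state that trust assumption, e.g. `## native:host runs jobs unsandboxed as the runner user (docker group): trusted repositories only.` `container.options` is applied to every container-label job, so `docker:docker://node:16-bullseye` jobs also get the writable `/nix` mount, `/dev/kvm`, and `${storeDeps}/bin` bound over `/bin` with `PATH=/bin`, which presumably hides the image's own `node`; check that this label actually works before advertising it. `node:16-bullseye` is an end-of-life Node release, so a supported tag would be safer. `--device /dev/kvm` is passed twice in `options`; one can go. The enclosing `let … in` and the module attrset start outside the hunk.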
@@ -50,42 +97,24 @@ in
     groups.nixuser = { };
   };
   virtualisation = {
-    podman.enable = true;
+    ## For the Docker mode of the runner.
+    docker.enable = true;
     containers.containersConf.settings = {
-      # podman seems to not work with systemd-resolved
+      # podman (at least) seems to not work with systemd-resolved
       containers.dns_servers = [
         "8.8.8.8"
         "8.8.4.4"
       ];
     };
   };
-  services.gitea-actions-runner.instances =
-    lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
-      (_: {
-        enable = true;
-        name = "nix-runner";
-        url = "https://git.fediversity.eu";
-        tokenFile = config.age.secrets.forgejo-runner-token.path;
-        labels = [ "nix:docker://gitea-runner-nix" ];
-        settings = {
-          container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
-          # the default network that also respects our dns server settings
-          container.network = "host";
-          container.valid_volumes = [
-            "/nix"
-            "${storeDeps}/bin"
-            "${storeDeps}/etc/ssl"
-          ];
-        };
-      });
 
   systemd.services = {
     gitea-runner-nix-image = {
       wantedBy = [ "multi-user.target" ];
-      after = [ "podman.service" ];
-      requires = [ "podman.service" ];
+      after = [ "docker.service" ];
+      requires = [ "docker.service" ];
       path = [
-        config.virtualisation.podman.package
+        pkgs.docker
         pkgs.gnutar
         pkgs.shadow
         pkgs.getent
@@ -124,7 +153,7 @@ in
 
         # list the content as it will be imported into the container
         tar -cv . | tar -tvf -
-        tar -cv . | podman import - gitea-runner-nix
+        tar -cv . | docker import - gitea-runner-nix
       '';
       serviceConfig = {
         RuntimeDirectory = "gitea-runner-nix-image";
@@ -185,7 +214,7 @@ in
           "~setdomainname"
           "~sethostname"
         ];
-        SupplementaryGroups = [ "podman" ];
+        SupplementaryGroups = [ "docker" ];
         RestrictAddressFamilies = [
           "AF_INET"
           "AF_INET6"
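Review bot: `virtualisation.containers.containersConf.settings.containers.dns_servers` is containers-common configuration read by podman, not by the Docker daemon that `docker.enable = true` now starts, so after this hunk the DNS workaround no longer applies to the runtime actually in use and the reworded comment above it is misleading. Either drop the block or move it to the daemon, e.g. `virtualisation.docker.daemon.settings.dns = [ "8.8.8.8" "8.8.4.4" ];`. Since the runner settings keep `container.network = "host"`, container jobs presumably use the host resolver anyway, so confirm the setting is still needed before keeping it in either form. The enclosing `virtualisation` and `systemd.services` attrsets extend beyond the hunk.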
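Review bot: `SupplementaryGroups = [ "docker" ]` makes the runner service user root-equivalent on this host, because docker-group access to the daemon socket allows starting a container with `--privileged` or `-v /:/host`, and the surrounding hardening (`SystemCallFilter`, `RestrictAddressFamilies`) constrains only the runner process, not what the daemon does on its behalf. If the runner executes `native:host` jobs as its own user, those jobs inherit the group too; whether the previous `podman` group was equivalent depends on how the podman socket was configured, which this diff does not show. Record the decision next to the line, e.g. `# docker group is root-equivalent here; the runner (and any host-mode job) can escalate via the daemon.`, and consider restricting this runner to trusted repositories or fronting the socket with a filtering proxy. The enclosing `serviceConfig` starts and ends outside the hunk.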