reconciliate old/new runners
parent
14a5e057b9
commit
2cef9589db
1 changed files with 56 additions and 27 deletions
|
@ -1,4 +1,3 @@
|
||||||
# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
|
|
||||||
{
|
{
|
||||||
pkgs,
|
pkgs,
|
||||||
lib,
|
lib,
|
||||||
|
@ -39,7 +38,55 @@ let
|
||||||
'';
|
'';
|
||||||
numInstances = 2;
|
numInstances = 2;
|
||||||
in
|
in
|
||||||
|
|
||||||
{
|
{
|
||||||
|
_class = "nixos";
|
||||||
|
|
||||||
|
services.gitea-actions-runner = {
|
||||||
|
package = pkgs.forgejo-actions-runner;
|
||||||
|
instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
|
||||||
|
enable = true;
|
||||||
|
name = config.networking.fqdn;
|
||||||
|
url = "https://git.fediversity.eu";
|
||||||
|
tokenFile = config.age.secrets.forgejo-runner-token.path;
|
||||||
|
## This runner supports Docker (with a default Ubuntu image) and native
|
||||||
|
## modes. In native mode, it contains a few default packages.
|
||||||
|
labels = [
|
||||||
|
"nix:docker://gitea-runner-nix"
|
||||||
|
"docker:docker://node:16-bullseye"
|
||||||
|
"native:host"
|
||||||
|
];
|
||||||
|
hostPackages = with pkgs; [
|
||||||
|
bash
|
||||||
|
git
|
||||||
|
nix
|
||||||
|
nodejs
|
||||||
|
];
|
||||||
|
settings = {
|
||||||
|
container = {
|
||||||
|
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
||||||
|
# the default network that also respects our dns server settings
|
||||||
|
network = "host";
|
||||||
|
valid_volumes = [
|
||||||
|
"/nix"
|
||||||
|
"${storeDeps}/bin"
|
||||||
|
"${storeDeps}/etc/ssl"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
log.level = "info";
|
||||||
|
runner = {
|
||||||
|
file = ".runner";
|
||||||
|
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
|
||||||
|
capacity = 1;
|
||||||
|
timeout = "3h";
|
||||||
|
insecure = false;
|
||||||
|
fetch_timeout = "5s";
|
||||||
|
fetch_interval = "2s";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
};
|
||||||
|
|
||||||
users = {
|
users = {
|
||||||
users.nixuser = {
|
users.nixuser = {
|
||||||
group = "nixuser";
|
group = "nixuser";
|
||||||
|
@ -50,42 +97,24 @@ in
|
||||||
groups.nixuser = { };
|
groups.nixuser = { };
|
||||||
};
|
};
|
||||||
virtualisation = {
|
virtualisation = {
|
||||||
podman.enable = true;
|
## For the Docker mode of the runner.
|
||||||
|
docker.enable = true;
|
||||||
containers.containersConf.settings = {
|
containers.containersConf.settings = {
|
||||||
# podman seems to not work with systemd-resolved
|
# podman (at least) seems to not work with systemd-resolved
|
||||||
containers.dns_servers = [
|
containers.dns_servers = [
|
||||||
"8.8.8.8"
|
"8.8.8.8"
|
||||||
"8.8.4.4"
|
"8.8.4.4"
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.gitea-actions-runner.instances =
|
|
||||||
lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
|
|
||||||
(_: {
|
|
||||||
enable = true;
|
|
||||||
name = "nix-runner";
|
|
||||||
url = "https://git.fediversity.eu";
|
|
||||||
tokenFile = config.age.secrets.forgejo-runner-token.path;
|
|
||||||
labels = [ "nix:docker://gitea-runner-nix" ];
|
|
||||||
settings = {
|
|
||||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
|
|
||||||
# the default network that also respects our dns server settings
|
|
||||||
container.network = "host";
|
|
||||||
container.valid_volumes = [
|
|
||||||
"/nix"
|
|
||||||
"${storeDeps}/bin"
|
|
||||||
"${storeDeps}/etc/ssl"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
});
|
|
||||||
systemd.services =
|
systemd.services =
|
||||||
{
|
{
|
||||||
gitea-runner-nix-image = {
|
gitea-runner-nix-image = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "podman.service" ];
|
after = [ "docker.service" ];
|
||||||
requires = [ "podman.service" ];
|
requires = [ "docker.service" ];
|
||||||
path = [
|
path = [
|
||||||
config.virtualisation.podman.package
|
pkgs.docker
|
||||||
pkgs.gnutar
|
pkgs.gnutar
|
||||||
pkgs.shadow
|
pkgs.shadow
|
||||||
pkgs.getent
|
pkgs.getent
|
||||||
|
@ -124,7 +153,7 @@ in
|
||||||
|
|
||||||
# list the content as it will be imported into the container
|
# list the content as it will be imported into the container
|
||||||
tar -cv . | tar -tvf -
|
tar -cv . | tar -tvf -
|
||||||
tar -cv . | podman import - gitea-runner-nix
|
tar -cv . | docker import - gitea-runner-nix
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
RuntimeDirectory = "gitea-runner-nix-image";
|
RuntimeDirectory = "gitea-runner-nix-image";
|
||||||
|
@ -185,7 +214,7 @@ in
|
||||||
"~setdomainname"
|
"~setdomainname"
|
||||||
"~sethostname"
|
"~sethostname"
|
||||||
];
|
];
|
||||||
SupplementaryGroups = [ "podman" ];
|
SupplementaryGroups = [ "docker" ];
|
||||||
RestrictAddressFamilies = [
|
RestrictAddressFamilies = [
|
||||||
"AF_INET"
|
"AF_INET"
|
||||||
"AF_INET6"
|
"AF_INET6"
|
||||||
|
|
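Review bot: Giving every generated instance the `native:host` label next to the `docker://` labels (the `labels` list inside `lib.genAttrs (...)`) means any workflow that selects `native` runs unsandboxed on this host as the runner's service user, and — if I recall the NixOS gitea-actions-runner module correctly — that same user is added to the `docker` group for the docker-scheme labels, which is root-equivalent through the socket that `virtualisation.docker.enable = true` now provides. The previous instances offered only `nix:docker://gitea-runner-nix`, so this is a new exposure for every repository the token at `forgejo-runner-token` is registered to, and nothing in the hunk limits which repositories may request `native`. I would drop `"native:host"` from the shared list, or move it to a dedicated instance that carries no docker labels and its own token, and put a comment above `labels` stating which label each repository is expected to use and why the host label is trusted. Separately, `docker:docker://node:16-bullseye` pins an end-of-life Node release; a supported tag would avoid running unpatched tooling in jobs.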