kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

reconciliate old/new runners

Browse source
This commit is contained in:
Kiara Grouwstra 2025-07-07 09:29:38 +02:00
parent 180dbfcea6
commit 498e5a17b4
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
1 changed files with 56 additions and 27 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
machines/dev/forgejo-ci/forgejo-actions-runner.nix
View file

@ -1,4 +1,3 @@
# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
{
pkgs,
lib,
@ -39,7 +38,55 @@ let
'';
numInstances = 2;
in
{
_class = "nixos";
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
enable = true;
name = config.networking.fqdn;
url = "https://git.fediversity.eu";
tokenFile = config.age.secrets.forgejo-runner-token.path;
## This runner supports Docker (with a default Ubuntu image) and native
## modes. In native mode, it contains a few default packages.
labels = [
"nix:docker://gitea-runner-nix"
"docker:docker://node:16-bullseye"
"native:host"
];
hostPackages = with pkgs; [
bash
git
nix
nodejs
];
settings = {
container = {
options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
network = "host";
valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
};
log.level = "info";
runner = {
file = ".runner";
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
capacity = 1;
timeout = "3h";
insecure = false;
fetch_timeout = "5s";
fetch_interval = "2s";
};
};
});
};
users = {
users.nixuser = {
group = "nixuser";
@ -50,42 +97,24 @@ in
groups.nixuser = { };
};
virtualisation = {
podman.enable = true;
## For the Docker mode of the runner.
docker.enable = true;
containers.containersConf.settings = {
# podman seems to not work with systemd-resolved
# podman (at least) seems to not work with systemd-resolved
containers.dns_servers = [
"8.8.8.8"
"8.8.4.4"
];
};
};
services.gitea-actions-runner.instances =
lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
(_: {
enable = true;
name = "nix-runner";
url = "https://git.fediversity.eu";
tokenFile = config.age.secrets.forgejo-runner-token.path;
labels = [ "nix:docker://gitea-runner-nix" ];
settings = {
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
# the default network that also respects our dns server settings
container.network = "host";
container.valid_volumes = [
"/nix"
"${storeDeps}/bin"
"${storeDeps}/etc/ssl"
];
};
});
systemd.services =
{
gitea-runner-nix-image = {
wantedBy = [ "multi-user.target" ];
after = [ "podman.service" ];
requires = [ "podman.service" ];
after = [ "docker.service" ];
requires = [ "docker.service" ];
path = [
config.virtualisation.podman.package
pkgs.docker
pkgs.gnutar
pkgs.shadow
pkgs.getent
@ -124,7 +153,7 @@ in
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
tar -cv . | docker import - gitea-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "gitea-runner-nix-image";
@ -185,7 +214,7 @@ in
"~setdomainname"
"~sethostname"
];
SupplementaryGroups = [ "podman" ];
SupplementaryGroups = [ "docker" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"