Add forgejo-ci machine to our infrastructure (#389)

picked up from https://git.fediversity.eu/Fediversity/Fediversity/compare/main...niols:forgejo-ci. closes #356. Co-authored-by: Nicolas “Niols” Jeannerod <nicolas.jeannerod@moduscreate.com> Reviewed-on: Fediversity/Fediversity#389 Reviewed-by: Nicolas Jeannerod <nicolas.jeannerod@moduscreate.com> Co-authored-by: Kiara Grouwstra <kiara@procolix.eu> Co-committed-by: Kiara Grouwstra <kiara@procolix.eu>
2025-07-02 17:43:09 +02:00 · 2025-07-02 17:43:09 +02:00 · 871672d447
commit 871672d447
parent 6da42936e7
9 changed files with 122 additions and 6 deletions
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@ -23,4 +23,9 @@ in
  nix.extraOptions = ''
    experimental-features = nix-command flakes
  '';
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
 }
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@ -6,11 +6,6 @@
  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];

  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
    initrd = {
      availableKernelModules = [
        "ata_piix"
--- a/keys/systems/forgejo-ci.pub
+++ b/keys/systems/forgejo-ci.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
--- a/machines/dev/forgejo-ci/default.nix
+++ b/machines/dev/forgejo-ci/default.nix
@ -0,0 +1,66 @@
+{
+  lib,
+  ...
+}:
+{
+  _class = "nixops4Resource";
+
+  # XXX this needs an SSH config entry `forgejo-ci` to locate and access the machine. also needs `HostKeyAlias`.
+  ssh.host = lib.mkForce "forgejo-ci";
+
+  fediversityVm = {
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+  };
+
+  nixos.module =
+    {
+      config,
+      lib,
+      ...
+    }:
+    let
+      inherit (lib) mkDefault mkForce;
+    in
+    {
+      _class = "nixos";
+
+      imports = [
+        ./forgejo-actions-runner.nix
+      ];
+
+      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+      networking = {
+        nftables.enable = mkForce false;
+        hostId = "1d6ea552";
+      };
+
+      ## NOTE: This is a physical machine, so is not covered by disko
+      fileSystems."/" = {
+        device = "rpool/root";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/50B2-DD3F";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+}
--- a/machines/dev/forgejo-ci/forgejo-actions-runner.nix
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+{
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}
--- a/machines/machines.md
+++ b/machines/machines.md
@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./dev/fedi201) | fediversity | FediPanel
 [`vm02116`](./dev/vm02116) | procolix | Forgejo
 [`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |

 This table excludes all machines with names starting with `test`.
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done

 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |

 This table excludes all machines with names starting with `test`.
 EOF
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,7 +26,7 @@ concatMapAttrs
    {
      forgejo-database-password = [ vm02116 ];
      forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
      panel-secret-key = [ fedi201 ];
      panel-ssh-key = [ fedi201 ];
      wiki-basicauth-htpasswd = [ vm02187 ];
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A`