From 871672d447766eedcd63ae97f5f3d60f4f8825be Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Wed, 2 Jul 2025 17:43:09 +0200
Subject: [PATCH] Add `forgejo-ci` machine to our infrastructure (#389)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

picked up from https://git.fediversity.eu/Fediversity/Fediversity/compare/main...niols:forgejo-ci. closes #356.

Co-authored-by: Nicolas “Niols” Jeannerod
Reviewed-on: https://git.fediversity.eu/Fediversity/Fediversity/pulls/389
Reviewed-by: Nicolas Jeannerod
Co-authored-by: Kiara Grouwstra
Co-committed-by: Kiara Grouwstra
---
 infra/common/nixos/default.nix | 5 ++
 infra/common/proxmox-qemu-vm.nix | 5 --
 keys/systems/forgejo-ci.pub | 1 +
 machines/dev/forgejo-ci/default.nix | 66 ++++++++++++++++++
 .../dev/forgejo-ci/forgejo-actions-runner.nix | 47 +++++++++++++
 machines/machines.md | 1 +
 machines/machines.md.sh | 1 +
 secrets/forgejo-runner-token.age | Bin 809 -> 699 bytes
 secrets/secrets.nix | 2 +-
 9 files changed, 122 insertions(+), 6 deletions(-)
 create mode 100644 keys/systems/forgejo-ci.pub
 create mode 100644 machines/dev/forgejo-ci/default.nix
 create mode 100644 machines/dev/forgejo-ci/forgejo-actions-runner.nix

diff --git a/infra/common/nixos/default.nix b/infra/common/nixos/default.nix
index 54b1dff3..71b08426 100644
--- a/infra/common/nixos/default.nix
+++ b/infra/common/nixos/default.nix
@@ -23,4 +23,9 @@ in
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
 }
diff --git a/infra/common/proxmox-qemu-vm.nix b/infra/common/proxmox-qemu-vm.nix
index 06d05e87..b100a6d5 100644
--- a/infra/common/proxmox-qemu-vm.nix
+++ b/infra/common/proxmox-qemu-vm.nix
@@ -6,11 +6,6 @@
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
   boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
     initrd = {
       availableKernelModules = [
         "ata_piix"
diff --git a/keys/systems/forgejo-ci.pub b/keys/systems/forgejo-ci.pub
new file mode 100644
index 00000000..d783c4b6
--- /dev/null
+++ b/keys/systems/forgejo-ci.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A
diff --git a/machines/dev/forgejo-ci/default.nix b/machines/dev/forgejo-ci/default.nix
new file mode 100644
index 00000000..569cbb4b
--- /dev/null
+++ b/machines/dev/forgejo-ci/default.nix
@@ -0,0 +1,66 @@
+{
+  lib,
+  ...
+}:
+{
+  _class = "nixops4Resource";
+
+  # XXX this needs an SSH config entry `forgejo-ci` to locate and access the machine. also needs `HostKeyAlias`.
+  ssh.host = lib.mkForce "forgejo-ci";
+
+  fediversityVm = {
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+  };
+
+  nixos.module =
+    {
+      config,
+      lib,
+      ...
+    }:
+    let
+      inherit (lib) mkDefault mkForce;
+    in
+    {
+      _class = "nixos";
+
+      imports = [
+        ./forgejo-actions-runner.nix
+      ];
+
+      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+      networking = {
+        nftables.enable = mkForce false;
+        hostId = "1d6ea552";
+      };
+
+      ## NOTE: This is a physical machine, so is not covered by disko
+      fileSystems."/" = {
+        device = "rpool/root";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/50B2-DD3F";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+}
diff --git a/machines/dev/forgejo-ci/forgejo-actions-runner.nix b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
new file mode 100644
index 00000000..bb6928cc
--- /dev/null
+++ b/machines/dev/forgejo-ci/forgejo-actions-runner.nix
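Review bot: `nftables.enable = mkForce false;` inside the `networking` block of machines/dev/forgejo-ci/default.nix carries no rationale, and `mkForce` means no later module can re-enable the nftables backend without an evaluation conflict. Presumably this is for the Docker daemon that ./forgejo-actions-runner.nix turns on, since Docker manages its own iptables rules, but that is an inference; a why-comment such as `# Docker (see ./forgejo-actions-runner.nix) manages iptables rules itself, so keep the iptables backend — TODO confirm` would spare the next reader the guess. The `# XXX` comment about the `forgejo-ci` SSH config entry and `HostKeyAlias` would also be more useful if it said where that entry is expected to live (operator's ~/.ssh/config vs. a module in this repo) and which host key it should pin, given that keys/systems/forgejo-ci.pub is added in this same commit.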
@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+{
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}
diff --git a/machines/machines.md b/machines/machines.md
index fd3d6978..72204328 100644
--- a/machines/machines.md
+++ b/machines/machines.md
@@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./dev/fedi201) | fediversity | FediPanel
 [`vm02116`](./dev/vm02116) | procolix | Forgejo
 [`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
diff --git a/machines/machines.md.sh b/machines/machines.md.sh
index a095ed82..c5584b4b 100644
--- a/machines/machines.md.sh
+++ b/machines/machines.md.sh
@@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF
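Review bot: The comment above `labels` says the Docker label uses "a default Ubuntu image", but the label itself is `docker:docker://node:16-bullseye`, a Debian bullseye based image whose Node 16 is no longer maintained upstream; at minimum the comment should match, e.g. `## This runner supports Docker (with a Debian bullseye / Node 16 image) and native`, and the image pin is worth revisiting. The `native:host` label runs workflow jobs directly on this physical machine with the `hostPackages` listed, so the set of repositories on git.fediversity.eu allowed to dispatch to this runner is the trust boundary; a one-line comment next to `labels` stating that assumption would make it explicit for whoever registers the runner. `insecure = false` and the agenix-provided `tokenFile` look right; `name = config.networking.fqdn` relies on the domain set in the sibling default.nix, which is outside this hunk.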
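Review bot: The hand-written row added inside the heredoc is wrapped in outer `|` delimiters, while the rows generated by the loop above it (visible in the machines.md hunk, e.g. ``[`vm02187`](./dev/vm02187) | procolix | Wiki``) are not, so the rendered table mixes two row styles; the new line should probably read `` `forgejo-ci` | n/a (physical) | Forgejo actions runner `` or, like the other rows, link to its directory as ``[`forgejo-ci`](./dev/forgejo-ci) | n/a (physical) | Forgejo actions runner``. A short comment before `cat <<\EOF`, such as `# physical machines are not in $vmOptions, so they are listed by hand`, would explain why this machine is special-cased rather than generated. The `for` loop that `done` closes starts outside this hunk.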
diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age
index 7b99e67340ab38693f6e19b533a1bf039c6469de..82e8efcbad04a5750ce1d7c8a8107caf752adb1a 100644
GIT binary patch
literal 699
zcmZY5JB!nB003|iM93F7kRsvSuGA)J`p6=rd9+QMCTT8x#3@PhYM%e3P4e%4yMy2h z&ecIj9UT;x8(ajz-AOpO?KoWA&rk4!pXoU*C$V#w?SeFUoaSD;#F5q$v?%mJdoJDYB=lJmHyXxLsOAct7nOm~`<&==?x z5aF^ps+ZrPmSxKXd$jb@bh~>mDfmFov12^ifEsYyy zQXKf82E-!vMKcI!1aeNHVOEVxgxHKgN|LIelnj)MDeW&@-dc7>nvsX?-G3S`=^Ri| zpA=Qs&2=j0vjBKAem`suIdFQANVgq#SG%!?=bl@#BN`zY!v;dHqF72B6jlb5u6U@s zePL&Dy6HvJ!7>>p#I~gW({dqQn-%I-(BH4qaUyeJXo+hZ6MG59%9JYE1uevU;U$)g zhagIkEj*BWQJ)3PY3WXa#YElWOW3YmBPF7-FG&?O0|922&EodtfS+(36%Bbyf!TOp z9X9(RtF!a0-!?+}kal*RiMClgY~M*ZIW_nKFyT)sO# yEr<#zrXQ5-<#e&XP*E5D!o5`b?4`&8{_i)TjNJ#!Cap-=%=sWe1Oj$99_)+etdC# a#(lX;U%r(z`PWsw{d1x`&p2@Vea0p6^ji@2%7fuM8eXLvjm4#U!~yW=UrP!>E56Py9 zhhYF1hMtr1(FZg~>XgMw-m2Ww<5ez4eV8XqY4*%9;EkoVp5D=$nL7b1$-EHNWK8c* z4GxUCj(o>Ti|t6cPB`lVg(E1lVxUPO>$%q6zTJ4PnHd~8fVPB+9$;OZsy1GtgBK(G^x?DvumYI6}2#vT>vm>6>5|2)Uw+raS!nVvX#QSliLkP zMwuhh=c8cGtm^R?p%X3B8(?LEX{$A8cN^GtwZXW@l)o;W5n(w3ln&Uf=Zr5DOqUug zD%m(aYzxRoJT(vUpuxza=Em)|SU1NrN1B>57xKFzG3=K0(I`@qnqgp7-cq2&Sbj(#e52#=33> zM#2o7Y~)|#%C6}SrQ(J7@$}jHr?-E3_QkKi?f!ZA^_%Z}_vG8v-w$8f&(n|ocvjn5yvdU4-;^=On2UVrg#`SAyl^UeK# D`nwVA
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 167234d4..88d1bb03 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -26,7 +26,7 @@ concatMapAttrs
   {
     forgejo-database-password = [ vm02116 ];
     forgejo-email-password = [ vm02116 ];
-    forgejo-runner-token = [ ];
+    forgejo-runner-token = [ forgejo-ci ];
     panel-secret-key = [ fedi201 ];
     panel-ssh-key = [ fedi201 ];
     wiki-basicauth-htpasswd = [ vm02187 ];
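Review bot: `forgejo-runner-token = [ forgejo-ci ];` references an identifier that is bound outside this hunk, and since no other line of secrets.nix changes in this commit, `forgejo-ci` must come from a generic binding of the keys under keys/systems/ — worth confirming that the new keys/systems/forgejo-ci.pub is really picked up at evaluation rather than silently yielding an empty recipient. The re-encrypted secrets/forgejo-runner-token.age shrank from 809 to 699 bytes even though a recipient was added; an extra ssh-ed25519 recipient normally grows the age header by roughly that amount, so either the plaintext changed or a previous recipient dropped out of the file. Decrypting the secret once with each intended key (the admin keys and the forgejo-ci host key) before deploying would rule out a lockout on the new machine.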