kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

set up ci container from clan

Browse source 
credit:
https://discourse.nixos.org/t/gitea-nix-actions-runner-setup/35279
This commit is contained in:
Kiara Grouwstra 2025-07-06 21:25:21 +02:00
parent 5cb6f03e4e
commit d2f9c3cb55
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
1 changed files with 201 additions and 87 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

288
machines/dev/forgejo-ci/forgejo-actions-runner.nix
View file

@ -1,104 +1,218 @@
# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
{ {
pkgs, pkgs,
lib,
config, config,
# sources,
... ...
}: }:
let let
sources = import ../../../npins; system = builtins.currentSystem;
packages =
let
sources = import ../../../npins;
inherit (import sources.flake-inputs) import-flake;
inherit ((import-flake { src = ../../..; }).inputs) nixops4;
in
[
pkgs.coreutils
pkgs.findutils
pkgs.gnugrep
pkgs.gawk
pkgs.git
pkgs.nix
pkgs.bash
pkgs.jq
pkgs.nodejs
pkgs.npins
nixops4.packages.${system}.default
];
storeDeps = pkgs.runCommand "store-deps" { } ''
mkdir -p $out/bin
for dir in ${toString packages}; do
for bin in "$dir"/bin/*; do
ln -s "$bin" "$out/bin/$(basename "$bin")"
done
done
# Add SSL CA certs
mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
'';
numInstances = 2;
in in
{ {
_class = "nixos"; users = {
users.nixuser = {
services.gitea-actions-runner = { group = "nixuser";
package = pkgs.forgejo-actions-runner; description = "Used for running nix ci jobs";
home = "/var/empty";
instances.default = { isSystemUser = true;
enable = true; };
groups.nixuser = { };
name = config.networking.fqdn; };
url = "https://git.fediversity.eu"; virtualisation = {
tokenFile = config.age.secrets.forgejo-runner-token.path; podman.enable = true;
containers.containersConf.settings = {
settings = { # podman seems to not work with systemd-resolved
log.level = "info"; containers.dns_servers = [
runner = { "8.8.8.8"
file = ".runner"; "8.8.4.4"
# Take only 1 job at a time to avoid clashing NixOS tests, see #362
capacity = 1;
timeout = "3h";
insecure = false;
fetch_timeout = "5s";
fetch_interval = "2s";
};
};
## This runner supports Docker (with a default Ubuntu image) and native
## modes. In native mode, it contains a few default packages.
labels = [
"docker:docker://node:16-bullseye"
"native:host"
];
hostPackages = with pkgs; [
bash
git
nix
nodejs
]; ];
}; };
}; };
services.gitea-actions-runner.instances =
## For the Docker mode of the runner. lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
virtualisation.docker.enable = true; (_: {
virtualisation.oci-containers.containers."buildResult" = enable = true;
let name = "nix-runner";
name = "nix-runner"; url = "https://git.fediversity.eu";
tag = "latest"; tokenFile = config.age.secrets.forgejo-runner-token.path;
base = import (sources.nix + "/docker.nix") { labels = [ "nix:docker://gitea-runner-nix" ];
inherit pkgs; settings = {
name = "nix-ci-base"; container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
maxLayers = 10; # the default network that also respects our dns server settings
extraPkgs = with pkgs; [ container.network = "host";
nodejs_20 # nodejs is needed for running most 3rdparty actions container.valid_volumes = [
# add any other pre-installed packages here "/nix"
]; "${storeDeps}/bin"
# change this is you want "${storeDeps}/etc/ssl"
channelURL = "https://nixos.org/channels/nixpkgs-23.05";
nixConf = {
substituters = [
"https://cache.nixos.org/"
"https://nix-community.cachix.org"
# insert any other binary caches here
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
# insert the public keys for those binary caches here
];
# allow using the new flake commands in our workflows
experimental-features = [
"nix-command"
"flakes"
]; ];
}; };
}; });
in systemd.services =
{ {
devices = [ "/dev/kvm:/dev/kvm" ]; gitea-runner-nix-image = {
image = "${name}:${tag}"; wantedBy = [ "multi-user.target" ];
# https://icewind.nl/entry/gitea-actions-nix/ after = [ "podman.service" ];
imageFile = pkgs.dockerTools.buildImage { requires = [ "podman.service" ];
inherit name tag; path = [
fromImage = base; config.virtualisation.podman.package
fromImageName = null; pkgs.gnutar
fromImageTag = "latest"; pkgs.shadow
copyToRoot = pkgs.buildEnv { pkgs.getent
name = "image-root"; ];
paths = [ pkgs.coreutils-full ]; # we also include etc here because the cleanup job also wants the nixuser to be present
pathsToLink = [ "/bin" ]; # add coreutils (which includes sleep) to /bin script = ''
set -eux -o pipefail
mkdir -p etc/nix
# Create an unpriveleged user that we can use also without the run-as-user.sh script
touch etc/passwd etc/group
groupid=$(cut -d: -f3 < <(getent group nixuser))
userid=$(cut -d: -f3 < <(getent passwd nixuser))
groupadd --prefix $(pwd) --gid "$groupid" nixuser
emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
NIX_CONFIG
cat <<NSSWITCH > etc/nsswitch.conf
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files
NSSWITCH
# list the content as it will be imported into the container
tar -cv . | tar -tvf -
tar -cv . | podman import - gitea-runner-nix
'';
serviceConfig = {
RuntimeDirectory = "gitea-runner-nix-image";
WorkingDirectory = "/run/gitea-runner-nix-image";
Type = "oneshot";
RemainAfterExit = true;
}; };
}; };
}; }
// lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
_:
let
requires = [ "gitea-runner-nix-image.service" ];
in
{
inherit requires;
after = requires;
# TODO: systemd confinement
serviceConfig = {
# Hardening (may overlap with DynamicUser=)
# The following options are only for optimizing output of systemd-analyze
AmbientCapabilities = "";
CapabilityBoundingSet = "";
# ProtectClock= adds DeviceAllow=char-rtc r
DeviceAllow = "";
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectControlGroups = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectSystem = "strict";
RemoveIPC = true;
RestrictNamespaces = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
UMask = "0066";
ProtectProc = "invisible";
SystemCallFilter = [
"~@clock"
"~@cpu-emulation"
"~@module"
"~@mount"
"~@obsolete"
"~@raw-io"
"~@reboot"
"~@swap"
# needed by go?
#"~@resources"
"~@privileged"
"~capset"
"~setdomainname"
"~sethostname"
];
SupplementaryGroups = [ "podman" ];
RestrictAddressFamilies = [
"AF_INET"
"AF_INET6"
"AF_UNIX"
"AF_NETLINK"
];
# Needs network access
PrivateNetwork = false;
# Cannot be true due to Node
MemoryDenyWriteExecute = false;
# The more restrictive "pid" option makes `nix` commands in CI emit
# "GC Warning: Couldn't read /proc/stat"
# You may want to set this to "pid" if not using `nix` commands
ProcSubset = "all";
# Coverage programs for compiled code such as `cargo-tarpaulin` disable
# ASLR (address space layout randomization) which requires the
# `personality` syscall
# You may want to set this to `true` if not using coverage tooling on
# compiled code
LockPersonality = false;
# Note that this has some interactions with the User setting; so you may
# want to consult the systemd docs if using both.
DynamicUser = true;
};
}
);
} }