increase further timeouts

This reverts commit 60e7b841a9.

.forgejo/workflows/ci.yaml

@@ -10,13 +10,13 @@ on:
 
 jobs:
   check-pre-commit:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests
 
   check-data-model:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
@@ -28,31 +28,31 @@ jobs:
       - run: nix build .#checks.x86_64-linux.test-mastodon-service -L
 
   check-peertube:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.test-peertube-service -L
 
   check-panel:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests.panel
 
   check-deployment-basic:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-basic -L
 
   check-deployment-cli:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-cli -L
 
   check-deployment-panel:
-    runs-on: native
+    runs-on: nix
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L

.forgejo/workflows/update.yaml

@@ -8,7 +8,7 @@ on:
 
 jobs:
   lockfile:
-    runs-on: native
+    runs-on: nix
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

infra/common/nixos/users.nix

@@ -1,7 +1,13 @@
+{
+  config,
+  ...
+}:
 {
   _class = "nixos";
 
   users.users = {
+    root.openssh.authorizedKeys.keys = config.user.users.procolix.openssh.authorizedKeys.keys;
+
     procolix = {
       isNormalUser = true;
       extraGroups = [ "wheel" ];

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -1,47 +1,252 @@
-{ pkgs, config, ... }:
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}:
+let
+  system = builtins.currentSystem;
+  packages =
+    let
+      sources = import ../../../npins;
+      inherit (import sources.flake-inputs) import-flake;
+      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
+    in
+    [
+      pkgs.coreutils
+      pkgs.findutils
+      pkgs.gnugrep
+      pkgs.gawk
+      pkgs.git
+      pkgs.nix
+      pkgs.bash
+      pkgs.jq
+      pkgs.nodejs
+      pkgs.npins
+      nixops4.packages.${system}.default
+    ];
+  storeDeps = pkgs.runCommand "store-deps" { } ''
+    mkdir -p $out/bin
+    for dir in ${toString packages}; do
+      for bin in "$dir"/bin/*; do
+        ln -s "$bin" "$out/bin/$(basename "$bin")"
+      done
+    done
+    # Add SSL CA certs
+    mkdir -p $out/etc/ssl/certs
+    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+  '';
+  numInstances = 5;
+in
 
 {
   _class = "nixos";
 
   services.gitea-actions-runner = {
     package = pkgs.forgejo-actions-runner;
-
+    instances = lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances) (_: {
-    instances.default = {
       enable = true;
-
       name = config.networking.fqdn;
       url = "https://git.fediversity.eu";
       tokenFile = config.age.secrets.forgejo-runner-token.path;
-
-      settings = {
-        log.level = "info";
-        runner = {
-          file = ".runner";
-          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
-          capacity = 1;
-          timeout = "3h";
-          insecure = false;
-          fetch_timeout = "5s";
-          fetch_interval = "2s";
-        };
-      };
-
       ## This runner supports Docker (with a default Ubuntu image) and native
       ## modes. In native mode, it contains a few default packages.
       labels = [
+        "nix:docker://gitea-runner-nix"
         "docker:docker://node:16-bullseye"
         "native:host"
       ];
-
       hostPackages = with pkgs; [
         bash
         git
         nix
         nodejs
       ];
-    };
+      settings = {
+        container = {
+          options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+          # the default network that also respects our dns server settings
+          network = "host";
+          valid_volumes = [
+            "/nix"
+            "${storeDeps}/bin"
+            "${storeDeps}/etc/ssl"
+          ];
+        };
+        log.level = "trace";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5m";
+          fetch_interval = "2m";
+        };
+      };
+    });
   };
 
-  ## For the Docker mode of the runner.
+  users = {
-  virtualisation.docker.enable = true;
+    users.nixuser = {
+      group = "nixuser";
+      description = "Used for running nix ci jobs";
+      home = "/var/empty";
+      isSystemUser = true;
+    };
+    groups.nixuser = { };
+  };
+  virtualisation = {
+    ## For the Docker mode of the runner.
+    ## Podman seemed to get stuck on the checkout step
+    docker = {
+      enable = true;
+      daemon.settings.shutdown-timeout = 300;
+    };
+    containers.containersConf.settings = {
+      service_timeout = 300;
+      # podman (at least) seems to not work with systemd-resolved
+      containers.dns_servers = [
+        "8.8.8.8"
+        "8.8.4.4"
+      ];
+    };
+  };
+  systemd.services =
+    {
+      gitea-runner-nix-image = {
+        wantedBy = [ "multi-user.target" ];
+        after = [ "docker.service" ];
+        requires = [ "docker.service" ];
+        path = [
+          pkgs.docker
+          pkgs.gnutar
+          pkgs.shadow
+          pkgs.getent
+        ];
+        # we also include etc here because the cleanup job also wants the nixuser to be present
+        script = ''
+          set -eux -o pipefail
+          mkdir -p etc/nix
+
+          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+          touch etc/passwd etc/group
+          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+
+          cat <<NIX_CONFIG > etc/nix/nix.conf
+          accept-flake-config = true
+          experimental-features = nix-command flakes
+          NIX_CONFIG
+
+          cat <<NSSWITCH > etc/nsswitch.conf
+          passwd:    files mymachines systemd
+          group:     files mymachines systemd
+          shadow:    files
+
+          hosts:     files mymachines dns myhostname
+          networks:  files
+
+          ethers:    files
+          services:  files
+          protocols: files
+          rpc:       files
+          NSSWITCH
+
+          # list the content as it will be imported into the container
+          tar -cv . | tar -tvf -
+          tar -cv . | docker import - gitea-runner-nix
+        '';
+        serviceConfig = {
+          RuntimeDirectory = "gitea-runner-nix-image";
+          WorkingDirectory = "/run/gitea-runner-nix-image";
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+      };
+    }
+    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
+      _:
+      let
+        requires = [ "gitea-runner-nix-image.service" ];
+      in
+      {
+        inherit requires;
+        after = requires;
+        # TODO: systemd confinement
+        serviceConfig = {
+          # Hardening (may overlap with DynamicUser=)
+          # The following options are only for optimizing output of systemd-analyze
+          AmbientCapabilities = "";
+          CapabilityBoundingSet = "";
+          # ProtectClock= adds DeviceAllow=char-rtc r
+          DeviceAllow = "";
+          NoNewPrivileges = true;
+          PrivateDevices = true;
+          PrivateMounts = true;
+          PrivateTmp = true;
+          PrivateUsers = true;
+          ProtectClock = true;
+          ProtectControlGroups = true;
+          ProtectHome = true;
+          ProtectHostname = true;
+          ProtectKernelLogs = true;
+          ProtectKernelModules = true;
+          ProtectKernelTunables = true;
+          ProtectSystem = "strict";
+          RemoveIPC = true;
+          RestrictNamespaces = true;
+          RestrictRealtime = true;
+          RestrictSUIDSGID = true;
+          UMask = "0066";
+          ProtectProc = "invisible";
+          SystemCallFilter = [
+            "~@clock"
+            "~@cpu-emulation"
+            "~@module"
+            "~@mount"
+            "~@obsolete"
+            "~@raw-io"
+            "~@reboot"
+            "~@swap"
+            # needed by go?
+            #"~@resources"
+            "~@privileged"
+            "~capset"
+            "~setdomainname"
+            "~sethostname"
+          ];
+          SupplementaryGroups = [ "docker" ];
+          RestrictAddressFamilies = [
+            "AF_INET"
+            "AF_INET6"
+            "AF_UNIX"
+            "AF_NETLINK"
+          ];
+
+          # Needs network access
+          PrivateNetwork = false;
+          # Cannot be true due to Node
+          MemoryDenyWriteExecute = false;
+
+          # The more restrictive "pid" option makes `nix` commands in CI emit
+          # "GC Warning: Couldn't read /proc/stat"
+          # You may want to set this to "pid" if not using `nix` commands
+          ProcSubset = "all";
+          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
+          # ASLR (address space layout randomization) which requires the
+          # `personality` syscall
+          # You may want to set this to `true` if not using coverage tooling on
+          # compiled code
+          LockPersonality = false;
+
+          # Note that this has some interactions with the User setting; so you may
+          # want to consult the systemd docs if using both.
+          DynamicUser = true;
+        };
+      }
+    );
 }

machines/dev/vm02116/forgejo.nix

@@ -110,4 +110,8 @@ in
       };
     };
   };
+
+  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
+  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
+  users.users.forgejo.isNormalUser = true;
 }

npins/sources.json

@@ -125,6 +125,22 @@
       "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
       "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
     },
+    "nix": {
+      "type": "GitRelease",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nixos",
+        "repo": "nix"
+      },
+      "pre_releases": false,
+      "version_upper_bound": null,
+      "release_prefix": null,
+      "submodules": false,
+      "version": "2.29.1",
+      "revision": "82debf3b591578eb2e7b151d2589626fad1679a2",
+      "url": "https://api.github.com/repos/nixos/nix/tarball/2.29.1",
+      "hash": "1xj5wawjw99qsyqfm3x02aydcg39rjksphnqg163plknifbzf8mc"
+    },
     "nix-unit": {
       "type": "Git",
       "repository": {