.forgejo/workflows/ci.yaml

@@ -12,7 +12,7 @@ jobs:
   check-pre-commit:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests
@@ -20,7 +20,7 @@ jobs:
   check-data-model:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
@@ -28,7 +28,7 @@ jobs:
   check-peertube:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build services -A tests.peertube
@@ -36,7 +36,7 @@ jobs:
   check-panel:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build panel -A tests
@@ -44,7 +44,7 @@ jobs:
   check-deployment-basic:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-basic -L
@@ -52,7 +52,7 @@ jobs:
   check-deployment-cli:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-cli -L
@@ -60,7 +60,7 @@ jobs:
   check-deployment-panel:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -1,218 +1,104 @@
-# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
 {
   pkgs,
-  lib,
   config,
+  # sources,
   ...
 }:
 let
-  system = builtins.currentSystem;
+  sources = import ../../../npins;
-  packages =
-    let
-      sources = import ../../../npins;
-      inherit (import sources.flake-inputs) import-flake;
-      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
-    in
-    [
-      pkgs.coreutils
-      pkgs.findutils
-      pkgs.gnugrep
-      pkgs.gawk
-      pkgs.git
-      pkgs.nix
-      pkgs.bash
-      pkgs.jq
-      pkgs.nodejs
-      pkgs.npins
-      nixops4.packages.${system}.default
-    ];
-  storeDeps = pkgs.runCommand "store-deps" { } ''
-    mkdir -p $out/bin
-    for dir in ${toString packages}; do
-      for bin in "$dir"/bin/*; do
-        ln -s "$bin" "$out/bin/$(basename "$bin")"
-      done
-    done
-    # Add SSL CA certs
-    mkdir -p $out/etc/ssl/certs
-    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
-  '';
-  numInstances = 2;
 in
+
 {
-  users = {
+  _class = "nixos";
-    users.nixuser = {
+
-      group = "nixuser";
+  services.gitea-actions-runner = {
-      description = "Used for running nix ci jobs";
+    package = pkgs.forgejo-actions-runner;
-      home = "/var/empty";
+
-      isSystemUser = true;
+    instances.default = {
-    };
+      enable = true;
-    groups.nixuser = { };
+
-  };
+      name = config.networking.fqdn;
-  virtualisation = {
+      url = "https://git.fediversity.eu";
-    podman.enable = true;
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
-    containers.containersConf.settings = {
+
-      # podman seems to not work with systemd-resolved
+      settings = {
-      containers.dns_servers = [
+        log.level = "info";
-        "8.8.8.8"
+        runner = {
-        "8.8.4.4"
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
       ];
     };
   };
-  services.gitea-actions-runner.instances =
+
-    lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
+  ## For the Docker mode of the runner.
-      (_: {
+  virtualisation.docker.enable = true;
-        enable = true;
+  virtualisation.oci-containers.containers."buildResult" =
-        name = "nix-runner";
+    let
-        url = "https://git.fediversity.eu";
+      name = "nix-runner";
-        tokenFile = config.age.secrets.forgejo-runner-token.path;
+      tag = "latest";
-        labels = [ "nix:docker://gitea-runner-nix" ];
+      base = import (sources.nix + "/docker.nix") {
-        settings = {
+        inherit pkgs;
-          container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+        name = "nix-ci-base";
-          # the default network that also respects our dns server settings
+        maxLayers = 10;
-          container.network = "host";
+        extraPkgs = with pkgs; [
-          container.valid_volumes = [
+          nodejs_20 # nodejs is needed for running most 3rdparty actions
-            "/nix"
+          # add any other pre-installed packages here
-            "${storeDeps}/bin"
-            "${storeDeps}/etc/ssl"
-          ];
-        };
-      });
-  systemd.services =
-    {
-      gitea-runner-nix-image = {
-        wantedBy = [ "multi-user.target" ];
-        after = [ "podman.service" ];
-        requires = [ "podman.service" ];
-        path = [
-          config.virtualisation.podman.package
-          pkgs.gnutar
-          pkgs.shadow
-          pkgs.getent
         ];
-        # we also include etc here because the cleanup job also wants the nixuser to be present
+        # change this is you want
-        script = ''
+        channelURL = "https://nixos.org/channels/nixpkgs-23.05";
-          set -eux -o pipefail
+        nixConf = {
-          mkdir -p etc/nix
+          substituters = [
-
+            "https://cache.nixos.org/"
-          # Create an unpriveleged user that we can use also without the run-as-user.sh script
+            "https://nix-community.cachix.org"
-          touch etc/passwd etc/group
+            # insert any other binary caches here
-          groupid=$(cut -d: -f3 < <(getent group nixuser))
+          ];
-          userid=$(cut -d: -f3 < <(getent passwd nixuser))
+          trusted-public-keys = [
-          groupadd --prefix $(pwd) --gid "$groupid" nixuser
+            "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
-          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
+            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
+            # insert the public keys for those binary caches here
-
+          ];
-          cat <<NIX_CONFIG > etc/nix/nix.conf
+          # allow using the new flake commands in our workflows
-          accept-flake-config = true
+          experimental-features = [
-          experimental-features = nix-command flakes
+            "nix-command"
-          NIX_CONFIG
+            "flakes"
-
+          ];
-          cat <<NSSWITCH > etc/nsswitch.conf
-          passwd:    files mymachines systemd
-          group:     files mymachines systemd
-          shadow:    files
-
-          hosts:     files mymachines dns myhostname
-          networks:  files
-
-          ethers:    files
-          services:  files
-          protocols: files
-          rpc:       files
-          NSSWITCH
-
-          # list the content as it will be imported into the container
-          tar -cv . | tar -tvf -
-          tar -cv . | podman import - gitea-runner-nix
-        '';
-        serviceConfig = {
-          RuntimeDirectory = "gitea-runner-nix-image";
-          WorkingDirectory = "/run/gitea-runner-nix-image";
-          Type = "oneshot";
-          RemainAfterExit = true;
         };
       };
-    }
+    in
-    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
+    {
-      _:
+      devices = [ "/dev/kvm:/dev/kvm" ];
-      let
+      image = "${name}:${tag}";
-        requires = [ "gitea-runner-nix-image.service" ];
+      # https://icewind.nl/entry/gitea-actions-nix/
-      in
+      imageFile = pkgs.dockerTools.buildImage {
-      {
+        inherit name tag;
-        inherit requires;
+        fromImage = base;
-        after = requires;
+        fromImageName = null;
-        # TODO: systemd confinement
+        fromImageTag = "latest";
-        serviceConfig = {
+        copyToRoot = pkgs.buildEnv {
-          # Hardening (may overlap with DynamicUser=)
+          name = "image-root";
-          # The following options are only for optimizing output of systemd-analyze
+          paths = [ pkgs.coreutils-full ];
-          AmbientCapabilities = "";
+          pathsToLink = [ "/bin" ]; # add coreutils (which includes sleep) to /bin
-          CapabilityBoundingSet = "";
-          # ProtectClock= adds DeviceAllow=char-rtc r
-          DeviceAllow = "";
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          UMask = "0066";
-          ProtectProc = "invisible";
-          SystemCallFilter = [
-            "~@clock"
-            "~@cpu-emulation"
-            "~@module"
-            "~@mount"
-            "~@obsolete"
-            "~@raw-io"
-            "~@reboot"
-            "~@swap"
-            # needed by go?
-            #"~@resources"
-            "~@privileged"
-            "~capset"
-            "~setdomainname"
-            "~sethostname"
-          ];
-          SupplementaryGroups = [ "podman" ];
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-            "AF_NETLINK"
-          ];
-
-          # Needs network access
-          PrivateNetwork = false;
-          # Cannot be true due to Node
-          MemoryDenyWriteExecute = false;
-
-          # The more restrictive "pid" option makes `nix` commands in CI emit
-          # "GC Warning: Couldn't read /proc/stat"
-          # You may want to set this to "pid" if not using `nix` commands
-          ProcSubset = "all";
-          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
-          # ASLR (address space layout randomization) which requires the
-          # `personality` syscall
-          # You may want to set this to `true` if not using coverage tooling on
-          # compiled code
-          LockPersonality = false;
-
-          # Note that this has some interactions with the User setting; so you may
-          # want to consult the systemd docs if using both.
-          DynamicUser = true;
         };
-      }
+      };
-    );
+    };
 }

machines/dev/vm02116/forgejo.nix

@@ -110,8 +110,4 @@ in
       };
     };
   };
-
-  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
-  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
-  users.users.forgejo.isNormalUser = true;
 }