runs-on: docker

.forgejo/workflows/ci.yaml

@@ -12,7 +12,7 @@ jobs:
   check-pre-commit:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build -A tests
@@ -20,7 +20,7 @@ jobs:
   check-data-model:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix'
@@ -28,7 +28,7 @@ jobs:
   check-peertube:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build services -A tests.peertube
@@ -36,7 +36,7 @@ jobs:
   check-panel:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix-build panel -A tests
@@ -44,7 +44,7 @@ jobs:
   check-deployment-basic:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-basic -L
@@ -52,7 +52,7 @@ jobs:
   check-deployment-cli:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-cli -L
@@ -60,7 +60,7 @@ jobs:
   check-deployment-panel:
     runs-on: docker
     container:
-      image: nix
+      image: icewind1991/nix-runner
     steps:
       - uses: actions/checkout@v4
       - run: nix build .#checks.x86_64-linux.deployment-panel -L

deployment/check/common/deployerNode.nix

@@ -54,12 +54,13 @@ in
 
     system.extraDependencies =
       [
-        inputs.flake-parts
+        "${inputs.flake-parts}"
-        inputs.flake-parts.inputs.nixpkgs-lib
+        "${inputs.flake-parts.inputs.nixpkgs-lib}"
-        inputs.nixops4
+        "${inputs.nixops4}"
-        inputs.nixops4-nixos
+        "${inputs.nixops4-nixos}"
-        inputs.nixpkgs
+        "${inputs.nixpkgs}"
-        sources.flake-inputs
+
+        "${sources.flake-inputs}"
 
         pkgs.stdenv
         pkgs.stdenvNoCC

infra/common/resource.nix

@@ -48,9 +48,9 @@ in
     ## the secret's file.
     age.secrets = concatMapAttrs (
       name: secret:
-      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) {
+      optionalAttrs (elem config.fediversityVm.hostPublicKey secret.publicKeys) ({
         ${removeSuffix ".age" name}.file = secrets.rootPath + "/${name}";
-      }
+      })
     ) secrets.mapping;
 
     ## FIXME: Remove direct root authentication once the NixOps4 NixOS provider

infra/makeInstallerIso.nix

@@ -15,6 +15,7 @@ let
 
   installer =
     {
+      config,
       pkgs,
       lib,
       ...

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -1,218 +1,47 @@
-# source: https://git.clan.lol/clan/clan-infra/src/branch/main/modules/web01/gitea/actions-runner.nix
+{ pkgs, config, ... }:
+
 {
-  pkgs,
+  _class = "nixos";
-  lib,
+
-  config,
+  services.gitea-actions-runner = {
-  ...
+    package = pkgs.forgejo-actions-runner;
-}:
+
-let
+    instances.default = {
-  system = builtins.currentSystem;
-  packages =
-    let
-      sources = import ../../../npins;
-      inherit (import sources.flake-inputs) import-flake;
-      inherit ((import-flake { src = ../../..; }).inputs) nixops4;
-    in
-    [
-      pkgs.coreutils
-      pkgs.findutils
-      pkgs.gnugrep
-      pkgs.gawk
-      pkgs.git
-      pkgs.nix
-      pkgs.bash
-      pkgs.jq
-      pkgs.nodejs
-      pkgs.npins
-      nixops4.packages.${system}.default
-    ];
-  storeDeps = pkgs.runCommand "store-deps" { } ''
-    mkdir -p $out/bin
-    for dir in ${toString packages}; do
-      for bin in "$dir"/bin/*; do
-        ln -s "$bin" "$out/bin/$(basename "$bin")"
-      done
-    done
-    # Add SSL CA certs
-    mkdir -p $out/etc/ssl/certs
-    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
-  '';
-  numInstances = 2;
-in
-{
-  users = {
-    users.nixuser = {
-      group = "nixuser";
-      description = "Used for running nix ci jobs";
-      home = "/var/empty";
-      isSystemUser = true;
-    };
-    groups.nixuser = { };
-  };
-  virtualisation = {
-    podman.enable = true;
-    containers.containersConf.settings = {
-      # podman seems to not work with systemd-resolved
-      containers.dns_servers = [
-        "8.8.8.8"
-        "8.8.4.4"
-      ];
-    };
-  };
-  services.gitea-actions-runner.instances =
-    lib.genAttrs (builtins.genList (n: "nix${builtins.toString n}") numInstances)
-      (_: {
       enable = true;
-        name = "nix-runner";
+
+      name = config.networking.fqdn;
       url = "https://git.fediversity.eu";
       tokenFile = config.age.secrets.forgejo-runner-token.path;
-        labels = [ "nix:docker://gitea-runner-nix" ];
+
       settings = {
-          container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+        log.level = "info";
-          # the default network that also respects our dns server settings
+        runner = {
-          container.network = "host";
+          file = ".runner";
-          container.valid_volumes = [
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
-            "/nix"
+          capacity = 1;
-            "${storeDeps}/bin"
+          timeout = "3h";
-            "${storeDeps}/etc/ssl"
+          insecure = false;
-          ];
+          fetch_timeout = "5s";
-        };
+          fetch_interval = "2s";
-      });
-  systemd.services =
-    {
-      gitea-runner-nix-image = {
-        wantedBy = [ "multi-user.target" ];
-        after = [ "podman.service" ];
-        requires = [ "podman.service" ];
-        path = [
-          config.virtualisation.podman.package
-          pkgs.gnutar
-          pkgs.shadow
-          pkgs.getent
-        ];
-        # we also include etc here because the cleanup job also wants the nixuser to be present
-        script = ''
-          set -eux -o pipefail
-          mkdir -p etc/nix
-
-          # Create an unpriveleged user that we can use also without the run-as-user.sh script
-          touch etc/passwd etc/group
-          groupid=$(cut -d: -f3 < <(getent group nixuser))
-          userid=$(cut -d: -f3 < <(getent passwd nixuser))
-          groupadd --prefix $(pwd) --gid "$groupid" nixuser
-          emptypassword='$6$1ero.LwbisiU.h3D$GGmnmECbPotJoPQ5eoSTD6tTjKnSWZcjHoVTkxFLZP17W9hRi/XkmCiAMOfWruUwy8gMjINrBMNODc7cYEo4K.'
-          useradd --prefix $(pwd) -p "$emptypassword" -m -d /tmp -u "$userid" -g "$groupid" -G nixuser nixuser
-
-          cat <<NIX_CONFIG > etc/nix/nix.conf
-          accept-flake-config = true
-          experimental-features = nix-command flakes
-          NIX_CONFIG
-
-          cat <<NSSWITCH > etc/nsswitch.conf
-          passwd:    files mymachines systemd
-          group:     files mymachines systemd
-          shadow:    files
-
-          hosts:     files mymachines dns myhostname
-          networks:  files
-
-          ethers:    files
-          services:  files
-          protocols: files
-          rpc:       files
-          NSSWITCH
-
-          # list the content as it will be imported into the container
-          tar -cv . | tar -tvf -
-          tar -cv . | podman import - gitea-runner-nix
-        '';
-        serviceConfig = {
-          RuntimeDirectory = "gitea-runner-nix-image";
-          WorkingDirectory = "/run/gitea-runner-nix-image";
-          Type = "oneshot";
-          RemainAfterExit = true;
         };
       };
-    }
+
-    // lib.genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") numInstances) (
+      ## This runner supports Docker (with a default Ubuntu image) and native
-      _:
+      ## modes. In native mode, it contains a few default packages.
-      let
+      labels = [
-        requires = [ "gitea-runner-nix-image.service" ];
+        "docker:docker://node:16-bullseye"
-      in
+        "native:host"
-      {
-        inherit requires;
-        after = requires;
-        # TODO: systemd confinement
-        serviceConfig = {
-          # Hardening (may overlap with DynamicUser=)
-          # The following options are only for optimizing output of systemd-analyze
-          AmbientCapabilities = "";
-          CapabilityBoundingSet = "";
-          # ProtectClock= adds DeviceAllow=char-rtc r
-          DeviceAllow = "";
-          NoNewPrivileges = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          PrivateTmp = true;
-          PrivateUsers = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          ProtectSystem = "strict";
-          RemoveIPC = true;
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          UMask = "0066";
-          ProtectProc = "invisible";
-          SystemCallFilter = [
-            "~@clock"
-            "~@cpu-emulation"
-            "~@module"
-            "~@mount"
-            "~@obsolete"
-            "~@raw-io"
-            "~@reboot"
-            "~@swap"
-            # needed by go?
-            #"~@resources"
-            "~@privileged"
-            "~capset"
-            "~setdomainname"
-            "~sethostname"
-          ];
-          SupplementaryGroups = [ "podman" ];
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-            "AF_NETLINK"
       ];
 
-          # Needs network access
+      hostPackages = with pkgs; [
-          PrivateNetwork = false;
+        bash
-          # Cannot be true due to Node
+        git
-          MemoryDenyWriteExecute = false;
+        nix
-
+        nodejs
-          # The more restrictive "pid" option makes `nix` commands in CI emit
+      ];
-          # "GC Warning: Couldn't read /proc/stat"
-          # You may want to set this to "pid" if not using `nix` commands
-          ProcSubset = "all";
-          # Coverage programs for compiled code such as `cargo-tarpaulin` disable
-          # ASLR (address space layout randomization) which requires the
-          # `personality` syscall
-          # You may want to set this to `true` if not using coverage tooling on
-          # compiled code
-          LockPersonality = false;
-
-          # Note that this has some interactions with the User setting; so you may
-          # want to consult the systemd docs if using both.
-          DynamicUser = true;
     };
-      }
+  };
-    );
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
 }

machines/dev/vm02116/forgejo.nix

@@ -110,8 +110,4 @@ in
       };
     };
   };
-
-  # needed to imperatively run forgejo commands e.g. to generate runner tokens.
-  # example: `sudo su - forgejo -c 'nix-shell -p forgejo --run "gitea actions generate-runner-token -C /var/lib/forgejo/custom"'`
-  users.users.forgejo.isNormalUser = true;
 }

npins/sources.json

@@ -125,22 +125,6 @@
       "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
       "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
     },
-    "nix": {
-      "type": "GitRelease",
-      "repository": {
-        "type": "GitHub",
-        "owner": "nixos",
-        "repo": "nix"
-      },
-      "pre_releases": false,
-      "version_upper_bound": null,
-      "release_prefix": null,
-      "submodules": false,
-      "version": "2.29.1",
-      "revision": "82debf3b591578eb2e7b151d2589626fad1679a2",
-      "url": "https://api.github.com/repos/nixos/nix/tarball/2.29.1",
-      "hash": "1xj5wawjw99qsyqfm3x02aydcg39rjksphnqg163plknifbzf8mc"
-    },
     "nix-unit": {
       "type": "Git",
       "repository": {

panel/nix/configuration.nix

@@ -202,8 +202,11 @@ in
       };
     };
 
-    # needed to place a config file with home-manager
+    users.users.${name} = {
-    users.users.${name}.isNormalUser = true;
+      # TODO[Niols]: change to system user or document why we specifically
+      # need a normal user.
+      isNormalUser = true;
+    };
 
     users.groups.${name} = { };
     systemd.services.${name} = {