add qemu import

flesh out attic

TODO keys nginx-port testing

fix key

fix key

infra/common/nixos/default.nix

@@ -23,4 +23,9 @@ in
   nix.extraOptions = ''
     experimental-features = nix-command flakes
   '';
+
+  boot.loader = {
+    systemd-boot.enable = true;
+    efi.canTouchEfiVariables = true;
+  };
 }

infra/common/proxmox-qemu-vm.nix

@@ -6,11 +6,6 @@
   imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
 
   boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
     initrd = {
       availableKernelModules = [
         "ata_piix"

keys/systems/forgejo-ci.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFXQW5fxJoNY9wtTMsNExgbAbvyljIRGBLjY+USh/0A

machines/dev/fedi201/fedipanel.nix

@@ -1,5 +1,6 @@
 {
   config,
+  sources,
   ...
 }:
 let
@@ -10,6 +11,7 @@ in
 
   imports = [
     (import ../../../panel { }).module
+    (import "${sources.home-manager}/nixos")
   ];
 
   security.acme = {

machines/dev/forgejo-ci/default.nix

@@ -0,0 +1,70 @@
+{ lib, ... }:
+
+let
+  inherit (lib) mkDefault mkForce;
+in
+
+{
+  _class = "nixops4Resource";
+
+  # NOTE: This needs an SSH config entry `forgejo-ci` to locate and access the
+  # machine. This is because different people access the machine in different
+  # way (eg. via a proxy vs. via Procolix's VPN). This might look like:
+  #
+  #     Host forgejo-ci
+  #          HostName 45.142.234.216
+  #          HostKeyAlias forgejo-ci
+  #
+  # The `HostKeyAlias` statement is crucial. Without it, deployment will fail
+  # with the SSH error “Host key verification failed”.
+  ssh.host = mkForce "forgejo-ci";
+
+  fediversityVm = {
+    domain = "procolix.com";
+
+    ipv4 = {
+      interface = "enp1s0f0";
+      address = "192.168.201.65";
+      prefixLength = 24;
+      gateway = "192.168.201.1";
+    };
+    ipv6.enable = false;
+  };
+
+  nixos.module =
+    { config, ... }:
+    {
+      _class = "nixos";
+
+      imports = [
+        ./forgejo-actions-runner.nix
+      ];
+
+      hardware.cpu.intel.updateMicrocode = mkDefault config.hardware.enableRedistributableFirmware;
+
+      networking = {
+        nftables.enable = mkForce false;
+        hostId = "1d6ea552";
+      };
+
+      ## NOTE: This is a physical machine, so is not covered by disko
+      fileSystems."/" = {
+        device = "rpool/root";
+        fsType = "zfs";
+      };
+
+      fileSystems."/home" = {
+        device = "rpool/home";
+        fsType = "zfs";
+      };
+
+      fileSystems."/boot" = {
+        device = "/dev/disk/by-uuid/50B2-DD3F";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+}

machines/dev/forgejo-ci/forgejo-actions-runner.nix

@@ -0,0 +1,47 @@
+{ pkgs, config, ... }:
+
+{
+  _class = "nixos";
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.default = {
+      enable = true;
+
+      name = config.networking.fqdn;
+      url = "https://git.fediversity.eu";
+      tokenFile = config.age.secrets.forgejo-runner-token.path;
+
+      settings = {
+        log.level = "info";
+        runner = {
+          file = ".runner";
+          # Take only 1 job at a time to avoid clashing NixOS tests, see #362
+          capacity = 1;
+          timeout = "3h";
+          insecure = false;
+          fetch_timeout = "5s";
+          fetch_interval = "2s";
+        };
+      };
+
+      ## This runner supports Docker (with a default Ubuntu image) and native
+      ## modes. In native mode, it contains a few default packages.
+      labels = [
+        "docker:docker://node:16-bullseye"
+        "native:host"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        git
+        nix
+        nodejs
+      ];
+    };
+  };
+
+  ## For the Docker mode of the runner.
+  virtualisation.docker.enable = true;
+}

machines/machines.md

@@ -11,5 +11,6 @@ Machine | Proxmox | Description
 [`fedi201`](./dev/fedi201) | fediversity | FediPanel
 [`vm02116`](./dev/vm02116) | procolix | Forgejo
 [`vm02187`](./dev/vm02187) | procolix | Wiki
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.

machines/machines.md.sh

@@ -37,6 +37,7 @@ for machine in $(echo "$vmOptions" | jq -r 'keys[]'); do
 done
 
 cat <<\EOF
+| `forgejo-ci` | n/a (physical) | Forgejo actions runner |
 
 This table excludes all machines with names starting with `test`.
 EOF

npins/sources.json

@@ -96,6 +96,19 @@
       "url": "https://github.com/hercules-ci/gitignore.nix/archive/637db329424fd7e46cf4185293b9cc8c88c95394.tar.gz",
       "hash": "02wxkdpbhlm3yk5mhkhsp3kwakc16xpmsf2baw57nz1dg459qv8w"
     },
+    "home-manager": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "home-manager"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "863842639722dd12ae9e37ca83bcb61a63b36f6c",
+      "url": "https://github.com/nix-community/home-manager/archive/863842639722dd12ae9e37ca83bcb61a63b36f6c.tar.gz",
+      "hash": "0rw9n8d4v87pzlmw7ws15f0sldb51fd9528skpbzmrzl4pinsgij"
+    },
     "htmx": {
       "type": "GitRelease",
       "repository": {

secrets/secrets.nix

@@ -26,7 +26,7 @@ concatMapAttrs
     {
       forgejo-database-password = [ vm02116 ];
       forgejo-email-password = [ vm02116 ];
-      forgejo-runner-token = [ ];
+      forgejo-runner-token = [ forgejo-ci ];
       panel-secret-key = [ fedi201 ];
       panel-ssh-key = [ fedi201 ];
       wiki-basicauth-htpasswd = [ vm02187 ];