ci: run from hswaw forgejo on our own hosts

2023-10-15 01:29:23 +02:00 · 2023-10-15 01:29:23 +02:00 · 01a04d7759
commit 01a04d7759
parent ba4aff00f2
6 changed files with 90 additions and 29 deletions
--- a/.ci.sh
+++ b/.ci.sh
@ -2,17 +2,14 @@

 set -eou pipefail

-export NIX_CONFIG="use-xdg-base-directories = true"
+compgen -c

-nix profile install nixpkgs#nixos-rebuild
+for hostOutput in $(nix eval --raw --impure --expr '
+    with import <nixpkgs> { };
+    (lib.mapAttrsToList (n: v: n)
+      (lib.attrsets.filterAttrs (n: v: v.pkgs.system == pkgs.system)
+        (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations))
+'); do
+  nixos-rebuild build --flake ".#${hostOutput}"
+done

-~/.local/state/nix/profile/bin/nixos-rebuild build --flake ".#ciTest"
-
-# for hostOutput in $(nix eval --raw --impure --expr '
-#     with import <nixpkgs> { };
-#     (lib.mapAttrsToList (name: value: value)
-#         (builtins.getFlake(builtins.toString ./.)).outputs.nixosConfigurations)[0]'
-# ); do
-#     ~/.local/state/nix/profile/bin/nixos-rebuild build --flake ".#${hostOutput}"
-# done
-# 
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@ -0,0 +1,15 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches: [main]
+
+jobs:
+  nixos:
+    runs-on: nixos:host
+    steps:
+      - uses: actions/checkout@v4
+      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+      - run: ./.ci.sh
--- a/flake.nix
+++ b/flake.nix
@ -26,7 +26,8 @@
  outputs = { self, nixpkgs, nix-formatter-pack, nix-index-database, deploy-rs
    , agenix, lanzaboote, microvm, simple-nixos-mailserver, ... }:
    let
-      forAllSystems = nixpkgs.lib.genAttrs [ "x86_64-linux" "aarch64-linux" ];
+      systems = [ "x86_64-linux" "aarch64-linux" ];
+      forAllSystems = nixpkgs.lib.genAttrs systems;
      pkgsForDeploy =
        forAllSystems (system: import nixpkgs { inherit system; });
      deployPkgs = forAllSystems (system:
@ -113,29 +114,61 @@
        nibylandia-gaming.imports = [ ./modules/gaming.nix ];

        nibylandia-monitoring.imports = [ ./modules/monitoring.nix ];
+
+        nibylandia-ci-runners.imports = [
+          ({ config, pkgs, lib, ... }:
+            let gitea-runner-directory = "/var/lib/gitea-runner";
+            in {
+              age.secrets.gitea-runner-token = {
+                file = ./secrets/gitea-runner-token-${config.networking.hostName}.age;
+                group = "docker";
+              };
+              
+              virtualisation.docker.enable = true;
+
+              services.gitea-actions-runner.package =
+                pkgs.forgejo-actions-runner;
+
+              services.gitea-actions-runner.instances.nix = {
+                enable = true;
+                name = config.networking.hostName;
+                tokenFile = config.age.secrets.gitea-runner-token.path;
+                labels = [ "nixos-${pkgs.system}:host" "nixos:host" "nix:docker://nix-runner" ];
+                url = "https://code.hackerspace.pl";
+                settings = {
+                  cache.enabled = true;
+                  host.workdir_parent =
+                    "${gitea-runner-directory}/action-cache-dir";
+                };
+
+                hostPackages = with pkgs; [
+                  bash
+                  coreutils
+                  curl
+                  gawk
+                  git-lfs
+                  nixFlakes
+                  gitFull
+                  gnused
+                  nodejs
+                  wget
+                ];
+              };
+
+              systemd.services.gitea-runner-nix.environment = {
+                XDG_CONFIG_HOME = gitea-runner-directory;
+                XDG_CACHE_HOME = "${gitea-runner-directory}/.cache";
+              };
+            })
+        ];
      };

      nixosConfigurations = with self.nixosModules; {
-        ciTest = nixpkgs.lib.nixosSystem {
-          system = "x86_64-linux";
-          modules = [
-            nibylandia-common
-
-            {
-              nibylandia-boot.uefi.enable = true;
-              fileSystems."/" = {
-                device = "none";
-                fsType = "tmpfs";
-                options = [ "defaults" "size=8G" "mode=755" ];
-              };
-            }
-          ];
-        };
-
        scylla = nixpkgs.lib.nixosSystem {
          system = "aarch64-linux";
          modules = [
            nibylandia-common
+            nibylandia-ci-runners

            ./nixos/scylla
          ];
@ -191,6 +224,8 @@
            nibylandia-common
            nibylandia-secureboot
            nibylandia-monitoring
+            nibylandia-ci-runners
+
            simple-nixos-mailserver.nixosModule

            ./nixos/zorigami
--- a/secrets.nix
+++ b/secrets.nix
@ -49,6 +49,8 @@ in {
  "secrets/mail/keycloakPlain.age".publicKeys = ar ++ [ zorigami ];
  "secrets/keycloakDatabase.age".publicKeys = ar ++ [ zorigami ];
  "secrets/synapseExtraConfig.age".publicKeys = ar ++ [ zorigami ];
+  "secrets/gitea-runner-token-zorigami.age".publicKeys = ar ++ [ zorigami ];
+  "secrets/gitea-runner-token-scylla.age".publicKeys = ar ++ [ scylla ];

  inherit ar;
 }
--- a/secrets/gitea-runner-token-scylla.age
+++ b/secrets/gitea-runner-token-scylla.age
@ -0,0 +1,12 @@
+age-encryption.org/v1
+-> ssh-ed25519 kY4Rgg GlH9wNkjx7qy7J/jbQv4qfacW6iz33its6tH1f9bkAk
+MI+wMI59DcBfnKDYEc6EbjeSbOU2XEQdqsYjxzaLxVI
+-> ssh-ed25519 grc4Uw +PBc3OBfou+hHNQsYFkGi2/RkQoFQ8Gmwzm12XJuNhM
+AeSiCItTdeR7SDYZefR8mzD3HV10hWTMSndtoEoJ3Ok
+-> ssh-ed25519 CJl5MQ uQPbCrToxNIUa4z/OD06qKNK7oVDOnBq1iQ1MaIhVWQ
+4KmL1OHWm7KHv47/T7WT3DCaWQCKCI/8fnFBN8M69iY
+-> cFj-grease mw<;B=c +zP
+PSu98aSDwCWyIbLhj5oDMeXDRLDh6Dlbh0a0I8bOf02smiFzbJBFfuTYNA0ioZTu
+qACwWD2Rg8PT15NRpQgjn2KFMA
+--- XP+tudENbYfalUUPY75weoXDwzFmCGdku4LKMG+UhqI
+Cv³.žt±ó\Ïî¯ñƒxËÆÚµÖcÂd¥óÇ€˜œ“?,¨£g<ß'Ï P"@£W%OY/Ýu1ºè>óü`Ò)úñÉÞÆ!s
--- a/secrets/gitea-runner-token-zorigami.age
+++ b/secrets/gitea-runner-token-zorigami.age