From f655e43ec728b764b0222ec84a2b615454d24d78 Mon Sep 17 00:00:00 2001 From: Daniel Flanagan Date: Wed, 24 Jul 2024 11:21:31 -0500 Subject: [PATCH] Runner --- nixos/beefcake.nix | 31 ++++++++++++++++++++----------- secrets/beefcake/secrets.yml | 6 ++++-- 2 files changed, 24 insertions(+), 13 deletions(-) diff --git a/nixos/beefcake.nix b/nixos/beefcake.nix index 267f159..5d8cd0f 100644 --- a/nixos/beefcake.nix +++ b/nixos/beefcake.nix @@ -111,14 +111,11 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 owner = config.systemd.services.plausible.serviceConfig.User; group = config.systemd.services.plausible.serviceConfig.Group; }; - nextcloud-admin-password = { - path = "/var/lib/nextcloud/admin-password"; - mode = "0440"; - # owner = config.services.nextcloud.serviceConfig.User; - # group = config.services.nextcloud.serviceConfig.Group; - }; + nextcloud-admin-password.path = "/var/lib/nextcloud/admin-password"; + "forgejo-runner.env" = {mode = "0400";}; }; }; + systemd.services.gitea-runner-beefcake.serviceConfig.after = ["sops-nix.service"]; } { # nix binary cache 
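Review bot: The added `systemd.services.gitea-runner-beefcake.serviceConfig.after = ["sops-nix.service"];` sets the ordering under `serviceConfig`, which is rendered into the unit's `[Service]` section, where systemd has no `after` key. The setting would be ignored with an unknown-key warning, so the runner is not actually ordered after the `forgejo-runner.env` secret is decrypted. Ordering is a unit-level option: `systemd.services.gitea-runner-beefcake.after = ["sops-nix.service"];`. Whether a system unit named `sops-nix.service` exists on this host is not visible in the diff, so confirm the name too, because `After=` on a missing unit silently does nothing. The enclosing attribute set starts and ends outside the hunk.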
@@ -745,11 +742,23 @@ sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00 type = "sqlite3"; }; }; - # services.forgejo-actions-runner.instances.main = { - # # TODO: simple git-based automation would be dope? maybe especially for - # # mirroring to github super easy? - # enable = false; - # }; + services.gitea-actions-runner = { + # TODO: simple git-based automation would be dope? maybe especially for + # mirroring to github super easy? + # enable = true; + package = pkgs.forgejo-runner; + instances."beefcake" = { + enable = true; + name = "beefcake"; + url = "https://git.lyte.dev"; + labels = [ + # type ":host" does not depend on docker/podman/lxc + "native:host" + "podman" + ]; + tokenFile = config.sops.secrets."forgejo-runner.env".path; + }; + }; services.caddy.virtualHosts."git.lyte.dev" = { extraConfig = '' reverse_proxy :${toString config.services.forgejo.settings.server.HTTP_PORT} diff --git a/secrets/beefcake/secrets.yml b/secrets/beefcake/secrets.yml index 74273da..c65946a 100644 --- a/secrets/beefcake/secrets.yml +++ b/secrets/beefcake/secrets.yml 
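Review bot: The `"native:host"` label in `instances."beefcake".labels` means workflow steps run directly on beefcake as the runner's service user, with no container boundary. This is the same machine that holds the sops secrets and serves forgejo, so anyone who can get a workflow scheduled on this runner gets code execution there. The bare `"podman"` label has no `:docker://…` type suffix, and as far as I know the runner treats an untyped label as host execution, so it probably does not provide the isolation its name suggests (worth confirming against the runner docs). At minimum, document the trust assumption next to the labels, e.g. `# host labels run workflow steps unsandboxed on this machine; register this runner only for trusted repos/orgs`. Consider dropping the host label once a container-backed one works.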
@@ -12,6 +12,8 @@ plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str] plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str] nextcloud-admin-password: ENC[AES256_GCM,data:QaoSZyommeGED3nWNru92UVO2tjk24HE9fWX7ExYT101o4ZL411TmV1TXHSyfwjmE7yLIm1K/j4xpEbIY3zvFg==,iv:xC5EZVPHumVPOob5jiiXMFAmdFQcFSUPtZgioAgGDDs=,tag:Q/kY38XWkGsqcmCkd2lodg==,type:str] +#ENC[AES256_GCM,data:f5xW/hXVcnVP10SOoNMu1Hi7JNbssHnd/79EoMZmt0IrFK+F3ajO+LBqApEJD+L+kQBZmGn3zuo=,iv:1ISDxi5wlfYvd6J3o6LRlCl9w/uwyU40Ge2Uj/qDHcQ=,tag:jK4aEIGzLZ4d9JdFmiUd1w==,type:comment] +forgejo-runner.env: ENC[AES256_GCM,data:yYLdrYJaDR4FMODLaWnzptaDCV5Nbu1PdcxVl302WbF5/9Ly5sEytTY+g5VcwH8=,iv:Lz9LiF3/fcNYNLhvczFufRnHMPQ9A2ycZRQs//ZB34Q=,tag:w48rGAtYsbZv0qy1S//GIA==,type:str] jland.env: ENC[AES256_GCM,data:u+QKwKWG9NFduuofhe3aatof3KoC0N4ZpNOD8E/7l0BTSoTe5Tqmz5/33EOcBUw99+YLFR4kTJwdUmLWHk4UD87aGsJ4liPCtXnBsToAzBGg0I3mhGQ/QM8iKXMW9oKb3ciapitQBuJa1WIp5/bHNtCXWQ==,iv:iZDET5EWM4DnAoQqLP9+Ll4S+mFHt2wZ3ENtN79Dbqw=,tag:qVpocN3FxlHfte2hAmtGPA==,type:str] dawncraft.env: ENC[AES256_GCM,data:8n1ymQZpMeVwTyoHhccV+W5diMLcsZw5zZQy4Z4eaMcLFk8ey3SeXkCf9+GnqpIU5xIZfCP1ZqeSxR03kJx3TPbQeBLZeN/QAYBxHOg/tjXIE6jdIGv0INkVLkExKPlvGN8F+ijwYkwgfqlhKPBf+Q==,iv:EMGlqUxcfvxqn1G1NohrAtJP/fLdolP++zcvaxIvVR4=,tag:1+ueIDCJTxmM586Z7i0aUA==,type:str] api.lyte.dev: 
ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str] @@ -39,8 +41,8 @@ sops: b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-07T04:00:34Z" - mac: ENC[AES256_GCM,data:e7v7J2QM6p4ljrdEX6uM7PHWb0/DKt1aWIro+YkQct1ym772WKtWFzzm+mV2wqBLLXCAKy7MJ7Y89iTysFO3pdGX1zdw3wMbNfmTCCXCKAUcIih4O0hLHqrfwcoVOuQ0SALESshDmUew/Gqu6NSrL6Wo+jNo7LEAHZ7kFtkP8rQ=,iv:0fmHOKlBzIhKQ4G6DDwlIW2WpLjIS/OAWLexND+/HAQ=,tag:FSqO8/14JwhobpIKaHk77w==,type:str] + lastmodified: "2024-07-24T16:17:32Z" + mac: ENC[AES256_GCM,data:eYtkbwkzLvQ5OYNBEIgWYCjK1CbVd6khyS1MZ9NzY7XAVHEvxqpPI5HPAWMJfk07FuY70X6DV0TNvQEkR7fB4tmawu+Hn3Rc6C/HILSm+zvjWW1t3smIOzvU8l1lPN/Jl/kQZVg1NdVGExCtRf9BuOkaACPPbDCM8uExXsCwstA=,iv:8TnpUBX3HWOzZogpdvsZ2m4b04HJt2nzd0VLrZw9K2w=,tag:pQUBD26+++W25z5pDVkrxw==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1