gitea-runner: Init system

.sops.yaml

@@ -5,6 +5,7 @@ keys:
   - &ci age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
   - &frigate age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
   - &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
+  - &gitea-runner age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
   - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
   - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
   - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
@@ -41,6 +42,12 @@ creation_rules:
           - *erwin
           - *erwin_horus
           - *gitea
+  - path_regex: machines/gitea-runner/[^/]+\.yaml$
+    key_groups:
+      - age:
+        - *erwin
+        - *erwin_horus
+        - *gitea-runner
   - path_regex: machines/heimdall/[^/]+\.yaml$
     key_groups:
       - age:

machines/default.nix

@@ -32,6 +32,17 @@ inputs: {
       tags = [ "container" ];
     };
   };
+  gitea-runner = {
+    config = import ./gitea-runner/configuration.nix inputs;
+    deploy = {
+      # host = "10.0.0.210";
+      host = "gitea-runner.barn-beaver.ts.net";
+      sshUser = "erwin";
+      buildOn = "local";
+      substituteOnTarget = true;
+      tags = [ "container" ];
+    };
+  };
   heimdall = {
     config = import ./heimdall/configuration.nix inputs;
     deploy = {

machines/gitea-runner/configuration.nix

@@ -0,0 +1,78 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+  imports = [
+    (modulesPath + "/virtualisation/lxc-container.nix")
+
+    ../../users/root
+    ../../users/erwin
+
+    ./gitea-runner
+  ];
+
+  eboskma = {
+    users.erwin = {
+      enable = true;
+      server = true;
+    };
+    nix-common = {
+      enable = true;
+      remote-builders = true;
+    };
+    podman.enable = true;
+    tailscale.enable = true;
+  };
+
+  boot.isContainer = true;
+
+  time.timeZone = "Europe/Amsterdam";
+
+  system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+  networking = {
+    hostName = "gitea-runner";
+    useDHCP = false;
+    useHostResolvConf = false;
+    networkmanager.enable = false;
+    useNetworkd = true;
+    nftables.enable = false;
+
+    firewall = {
+      trustedInterfaces = [ "tailscale0" ];
+    };
+  };
+
+  systemd.network = {
+    enable = true;
+
+    networks = {
+      "40-eth0" = {
+        matchConfig = {
+          Name = "eth0";
+        };
+
+        networkConfig = {
+          Address = "10.0.0.210/24";
+          Gateway = "10.0.0.1";
+          DNS = "10.0.0.206";
+          DHCP = "no";
+        };
+      };
+    };
+  };
+
+  security = {
+    sudo-rs = {
+      enable = true;
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+    sudo.enable = false;
+  };
+
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets = {
+    runner-nix-token = { };
+  };
+
+  system.stateVersion = "24.05";
+}

machines/gitea-runner/gitea-runner/default.nix

@@ -0,0 +1,31 @@
+{ pkgs, config, ... }: {
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances = {
+      nix = {
+        name = "nix";
+        enable = true;
+        url = "https://git.datarift.nl";
+        tokenFile = config.sops.secrets.runner-nix-token.path;
+        labels = [
+          "nix:docker://ghcr.io/eboskma/forgejo-nix-runner:latest"
+        ];
+        settings = {
+          runner = {
+            capacity = 1;
+          };
+          container = {
+            privileged = true;
+            valid_volumes = [
+              "/nix"
+              "/run/podman/podman.sock"
+              "/etc/containers/policy.json"
+            ];
+            docker_host = "-";
+          };
+        };
+      };
+    };
+  };
+}

machines/gitea-runner/secrets.yaml

@@ -0,0 +1,39 @@
+runner-nix-token: ENC[AES256_GCM,data:jZjs3RGr7Ga0Vf+O40o0PggDMD7T1y/zOEiOgD9quDo7u7Xce5sJxxl+Wzu0nw==,iv:to+r5Q0xO3TKtgWYF47Jur5Os93mfkCOXyXWkLfhG3c=,tag:kVbSOLCbxCgEhYZoXDM65g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRVhralpxUDBGZ1FXdllT
+            Z0dZYnErZDZmdlpuUTIzUVY3dndvWmNURlhJCnd4WEkwUE5RY2lBL0RwbzZ4VHFj
+            T2g2a01kbmF6RjE2bUNobVJ1ejdVREEKLS0tIFBGd2VHTkxIYVRNb3ZTMGtpZVM4
+            NjEwUUI4RWtleU10d1hmaFp4cXNZdHMKM/HEhoyImQ+VI+is4ylOixEZLqaVkVJd
+            O3MYXhRYT+ZpxqfIjVgV/eKSiLQp4S6rrYaFu/2Fxrqs3SahUkKStQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OElSUDBCbzRNOGU2VDhG
+            dEo4WEFvZWM3dDc0ZlhRdGVNZnBjRWFHbUJJClhWZ2pBWHNBb0VobVhHbTU0Tko4
+            bVMwNEphNDR1QVRtT3RLNHJsZFRkL0UKLS0tIEdjcVYzMW1IWlJBM0Fnc2ZSMXFu
+            UWZ3VDg1WFlCbnZZU3hMUVpUeFVaMVUKgGsTLinuI1dfAhZmLrbWLYf0tp0NYeu3
+            q1o53uBuMSyHZbS7RSxXuq6BdudHaNNZaQJJps2tdMpfvuC3YQnvdw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGhSLzFyaFR1cUZHb3Ez
+            K01oMEpEazNhOENTSzB4bUxhZE9XN29NUzJZCkxNdzQvUVB6Nlk4bHVPMUpNODdI
+            T3dmMlZQOWM3Wk9NazBwcWJmamI1M00KLS0tIG9qclJXaVA2SEthODkxRGIrTm4w
+            ZnlXMVd2OThCVmRnb1NWK1VWdTJndk0K41fiD0QsAorIZ6wuIty4+U22ET0+pGla
+            sAUGsOtBZ/vGSkCwc3lBHtdPKBWwY6J4B/ytS/H6Dnauw4RvOzjgbQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-24T11:13:17Z"
+    mac: ENC[AES256_GCM,data:R6r0IhmAXGlqQeo0A5beEbgolOX5rrXx32MlPjpPjybarB+0S6Jfu0tEWuMLy60sQ9j1xvkV7zF9HVfS+O+HLBVqTHolQ0HmFn6KmtK1bajXKSzOloRkKkooDvSvZJBlomRKPBsSNeXr0zqh2KbJzMRPIblnEXhq//hYWF8Q64A=,iv:iF1lDC/xPU145rbcslRDD3399h33TQe/XSmQah19XhY=,tag:n35gtrKF6eDyldAGl3rcZw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

modules/podman/default.nix

@@ -13,6 +13,11 @@ in
     enable = mkEnableOption "podman";
     enableNvidia = mkEnableOption "podman NVidia support";
     # enableTcpSocket = mkEnableOption "podman TCP socket";
+    insecureRegistries = mkOption {
+      description = "List of insecure registries that don't have a (valid) certificate";
+      type = types.listOf types.str;
+      default = [ ];
+    };
   };
 
   config = mkIf cfg.enable {
@@ -33,25 +38,21 @@ in
     };
 
     virtualisation.containers = {
+      enable = true;
       registries = {
-        insecure = [ "containers.internal.horus.nu" ];
-        search = [
-          "docker.io"
-          "quay.io"
-          "containers.internal.horus.nu"
-        ];
-      };
-      containersConf.settings = {
-        engine = {
-          helper_binaries_dir = [
-            "${pkgs.podman}/libexec/podman"
-          ];
-        };
-        containers = {
-          log_driver = "k8s-file";
-          events_logger = "journald";
-        };
+        insecure = cfg.insecureRegistries;
       };
+      # containersConf.settings = {
+      #   engine = {
+      #     helper_binaries_dir = [
+      #       "${pkgs.podman}/libexec/podman"
+      #     ];
+      #   };
+      #   containers = {
+      #     log_driver = "k8s-file";
+      #     events_logger = "journald";
+      #   };
+      # };
     };
 
     users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
@@ -59,7 +60,6 @@ in
     # Make DNS work in containers
     networking.firewall.interfaces.${podmanInterfaces} = {
       allowedUDPPorts = [ 53 ];
-      allowedTCPPorts = [ 53 ];
     };
 
     # services.ghostunnel = mkIf cfg.enableTcpSocket {