diff --git a/.sops.yaml b/.sops.yaml
index fba0489..0980410 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -5,6 +5,7 @@ keys:
 - &ci age1tmlx45s4f6qp929839yd5y5vxkj2z4z8wmhqsnne9j8j5uwx6p8qssun8l
 - &frigate age1gtzlyyxdnt23xzyq6lq5ye645egxl7up25agxw23nuhjl6ax0dmqrlqvpf
 - &gitea age1mh39yv2j3ltl50tjnqqgjctxth3nxa74ggwn29dpvcv08qd0psnssajsmd
+ - &gitea-runner age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2
 - &heimdall age1z94c897pvq4tx0xwsj6wr8emnlpmk6u0xks75rydga6r33dlapjqyqqacc
 - &mimir age192a3nepaclecjjkxssszueak6rxar49prceplvvxc5m4f3ww7g5qpfgdqj
 - &minio age1cjxe2e7zemvs0jacjawug6k2qnmcpvnka3e04mfzp939h7hppydqrlp6l5
@@ -41,6 +42,12 @@ creation_rules:
 - *erwin
 - *erwin_horus
 - *gitea
+ - path_regex: machines/gitea-runner/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *erwin
+ - *erwin_horus
+ - *gitea-runner
 - path_regex: machines/heimdall/[^/]+\.yaml$
 key_groups:
 - age:
diff --git a/machines/default.nix b/machines/default.nix
index e06317d..cd5564f 100644
--- a/machines/default.nix
+++ b/machines/default.nix
@@ -32,6 +32,17 @@ inputs: {
 tags = [ "container" ];
 };
 };
+ gitea-runner = {
+ config = import ./gitea-runner/configuration.nix inputs;
+ deploy = {
+ # host = "10.0.0.210";
+ host = "gitea-runner.barn-beaver.ts.net";
+ sshUser = "erwin";
+ buildOn = "local";
+ substituteOnTarget = true;
+ tags = [ "container" ];
+ };
+ };
 heimdall = {
 config = import ./heimdall/configuration.nix inputs;
 deploy = {
diff --git a/machines/gitea-runner/configuration.nix b/machines/gitea-runner/configuration.nix
new file mode 100644
index 0000000..3e9fc16
--- /dev/null
+++ b/machines/gitea-runner/configuration.nix
@@ -0,0 +1,78 @@
+{ self, ... }:
+{ modulesPath, ... }: {
+ imports = [
+ (modulesPath + "/virtualisation/lxc-container.nix")
+
+ ../../users/root
+ ../../users/erwin
+
+ ./gitea-runner
+ ];
+
+ eboskma = {
+ users.erwin = {
+ enable = true;
+ server = true;
+ };
+ nix-common = {
+ enable = true;
+ remote-builders = true;
+ };
+ podman.enable = true;
+ tailscale.enable = true;
+ };
+
+ boot.isContainer = true;
+
+ time.timeZone = "Europe/Amsterdam";
+
+ system.configurationRevision = self.inputs.nixpkgs.lib.mkIf (self ? rev) self.rev;
+
+ networking = {
+ hostName = "gitea-runner";
+ useDHCP = false;
+ useHostResolvConf = false;
+ networkmanager.enable = false;
+ useNetworkd = true;
+ nftables.enable = false;
+
+ firewall = {
+ trustedInterfaces = [ "tailscale0" ];
+ };
+ };
+
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "40-eth0" = {
+ matchConfig = {
+ Name = "eth0";
+ };
+
+ networkConfig = {
+ Address = "10.0.0.210/24";
+ Gateway = "10.0.0.1";
+ DNS = "10.0.0.206";
+ DHCP = "no";
+ };
+ };
+ };
+ };
+
+ security = {
+ sudo-rs = {
+ enable = true;
+ execWheelOnly = true;
+ wheelNeedsPassword = false;
+ };
+ sudo.enable = false;
+ };
+
+ sops.defaultSopsFile = ./secrets.yaml;
+ sops.secrets = {
+ runner-nix-token = { };
+ };
+
+ system.stateVersion = "24.05";
+}
diff --git a/machines/gitea-runner/gitea-runner/default.nix b/machines/gitea-runner/gitea-runner/default.nix
new file mode 100644
index 0000000..b5026ac
--- /dev/null
+++ b/machines/gitea-runner/gitea-runner/default.nix
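Review bot: `wheelNeedsPassword = false` under `security.sudo-rs` gives every wheel member root without a prompt on a host whose purpose is to execute CI jobs, and the hunk records no reason for it; presumably it exists so the `sshUser = "erwin"` deployment declared in machines/default.nix can activate the configuration non-interactively, but that intent should be written down. A comment next to it such as `# no password for wheel: the deploy user must activate the system non-interactively` keeps the next reader from either removing it or copying it to hosts that do not need it. Because jobs on this runner can reach a privileged container engine (see the gitea-runner/default.nix hunk), any code that reaches a wheel account here is effectively root, so wheel membership on this host should stay limited to the deploy account.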
@@ -0,0 +1,31 @@
+{ pkgs, config, ... }: {
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+
+ instances = {
+ nix = {
+ name = "nix";
+ enable = true;
+ url = "https://git.datarift.nl";
+ tokenFile = config.sops.secrets.runner-nix-token.path;
+ labels = [
+ "nix:docker://ghcr.io/eboskma/forgejo-nix-runner:latest"
+ ];
+ settings = {
+ runner = {
+ capacity = 1;
+ };
+ container = {
+ privileged = true;
+ valid_volumes = [
+ "/nix"
+ "/run/podman/podman.sock"
+ "/etc/containers/policy.json"
+ ];
+ docker_host = "-";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/machines/gitea-runner/secrets.yaml b/machines/gitea-runner/secrets.yaml
new file mode 100644
index 0000000..437d9cd
--- /dev/null
+++ b/machines/gitea-runner/secrets.yaml
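Review bot: `container.privileged = true` together with `valid_volumes` listing `/run/podman/podman.sock` and `/nix` lets any workflow this runner accepts request the host's container-engine socket and the host store, which amounts to root on the runner machine, and the hunk gives no justification for those mounts. If the nix job image only needs the store, drop the socket from `valid_volumes` and keep `privileged = false` unless the image is known to require it, recording the remaining reason in a comment such as `# /nix is shared so jobs reuse the host store; only the paths listed here may be mounted by a job`. The label pins `ghcr.io/eboskma/forgejo-nix-runner:latest`, a mutable tag, so the job image can change underneath the runner without any change in this repository; a version tag or a digest would make the job environment reproducible and reviewable. `docker_host = "-"` presumably prevents the engine socket from being injected into job containers by default — worth confirming against the runner's documented semantics before relying on it as the only barrier.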
@@ -0,0 +1,39 @@ +runner-nix-token: ENC[AES256_GCM,data:jZjs3RGr7Ga0Vf+O40o0PggDMD7T1y/zOEiOgD9quDo7u7Xce5sJxxl+Wzu0nw==,iv:to+r5Q0xO3TKtgWYF47Jur5Os93mfkCOXyXWkLfhG3c=,tag:kVbSOLCbxCgEhYZoXDM65g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1h7ddyj66gcqt5vnzphjfn6y5tul79q0glcdl0et9w44z2evl999qe02wht + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRVhralpxUDBGZ1FXdllT + Z0dZYnErZDZmdlpuUTIzUVY3dndvWmNURlhJCnd4WEkwUE5RY2lBL0RwbzZ4VHFj + T2g2a01kbmF6RjE2bUNobVJ1ejdVREEKLS0tIFBGd2VHTkxIYVRNb3ZTMGtpZVM4 + NjEwUUI4RWtleU10d1hmaFp4cXNZdHMKM/HEhoyImQ+VI+is4ylOixEZLqaVkVJd + O3MYXhRYT+ZpxqfIjVgV/eKSiLQp4S6rrYaFu/2Fxrqs3SahUkKStQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1435gxhlpu55pp86r8pullhc6wg43nv6qm5l3g2vl5000xhn8apdqtlf8cg + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5OElSUDBCbzRNOGU2VDhG + dEo4WEFvZWM3dDc0ZlhRdGVNZnBjRWFHbUJJClhWZ2pBWHNBb0VobVhHbTU0Tko4 + bVMwNEphNDR1QVRtT3RLNHJsZFRkL0UKLS0tIEdjcVYzMW1IWlJBM0Fnc2ZSMXFu + UWZ3VDg1WFlCbnZZU3hMUVpUeFVaMVUKgGsTLinuI1dfAhZmLrbWLYf0tp0NYeu3 + q1o53uBuMSyHZbS7RSxXuq6BdudHaNNZaQJJps2tdMpfvuC3YQnvdw== + -----END AGE ENCRYPTED FILE----- + - recipient: age19jrte20w4e5u83m5s8m8c2ca6sha6e2l2k66g28jz4mpkfs0f3jq26rdp2 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOTGhSLzFyaFR1cUZHb3Ez + K01oMEpEazNhOENTSzB4bUxhZE9XN29NUzJZCkxNdzQvUVB6Nlk4bHVPMUpNODdI + T3dmMlZQOWM3Wk9NazBwcWJmamI1M00KLS0tIG9qclJXaVA2SEthODkxRGIrTm4w + ZnlXMVd2OThCVmRnb1NWK1VWdTJndk0K41fiD0QsAorIZ6wuIty4+U22ET0+pGla + sAUGsOtBZ/vGSkCwc3lBHtdPKBWwY6J4B/ytS/H6Dnauw4RvOzjgbQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-24T11:13:17Z" + mac: 
ENC[AES256_GCM,data:R6r0IhmAXGlqQeo0A5beEbgolOX5rrXx32MlPjpPjybarB+0S6Jfu0tEWuMLy60sQ9j1xvkV7zF9HVfS+O+HLBVqTHolQ0HmFn6KmtK1bajXKSzOloRkKkooDvSvZJBlomRKPBsSNeXr0zqh2KbJzMRPIblnEXhq//hYWF8Q64A=,iv:iF1lDC/xPU145rbcslRDD3399h33TQe/XSmQah19XhY=,tag:n35gtrKF6eDyldAGl3rcZw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1
diff --git a/modules/podman/default.nix b/modules/podman/default.nix
index 98cccc4..3f72194 100644
--- a/modules/podman/default.nix
+++ b/modules/podman/default.nix
@@ -13,6 +13,11 @@ in
 enable = mkEnableOption "podman";
 enableNvidia = mkEnableOption "podman NVidia support";
 # enableTcpSocket = mkEnableOption "podman TCP socket";
+ insecureRegistries = mkOption {
+ description = "List of insecure registries that don't have a (valid) certificate";
+ type = types.listOf types.str;
+ default = [ ];
+ };
 };
 config = mkIf cfg.enable {
@@ -33,25 +38,21 @@ in
 };
 virtualisation.containers = {
+ enable = true;
 registries = {
- insecure = [ "containers.internal.horus.nu" ];
- search = [
- "docker.io"
- "quay.io"
- "containers.internal.horus.nu"
- ];
- };
- containersConf.settings = {
- engine = {
- helper_binaries_dir = [
- "${pkgs.podman}/libexec/podman"
- ];
- };
- containers = {
- log_driver = "k8s-file";
- events_logger = "journald";
- };
+ insecure = cfg.insecureRegistries;
 };
+ # containersConf.settings = {
+ # engine = {
+ # helper_binaries_dir = [
+ # "${pkgs.podman}/libexec/podman"
+ # ];
+ # };
+ # containers = {
+ # log_driver = "k8s-file";
+ # events_logger = "journald";
+ # };
+ # };
 };
 users.extraUsers.${config.eboskma.var.mainUser}.extraGroups = [ "podman" ];
@@ -59,7 +60,6 @@ in
 # Make DNS work in containers
 networking.firewall.interfaces.${podmanInterfaces} = {
 allowedUDPPorts = [ 53 ];
- allowedTCPPorts = [ 53 ];
 };
 # services.ghostunnel = mkIf cfg.enableTcpSocket {
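Review bot: The description of the new `insecureRegistries` option understates what the `insecure` registry flag does: containers-registries.conf treats an insecure registry as one that may be reached over plain HTTP or with an unverified TLS certificate, so image pulls from it are not authenticated in transit, not merely "missing a valid certificate". Suggest `description = "Registries that may be reached over plain HTTP or with an unverified TLS certificate; images from them are not authenticated in transit, so list only registries on a trusted network";`. The empty default is the right choice and is a clear improvement over the previously hard-coded entry.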
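Review bot: The `search` list is removed together with the hard-coded `containers.internal.horus.nu` entry, so after this change an unqualified image name on a host that relied on that registry resolves against the module's default search list instead; such hosts now have to set `insecureRegistries` and use fully qualified image names, and nothing in the hunk notes that migration. The `containersConf.settings` block survives as eleven commented-out lines rather than being deleted; either delete it (history keeps it) or prefix it with a one-line reason, e.g. `# kept disabled: <reason it was turned off>`, so a later reader knows whether re-enabling it is safe.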
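Review bot: Dropping `allowedTCPPorts = [ 53 ];` while keeping UDP leaves DNS answers too large for a UDP datagram (truncated responses, larger TXT or DNSSEC records) with no TCP fallback on the `${podmanInterfaces}` interfaces, so if a resolver on those interfaces serves containers, some lookups can start failing intermittently. If TCP 53 was removed deliberately because nothing listens on it, a comment on the remaining line such as `# UDP only: the container DNS forwarder does not listen on TCP` would make that explicit; otherwise the line should be restored. The `# Make DNS work in containers` comment just above implies both ports were originally intended.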