From 1ff3ab8af92874a4bda1a8557a1f60f3fe555941 Mon Sep 17 00:00:00 2001 From: Kabbone Date: Sat, 20 Jan 2024 17:09:55 +0100 Subject: [PATCH] hosts: server: get runner up and running --- hosts/default.nix | 1 + modules/services/dmz/gitea_runner.nix | 7 +- modules/services/dmz/microvm.nix | 3 +- modules/services/server/default.nix | 1 + modules/services/server/gitea_runner.nix | 29 +++-- modules/services/server/microvm.nix | 122 ++++++++++++++++++ secrets/secrets.nix | 3 +- secrets/services/gitea/homerunner-token.age | 21 +++ secrets/services/gitea/serverrunner-token.age | 22 ++++ 9 files changed, 191 insertions(+), 18 deletions(-) create mode 100644 modules/services/server/microvm.nix create mode 100644 secrets/services/gitea/homerunner-token.age create mode 100644 secrets/services/gitea/serverrunner-token.age diff --git a/hosts/default.nix b/hosts/default.nix index 38294d5..77fcab2 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -115,6 +115,7 @@ in specialArgs = { inherit inputs user location nixos-hardware nur agenix; }; modules = [ agenix.nixosModules.default + microvm.nixosModules.host nur.nixosModules.nur ./server ./configuration_server.nix diff --git a/modules/services/dmz/gitea_runner.nix b/modules/services/dmz/gitea_runner.nix index cec042b..f5a29f1 100644 --- a/modules/services/dmz/gitea_runner.nix +++ b/modules/services/dmz/gitea_runner.nix @@ -13,7 +13,7 @@ enable = true; url = "https://git.kabtop.de"; name = "Homerunner"; - tokenFile = config.age.secrets."services/gitea/runner-token".path; + tokenFile = config.age.secrets."services/gitea/homerunner-token".path; labels = [ "debian-latest:docker://node:18-bullseye" "native:host" 
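Review bot: The `specialArgs` shown as context still exports only `inputs user location nixos-hardware nur agenix`, while the new `modules/services/server/microvm.nix` in this patch declares `microvm`, `nixpkgs`, `user`, `agenix` and `impermanence` as module arguments; unless `microvm`, `nixpkgs` and `impermanence` are supplied through `_module.args` or another path outside this hunk, evaluating the server host should fail with a missing-argument error. Adding them next to `agenix`, e.g. `specialArgs = { inherit inputs user location nixos-hardware nur agenix microvm nixpkgs impermanence; };`, would make the dependency explicit. The `let` block that binds `microvm` for the added `microvm.nixosModules.host` line is outside the hunk, so whether that name is in scope here cannot be confirmed from the diff either.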
@@ -25,13 +25,12 @@ coreutils wget gnused -# agenix.packages.x86_64-linux.default ]; }; }; - age.secrets."services/gitea/runner-token" = { - file = ../../../secrets/services/gitea/runner-token.age; + age.secrets."services/gitea/homerunner-token" = { + file = ../../../secrets/services/gitea/homerunner-token.age; owner = "gitea-runner"; }; } diff --git a/modules/services/dmz/microvm.nix b/modules/services/dmz/microvm.nix index c673e0b..259b698 100644 --- a/modules/services/dmz/microvm.nix +++ b/modules/services/dmz/microvm.nix @@ -114,7 +114,8 @@ in #writableStoreOverlay = "/nix/.rw-store"; #storeOnDisk = true; }; - system.stateVersion = "23.05"; + + system.stateVersion = "23.05"; }; }; }; diff --git a/modules/services/server/default.nix b/modules/services/server/default.nix index c593745..27ebdee 100644 --- a/modules/services/server/default.nix +++ b/modules/services/server/default.nix @@ -13,6 +13,7 @@ [ ./postgresql.nix ./gitea.nix + ./microvm.nix ./nextcloud.nix ./matrix.nix ./coturn.nix diff --git a/modules/services/server/gitea_runner.nix b/modules/services/server/gitea_runner.nix index d9544d5..c2a8548 100644 --- a/modules/services/server/gitea_runner.nix +++ b/modules/services/server/gitea_runner.nix 
@@ -1,31 +1,36 @@ { lib, config, pkgs, ... }: -let - nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; # Nix Packages -in { - imports = [ ]; virtualisation = { podman ={ enable = true; autoPrune.enable = true; }; - memorySize = 4096; - diskSize = 10240; }; services.gitea-actions-runner.instances = { - nixrunner-test = { + serverrunner = { enable = true; url = "https://git.kabtop.de"; - name = "nix_runner_test"; - #tokenFile = "./gitea_token"; - token = "vlUBkX5IbJKTBO3HAGqFM1fEOw2UqXpX87LcdJRY"; + name = "Server runner"; + tokenFile = config.age.secrets."services/gitea/serverrunner-token".path; labels = [ "debian-latest:docker://node:18-bullseye" + "native:host" + ]; + hostPackages = with pkgs; [ + bash + curl + gitMinimal + coreutils + wget + gnused ]; }; }; - users.users.root.initialPassword = "babablup"; - system.stateVersion = "23.11"; + + age.secrets."services/gitea/serverrunner-token" = { + file = ../../../secrets/services/gitea/serverrunner-token.age; + owner = "gitea-runner"; + }; } diff --git a/modules/services/server/microvm.nix b/modules/services/server/microvm.nix new file mode 100644 index 0000000..c3b9485 --- /dev/null +++ b/modules/services/server/microvm.nix 
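Review bot: The new `"native:host"` label lets any workflow that selects it execute directly in the runner VM as the `gitea-runner` service user with the listed `hostPackages`, not inside a container; the DMZ runner already carries the same label, but this file should state the consequence, e.g. `# native:host runs jobs unsandboxed inside this VM; the microvm boundary is the isolation, so keep the VM off anything it does not need`. The literal registration token and root `initialPassword` removed here remain in the repository history, so they should be treated as disclosed and revoked/rotated on the Gitea instance if they were ever valid. The instance block now duplicates `modules/services/dmz/gitea_runner.nix` almost line for line (url, labels, hostPackages, secret wiring); a shared module parameterised on the instance name and secret path would keep the two from drifting.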
@@ -0,0 +1,122 @@ +{ config, microvm, nixpkgs, user, agenix, impermanence, ... }: +let + name = "gitea-runner"; +in +{ + microvm = { + autostart = [ + name + ]; + vms = { + ${name} = { + + pkgs = import nixpkgs { + system = "x86_64-linux"; + config.allowUnfree = true; + }; + + config = { + imports = + [ agenix.nixosModules.default ] ++ + [ impermanence.nixosModules.impermanence ] ++ + [( ./gitea_runner.nix )]; + + networking = { + hostName = "${name}"; + + firewall = { + enable = true; + allowedUDPPorts = [ ]; + allowedTCPPorts = [ ]; + }; + }; + systemd.network = { + enable = true; + networks = { + "10-lan" = { + matchConfig.Name = "*"; + networkConfig = { + DHCP = "yes"; + IPv6AcceptRA = true; + }; + }; + }; + }; + + users.users.${user} = { # System User + isNormalUser = true; + extraGroups = [ "wheel" ]; + uid = 2000; + openssh.authorizedKeys.keys = [ + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de" + "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de" + ]; + }; + services = { + openssh = { + enable = true; + settings.PasswordAuthentication = false; + hostKeys = [ + { + path = "/persist/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/etc/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + }]; + }; + }; + + fileSystems."/persist".neededForBoot = nixpkgs.lib.mkForce true; + + environment.persistence."/persist" = { + directories = [ + "/var/lib/nixos" + "/var/log" + ]; + + files = [ + "/etc/machine-id" + ]; + }; + + 
microvm = { + hypervisor = "cloud-hypervisor"; + vcpu = 4; + mem = 4096; + interfaces = [ + { + type = "macvtap"; + id = "vm-${name}"; + mac = "04:00:00:00:00:01"; + macvtap = { + link = "enp6s18"; + mode = "bridge"; + }; + } ]; + shares = [{ + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/etc/vm-persist/${name}"; + mountPoint = "/persist"; + tag = "persist"; + proto = "virtiofs"; + }]; + #writableStoreOverlay = "/nix/.rw-store"; + #storeOnDisk = true; + }; + + system.stateVersion = "23.05"; + }; + }; + }; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3455b70..f9d0ea9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -67,7 +67,8 @@ in "services/nextcloud/onlyofficedb.age".publicKeys = servers ++ users; "services/gitea/databasePassword.age".publicKeys = servers ++ users; "services/gitea/mailerPassword.age".publicKeys = servers ++ users; - "services/gitea/runner-token.age".publicKeys = runners ++ users; + "services/gitea/homerunner-token.age".publicKeys = runners ++ users; + "services/gitea/serverrunner-token.age".publicKeys = servers ++ users; "keys/nixremote.age".publicKeys = buildClients ++ users; "keys/nixservepriv.age".publicKeys = buildServer ++ users; } diff --git a/secrets/services/gitea/homerunner-token.age b/secrets/services/gitea/homerunner-token.age new file mode 100644 index 0000000..bbf591a --- /dev/null +++ b/secrets/services/gitea/homerunner-token.age 
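Review bot: `networking.firewall.allowedTCPPorts = [ ]` reads as if nothing is reachable, but `services.openssh.enable = true` further down opens port 22 regardless, because `services.openssh.openFirewall` defaults to true; either list `22` explicitly or set `services.openssh.openFirewall = false;` if a closed VM was the intent, and add a comment saying which. The VM joins the LAN through a macvtap bridge on `enp6s18` with DHCP, so a CI job accepted under the `native:host` label of the imported `./gitea_runner.nix` runs with whatever reach that segment provides; a header comment documenting that this runner is deliberately on the server network rather than the DMZ, and what ingress/egress it is expected to have, would help the next reader. The fixed `mac = "04:00:00:00:00:01"` collides if another VM on the same link uses the same value; the DMZ VM's interface block is not visible here, so confirm they differ. Stylistically, `imports = [ agenix.nixosModules.default ] ++ [ impermanence.nixosModules.impermanence ] ++ [( ./gitea_runner.nix )]` can be one list and `hostName = "${name}"` can be `hostName = name;`.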
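Review bot: `"services/gitea/serverrunner-token.age".publicKeys = servers ++ users` encrypts the new token to the `servers` set, but the secret is consumed inside the new `gitea-runner` microvm, where agenix will decrypt with that guest's own host key (`/persist/etc/ssh/ssh_host_ed25519_key` in `modules/services/server/microvm.nix`), not the physical server's; unless that VM key is already a member of `servers`, decryption in the guest will fail. The homerunner entry keeps a separate `runners` set, presumably for this reason, so either add the VM key there and use `runners ++ users` here as well, or comment why `servers` is the right recipient list. The `let` block defining `servers`, `runners` and `users` is outside the hunk.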
@@ -0,0 +1,21 @@ +age-encryption.org/v1 +-> ssh-ed25519 1fxDZw TDpxzsr/x1p3WR7SKVetYVlKqdIxMI6w98tM5MIHC30 +HmWHgsw11pqILyvSl0FjeOokMuxlA9u128aAECK0Qvc +-> ssh-rsa VtjGpQ +XTL+rQuSTsY42cuFi2HKBo/6xRa+5Aw0NJafCDg4PBYbNvZf8Q4EFtrX3k3JzUcE +fgzJI81h/ijl6FzvnAsfB0oMR/RIxHNdheIMxilsiaVGDS6ATnq8Mk7Ca67MtM5Y +Uc9XQ6I4qtL3rdpvnp3BjR3d1KfmwsTBeYJrl03vltLBN8twgD7mBabtjcl38u1A +emcgc8qAhz45n+07yVnqRqdMUY3VntqyL2DzasaPhpQHqV0jwWATNMGJilpvOSpn +it5VGZWGVjjHiGtwEGvuWBRi2+4jt02WwrDmlrqoSZxiqXW42XCa9pPn/X+U1UYE +dBJ1iPNc9EEQhr3sIewDAvjy2m4T/4wzY1gpgfiAY1FzgObZXOM3cv11yIAJU0ZX +nnDTgJmRysxvp/at1dEDbza8krIGcBW0tWYvKQdm2kh3m+nTZWI2Btmm+hT60qYX +4pLNkz0WR1nwdzzw0mSYXbPLlFAb8OrKP8fGJKvC6VM8C/Tofp+gWbfGnAFIq0um +hBcCK3hlg/QDdBV3jrIQyX+Vk+W3xe5QMjI8Oem9Jzy/y4MmMjUV7x8X5hd6KiK9 +wc5Dt0VL1KgwomYLvrNnl32TAGK+tOVXPRLaFiR9jwsrJZ3GXlsxJO0W2hFjp3wk +GGX/CFqRy228of9ujc+yPi6r9SO4BNT0eelwEbp0Kfs +-> piv-p256 grR75w A4dwZqBbpqrb3KcacC1mupb7Nka8s7RlHfVcc07L1ApC +5xM0zPEnRoA08LEdQDl3qcsOaNXPHgyDJxfRV3ar8cA +-> piv-p256 RQguQQ AgC34mS9BXHs3UM7Xp7e66oMUKAJ7VASdxRCJuWnzZcz +oOFQFWLUkQyGvHvmq2dZHDiE9J4J/wE3NBT1ASHtKRE +--- fbj8iFIYKQvjNminxZ0TLt7S2RSdozKUhq2ARdI1L9s +>H&3L<,Dv܍cBIdJi%gK׳`g9kNCPb as="S \ No newline at end of file diff --git a/secrets/services/gitea/serverrunner-token.age b/secrets/services/gitea/serverrunner-token.age new file mode 100644 index 0000000..5675396 --- /dev/null +++ b/secrets/services/gitea/serverrunner-token.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 neExcQ kkb+2hSKM3QJqBqiBy6znWP4TLqlj4YOwh1l/7bTrSU +HLSXj+cqZPfTka1CHTaZQWiscFgrbMMnNnyG7g6b3yM +-> ssh-rsa VtjGpQ +LLGaBOCsmw34k0q4kjaiH5/ZEOg6PcY8mnO7lUKTgC2Qu6A8czF7APbWx+DtGxQV +nc8Q22KUAEIyonZLiW+txuVCefUmMwLVBopcArDLFG6Nher8693zXXShejNxdbaA +l00gIt1hbXGsw6CLtExPXPKQwAzc23Qg1o/wHgILX9euxyOH5wOCXsFT5nf9q5v2 +kkFwRT/R4VTO6GZCDM+EeiOyQIpSA2L/vT1D4hLNQGheTTvsJNKWFLzkZ5RLabww +bezeXy/bvujvgLuBRaGz7/MaZ1sf4HEIUVydkuEapwkXHq45Gc2Pc6u5N7j0Kzmg +WgKOe99ojXmlucDYNKvH1veHZ7NZa4hVS0ZeKpvJr3r1s22w7zIBgp8sP2REWVEj +R6Oz1+4HSIfOYkRuwj7NrR4DoGYXHPDqz0ucOWxfRwBE1jkGejzR2B+qC60SNlR0 +1EWEvB0strFWavx3YxSL6qYcr66whoXx37NL8Ix5IFyYYyJHViegwBM3EvA2O4Zf +O7MOzw2pkFrkF7AxYM7VjyidBCeQVjrBvObFxquDT7qOtWBVHPWbcpLM94gdQSym +cUzUcjtR+u9nrisIKnDhmW52JKrROfj9hbkQnSWMbQdMwpi9o+j5hGr7yPiuNp55 +mjvKaCunL369uPcgueith6b6BDUlOcneCRYe2z36r5A +-> piv-p256 grR75w AoreZEXslTqbyt+5ElaLnezouPXFgxUF2g479nks8v+x +XZL5bpQJhDfbHJMVCMmsWQJFUq18O8OBG5VrxKMm/FQ +-> piv-p256 RQguQQ AqkXjc6iVWJpbLDsZ8DQJooirpXwEPKNIrb5/Q3tCA2f +HIR9Baoz97Dq10Gfp6AxxMAqkHNrWqbvZWDYdo/yGKQ +--- h/88hd84A0UjdH5+AxoztaH2Now4HPK5KgfEib3ipk0 +ѣ_S +1iů4mwɳ\5*ft{˜a fl=P8 jے 兕y5Yu \ No newline at end of file