hosts: server: get runner up and running

hosts/default.nix

@@ -115,6 +115,7 @@ in
     specialArgs = { inherit inputs user location nixos-hardware nur agenix; };
     modules = [
       agenix.nixosModules.default
+      microvm.nixosModules.host
       nur.nixosModules.nur
       ./server
       ./configuration_server.nix

modules/services/dmz/gitea_runner.nix

@@ -13,7 +13,7 @@
             enable = true;
             url = "https://git.kabtop.de";
             name = "Homerunner";
-            tokenFile = config.age.secrets."services/gitea/runner-token".path;
+            tokenFile = config.age.secrets."services/gitea/homerunner-token".path;
             labels = [ 
               "debian-latest:docker://node:18-bullseye"
               "native:host"
@@ -25,13 +25,12 @@
               coreutils
               wget
               gnused
-#              agenix.packages.x86_64-linux.default
             ];
         };
     };
 
-    age.secrets."services/gitea/runner-token" = {
+    age.secrets."services/gitea/homerunner-token" = {
-      file = ../../../secrets/services/gitea/runner-token.age;
+      file = ../../../secrets/services/gitea/homerunner-token.age;
       owner = "gitea-runner";
     };
 }

modules/services/dmz/microvm.nix

@@ -114,7 +114,8 @@ in
             #writableStoreOverlay = "/nix/.rw-store";
             #storeOnDisk = true;
           };
-        system.stateVersion = "23.05";
+
+          system.stateVersion = "23.05";
         };
       };
     };

modules/services/server/default.nix

@@ -13,6 +13,7 @@
 [
   ./postgresql.nix
   ./gitea.nix
+  ./microvm.nix
   ./nextcloud.nix
   ./matrix.nix
   ./coturn.nix

modules/services/server/gitea_runner.nix

@@ -1,31 +1,36 @@
 { lib, config, pkgs, ... }:
 
-let
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";                  # Nix Packages
-in
 {
-    imports = [ <nixpkgs/nixos/modules/virtualisation/qemu-vm.nix> ];
     virtualisation = {
       podman ={
         enable = true;
         autoPrune.enable = true;
       };
-      memorySize = 4096;
-      diskSize = 10240;
     };
 
     services.gitea-actions-runner.instances = {
-        nixrunner-test = {
+        serverrunner = {
             enable = true;
             url = "https://git.kabtop.de";
-            name = "nix_runner_test";
+            name = "Server runner";
-            #tokenFile = "./gitea_token";
+            tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
-            token = "vlUBkX5IbJKTBO3HAGqFM1fEOw2UqXpX87LcdJRY";
             labels = [ 
               "debian-latest:docker://node:18-bullseye"
+              "native:host"
+            ];
+            hostPackages = with pkgs; [
+              bash
+              curl
+              gitMinimal
+              coreutils
+              wget
+              gnused
             ];
         };
     };
-    users.users.root.initialPassword = "babablup";
+
-    system.stateVersion = "23.11";
+    age.secrets."services/gitea/serverrunner-token" = {
+      file = ../../../secrets/services/gitea/serverrunner-token.age;
+      owner = "gitea-runner";
+    };
 }

modules/services/server/microvm.nix

@@ -0,0 +1,122 @@
+{ config, microvm, nixpkgs, user, agenix, impermanence, ... }:
+let
+  name = "gitea-runner";
+in
+{
+  microvm = {
+    autostart = [
+      name
+    ];
+    vms = {
+      ${name} = {
+
+        pkgs = import nixpkgs {
+          system = "x86_64-linux";
+          config.allowUnfree = true;
+        };
+
+        config = {
+          imports = 
+            [ agenix.nixosModules.default ] ++
+            [ impermanence.nixosModules.impermanence ] ++
+            [( ./gitea_runner.nix )];
+
+          networking = {
+            hostName = "${name}";
+
+            firewall = {
+              enable = true;
+                allowedUDPPorts = [  ];
+                allowedTCPPorts = [  ];
+            };
+          };
+          systemd.network = {
+              enable = true;
+              networks = {
+                  "10-lan" = {
+                      matchConfig.Name = "*";
+                      networkConfig = {
+                        DHCP = "yes";
+                        IPv6AcceptRA = true;
+                      };
+                  };
+              };
+          };
+
+          users.users.${user} = {                   # System User
+            isNormalUser = true;
+            extraGroups = [ "wheel" ];
+            uid = 2000;
+            openssh.authorizedKeys.keys = [
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIANmaraVJ/o20c4dqVnGLp/wGck9QNHFPvO9jcEbKS29AAAABHNzaDo= kabbone@kabc"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIIgo4IP8ISUohyAMiDc3zEe6ESUE3un7eN5FhVtxZHmcAAAABHNzaDo= kabbone@kabc"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIKVDApb3vZ+i97V4xLJh8rUF6z5OVYfORlXYbLhdQO15AAAABHNzaDo= kabbone@hades.home.opel-online.de"
+              "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIB0q++epdX7feQxvmC2m/CJEoJbkqtAJy6Ml6WKHxryZAAAABHNzaDo= kabbone@hades.home.opel-online.de"
+            ];
+          };
+          services = {
+            openssh = {
+              enable = true;
+              settings.PasswordAuthentication = false;
+              hostKeys = [
+              {
+                  path = "/persist/etc/ssh/ssh_host_ed25519_key";
+                  type = "ed25519";
+              }
+              {
+                  path = "/persist/etc/ssh/ssh_host_rsa_key";
+                  type = "rsa";
+                  bits = 4096;
+              }];
+            };
+          };
+
+          fileSystems."/persist".neededForBoot = nixpkgs.lib.mkForce true;
+
+          environment.persistence."/persist" = {
+              directories = [
+                "/var/lib/nixos"
+                "/var/log"
+              ];
+
+              files = [
+                "/etc/machine-id"
+              ];
+          };
+
+          microvm = {
+            hypervisor = "cloud-hypervisor";
+            vcpu = 4;
+            mem = 4096;
+            interfaces = [
+            {
+              type = "macvtap";
+              id = "vm-${name}";
+              mac = "04:00:00:00:00:01";
+              macvtap = {
+                  link = "enp6s18";
+                  mode = "bridge";
+              };
+            } ];
+             shares = [{
+              source = "/nix/store";
+              mountPoint = "/nix/.ro-store";
+              tag = "ro-store";
+              proto = "virtiofs";
+            }
+            {
+              source = "/etc/vm-persist/${name}";
+              mountPoint = "/persist";
+              tag = "persist";
+              proto = "virtiofs";
+            }];
+            #writableStoreOverlay = "/nix/.rw-store";
+            #storeOnDisk = true;
+          };
+
+          system.stateVersion = "23.05";
+        };
+      };
+    };
+  };
+}

secrets/secrets.nix

@@ -67,7 +67,8 @@ in
         "services/nextcloud/onlyofficedb.age".publicKeys = servers ++ users;
         "services/gitea/databasePassword.age".publicKeys = servers ++ users;
         "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
-        "services/gitea/runner-token.age".publicKeys = runners ++ users;
+        "services/gitea/homerunner-token.age".publicKeys = runners ++ users;
+        "services/gitea/serverrunner-token.age".publicKeys = servers ++ users;
         "keys/nixremote.age".publicKeys = buildClients ++ users;
         "keys/nixservepriv.age".publicKeys = buildServer ++ users;
     }

secrets/services/gitea/homerunner-token.age

@@ -0,0 +1,21 @@
+age-encryption.org/v1
+-> ssh-ed25519 1fxDZw TDpxzsr/x1p3WR7SKVetYVlKqdIxMI6w98tM5MIHC30
+HmWHgsw11pqILyvSl0FjeOokMuxlA9u128aAECK0Qvc
+-> ssh-rsa VtjGpQ
+XTL+rQuSTsY42cuFi2HKBo/6xRa+5Aw0NJafCDg4PBYbNvZf8Q4EFtrX3k3JzUcE
+fgzJI81h/ijl6FzvnAsfB0oMR/RIxHNdheIMxilsiaVGDS6ATnq8Mk7Ca67MtM5Y
+Uc9XQ6I4qtL3rdpvnp3BjR3d1KfmwsTBeYJrl03vltLBN8twgD7mBabtjcl38u1A
+emcgc8qAhz45n+07yVnqRqdMUY3VntqyL2DzasaPhpQHqV0jwWATNMGJilpvOSpn
+it5VGZWGVjjHiGtwEGvuWBRi2+4jt02WwrDmlrqoSZxiqXW42XCa9pPn/X+U1UYE
+dBJ1iPNc9EEQhr3sIewDAvjy2m4T/4wzY1gpgfiAY1FzgObZXOM3cv11yIAJU0ZX
+nnDTgJmRysxvp/at1dEDbza8krIGcBW0tWYvKQdm2kh3m+nTZWI2Btmm+hT60qYX
+4pLNkz0WR1nwdzzw0mSYXbPLlFAb8OrKP8fGJKvC6VM8C/Tofp+gWbfGnAFIq0um
+hBcCK3hlg/QDdBV3jrIQyX+Vk+W3xe5QMjI8Oem9Jzy/y4MmMjUV7x8X5hd6KiK9
+wc5Dt0VL1KgwomYLvrNnl32TAGK+tOVXPRLaFiR9jwsrJZ3GXlsxJO0W2hFjp3wk
+GGX/CFqRy228of9ujc+yPi6r9SO4BNT0eelwEbp0Kfs
+-> piv-p256 grR75w A4dwZqBbpqrb3KcacC1mupb7Nka8s7RlHfVcc07L1ApC
+5xM0zPEnRoA08LEdQDl3qcsOaNXPHgyDJxfRV3ar8cA
+-> piv-p256 RQguQQ AgC34mS9BXHs3UM7Xp7e66oMUKAJ7VASdxRCJuWnzZcz
+oOFQFWLUkQyGvHvmq2dZHDiE9J4J/wE3NBT1ASHtKRE
+--- fbj8iFIYKQvjNminxZ0TLt7S2RSdozKUhq2ARdI1L9s
+á>H¿ôý&‡3§LÈÊ<,DvÜ<76>c¨ìá†ïBIñdJÐi%þgK׳`úª³…g<>9kN¹CPºžÁù«öb›ï	ÒÜêáa<1A>œés=áÏ"S

secrets/services/gitea/serverrunner-token.age

@@ -0,0 +1,22 @@
+age-encryption.org/v1
+-> ssh-ed25519 neExcQ kkb+2hSKM3QJqBqiBy6znWP4TLqlj4YOwh1l/7bTrSU
+HLSXj+cqZPfTka1CHTaZQWiscFgrbMMnNnyG7g6b3yM
+-> ssh-rsa VtjGpQ
+LLGaBOCsmw34k0q4kjaiH5/ZEOg6PcY8mnO7lUKTgC2Qu6A8czF7APbWx+DtGxQV
+nc8Q22KUAEIyonZLiW+txuVCefUmMwLVBopcArDLFG6Nher8693zXXShejNxdbaA
+l00gIt1hbXGsw6CLtExPXPKQwAzc23Qg1o/wHgILX9euxyOH5wOCXsFT5nf9q5v2
+kkFwRT/R4VTO6GZCDM+EeiOyQIpSA2L/vT1D4hLNQGheTTvsJNKWFLzkZ5RLabww
+bezeXy/bvujvgLuBRaGz7/MaZ1sf4HEIUVydkuEapwkXHq45Gc2Pc6u5N7j0Kzmg
+WgKOe99ojXmlucDYNKvH1veHZ7NZa4hVS0ZeKpvJr3r1s22w7zIBgp8sP2REWVEj
+R6Oz1+4HSIfOYkRuwj7NrR4DoGYXHPDqz0ucOWxfRwBE1jkGejzR2B+qC60SNlR0
+1EWEvB0strFWavx3YxSL6qYcr66whoXx37NL8Ix5IFyYYyJHViegwBM3EvA2O4Zf
+O7MOzw2pkFrkF7AxYM7VjyidBCeQVjrBvObFxquDT7qOtWBVHPWbcpLM94gdQSym
+cUzUcjtR+u9nrisIKnDhmW52JKrROfj9hbkQnSWMbQdMwpi9o+j5hGr7yPiuNp55
+mjvKaCunL369uPcgueith6b6BDUlOcneCRYe2z36r5A
+-> piv-p256 grR75w AoreZEXslTqbyt+5ElaLnezouPXFgxUF2g479nks8v+x
+XZL5bpQJhDfbHJMVCMmsWQJFUq18O8OBG5VrxKMm/FQ
+-> piv-p256 RQguQQ AqkXjc6iVWJpbLDsZ8DQJooirpXwEPKNIrb5/Q3tCA2f
+HIR9Baoz97Dq10Gfp6AxxMAqkHNrWqbvZWDYdo/yGKQ
+--- h/88hd84A0UjdH5+AxoztaH2Now4HPK5KgfEib3ipk0
+Ñ£_üµS
+°’ü1ÇÆœiçů4mwØɳ\<5C>5*õÄf¨Ìût{˜a Ô÷fl¼=­P8³Ÿ…—jŠÛ’ðå…•ø
¼Œµy5¡Yõu¸