From 9ee26c983e4d82c6b4d11e7b0b5eca09edb2c79c Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Sat, 13 Apr 2024 12:00:44 +0200
Subject: [PATCH] hosts: server: fix gitea runner

---
 modules/services/server/gitea_runner.nix | 29 ++++++++++++--
 modules/services/server/microvm.nix | 23 ++++++-----
 secrets/services/gitea/serverrunner-token.age | 38 +++++++++----------
 3 files changed, 58 insertions(+), 32 deletions(-)

diff --git a/modules/services/server/gitea_runner.nix b/modules/services/server/gitea_runner.nix
index 0cc7f71..0380ec4 100644
--- a/modules/services/server/gitea_runner.nix
+++ b/modules/services/server/gitea_runner.nix
@@ -6,7 +6,10 @@
 enable = true;
 autoPrune.enable = true;
 dockerCompat = true;
- #defaultNetwork.settings.dns_enabled = true;
+ };
+ containers.containersConf.settings = {
+ # podman seems to not work with systemd-resolved
+ containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
 };
 };
@@ -17,17 +20,35 @@
 name = "Server runner";
 tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
 labels = [
+ "server"
 "debian-latest:docker://node:18-bullseye"
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
 "native:host"
 ];
 hostPackages = with pkgs; [
 bash
- curl
- gitMinimal
 coreutils
- wget
+ curl
+ gawk
+ gitMinimal
 gnused
+ nodejs
+ wget
 ];
+ settings = {
+ # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+ # the default network that also respects our dns server settings
+ container.network = "host";
+ container.privileged = false;
+ # container.valid_volumes = [
+ # "/nix"
+ # "${storeDeps}/bin"
+ # "${storeDeps}/etc/ssl"
+ # ];
+ };
 };
 };
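Review bot: The `containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];` line in the first hunk routes every container's name lookups to an external third-party resolver in cleartext and bypasses whatever the host resolves locally, so internal or split-horizon names will stop resolving inside job containers. The comment only says podman "seems to not work" with systemd-resolved; it should record the observed symptom so the workaround can be retired later, e.g. `# workaround: containers on podman's default network could not resolve names through systemd-resolved; external resolvers until that is fixed - internal names will not resolve in jobs`. Since the second hunk also sets `container.network = "host"`, the job containers presumably inherit the host's resolv.conf rather than this setting, so it is worth confirming which containers this line actually affects.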
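Review bot: `container.network = "host";` in the second hunk puts every job container into the runner VM's network namespace, so a workflow from any repository allowed to use the `server` or `ubuntu-*` labels can reach loopback-only services on the VM and bind host ports; `container.privileged = false;` does not narrow that. The comment above it presents this as a DNS fix, which the `containers.dns_servers` setting in the first hunk already addresses, so the default network should be tried first, and if host networking must stay the comment should state the consequence, e.g. `# host network: jobs share the runner's network namespace (loopback services reachable) - only trusted repositories may target this runner`. The commented-out `container.options` and `container.valid_volumes` lines reference `${storeDeps}`, which is not defined anywhere in this hunk; if they are dead, drop them rather than carry them. The enclosing instance definition begins before this hunk.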
diff --git a/modules/services/server/microvm.nix b/modules/services/server/microvm.nix
index e586ba9..75f6c7d 100644
--- a/modules/services/server/microvm.nix
+++ b/modules/services/server/microvm.nix
@@ -3,7 +3,6 @@ let
 name = "gitea-runner";
 in
 {
-
 microvm = {
 autostart = [
 name
@@ -14,11 +13,6 @@ in
 inherit pkgs;
 config = {
- #pkgs = import nixpkgs {
- # system = "x86_64-linux";
- # config.allowUnfree = true;
- #};
-
 imports = [ agenix.nixosModules.default ] ++ [ impermanence.nixosModules.impermanence ] ++
@@ -46,7 +40,6 @@ in
 };
 };
-
 users.users.${user} = { # System User
 isNormalUser = true;
 extraGroups = [ "wheel" ];
@@ -77,15 +70,27 @@ in
 fileSystems."/persist".neededForBoot = lib.mkForce true;
- environment.persistence."/persist" = {
+ environment = {
+ systemPackages = with pkgs; [ # Default packages install system-wide
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+ ];
+ persistence."/persist" = {
 directories = [
 "/var/log"
- "/var/lib"
+ "/var/lib/private"
 ];
 files = [
 "/etc/machine-id"
 ];
+ };
 };
 microvm = {
diff --git a/secrets/services/gitea/serverrunner-token.age b/secrets/services/gitea/serverrunner-token.age
index 9053314..3bf67e8 100644
--- a/secrets/services/gitea/serverrunner-token.age
+++ b/secrets/services/gitea/serverrunner-token.age
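Review bot: Narrowing the persisted directory from `/var/lib` to `/var/lib/private` in the last hunk means any state that does not live under a DynamicUser state directory (for example a root podman image store under `/var/lib/containers`, if that is where this runner's images live) is now discarded on every boot of the VM, and nothing in the hunk says this is intended. A one-line comment next to it would spare the next reader a surprise, e.g. `# only DynamicUser state survives reboots; everything else under /var/lib is rebuilt on boot`. The `systemPackages` list added above repeats the `hostPackages` list from gitea_runner.nix entry for entry; if the two must stay in sync, bind the list once and reference it from both places. The enclosing `config = { ... }` attribute set begins and ends outside this hunk.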
@@ -1,21 +1,21 @@ age-encryption.org/v1 --> ssh-ed25519 URAPyw JQs3uKo7cvzQEu/AqNfV7aN/TqvA5FNx5BG63ptPECg -kOfPejoVuW6HRJr7qrOG2ozwcRRcA+cmo3y7Sa5t29E +-> ssh-ed25519 URAPyw q6GBwPiLV9mwXNkJxMR0HKczC+8UELrc2lFMXYtn4l8 +Fg1LWxdM4A65xlrpuUmtw4sUEzyFWvUiV3SmYToNKNA -> ssh-rsa VtjGpQ -VltuY1KoOB8plcWoRuFl45bYb4HgquALbQDeT3XbsiI3AP4q1+QEfpIJ0ICh2HqD -IB6hAW7Awl1cmBawZu5NwH56QIVmSLL5vA8dvrY3LRP+m/ahLo1g4G82+p9Crg7s -dnSp64mgMX/TcbjqRHhi0lyj8hB01iipps2VYvWXuun8kqBstXRyKOc1iiD3UdGC -9dX3siCn6tiEk4BCbxCc3OxA2Dsl+i0yKZGoe7iXVeM7BkZl+1MaCMY7yPc1oIbG -3J2kLNcbtMRiq3tfS23nCTll/1f0B05Q5kR0Mz57VmCm/irMRtHUrUCTc2VTVamo -TgGP2ZY4BQFmNx8GBfTsvL5V/hYjy3Fxh9y0uj+/q5HTDzBsjEaaXLCMJwtB6kD+ -OtfALz0pOt/BeqWwfTlkMvEp/iak/p5ns5xsKWKDDLfDiFa/bf8uaV68xJXAEVby -PYxg5yJFrt/gAMm6cFfLzrVrvVkq0SqQ3+pmxpBZzdB1ZrMjek39mco1TvCEYCvO -gLc1h1xyKHzmPk8UjLiLsHMB18dvxbI4Bodf0AVUYCsZun0AHSTLi21vMOf5Yhlg -vSqS+yM6tTTz9fgGUV4y7HBgo8atYNSMYZ9rHA6VtLfzi7VG45/RedhspOazJRQp -5eRKtKRrUPrGQ6TBCmaz+z8JabI4yNNDhY9ob5ACayc --> piv-p256 grR75w AveH9FxNRzVWdwR4PevHqBCkk37b/4Dvs1antAtgmQea -lwfq0AnKfsOzF1SyhsaIpp5LkpstbcGGfGU8f1RxX8U --> piv-p256 RQguQQ Aog+1JgXJYipVlfKFY17xd9cBIv+y25hYklOcaZyjWWk -niOBZVUWnm8sfiO0l4VfIMDFGxgYCwHaBSipnFb1YtI ---- puDx58zDjk0OTX0irQm9zEMM+xuas4i2qlYRewznB54 -Q VFc{D \ No newline at end of file +QZLsrgM1xwq9eN+4U+0B5FosDV+uB/ySfXHz4bCeDpN7rGO9TJnKHI99bRWc3XZw +ooc5FM+jti8/nIU/Gyk4WOHLPYduPe+BOw5xPEGCVd2rn3bm42V/KckDYuAl09FJ +vP1W1zDkvpHJbFiO7ad8c9iK5kr7KU60AtSN4kJyoIesL9s6K+kCMZ1odbrE3pJ7 +VPCj4HhaV3nL42tHnupsFmWuU6GencUCWWlqi92s0mgWrGsOHqB/qR6eSzBGy4a5 +saNKSE5f7uXOGEtN/bGvulShs77uD801Uc7FCjpvPN84bzIwY+VScE5xlONwIfXV +ayQAtRDlNdsYcPw7NY5nE+o8TDUT29qH84Xn7c1qeC1/9FygEUoHFJpuqI7zDnw5 +6dyWzSQeOqPJTcOVlKwr2IltTL4MOJdy+u36awNflW5y6wcNakziGoZUqxKm84sz +UigfilWrzPfOT48IikFG5ToJuvYz2VyUCzq0KgVqkifIljWd0AALotqAxJOdzy+s +iOycsVQzI5BcaSqtBLXgt2t8OAo+wgZyAjCKTZDF5mPhk7U1QF0z0/NOcIrxSR+D +otIF+EIttBDC3t2HAdIxglMxM7ibE6bCwebCDuNpnQlLoY0rvfxGuU0f30f1XVyE +VRSN/icUkMLa1hm1A7W3T4De3N2z+kBN86xBVrpdILM 
+-> piv-p256 grR75w A5n1qH04NhMjwh2mNoGOJN9Ofpi0GOzWcTfCW1krNrGe +8L4b+0n8ufby6d5lzDTLNxgNCtw/mkLyh0aZn4mzo3g +-> piv-p256 RQguQQ Ayx2cPaemr6ww5LBQW/0fvEkap3iQhpFXgMwBCrYnuhg +nnUREYSDvSFX6mP8Ml3KuhJQZpkOC81PjYt804WB2Mg +--- dF24BThWb7swXtgAyxu/B49foT/AAEWVcNimdd1qeSA +W0eQel{SF*09MBgZF|Pzdcy^y$'HBYL CÿA‘ȃ\ \ No newline at end of file