hosts: dmz: remove testpassword

modules/services/dmz/microvm.nix

@@ -42,7 +42,6 @@ in
 
           users.users.${user} = {                   # System User
             isNormalUser = true;
-            initialPassword = "runnertest";
             extraGroups = [ "wheel" ];
             uid = 2000;
             openssh.authorizedKeys.keys = [

modules/services/server/gitea_runner.nix

@@ -6,7 +6,10 @@
         enable = true;
         autoPrune.enable = true;
         dockerCompat = true;
-        #defaultNetwork.settings.dns_enabled = true;
+      };
+      containers.containersConf.settings = {
+        # podman seems to not work with systemd-resolved
+        containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
       };
     };
 
@@ -17,17 +20,35 @@
             name = "Server runner";
             tokenFile = config.age.secrets."services/gitea/serverrunner-token".path;
             labels = [ 
+              "server"
               "debian-latest:docker://node:18-bullseye"
+              "ubuntu-latest:docker://node:16-bullseye"
+              "ubuntu-22.04:docker://node:16-bullseye"
+              "ubuntu-20.04:docker://node:16-bullseye"
+              "ubuntu-18.04:docker://node:16-buster"
               "native:host"
             ];
             hostPackages = with pkgs; [
               bash
-              curl
-              gitMinimal
               coreutils
-              wget
+              curl
+              gawk
+              gitMinimal
               gnused
+              nodejs
+              wget
             ];
+            settings = {
+             # container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+               # the default network that also respects our dns server settings
+              container.network = "host";
+              container.privileged = false;
+             # container.valid_volumes = [
+             #   "/nix"
+             #   "${storeDeps}/bin"
+             #   "${storeDeps}/etc/ssl"
+             # ];
+            };
         };
     };
 

modules/services/server/microvm.nix

@@ -3,7 +3,6 @@ let
   name = "gitea-runner";
 in
 {
-
   microvm = {
     autostart = [
       name
@@ -14,11 +13,6 @@ in
         inherit pkgs;
 
         config = {
-          #pkgs = import nixpkgs {
-          #  system = "x86_64-linux";
-          #  config.allowUnfree = true;
-          #};
-
           imports = 
             [ agenix.nixosModules.default ] ++
             [ impermanence.nixosModules.impermanence ] ++
@@ -46,7 +40,6 @@ in
               };
           };
 
-
           users.users.${user} = {                   # System User
             isNormalUser = true;
             extraGroups = [ "wheel" ];
@@ -77,15 +70,27 @@ in
 
           fileSystems."/persist".neededForBoot = lib.mkForce true;
 
-          environment.persistence."/persist" = {
+          environment = {
+            systemPackages = with pkgs; [           # Default packages install system-wide
+               bash
+               coreutils
+               curl
+               gawk
+               gitMinimal
+               gnused
+               nodejs
+               wget
+            ];
+            persistence."/persist" = {
               directories = [
                 "/var/log"
-                "/var/lib"
+                "/var/lib/private"
               ];
 
               files = [
                 "/etc/machine-id"
               ];
+            };
           };
 
           microvm = {

secrets/services/gitea/serverrunner-token.age

@@ -1,21 +1,21 @@
 age-encryption.org/v1
--> ssh-ed25519 URAPyw JQs3uKo7cvzQEu/AqNfV7aN/TqvA5FNx5BG63ptPECg
-kOfPejoVuW6HRJr7qrOG2ozwcRRcA+cmo3y7Sa5t29E
+-> ssh-ed25519 URAPyw q6GBwPiLV9mwXNkJxMR0HKczC+8UELrc2lFMXYtn4l8
+Fg1LWxdM4A65xlrpuUmtw4sUEzyFWvUiV3SmYToNKNA
 -> ssh-rsa VtjGpQ
-VltuY1KoOB8plcWoRuFl45bYb4HgquALbQDeT3XbsiI3AP4q1+QEfpIJ0ICh2HqD
-IB6hAW7Awl1cmBawZu5NwH56QIVmSLL5vA8dvrY3LRP+m/ahLo1g4G82+p9Crg7s
-dnSp64mgMX/TcbjqRHhi0lyj8hB01iipps2VYvWXuun8kqBstXRyKOc1iiD3UdGC
-9dX3siCn6tiEk4BCbxCc3OxA2Dsl+i0yKZGoe7iXVeM7BkZl+1MaCMY7yPc1oIbG
-3J2kLNcbtMRiq3tfS23nCTll/1f0B05Q5kR0Mz57VmCm/irMRtHUrUCTc2VTVamo
-TgGP2ZY4BQFmNx8GBfTsvL5V/hYjy3Fxh9y0uj+/q5HTDzBsjEaaXLCMJwtB6kD+
-OtfALz0pOt/BeqWwfTlkMvEp/iak/p5ns5xsKWKDDLfDiFa/bf8uaV68xJXAEVby
-PYxg5yJFrt/gAMm6cFfLzrVrvVkq0SqQ3+pmxpBZzdB1ZrMjek39mco1TvCEYCvO
-gLc1h1xyKHzmPk8UjLiLsHMB18dvxbI4Bodf0AVUYCsZun0AHSTLi21vMOf5Yhlg
-vSqS+yM6tTTz9fgGUV4y7HBgo8atYNSMYZ9rHA6VtLfzi7VG45/RedhspOazJRQp
-5eRKtKRrUPrGQ6TBCmaz+z8JabI4yNNDhY9ob5ACayc
--> piv-p256 grR75w AveH9FxNRzVWdwR4PevHqBCkk37b/4Dvs1antAtgmQea
-lwfq0AnKfsOzF1SyhsaIpp5LkpstbcGGfGU8f1RxX8U
--> piv-p256 RQguQQ Aog+1JgXJYipVlfKFY17xd9cBIv+y25hYklOcaZyjWWk
-niOBZVUWnm8sfiO0l4VfIMDFGxgYCwHaBSipnFb1YtI
---- puDx58zDjk0OTX0irQm9zEMM+xuas4i2qlYRewznB54
-QV<¸iü;IZá^~‚$É9FõЙ¶£,$láÙ²|èCQñÄS¶öŽõDªú¯í7¾E’X.÷=°>Fº˜c<CB9C>Õ{¦ƒ°ôñDÈË
+QZLsrgM1xwq9eN+4U+0B5FosDV+uB/ySfXHz4bCeDpN7rGO9TJnKHI99bRWc3XZw
+ooc5FM+jti8/nIU/Gyk4WOHLPYduPe+BOw5xPEGCVd2rn3bm42V/KckDYuAl09FJ
+vP1W1zDkvpHJbFiO7ad8c9iK5kr7KU60AtSN4kJyoIesL9s6K+kCMZ1odbrE3pJ7
+VPCj4HhaV3nL42tHnupsFmWuU6GencUCWWlqi92s0mgWrGsOHqB/qR6eSzBGy4a5
+saNKSE5f7uXOGEtN/bGvulShs77uD801Uc7FCjpvPN84bzIwY+VScE5xlONwIfXV
+ayQAtRDlNdsYcPw7NY5nE+o8TDUT29qH84Xn7c1qeC1/9FygEUoHFJpuqI7zDnw5
+6dyWzSQeOqPJTcOVlKwr2IltTL4MOJdy+u36awNflW5y6wcNakziGoZUqxKm84sz
+UigfilWrzPfOT48IikFG5ToJuvYz2VyUCzq0KgVqkifIljWd0AALotqAxJOdzy+s
+iOycsVQzI5BcaSqtBLXgt2t8OAo+wgZyAjCKTZDF5mPhk7U1QF0z0/NOcIrxSR+D
+otIF+EIttBDC3t2HAdIxglMxM7ibE6bCwebCDuNpnQlLoY0rvfxGuU0f30f1XVyE
+VRSN/icUkMLa1hm1A7W3T4De3N2z+kBN86xBVrpdILM
+-> piv-p256 grR75w A5n1qH04NhMjwh2mNoGOJN9Ofpi0GOzWcTfCW1krNrGe
+8L4b+0n8ufby6d5lzDTLNxgNCtw/mkLyh0aZn4mzo3g
+-> piv-p256 RQguQQ Ayx2cPaemr6ww5LBQW/0fvEkap3iQhpFXgMwBCrYnuhg
+nnUREYSDvSFX6mP8Ml3KuhJQZpkOC81PjYt804WB2Mg
+--- dF24BThWb7swXtgAyxu/B49foT/AAEWVcNimdd1qeSA
+W0e«´ÝQ©el{S”F*Ç09MBégZF|PøzdÙcy¾ûÍ^ßyï$š'áHB
çY<C3A7>÷îLÆC±ÿéÏA‘íȃ—¤\‹