diff --git a/.sops.yaml b/.sops.yaml index 0af6825..ca2f6f0 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -20,6 +20,7 @@ keys: - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4 - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643 + - &ci-runner 20e376b89b30327fb82f12e8e8b72d52c3aa39ee creation_rules: - path_regex: machines/nunotaba/secrets\.yaml$ key_groups: @@ -105,6 +106,13 @@ creation_rules: - *simon-alpha - *simon-beta - *koyomi + - path_regex: machines/ci-runner/secrets\.yaml$ + key_groups: + - pgp: + - *simon + - *simon-alpha + - *simon-beta + - *ci-runner - path_regex: secrets\.yaml$ key_groups: - pgp: diff --git a/keys/machines/ci-runner.asc b/keys/machines/ci-runner.asc new file mode 100644 index 0000000..9e7685d --- /dev/null +++ b/keys/machines/ci-runner.asc 
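Review bot: The new `machines/ci-runner/secrets\.yaml$` rule hands decryption to `*ci-runner`, whose public key (keys/machines/ci-runner.asc later in this diff) looks like an ssh-to-pgp import: the armored block decodes to a v4 RSA-4096 key with creation time 0, no expiry, and UID `root (Imported from SSH) <root@localhost>`. If that reading is right, the confidentiality of this secret on the runner is exactly the confidentiality of the VM's SSH RSA host key, on a box whose job is to execute CI workloads, and rotating that host key silently breaks decryption with no hint in this file. I'd record the provenance next to the anchor, e.g. `- &ci-runner 20e376b89b30327fb82f12e8e8b72d52c3aa39ee # ssh-to-pgp of ssh_host_rsa_key; regenerate and re-encrypt on host-key rotation`. Rule ordering is correct as written: the specific rule precedes the catch-all `secrets\.yaml$`, and sops applies the first matching `path_regex`.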
@@ -0,0 +1,28 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +xsFNBAAAAAABEADCLQ+QHuf+tfp88c7rUzPPLLsfSNvH4lPw57cIz0hCADDIyBfs +xZH+uSfBDX7EJyCdpRulpKeI+ixoMtpTo1sgLLnXTaiVY024+ZNtbHUtN28CuS5P +O1uBfWn8ska524DobfHsiIfWRlHrrOdQpgoFfNLIalgbDJv84ktkV92e4NXwp9fg +6/KzcR/LOwUr/ps/OV0+nXgWir9Kz7FepDBIu60UnMeqmqrpptFfxyhB9drps9m0 +8wQwaqX+1H4MRNnDVcZEQSdyCHrb3ia7Nc/ysUtguRlhmCuUxRAg1iGoQ4CwDadQ +SgS8eofAmueoV0D0AM6zptFtHydX4U7ZYUeaVdEoKqAcl2IOEydSDg71bDrHDonc +II71WezXY8B76M9W7vvphYjql97x8Eb7HMiDecrqxpaOcnPDeGSy2J9+ENXUhVbk +tak2itzD7FXXpDy15Oam3zNAZV718TfyvsxjOq8xNIDUh1x5iDlR/YAOErro3qF/ +fQWIGaKZDDllOpP6BxTR87x85w56i9yPRJ1jl5UvUYKkU30HrnIo/sScy4s1NeSH +XyIGHemm+8e1S2LYEQ/w2bnwKHHNS5kdfARMnaSpMurD+Pd9UBOHPn+M+ZVjX7hT +wCn8QJSJZiUA0b1lJ8YgbXRodHn9jdpZugQ8frtImcDE3Lq+H/VqzJm0tQARAQAB +zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT +AQgAFgUCAAAAAAkQ6LctUsOqOe4CGw8CGQEAAC2dEAABcy5TinEg/yr40qtrPmdR ++qw+B3CezIZOhkFVXJ5SnKSD6kNmijgJjloSJgpQf9qqDsZ8asWzZN79h5s9fqNa +GBn5jBBqoSLPtnNAvxiLk62iRyCbb7y645I1u5Cmg5eBPLjGpVrxI3rPcGojkBz7 +1LjtxCY94JI7lRYMpN6qOvyQlrTOxlFDE+C/x60UeliNzL3Ld17O9iuqlSGiYpz4 +kellyHF4zHvOcSmURmGmHDzPQvkLop81rCogMZkVoA0tg446U1sPdIo8HJZD+cLt +LXCNlyLU/MK7RCAG25+Z2KE43Z0xuXyNmHc0tpYOWs6oob7+ZmsWFObpyN6v69G/ +rTnZbQCp/H/Rr19UbJhoEhDpB6J+6O1OlJXe5hUDiiIYpC6vtzJV8B0ERQ9Vr1TC +nCo+RaBJoPbkJySSO500G3/psQugsxBcxRtCy78cHV1B4fKEJM4e1Hi3VP2uhCju +gRaiLGikDy4rpQQxasszOO2Yt57OGV5qySnZ9hfDLhtmhmNjL2HazZlVT1um28j4 ++DZQ7JUmjvlmzZPPt2fWG4k2zv6Xy1p2aLiuL+6TrQLjEyIMa41Lxf6bB7hlYo1Y +3Xl5yE94wvBx2+gKEArlqdrn/P8cdktHuGrELBwVaVgvHHtBM3qfzBik2lIRJMIx +haEIuBv/ZtSMbM/ItaAnJA== +=eW+j +-----END PGP PUBLIC KEY BLOCK----- diff --git a/machines/ci-runner/README.md b/machines/ci-runner/README.md new file mode 100644 index 0000000..70e8f30 --- /dev/null +++ b/machines/ci-runner/README.md @@ -0,0 +1,15 @@ + + +# ci-runner + +## Hardware + +QEMU/KVM virtual machine on [koyomi](../koyomi/README.md). + +## Purpose + +It will serve as a CI runner for Forgejo. 
diff --git a/machines/ci-runner/configuration.nix b/machines/ci-runner/configuration.nix new file mode 100644 index 0000000..2edd072 --- /dev/null +++ b/machines/ci-runner/configuration.nix @@ -0,0 +1,67 @@ +# SPDX-FileCopyrightText: 2024 Simon Bruder +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +{ config, pkgs, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ../../modules + ]; + + sbruder = { + full = false; + }; + + networking.hostName = "ci-runner"; + + system.stateVersion = "24.05"; + + sops.secrets.forgejo-runner-token-personal = { + sopsFile = ./secrets.yaml; + }; + + services.gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances = { + personal = { + enable = true; + name = "koyomi-vm"; + url = "https://git.sbruder.de"; + tokenFile = config.sops.secrets.forgejo-runner-token-personal.path; + labels = [ + "nix:host" + ]; + settings = { + log.level = "warn"; # seems to have little effect + runner = { + capacity = 4; + timeout = "1h"; + }; + }; + hostPackages = with pkgs; [ + bash + coreutils + git + git-lfs + nix + nodejs + podman + ]; + }; + }; + }; + + virtualisation = { + podman = { + enable = true; + defaultNetwork.settings = { + ipv6_enabled = true; + }; + }; + containers.containersConf.settings = { + engine.cgroup_manager = "cgroupfs"; # systemd does not work for system user + }; + }; +} diff --git a/machines/ci-runner/hardware-configuration.nix b/machines/ci-runner/hardware-configuration.nix new file mode 100644 index 0000000..4df2ffd --- /dev/null +++ b/machines/ci-runner/hardware-configuration.nix 
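Review bot: The `nix:host` label registers this runner for jobs that execute directly on the VM as the runner's service user, with `nix` and `podman` in `hostPackages`, so every repository this personal runner accepts jobs from gets unsandboxed code execution on the machine, and nothing in the module records that trust boundary. A comment above `labels` would make it explicit, e.g. `# nix:host = no container isolation; jobs run as the runner user on this VM -- only for trusted repos`. Two smaller points: `name = "koyomi-vm"` disagrees with `networking.hostName = "ci-runner"` and could be `name = config.networking.hostName;` so the Forgejo UI matches the machine; and, if I read the NixOS module correctly, `tokenFile` is consumed as a systemd environment file and must contain `TOKEN=…`, which the encrypted secret cannot show, so a `# env-file format: TOKEN=<runner token>` comment on the `sops.secrets` entry would save the next reader a trip to the module source.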
@@ -0,0 +1,56 @@ +# SPDX-FileCopyrightText: 2024 Simon Bruder +# +# SPDX-License-Identifier: AGPL-3.0-or-later + +{ modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/profiles/qemu-guest.nix") + ]; + + sbruder.machine.isVm = true; + + boot = { + kernelModules = [ "kvm-intel" ]; + extraModulePackages = [ ]; + kernelParams = [ "console=ttyS0" ]; + initrd = { + availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ]; + kernelModules = [ ]; + }; + loader = { + grub.enable = false; + systemd-boot.enable = true; + efi.canTouchEfiVariables = true; + }; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/e1a9b0bb-9f04-498c-ac2f-aad9da4639f3"; + fsType = "btrfs"; + options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational + }; + "/boot" = { + device = "/dev/disk/by-uuid/7A51-7897"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + }; + + networking = { + useDHCP = false; + usePredictableInterfaceNames = false; + }; + systemd.network = { + enable = true; + networks = { + eth0 = { + name = "eth0"; + DHCP = "yes"; + domains = [ "sbruder.de" ]; + }; + }; + }; +} diff --git a/machines/ci-runner/secrets.yaml b/machines/ci-runner/secrets.yaml new file mode 100644 index 0000000..ed8eddd --- /dev/null +++ b/machines/ci-runner/secrets.yaml 
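Review bot: The `/boot` mount uses `fmask=0022`/`dmask=0022`, which leaves the ESP — systemd-boot's `loader/random-seed` plus every kernel and initrd — readable by any unprivileged user, and on a machine whose purpose is to run CI jobs that includes workflow code; `bootctl status` reports a world-accessible ESP backing the random seed as a security hole. Prefer `options = [ "fmask=0077" "dmask=0077" ];` (what newer nixos-generate-config output uses); systemd-boot installs and updates fine on a root-only ESP. Separately, `kernelModules = [ "kvm-intel" ]` only does anything inside this guest if koyomi exposes nested virtualization; if it does not, drop it or add a comment saying why it is kept.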
@@ -0,0 +1,72 @@ +forgejo-runner-token-personal: ENC[AES256_GCM,data:U2VmQW3mO+3lNBczxU5MmKjseCICXcu1q9g4xctrJMl7Hcau0Hfy2IT8YzaEnTo=,iv:IRf+5sTyx20cMyUCg8jffDiSIuNgVRySD7eqOlzzAXY=,tag:vLEo/E2VUZ4Uu/vTFDomUw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-07-19T10:19:26Z" + mac: ENC[AES256_GCM,data:9btw7oa8ZNJYYW/TmsQYRMdW493PFV0oae/bp3r9mLZ8i272BJmvrsrLjuRTuyo9aMiE4DqtQ217723hMt+p7Q6WHqwgamlDU8PjZVCN3Q6t2dH7oZuTSq3bWxm4MQJH2fB77Bfk1M9YiUdNt4Lm/Mz1pxy8zLHCHWoLqN3XErI=,iv:JybjhZE0czAZhSByPGRJBnWwr/Y1y7D05G1WxiOgWh4=,tag:gT5qRCK+b2Gt7bG8jpl2VQ==,type:str] + pgp: + - created_at: "2024-07-19T10:09:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdAV+XCpuYtwJAQ0tudjofCp9kLhagt3iFPOZxMVm7Wu38w + 7h11CkDL2crHptPFundK0cVC1C149l8fpTRM3w6HzrqrYeSb2rVB3sTJnquWE6vc + hF4Dub78fMESoMASAQdAyxaxQvNwxAVVLs2zfhpaEVJMJTVb2X8Re28T5oyzBTsw + vfLrp2aF9f6aR0rKawCdWCtbkdT84RqjcmFeRFm80aKg/moUOsEGKrJIom8bvzgC + hF4DM6AcvgVUx2MSAQdAkmk2DPVyggHcMG98DGidvPx2lx6f1jUctmu4bgCOCXow + JmC3Navjws1ki32t3AYO18VLzTdJnnoUZsMgKIZjrmTYq1SYEbZF7YkHpFKyD2P/ + 1GgBCQIQznxhAwr2Y1EfOOIurUCAFioUkb00NYurpRtXkwlq6zXj+g3mqy4oIxwE + G8PWC0Gd5DDf3vgY8gu+yIPdQYVtPEmcgdVAuf2URXeZzOYkYdME9aHjmOkZZLgl + q+rcko9nXtgqfQ== + =a7Tl + -----END PGP MESSAGE----- + fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763 + - created_at: "2024-07-19T10:09:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4Dub78fMESoMASAQdAn4gu062b6uphH7aptsB+qJsJvw5j1jeEijaiN3g3HCEw + 7efyFGEXz5Jr3QBkvA86zzzw4uaj6s8jcpGkygPgVxkid+wNPNE7Od2GxwsQ7Rzs + 1GgBCQIQznKTHLTufQbnTxtYWdZ7Vd7d90/hl9ZkGRXCq5llvppaYkuO+RO3HeW1 + Z4hAPFKrvOjNctb/Puh9kbmQ2g02KFdzs1xUvq3+Ma6gI+WeefV/R/VewAVve8+2 + G/CwY+iDECvL1A== + =QVmD + -----END PGP MESSAGE----- + fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0 + - created_at: "2024-07-19T10:09:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DLHeEFiC484ASAQdAwLuRB1t778hUtgsjaQisVwMhBudnSIOtrBFehLU5Smow + 
AA29mIR2539iMz/Qkdjoumj3IIKGu6a/fBeu0eLUcZqSt5PtpMKMDnF47HeRv/QQ + 1GgBCQIQGjEJcIaQyjBPuHyxUNryt6M72ed5eKsnsHBhe+xmwc8AFliP2rt/kZOn + yJGjhMrFAib5i8rRDQiW+HlDHKZeGxsX3yLGdOSI9KfIFvawcYV8pxDFzIca/3X1 + TcVFed7B2BUIow== + =6bPt + -----END PGP MESSAGE----- + fp: 403215E0F99D2582C7055C512C77841620B8F380 + - created_at: "2024-07-19T10:09:12Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA+i3LVLDqjnuARAArF6aiDcKtyilbZXdBga+6nAqwBdpeYfXlnTMUztFLRYs + cSSe2HKu6J9G1oMqpZuNcGLUXgrdKk8PO3YmivWcPubQ0ruiorgzmSnXDhYvij7+ + b9b3dSWXwe82sdCVlSQZRNeapeb1hW8wcrKSoFDUYyIl3HdlxFcB1Y7hKe3XpzAy + UMxgZ8B+Ne1JOHZw97YhZmr834F7/i4vCUv/US+dGd5Fl4a3bX/8ft43T0uj5JWW + PsbjZa2LIuV6dhXu8URraQHj24Z2xM/PSSmm277MzFiXVT/0jWHe38iXLxsp7/KV + hFYqbH49P7gTC7GWJ0xHJaICWXR9WJKSttc5ue8sMkf4rj3C/ULmxS7uKbUn4FgD + Po4XCOSanZZZos4Tz/KxExLjDioJbCBUSBVQUP07RRDyVjIEe4GlOG7QCVgqty6U + LJk7sQLgFOsCgaMGuA5u5hulWx7YDHqaZxKwWZ4ME8huoP2F7L4HzoWJGK33chCR + 1t+p/cnflcz459bSGmDMjprZAtD2XFD08/GbDqS7rotPy0h+dnbT7TnvHrFFGjd2 + Qw8SIytL0D0KcqKOIXztwtt30RqTMp3CnV22NasGJsbhshAV3zVheI/8dA6UuB4r + kltGrz+O+Z7HMwuYKKTUzz3C29VJYYhPlf4uq3kF+JJZC6ZQUNAoD5rgVDeZDyDS + WAEqbel5S7ImX3oAsIF21iI11jsbWHS1/PjHdsBQdSeBzVXooiRfVa/e4ixgk8S1 + tbJl8GcvK4vdDxW689A86w7DoquocXRzJIYsKB/GVfsrTlTofAwPjHY= + =bQn7 + -----END PGP MESSAGE----- + fp: 20e376b89b30327fb82f12e8e8b72d52c3aa39ee + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/machines/default.nix b/machines/default.nix index c9ff626..af84020 100644 --- a/machines/default.nix +++ b/machines/default.nix @@ -85,4 +85,9 @@ in targetHost = "koyomi.sbruder.de"; }; + ci-runner = { + system = "x86_64-linux"; + + targetHost = "ci-runner.sbruder.de"; + }; }
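Review bot: The first `pgp` entry (fp `6CD375BD…0554C763`) is not encrypted to a single key: its armored message carries three PKESK packets (the three `hF4D…` line pairs) whose key IDs decode to `2C77841620B8F380`, `B9BEFC7CC112A0C0` and `33A01CBE0554C763`, i.e. all three operator keys, whereas the second and third entries each carry one PKESK for their own key. This is harmless here because those keys are already recipients, but it suggests an `encrypt-to` or `group` setting in the local gpg.conf is shaping the ciphertext, so the effective recipient set is no longer determined by `.sops.yaml` alone. Worth checking that gpg config and re-running `sops updatekeys` if the extra recipients were unintended. The recipient list otherwise matches the new creation rule, including the runner key `20e376b8…c3aa39ee`.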