ci-runner: Init

.sops.yaml

@@ -20,6 +20,7 @@ keys:
   - &nazuna 0b8be5d87a10a0e68dda97212c4befad1f9e915c
   - &yuzuru a1ee5bc0249163a047440ef2649e770ec6ea16e4
   - &koyomi a53d4ca8d2cf54613822c81d660e69babee42643
+  - &ci-runner 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
 creation_rules:
   - path_regex: machines/nunotaba/secrets\.yaml$
     key_groups:
@@ -105,6 +106,13 @@ creation_rules:
       - *simon-alpha
       - *simon-beta
       - *koyomi
+  - path_regex: machines/ci-runner/secrets\.yaml$
+    key_groups:
+    - pgp:
+      - *simon
+      - *simon-alpha
+      - *simon-beta
+      - *ci-runner
   - path_regex: secrets\.yaml$
     key_groups:
     - pgp:

keys/machines/ci-runner.asc

@@ -0,0 +1,28 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+xsFNBAAAAAABEADCLQ+QHuf+tfp88c7rUzPPLLsfSNvH4lPw57cIz0hCADDIyBfs
+xZH+uSfBDX7EJyCdpRulpKeI+ixoMtpTo1sgLLnXTaiVY024+ZNtbHUtN28CuS5P
+O1uBfWn8ska524DobfHsiIfWRlHrrOdQpgoFfNLIalgbDJv84ktkV92e4NXwp9fg
+6/KzcR/LOwUr/ps/OV0+nXgWir9Kz7FepDBIu60UnMeqmqrpptFfxyhB9drps9m0
+8wQwaqX+1H4MRNnDVcZEQSdyCHrb3ia7Nc/ysUtguRlhmCuUxRAg1iGoQ4CwDadQ
+SgS8eofAmueoV0D0AM6zptFtHydX4U7ZYUeaVdEoKqAcl2IOEydSDg71bDrHDonc
+II71WezXY8B76M9W7vvphYjql97x8Eb7HMiDecrqxpaOcnPDeGSy2J9+ENXUhVbk
+tak2itzD7FXXpDy15Oam3zNAZV718TfyvsxjOq8xNIDUh1x5iDlR/YAOErro3qF/
+fQWIGaKZDDllOpP6BxTR87x85w56i9yPRJ1jl5UvUYKkU30HrnIo/sScy4s1NeSH
+XyIGHemm+8e1S2LYEQ/w2bnwKHHNS5kdfARMnaSpMurD+Pd9UBOHPn+M+ZVjX7hT
+wCn8QJSJZiUA0b1lJ8YgbXRodHn9jdpZugQ8frtImcDE3Lq+H/VqzJm0tQARAQAB
+zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
+AQgAFgUCAAAAAAkQ6LctUsOqOe4CGw8CGQEAAC2dEAABcy5TinEg/yr40qtrPmdR
++qw+B3CezIZOhkFVXJ5SnKSD6kNmijgJjloSJgpQf9qqDsZ8asWzZN79h5s9fqNa
+GBn5jBBqoSLPtnNAvxiLk62iRyCbb7y645I1u5Cmg5eBPLjGpVrxI3rPcGojkBz7
+1LjtxCY94JI7lRYMpN6qOvyQlrTOxlFDE+C/x60UeliNzL3Ld17O9iuqlSGiYpz4
+kellyHF4zHvOcSmURmGmHDzPQvkLop81rCogMZkVoA0tg446U1sPdIo8HJZD+cLt
+LXCNlyLU/MK7RCAG25+Z2KE43Z0xuXyNmHc0tpYOWs6oob7+ZmsWFObpyN6v69G/
+rTnZbQCp/H/Rr19UbJhoEhDpB6J+6O1OlJXe5hUDiiIYpC6vtzJV8B0ERQ9Vr1TC
+nCo+RaBJoPbkJySSO500G3/psQugsxBcxRtCy78cHV1B4fKEJM4e1Hi3VP2uhCju
+gRaiLGikDy4rpQQxasszOO2Yt57OGV5qySnZ9hfDLhtmhmNjL2HazZlVT1um28j4
++DZQ7JUmjvlmzZPPt2fWG4k2zv6Xy1p2aLiuL+6TrQLjEyIMa41Lxf6bB7hlYo1Y
+3Xl5yE94wvBx2+gKEArlqdrn/P8cdktHuGrELBwVaVgvHHtBM3qfzBik2lIRJMIx
+haEIuBv/ZtSMbM/ItaAnJA==
+=eW+j
+-----END PGP PUBLIC KEY BLOCK-----

machines/ci-runner/README.md

@@ -0,0 +1,15 @@
+<!--
+SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+
+SPDX-License-Identifier: CC-BY-SA-4.0
+-->
+
+# ci-runner
+
+## Hardware
+
+QEMU/KVM virtual machine on [koyomi](../koyomi/README.md).
+
+## Purpose
+
+It will serve as a CI runner for Forgejo.

machines/ci-runner/configuration.nix

@@ -0,0 +1,67 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../../modules
+  ];
+
+  sbruder = {
+    full = false;
+  };
+
+  networking.hostName = "ci-runner";
+
+  system.stateVersion = "24.05";
+
+  sops.secrets.forgejo-runner-token-personal = {
+    sopsFile = ./secrets.yaml;
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances = {
+      personal = {
+        enable = true;
+        name = "koyomi-vm";
+        url = "https://git.sbruder.de";
+        tokenFile = config.sops.secrets.forgejo-runner-token-personal.path;
+        labels = [
+          "nix:host"
+        ];
+        settings = {
+          log.level = "warn"; # seems to have little effect
+          runner = {
+            capacity = 4;
+            timeout = "1h";
+          };
+        };
+        hostPackages = with pkgs; [
+          bash
+          coreutils
+          git
+          git-lfs
+          nix
+          nodejs
+          podman
+        ];
+      };
+    };
+  };
+
+  virtualisation = {
+    podman = {
+      enable = true;
+      defaultNetwork.settings = {
+        ipv6_enabled = true;
+      };
+    };
+    containers.containersConf.settings = {
+      engine.cgroup_manager = "cgroupfs"; # systemd does not work for system user
+    };
+  };
+}

machines/ci-runner/hardware-configuration.nix

@@ -0,0 +1,56 @@
+# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+{ modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  sbruder.machine.isVm = true;
+
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+    kernelParams = [ "console=ttyS0" ];
+    initrd = {
+      availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sr_mod" "virtio_blk" ];
+      kernelModules = [ ];
+    };
+    loader = {
+      grub.enable = false;
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/e1a9b0bb-9f04-498c-ac2f-aad9da4639f3";
+      fsType = "btrfs";
+      options = [ "compress=zstd" "discard" "noatime" "ssd" ]; # for some reason, the kernel assumes rotational
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/7A51-7897";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+  };
+
+  networking = {
+    useDHCP = false;
+    usePredictableInterfaceNames = false;
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      eth0 = {
+        name = "eth0";
+        DHCP = "yes";
+        domains = [ "sbruder.de" ];
+      };
+    };
+  };
+}

machines/ci-runner/secrets.yaml

@@ -0,0 +1,72 @@
+forgejo-runner-token-personal: ENC[AES256_GCM,data:U2VmQW3mO+3lNBczxU5MmKjseCICXcu1q9g4xctrJMl7Hcau0Hfy2IT8YzaEnTo=,iv:IRf+5sTyx20cMyUCg8jffDiSIuNgVRySD7eqOlzzAXY=,tag:vLEo/E2VUZ4Uu/vTFDomUw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-07-19T10:19:26Z"
+    mac: ENC[AES256_GCM,data:9btw7oa8ZNJYYW/TmsQYRMdW493PFV0oae/bp3r9mLZ8i272BJmvrsrLjuRTuyo9aMiE4DqtQ217723hMt+p7Q6WHqwgamlDU8PjZVCN3Q6t2dH7oZuTSq3bWxm4MQJH2fB77Bfk1M9YiUdNt4Lm/Mz1pxy8zLHCHWoLqN3XErI=,iv:JybjhZE0czAZhSByPGRJBnWwr/Y1y7D05G1WxiOgWh4=,tag:gT5qRCK+b2Gt7bG8jpl2VQ==,type:str]
+    pgp:
+        - created_at: "2024-07-19T10:09:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAV+XCpuYtwJAQ0tudjofCp9kLhagt3iFPOZxMVm7Wu38w
+            7h11CkDL2crHptPFundK0cVC1C149l8fpTRM3w6HzrqrYeSb2rVB3sTJnquWE6vc
+            hF4Dub78fMESoMASAQdAyxaxQvNwxAVVLs2zfhpaEVJMJTVb2X8Re28T5oyzBTsw
+            vfLrp2aF9f6aR0rKawCdWCtbkdT84RqjcmFeRFm80aKg/moUOsEGKrJIom8bvzgC
+            hF4DM6AcvgVUx2MSAQdAkmk2DPVyggHcMG98DGidvPx2lx6f1jUctmu4bgCOCXow
+            JmC3Navjws1ki32t3AYO18VLzTdJnnoUZsMgKIZjrmTYq1SYEbZF7YkHpFKyD2P/
+            1GgBCQIQznxhAwr2Y1EfOOIurUCAFioUkb00NYurpRtXkwlq6zXj+g3mqy4oIxwE
+            G8PWC0Gd5DDf3vgY8gu+yIPdQYVtPEmcgdVAuf2URXeZzOYkYdME9aHjmOkZZLgl
+            q+rcko9nXtgqfQ==
+            =a7Tl
+            -----END PGP MESSAGE-----
+          fp: 6CD375BD0741F67E5A289BC333A01CBE0554C763
+        - created_at: "2024-07-19T10:09:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4Dub78fMESoMASAQdAn4gu062b6uphH7aptsB+qJsJvw5j1jeEijaiN3g3HCEw
+            7efyFGEXz5Jr3QBkvA86zzzw4uaj6s8jcpGkygPgVxkid+wNPNE7Od2GxwsQ7Rzs
+            1GgBCQIQznKTHLTufQbnTxtYWdZ7Vd7d90/hl9ZkGRXCq5llvppaYkuO+RO3HeW1
+            Z4hAPFKrvOjNctb/Puh9kbmQ2g02KFdzs1xUvq3+Ma6gI+WeefV/R/VewAVve8+2
+            G/CwY+iDECvL1A==
+            =QVmD
+            -----END PGP MESSAGE-----
+          fp: 0C8AF4B4320A511384DF6B5BB9BEFC7CC112A0C0
+        - created_at: "2024-07-19T10:09:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DLHeEFiC484ASAQdAwLuRB1t778hUtgsjaQisVwMhBudnSIOtrBFehLU5Smow
+            AA29mIR2539iMz/Qkdjoumj3IIKGu6a/fBeu0eLUcZqSt5PtpMKMDnF47HeRv/QQ
+            1GgBCQIQGjEJcIaQyjBPuHyxUNryt6M72ed5eKsnsHBhe+xmwc8AFliP2rt/kZOn
+            yJGjhMrFAib5i8rRDQiW+HlDHKZeGxsX3yLGdOSI9KfIFvawcYV8pxDFzIca/3X1
+            TcVFed7B2BUIow==
+            =6bPt
+            -----END PGP MESSAGE-----
+          fp: 403215E0F99D2582C7055C512C77841620B8F380
+        - created_at: "2024-07-19T10:09:12Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA+i3LVLDqjnuARAArF6aiDcKtyilbZXdBga+6nAqwBdpeYfXlnTMUztFLRYs
+            cSSe2HKu6J9G1oMqpZuNcGLUXgrdKk8PO3YmivWcPubQ0ruiorgzmSnXDhYvij7+
+            b9b3dSWXwe82sdCVlSQZRNeapeb1hW8wcrKSoFDUYyIl3HdlxFcB1Y7hKe3XpzAy
+            UMxgZ8B+Ne1JOHZw97YhZmr834F7/i4vCUv/US+dGd5Fl4a3bX/8ft43T0uj5JWW
+            PsbjZa2LIuV6dhXu8URraQHj24Z2xM/PSSmm277MzFiXVT/0jWHe38iXLxsp7/KV
+            hFYqbH49P7gTC7GWJ0xHJaICWXR9WJKSttc5ue8sMkf4rj3C/ULmxS7uKbUn4FgD
+            Po4XCOSanZZZos4Tz/KxExLjDioJbCBUSBVQUP07RRDyVjIEe4GlOG7QCVgqty6U
+            LJk7sQLgFOsCgaMGuA5u5hulWx7YDHqaZxKwWZ4ME8huoP2F7L4HzoWJGK33chCR
+            1t+p/cnflcz459bSGmDMjprZAtD2XFD08/GbDqS7rotPy0h+dnbT7TnvHrFFGjd2
+            Qw8SIytL0D0KcqKOIXztwtt30RqTMp3CnV22NasGJsbhshAV3zVheI/8dA6UuB4r
+            kltGrz+O+Z7HMwuYKKTUzz3C29VJYYhPlf4uq3kF+JJZC6ZQUNAoD5rgVDeZDyDS
+            WAEqbel5S7ImX3oAsIF21iI11jsbWHS1/PjHdsBQdSeBzVXooiRfVa/e4ixgk8S1
+            tbJl8GcvK4vdDxW689A86w7DoquocXRzJIYsKB/GVfsrTlTofAwPjHY=
+            =bQn7
+            -----END PGP MESSAGE-----
+          fp: 20e376b89b30327fb82f12e8e8b72d52c3aa39ee
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

machines/default.nix

@@ -85,4 +85,9 @@ in
 
     targetHost = "koyomi.sbruder.de";
   };
+  ci-runner = {
+    system = "x86_64-linux";
+
+    targetHost = "ci-runner.sbruder.de";
+  };
 }