Simon Bruder
4a8a7e0a4f
Since I currently do not have access to sayuri, its migration is not done yet. The host keys and the wg-home-private-key secret still have to be added.
# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
#
# Runs the Drone "exec" runner as a confined systemd service. The exec runner
# executes pipeline steps directly as the service user (no container), so the
# `confinement` block and the explicit bind paths below are what bound what a
# pipeline can see and touch on this host.
{ config, lib, pkgs, ... }:

let
  # service account name; user and group share it
  runnerName = "drone-runner-exec";

  # Tools available to pipeline steps. The same list is put on PATH and handed
  # to the confinement module, so the chroot and PATH stay in sync.
  toolchain = [
    pkgs.bash
    pkgs.git
    pkgs.git-lfs
    pkgs.gnutar
    pkgs.gzip
    pkgs.nix
  ];

  # The RPC secret is loaded from a sops-managed environment file at runtime,
  # never from the world-readable Nix store.
  rpcSecretFile = config.sops.secrets.drone-rpc-environment.path;
in
{
  systemd.services.drone-runner-exec = {
    wantedBy = [ "multi-user.target" ];

    # Not restarted on activation -- presumably because a restart would abort a
    # pipeline that is in flight on this host (possibly the one deploying this
    # configuration); a manual restart is needed to pick up changes.
    restartIfChanged = false;

    confinement.enable = true;
    confinement.packages = toolchain;
    path = toolchain;

    environment = {
      DRONE_RPC_HOST = "ci.sbruder.de";
      DRONE_RPC_PROTO = "https";
      DRONE_RUNNER_CAPACITY = "2";
      # nix builds go through nix-daemon via the socket bound below instead of
      # giving the runner user direct store access
      NIX_REMOTE = "daemon";
      PAGER = "cat";
    };

    serviceConfig = {
      EnvironmentFile = [ rpcSecretFile ];

      # writable binds: the nix-daemon socket and the nscd socket (NSS lookups)
      BindPaths = [
        "/nix/var/nix/daemon-socket/socket"
        "/run/nscd/socket"
      ];

      # read-only binds: identity databases, nix configuration, the store, plus
      # the CA bundle and known_hosts so TLS and SSH host key checks still work
      # inside the chroot
      BindReadOnlyPaths = [
        "/etc/group:/etc/group"
        "/etc/machine-id"
        "/etc/nix:/etc/nix"
        "/etc/passwd:/etc/passwd"
        "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
        "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
        "/nix"
      ];

      ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";
      User = runnerName;
      Group = runnerName;
    };
  };

  # dedicated unprivileged account for the runner and the pipelines it executes
  users.users.${runnerName} = {
    isSystemUser = true;
    group = runnerName;
  };

  users.groups.${runnerName} = { };
}