diff --git a/nixos/boxes/bolty/default.nix b/nixos/boxes/bolty/default.nix
index f4bec0e4..23db2e17 100644
--- a/nixos/boxes/bolty/default.nix
+++ b/nixos/boxes/bolty/default.nix
@@ -2,6 +2,7 @@
 imports = [
 ../cli.nix
 ./bolty-boot.nix
+ ./gitea-runner.nix
 ./grafana.nix
 ./home-assistant.nix
 ./home-security.nix
diff --git a/nixos/boxes/bolty/gitea-runner-token.sops b/nixos/boxes/bolty/gitea-runner-token.sops
new file mode 100644
index 00000000..a042ebe1
--- /dev/null
+++ b/nixos/boxes/bolty/gitea-runner-token.sops
@@ -0,0 +1,56 @@ +{ + "data": "ENC[AES256_GCM,data:FxM+PrQKjDJWrIXJlflAItiZDBtUdmETo54H1slOIMQ1bMP+KamjMwOXOwIDjohq,iv:QllifcjA3Hy6RsJqjMO4EeyuR1DjOjZmr4bIOSVdpsQ=,tag:SqScsAAIddlxBKE8tCLm3g==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeEpheDNYa0hCaHBUZDkr\nVGtrMmdzdllTeno2dDU2Sko5RldKWE9kYlFVCkx5L0hVdDhEaFZCWkpidUtpa045\ncldvYmtFNjlRK3VDQ1M0SGJQQzNVVG8KLS0tIFRSaGovTEZhWnFJbGxtQVIwbHdY\nWk1IZFBxZVl1cVkrTnFpd0tmUGxCZDgKTjrh/HhZeuCJX3a4TBUU/GS75nv5GsqJ\niDejCu5wvjuUCfpN79Ubh0SXqgTjBwe8F9/sQAy2l3dFfr0pKQuO8g==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3RDQmJVUnVVTmxCNXNY\ndXRVbGVzc2QxelBJVHhmVTNYWjY0aHBDZVNBCmRXeW1WdVcrbGpGcUZqQmVoMGtO\nY2g0RzAwSUVUR2wzN0NJY01OaGtjM2sKLS0tIERsUHhnZS9YRkJSUHNDNkpiaEFJ\nWGtYcG03SzFQazZPbXNPcDhZWHV6QlEKiM7qX/n2jpLhu89saXd3+L6ri7mwqSxN\ncwkn0aHOq+c98vXFp2i6dSyepWgZynke3rZyFbgxPx74m+RAqm77wg==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVnJkRHJJamltek9EckNJ\nRVowSHJXQWMxUENBeE84WWwzKzZybVFkL3pzCkRuNFFVRXl6TFl0Q0krVEc3cXEx\nSjRCWnFOSWJleWcvRE9NNUx1d0RZNWMKLS0tIHRkRFhySEVTM3hkUGc5SUo0dklV\neWcrc3RaeWZETEhONC9CNUtudldiOGcKGRNR6h5po4jHtBkDFjFPcQlDwsUaYJZq\naBnFfu/kdcwuvvCzxVVBJ1y9RfgqVxOVnAZXUXCyA97orHxa22Hk+A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTCs2ZWtQVEdCcmlkY1dP\nMjRVV3FKM2Ezek1Tak5ZTUtxMU43NVJSam4wCkxSeS9sRkFhNUw3aHcvL1gxV2lM\nNTdYbExZUzhrRlorVzU5MU8zZEREUVkKLS0tIC9hbTVkcFQwcWdTQlJ0V3BteDBD\nQlg4eUpwei9ncW95MjBJdDhiUmhEWEkKEvqPQx1AjKsntfeH0cL7bP4kSqFO7JKB\n0sm+Z6Q8/TI4XasYICj2M2ZOtEMjEpJaIr0dMPwfWOBaWjfgKpkm6w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTFNOQk9qVmE4UnQwaDFK\ndktmRy84dnZ6b0NIU1FaajI5UXFSWUNZcmhJCmZ3SVY3NjFFOGY3bjQvNDZUcEcv\nM3kwNGR4L25IQVU2MEtNWDJ0WWhIVjQKLS0tIEtjTnl2THZNZjd4aXNJR0ozRWtX\nNFkvVlJaQUNuRlQzalRYWGNCUERxY2sKAXmtyVhvN95s6xrFwEVsw5yyL3yE2bMD\nspOSyP3lungAqVpMJyK5p+iLCOwlk/WtxpgoHUZjn+zdREmj+t9FAA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDN6UExVTWtzYkJhb0FQ\nZjdWaFIzaE5KcnlzdGpyZk1GZEhMQ2djUVRBCm9xc0xqSVkxUHVXV0UvaytBWE5l\nRFRnMVd1YzBjenJUV3RseWZLTUhva1UKLS0tIEo4R0ZRV1VNSTIrdU5JZmZIMjVi\nT1AxUGplUWJ3VldxOTU1K3BUKzJ6TDgK6NA2ppe4LO5QBnBD3Mj+k0CzGi4s3coT\nHq2SBqy5JDyZOmkJ9uXdKg3LyJtXtR/LMVG9FdVErHCqoWgIhBSnzQ==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NE4yT0xmUWo0QTZqS2FQ\nQXJaT1lkbWhHdkhvNDEyblVNS0Q3NE5aNlNRCnlWY0pudXdiSzlpYWZEQnFlYTE0\ncGlqblA0ZUxqUFFEZ0dqRk9Bdkpvb1EKLS0tIFBPeUw5K3ZLam4zRTh6b3dERVhm\nV3lEakQrcFVCc0F3Vkd6cWswRStLY1EK4Yg6cDOoknpPB4pzkRjAmf095IHTOAxJ\n4pqsQdc6xFy9SKACtfVWh9cNLFyDCEtsvu072tfMrqLJ0lWc2Kw8Hw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5a0ZDVko1N3cxUlVhWUV0\nc0lXTGNIMXBzOTdTR25qaCs1YklaQ3dqazJRCmY1UGkvczRmZWZ2ckhudld1SjIv\nVk1wQ3g5dHl3c3E2ZWI0RG9sZXJnWUEKLS0tIDBBVjZZTUpLWHVqWlFqVXJWTlFr\nb3dWWU9SRER0VjVWRTlhTWhZS0h1a3MKUCM6eGPPd+Pjz3sLjYyBvkqMTZhDZbXl\nVdKhvbL2vcJBgBKe4uFIBXDpcIytVhx72qu4z1WgWZKsHqyQx8OETA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOEpXU3ZrQmZHZFdtNDJE\neVVBa2pDR3l4NURuYm1tSkVTMTVmbVF4YVZJClZCdEx6ZUNxRlhCb0s2ZnVaYVJB\nTVcxNnlIN1NGMTVpOURTc0s2UXRRcWMKLS0tIDlyWlZCNmFsUEF0WjlHSW9MUndV\nd3RRM2pOMXNMTmZhSEh5aE1ONkErUTgKBCQvdhHADUvvRdN0HeUvwaZY/XrXv5u3\nSxQAOt3wb+OT0WZZVkSiQ9nUbavcaC7aBk7LmDYbcG2hDZJbiLY17w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTXVwRzVSd2NSSi90SVVu\na05jeitPNnE5TVJ1NXk5WGd6UnhObUwveHg0CjU0dTNxUUdtb253ZHdTMFkycWdI\nbjZsanUwSGdHcFZkckIrRDRTWldha3cKLS0tIE8wM09WMnhNeklnYytUWkVTc01E\neldXYlJXRm1OMWo0T1U3UlY4SFBndVEKs56uk3j02g1g7Ae16UGfwRQJghPvS8iG\nDcIrJp6tb5ToYKeAGcTDpDvaQeNWKBX6fSLVIiJbgDWIbbZp1HRYpw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2023-06-01T21:09:15Z", + "mac": "ENC[AES256_GCM,data:i5yS9G0BiQppdmQSIZ0e1iPt3HmpiSogIZQ4f4sOjvDh/cGII8KzcYhjjQkzVpDqYjXiFag3YnrzoCgOTH19D2H2ud+iTULqDIM+T4DSmAfc2cxzhrfqC1qp1EEuLY7dLr3QKUhd5NNv1PhQX4jbBzzz6CRo/nGKp65uMDBIFTw=,iv:ExFa9n/vZJESH+UhOpQy4SROwUN1Q8SbNEGOcmGJNtw=,tag:OqQnV4DCjSqc8t7WdT0uBQ==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.7.3" + } +} \ No newline at end of file diff --git a/nixos/boxes/bolty/gitea-runner.nix b/nixos/boxes/bolty/gitea-runner.nix new file mode 100644 index 00000000..558b38f2 --- /dev/null +++ b/nixos/boxes/bolty/gitea-runner.nix 
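Review bot: The age recipient `age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla` appears twice in the `age` recipients array, which most likely means the same key is listed twice in `.sops.yaml`; deduplicate it and re-run `sops updatekeys` so the file reflects the intended key set. Beyond that, this runner registration token is encrypted to ten recipients although only bolty needs to decrypt it at deploy time — a creation rule scoped to `nixos/boxes/bolty/` with the host key plus the admin key(s) keeps the blast radius of any single compromised age key smaller. These are observations on the encrypted metadata only; the token itself is not visible here.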
@@ -0,0 +1,17 @@
+{ config, pkgs, inputs, lib, ... }: {
+ sops.secrets."gitea-runner-token" = {
+ sopsFile = ./gitea-runner-token.sops;
+ format = "binary";
+ };
+ virtualisation.podman = {
+ enable = true;
+ autoPrune.enable = true;
+ };
+ services.gitea-actions-runner.instances.bolty1 = {
+ enable = true;
+ url = "https://git.cyplo.dev";
+ tokenFile = config.sops.secrets."gitea-runner-token".path;
+ name = "bolty1";
+ labels = [ ];
+ };
+}
diff --git a/nixos/boxes/bolty/woodpecker-agent.nix b/nixos/boxes/bolty/woodpecker-agent.nix
deleted file mode 100644
index 4396718e..00000000
--- a/nixos/boxes/bolty/woodpecker-agent.nix
+++ /dev/null
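Review bot: `tokenFile` in the nixpkgs `gitea-actions-runner` module is documented as an environment file providing a `TOKEN=` variable, so a secret decrypted with `format = "binary"` has to contain the line `TOKEN=<registration token>` rather than the bare token — confirm the plaintext has that shape, otherwise registration fails on first start and the failure is only visible in the unit log. The woodpecker agent this replaces ran inside a nixos-container under a dedicated uid, whereas this runner executes workflow jobs on the same host that imports home-assistant and home-security, and with podman enabled system-wide a job that reaches the podman socket is root-equivalent on the host; consider labels that pin jobs to a rootless container image and a note that only trusted repositories may target `bolty1`. `labels = [ ]` also deserves a comment, e.g. `# empty: act_runner falls back to its built-in default labels — confirm which images they pull`, since, as far as I recall, the module inspects the `:docker://` scheme in labels to decide whether the runner needs container access at all.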
@@ -1,111 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
- agentPort = 9000;
- domain = "ci.cyplo.dev";
- uid = 2061;
- gid = 3061;
- systemUserName = "woodpecker";
- systemGroupName = "woodpecker";
- podmanGid = 994;
- secretSettings = {
- owner = systemUserName;
- group = systemGroupName;
- };
- woodpeckerEnvSecretName = "woodpecker-env";
- woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
- woodpeckerNixStorePath = "/var/lib/woodpecker/nix-store";
- woodpeckerAgentContainer = {
- autoStart = true;
- forwardPorts = [ ];
- bindMounts = {
- "${woodpeckerEnvSecretPath}" = {
- hostPath = "${woodpeckerEnvSecretPath}";
- isReadOnly = true;
- };
- "${woodpeckerNixStorePath}" = {
- hostPath = woodpeckerNixStorePath;
- isReadOnly = false;
- };
- "/var/run/docker.sock" = {
- hostPath = "/var/run/podman/podman.sock";
- isReadOnly = false;
- };
- };
- config = { config, pkgs, lib, ... }: {
- system.stateVersion = "22.11";
- users = {
- mutableUsers = false;
- allowNoPasswordLogin = true;
- users."${systemUserName}" = {
- inherit uid;
- isSystemUser = true;
- isNormalUser = false;
- group = systemGroupName;
- };
- groups."${systemGroupName}" = {
- inherit gid;
- members = [ "${systemUserName}" ];
- };
- groups."podman" = {
- gid = podmanGid;
- members = [ "${systemUserName}" ];
- };
- };
-
- systemd.services.woodpecker-agent = {
- enable = true;
- wantedBy = [ "multi-user.target" ];
-
- environment = {
- WOODPECKER_SERVER = "${domain}:${toString agentPort}";
- WOODPECKER_MAX_PROCS = "1";
- WOODPECKER_DEBUG_PRETTY = "true";
- WOODPECKER_LOG_LEVEL = "debug";
- };
- serviceConfig = {
- EnvironmentFile = [ woodpeckerEnvSecretPath ];
- ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
- User = systemUserName;
- Group = systemGroupName;
- };
- };
- };
- };
-in {
- users = {
- users."${systemUserName}" = {
- inherit uid;
- isSystemUser = true;
- isNormalUser = false;
- group = systemGroupName;
- extraGroups = [ "podman" ];
- };
- groups."${systemGroupName}" = {
- inherit gid;
- members = [ "${systemUserName}" ];
- };
- groups."podman" = {
- gid = podmanGid;
- members = [ "${systemUserName}" ];
- };
- };
-
- sops.secrets."woodpecker-env" = {
- sopsFile = ../vpsfree1/gitea.sops;
- format = "binary";
- path = woodpeckerEnvSecretPath;
- } // secretSettings;
-
- virtualisation.podman = { enable = true; };
- systemd.services.woodpecker-make-path = {
- script = ''
- mkdir -p ${woodpeckerNixStorePath}
- chown -R ${systemUserName}:${systemGroupName} ${woodpeckerNixStorePath}
- '';
- serviceConfig = { Type = "oneshot"; };
- };
-
- containers.woodpecker-agent1 = woodpeckerAgentContainer;
- systemd.services."container@woodpecker-agent1".requires =
- [ "woodpecker-make-path.service" ];
-}
diff --git a/nixos/boxes/vpsfree1/gitea.nix b/nixos/boxes/vpsfree1/gitea.nix
index c654832a..56cd83f8 100644
--- a/nixos/boxes/vpsfree1/gitea.nix
+++ b/nixos/boxes/vpsfree1/gitea.nix
@@ -94,6 +94,7 @@ in {
 security.INSTALL_LOCK = true;
 oauth2.ENABLE = false;
 log.LEVEL = "Info";
+ actions.ENABLED = true;
 "markup.mermaid" = {
 ENABLED = true;
 FILE_EXTENSIONS = ".md";
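Review bot: `actions.ENABLED = true` switches Actions on instance-wide, so every repository owner on git.cyplo.dev can now dispatch jobs to the shared `bolty1` runner registered elsewhere in this commit, and nothing in this hunk limits which repositories or users may use it — relevant because that runner sits on a home box with podman. The same `actions` section has `DEFAULT_ACTIONS_URL`, which decides where unqualified `uses:` references are fetched from; if it is left at its default (github.com in the 1.19/1.20 releases, as I recall) workflow steps pull third-party action code from GitHub at run time, so consider setting it explicitly and pinning actions by commit SHA. A comment above the new line would help the next reader, e.g. `# Jobs run on the bolty1 act_runner (home network); keep repos with untrusted contributors off Actions`. The enclosing `settings` attribute set begins before this hunk.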