enable gitea actions

This commit is contained in:
Cyryl Płotnicki 2023-06-01 22:10:18 +01:00
parent 11936d4ede
commit d5b5f12e21
5 changed files with 75 additions and 111 deletions

View file

@ -2,6 +2,7 @@
imports = [ imports = [
../cli.nix ../cli.nix
./bolty-boot.nix ./bolty-boot.nix
./gitea-runner.nix
./grafana.nix ./grafana.nix
./home-assistant.nix ./home-assistant.nix
./home-security.nix ./home-security.nix

View file

@ -0,0 +1,56 @@
{
"data": "ENC[AES256_GCM,data:FxM+PrQKjDJWrIXJlflAItiZDBtUdmETo54H1slOIMQ1bMP+KamjMwOXOwIDjohq,iv:QllifcjA3Hy6RsJqjMO4EeyuR1DjOjZmr4bIOSVdpsQ=,tag:SqScsAAIddlxBKE8tCLm3g==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeEpheDNYa0hCaHBUZDkr\nVGtrMmdzdllTeno2dDU2Sko5RldKWE9kYlFVCkx5L0hVdDhEaFZCWkpidUtpa045\ncldvYmtFNjlRK3VDQ1M0SGJQQzNVVG8KLS0tIFRSaGovTEZhWnFJbGxtQVIwbHdY\nWk1IZFBxZVl1cVkrTnFpd0tmUGxCZDgKTjrh/HhZeuCJX3a4TBUU/GS75nv5GsqJ\niDejCu5wvjuUCfpN79Ubh0SXqgTjBwe8F9/sQAy2l3dFfr0pKQuO8g==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3RDQmJVUnVVTmxCNXNY\ndXRVbGVzc2QxelBJVHhmVTNYWjY0aHBDZVNBCmRXeW1WdVcrbGpGcUZqQmVoMGtO\nY2g0RzAwSUVUR2wzN0NJY01OaGtjM2sKLS0tIERsUHhnZS9YRkJSUHNDNkpiaEFJ\nWGtYcG03SzFQazZPbXNPcDhZWHV6QlEKiM7qX/n2jpLhu89saXd3+L6ri7mwqSxN\ncwkn0aHOq+c98vXFp2i6dSyepWgZynke3rZyFbgxPx74m+RAqm77wg==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVnJkRHJJamltek9EckNJ\nRVowSHJXQWMxUENBeE84WWwzKzZybVFkL3pzCkRuNFFVRXl6TFl0Q0krVEc3cXEx\nSjRCWnFOSWJleWcvRE9NNUx1d0RZNWMKLS0tIHRkRFhySEVTM3hkUGc5SUo0dklV\neWcrc3RaeWZETEhONC9CNUtudldiOGcKGRNR6h5po4jHtBkDFjFPcQlDwsUaYJZq\naBnFfu/kdcwuvvCzxVVBJ1y9RfgqVxOVnAZXUXCyA97orHxa22Hk+A==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTCs2ZWtQVEdCcmlkY1dP\nMjRVV3FKM2Ezek1Tak5ZTUtxMU43NVJSam4wCkxSeS9sRkFhNUw3aHcvL1gxV2lM\nNTdYbExZUzhrRlorVzU5MU8zZEREUVkKLS0tIC9hbTVkcFQwcWdTQlJ0V3BteDBD\nQlg4eUpwei9ncW95MjBJdDhiUmhEWEkKEvqPQx1AjKsntfeH0cL7bP4kSqFO7JKB\n0sm+Z6Q8/TI4XasYICj2M2ZOtEMjEpJaIr0dMPwfWOBaWjfgKpkm6w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTFNOQk9qVmE4UnQwaDFK\ndktmRy84dnZ6b0NIU1FaajI5UXFSWUNZcmhJCmZ3SVY3NjFFOGY3bjQvNDZUcEcv\nM3kwNGR4L25IQVU2MEtNWDJ0WWhIVjQKLS0tIEtjTnl2THZNZjd4aXNJR0ozRWtX\nNFkvVlJaQUNuRlQzalRYWGNCUERxY2sKAXmtyVhvN95s6xrFwEVsw5yyL3yE2bMD\nspOSyP3lungAqVpMJyK5p+iLCOwlk/WtxpgoHUZjn+zdREmj+t9FAA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDN6UExVTWtzYkJhb0FQ\nZjdWaFIzaE5KcnlzdGpyZk1GZEhMQ2djUVRBCm9xc0xqSVkxUHVXV0UvaytBWE5l\nRFRnMVd1YzBjenJUV3RseWZLTUhva1UKLS0tIEo4R0ZRV1VNSTIrdU5JZmZIMjVi\nT1AxUGplUWJ3VldxOTU1K3BUKzJ6TDgK6NA2ppe4LO5QBnBD3Mj+k0CzGi4s3coT\nHq2SBqy5JDyZOmkJ9uXdKg3LyJtXtR/LMVG9FdVErHCqoWgIhBSnzQ==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NE4yT0xmUWo0QTZqS2FQ\nQXJaT1lkbWhHdkhvNDEyblVNS0Q3NE5aNlNRCnlWY0pudXdiSzlpYWZEQnFlYTE0\ncGlqblA0ZUxqUFFEZ0dqRk9Bdkpvb1EKLS0tIFBPeUw5K3ZLam4zRTh6b3dERVhm\nV3lEakQrcFVCc0F3Vkd6cWswRStLY1EK4Yg6cDOoknpPB4pzkRjAmf095IHTOAxJ\n4pqsQdc6xFy9SKACtfVWh9cNLFyDCEtsvu072tfMrqLJ0lWc2Kw8Hw==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5a0ZDVko1N3cxUlVhWUV0\nc0lXTGNIMXBzOTdTR25qaCs1YklaQ3dqazJRCmY1UGkvczRmZWZ2ckhudld1SjIv\nVk1wQ3g5dHl3c3E2ZWI0RG9sZXJnWUEKLS0tIDBBVjZZTUpLWHVqWlFqVXJWTlFr\nb3dWWU9SRER0VjVWRTlhTWhZS0h1a3MKUCM6eGPPd+Pjz3sLjYyBvkqMTZhDZbXl\nVdKhvbL2vcJBgBKe4uFIBXDpcIytVhx72qu4z1WgWZKsHqyQx8OETA==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOEpXU3ZrQmZHZFdtNDJE\neVVBa2pDR3l4NURuYm1tSkVTMTVmbVF4YVZJClZCdEx6ZUNxRlhCb0s2ZnVaYVJB\nTVcxNnlIN1NGMTVpOURTc0s2UXRRcWMKLS0tIDlyWlZCNmFsUEF0WjlHSW9MUndV\nd3RRM2pOMXNMTmZhSEh5aE1ONkErUTgKBCQvdhHADUvvRdN0HeUvwaZY/XrXv5u3\nSxQAOt3wb+OT0WZZVkSiQ9nUbavcaC7aBk7LmDYbcG2hDZJbiLY17w==\n-----END AGE ENCRYPTED FILE-----\n"
},
{
"recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTXVwRzVSd2NSSi90SVVu\na05jeitPNnE5TVJ1NXk5WGd6UnhObUwveHg0CjU0dTNxUUdtb253ZHdTMFkycWdI\nbjZsanUwSGdHcFZkckIrRDRTWldha3cKLS0tIE8wM09WMnhNeklnYytUWkVTc01E\neldXYlJXRm1OMWo0T1U3UlY4SFBndVEKs56uk3j02g1g7Ae16UGfwRQJghPvS8iG\nDcIrJp6tb5ToYKeAGcTDpDvaQeNWKBX6fSLVIiJbgDWIbbZp1HRYpw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2023-06-01T21:09:15Z",
"mac": "ENC[AES256_GCM,data:i5yS9G0BiQppdmQSIZ0e1iPt3HmpiSogIZQ4f4sOjvDh/cGII8KzcYhjjQkzVpDqYjXiFag3YnrzoCgOTH19D2H2ud+iTULqDIM+T4DSmAfc2cxzhrfqC1qp1EEuLY7dLr3QKUhd5NNv1PhQX4jbBzzz6CRo/nGKp65uMDBIFTw=,iv:ExFa9n/vZJESH+UhOpQy4SROwUN1Q8SbNEGOcmGJNtw=,tag:OqQnV4DCjSqc8t7WdT0uBQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

View file

@ -0,0 +1,17 @@
{ config, pkgs, inputs, lib, ... }: {
sops.secrets."gitea-runner-token" = {
sopsFile = ./gitea-runner-token.sops;
format = "binary";
};
virtualisation.podman = {
enable = true;
autoPrune.enable = true;
};
services.gitea-actions-runner.instances.bolty1 = {
enable = true;
url = "https://git.cyplo.dev";
tokenFile = config.sops.secrets."gitea-runner-token".path;
name = "bolty1";
labels = [ ];
};
}

View file

@ -1,111 +0,0 @@
{ config, pkgs, inputs, lib, ... }:
let
agentPort = 9000;
domain = "ci.cyplo.dev";
uid = 2061;
gid = 3061;
systemUserName = "woodpecker";
systemGroupName = "woodpecker";
podmanGid = 994;
secretSettings = {
owner = systemUserName;
group = systemGroupName;
};
woodpeckerEnvSecretName = "woodpecker-env";
woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
woodpeckerNixStorePath = "/var/lib/woodpecker/nix-store";
woodpeckerAgentContainer = {
autoStart = true;
forwardPorts = [ ];
bindMounts = {
"${woodpeckerEnvSecretPath}" = {
hostPath = "${woodpeckerEnvSecretPath}";
isReadOnly = true;
};
"${woodpeckerNixStorePath}" = {
hostPath = woodpeckerNixStorePath;
isReadOnly = false;
};
"/var/run/docker.sock" = {
hostPath = "/var/run/podman/podman.sock";
isReadOnly = false;
};
};
config = { config, pkgs, lib, ... }: {
system.stateVersion = "22.11";
users = {
mutableUsers = false;
allowNoPasswordLogin = true;
users."${systemUserName}" = {
inherit uid;
isSystemUser = true;
isNormalUser = false;
group = systemGroupName;
};
groups."${systemGroupName}" = {
inherit gid;
members = [ "${systemUserName}" ];
};
groups."podman" = {
gid = podmanGid;
members = [ "${systemUserName}" ];
};
};
systemd.services.woodpecker-agent = {
enable = true;
wantedBy = [ "multi-user.target" ];
environment = {
WOODPECKER_SERVER = "${domain}:${toString agentPort}";
WOODPECKER_MAX_PROCS = "1";
WOODPECKER_DEBUG_PRETTY = "true";
WOODPECKER_LOG_LEVEL = "debug";
};
serviceConfig = {
EnvironmentFile = [ woodpeckerEnvSecretPath ];
ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
User = systemUserName;
Group = systemGroupName;
};
};
};
};
in {
users = {
users."${systemUserName}" = {
inherit uid;
isSystemUser = true;
isNormalUser = false;
group = systemGroupName;
extraGroups = [ "podman" ];
};
groups."${systemGroupName}" = {
inherit gid;
members = [ "${systemUserName}" ];
};
groups."podman" = {
gid = podmanGid;
members = [ "${systemUserName}" ];
};
};
sops.secrets."woodpecker-env" = {
sopsFile = ../vpsfree1/gitea.sops;
format = "binary";
path = woodpeckerEnvSecretPath;
} // secretSettings;
virtualisation.podman = { enable = true; };
systemd.services.woodpecker-make-path = {
script = ''
mkdir -p ${woodpeckerNixStorePath}
chown -R ${systemUserName}:${systemGroupName} ${woodpeckerNixStorePath}
'';
serviceConfig = { Type = "oneshot"; };
};
containers.woodpecker-agent1 = woodpeckerAgentContainer;
systemd.services."container@woodpecker-agent1".requires =
[ "woodpecker-make-path.service" ];
}

View file

@ -94,6 +94,7 @@ in {
security.INSTALL_LOCK = true; security.INSTALL_LOCK = true;
oauth2.ENABLE = false; oauth2.ENABLE = false;
log.LEVEL = "Info"; log.LEVEL = "Info";
actions.ENABLED = true;
"markup.mermaid" = { "markup.mermaid" = {
ENABLED = true; ENABLED = true;
FILE_EXTENSIONS = ".md"; FILE_EXTENSIONS = ".md";