enable gitea actions
This commit is contained in:
parent
11936d4ede
commit
d5b5f12e21
5 changed files with 75 additions and 111 deletions
|
@ -2,6 +2,7 @@
|
||||||
imports = [
|
imports = [
|
||||||
../cli.nix
|
../cli.nix
|
||||||
./bolty-boot.nix
|
./bolty-boot.nix
|
||||||
|
./gitea-runner.nix
|
||||||
./grafana.nix
|
./grafana.nix
|
||||||
./home-assistant.nix
|
./home-assistant.nix
|
||||||
./home-security.nix
|
./home-security.nix
|
||||||
|
|
56
nixos/boxes/bolty/gitea-runner-token.sops
Normal file
56
nixos/boxes/bolty/gitea-runner-token.sops
Normal file
|
@ -0,0 +1,56 @@
|
||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:FxM+PrQKjDJWrIXJlflAItiZDBtUdmETo54H1slOIMQ1bMP+KamjMwOXOwIDjohq,iv:QllifcjA3Hy6RsJqjMO4EeyuR1DjOjZmr4bIOSVdpsQ=,tag:SqScsAAIddlxBKE8tCLm3g==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"kms": null,
|
||||||
|
"gcp_kms": null,
|
||||||
|
"azure_kv": null,
|
||||||
|
"hc_vault": null,
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeEpheDNYa0hCaHBUZDkr\nVGtrMmdzdllTeno2dDU2Sko5RldKWE9kYlFVCkx5L0hVdDhEaFZCWkpidUtpa045\ncldvYmtFNjlRK3VDQ1M0SGJQQzNVVG8KLS0tIFRSaGovTEZhWnFJbGxtQVIwbHdY\nWk1IZFBxZVl1cVkrTnFpd0tmUGxCZDgKTjrh/HhZeuCJX3a4TBUU/GS75nv5GsqJ\niDejCu5wvjuUCfpN79Ubh0SXqgTjBwe8F9/sQAy2l3dFfr0pKQuO8g==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3RDQmJVUnVVTmxCNXNY\ndXRVbGVzc2QxelBJVHhmVTNYWjY0aHBDZVNBCmRXeW1WdVcrbGpGcUZqQmVoMGtO\nY2g0RzAwSUVUR2wzN0NJY01OaGtjM2sKLS0tIERsUHhnZS9YRkJSUHNDNkpiaEFJ\nWGtYcG03SzFQazZPbXNPcDhZWHV6QlEKiM7qX/n2jpLhu89saXd3+L6ri7mwqSxN\ncwkn0aHOq+c98vXFp2i6dSyepWgZynke3rZyFbgxPx74m+RAqm77wg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVnJkRHJJamltek9EckNJ\nRVowSHJXQWMxUENBeE84WWwzKzZybVFkL3pzCkRuNFFVRXl6TFl0Q0krVEc3cXEx\nSjRCWnFOSWJleWcvRE9NNUx1d0RZNWMKLS0tIHRkRFhySEVTM3hkUGc5SUo0dklV\neWcrc3RaeWZETEhONC9CNUtudldiOGcKGRNR6h5po4jHtBkDFjFPcQlDwsUaYJZq\naBnFfu/kdcwuvvCzxVVBJ1y9RfgqVxOVnAZXUXCyA97orHxa22Hk+A==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTCs2ZWtQVEdCcmlkY1dP\nMjRVV3FKM2Ezek1Tak5ZTUtxMU43NVJSam4wCkxSeS9sRkFhNUw3aHcvL1gxV2lM\nNTdYbExZUzhrRlorVzU5MU8zZEREUVkKLS0tIC9hbTVkcFQwcWdTQlJ0V3BteDBD\nQlg4eUpwei9ncW95MjBJdDhiUmhEWEkKEvqPQx1AjKsntfeH0cL7bP4kSqFO7JKB\n0sm+Z6Q8/TI4XasYICj2M2ZOtEMjEpJaIr0dMPwfWOBaWjfgKpkm6w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTFNOQk9qVmE4UnQwaDFK\ndktmRy84dnZ6b0NIU1FaajI5UXFSWUNZcmhJCmZ3SVY3NjFFOGY3bjQvNDZUcEcv\nM3kwNGR4L25IQVU2MEtNWDJ0WWhIVjQKLS0tIEtjTnl2THZNZjd4aXNJR0ozRWtX\nNFkvVlJaQUNuRlQzalRYWGNCUERxY2sKAXmtyVhvN95s6xrFwEVsw5yyL3yE2bMD\nspOSyP3lungAqVpMJyK5p+iLCOwlk/WtxpgoHUZjn+zdREmj+t9FAA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDN6UExVTWtzYkJhb0FQ\nZjdWaFIzaE5KcnlzdGpyZk1GZEhMQ2djUVRBCm9xc0xqSVkxUHVXV0UvaytBWE5l\nRFRnMVd1YzBjenJUV3RseWZLTUhva1UKLS0tIEo4R0ZRV1VNSTIrdU5JZmZIMjVi\nT1AxUGplUWJ3VldxOTU1K3BUKzJ6TDgK6NA2ppe4LO5QBnBD3Mj+k0CzGi4s3coT\nHq2SBqy5JDyZOmkJ9uXdKg3LyJtXtR/LMVG9FdVErHCqoWgIhBSnzQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NE4yT0xmUWo0QTZqS2FQ\nQXJaT1lkbWhHdkhvNDEyblVNS0Q3NE5aNlNRCnlWY0pudXdiSzlpYWZEQnFlYTE0\ncGlqblA0ZUxqUFFEZ0dqRk9Bdkpvb1EKLS0tIFBPeUw5K3ZLam4zRTh6b3dERVhm\nV3lEakQrcFVCc0F3Vkd6cWswRStLY1EK4Yg6cDOoknpPB4pzkRjAmf095IHTOAxJ\n4pqsQdc6xFy9SKACtfVWh9cNLFyDCEtsvu072tfMrqLJ0lWc2Kw8Hw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5a0ZDVko1N3cxUlVhWUV0\nc0lXTGNIMXBzOTdTR25qaCs1YklaQ3dqazJRCmY1UGkvczRmZWZ2ckhudld1SjIv\nVk1wQ3g5dHl3c3E2ZWI0RG9sZXJnWUEKLS0tIDBBVjZZTUpLWHVqWlFqVXJWTlFr\nb3dWWU9SRER0VjVWRTlhTWhZS0h1a3MKUCM6eGPPd+Pjz3sLjYyBvkqMTZhDZbXl\nVdKhvbL2vcJBgBKe4uFIBXDpcIytVhx72qu4z1WgWZKsHqyQx8OETA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOEpXU3ZrQmZHZFdtNDJE\neVVBa2pDR3l4NURuYm1tSkVTMTVmbVF4YVZJClZCdEx6ZUNxRlhCb0s2ZnVaYVJB\nTVcxNnlIN1NGMTVpOURTc0s2UXRRcWMKLS0tIDlyWlZCNmFsUEF0WjlHSW9MUndV\nd3RRM2pOMXNMTmZhSEh5aE1ONkErUTgKBCQvdhHADUvvRdN0HeUvwaZY/XrXv5u3\nSxQAOt3wb+OT0WZZVkSiQ9nUbavcaC7aBk7LmDYbcG2hDZJbiLY17w==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTXVwRzVSd2NSSi90SVVu\na05jeitPNnE5TVJ1NXk5WGd6UnhObUwveHg0CjU0dTNxUUdtb253ZHdTMFkycWdI\nbjZsanUwSGdHcFZkckIrRDRTWldha3cKLS0tIE8wM09WMnhNeklnYytUWkVTc01E\neldXYlJXRm1OMWo0T1U3UlY4SFBndVEKs56uk3j02g1g7Ae16UGfwRQJghPvS8iG\nDcIrJp6tb5ToYKeAGcTDpDvaQeNWKBX6fSLVIiJbgDWIbbZp1HRYpw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2023-06-01T21:09:15Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:i5yS9G0BiQppdmQSIZ0e1iPt3HmpiSogIZQ4f4sOjvDh/cGII8KzcYhjjQkzVpDqYjXiFag3YnrzoCgOTH19D2H2ud+iTULqDIM+T4DSmAfc2cxzhrfqC1qp1EEuLY7dLr3QKUhd5NNv1PhQX4jbBzzz6CRo/nGKp65uMDBIFTw=,iv:ExFa9n/vZJESH+UhOpQy4SROwUN1Q8SbNEGOcmGJNtw=,tag:OqQnV4DCjSqc8t7WdT0uBQ==,type:str]",
|
||||||
|
"pgp": null,
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.7.3"
|
||||||
|
}
|
||||||
|
}
|
17
nixos/boxes/bolty/gitea-runner.nix
Normal file
17
nixos/boxes/bolty/gitea-runner.nix
Normal file
|
@ -0,0 +1,17 @@
|
||||||
|
{ config, pkgs, inputs, lib, ... }: {
|
||||||
|
sops.secrets."gitea-runner-token" = {
|
||||||
|
sopsFile = ./gitea-runner-token.sops;
|
||||||
|
format = "binary";
|
||||||
|
};
|
||||||
|
virtualisation.podman = {
|
||||||
|
enable = true;
|
||||||
|
autoPrune.enable = true;
|
||||||
|
};
|
||||||
|
services.gitea-actions-runner.instances.bolty1 = {
|
||||||
|
enable = true;
|
||||||
|
url = "https://git.cyplo.dev";
|
||||||
|
tokenFile = config.sops.secrets."gitea-runner-token".path;
|
||||||
|
name = "bolty1";
|
||||||
|
labels = [ ];
|
||||||
|
};
|
||||||
|
}
|
|
@ -1,111 +0,0 @@
|
||||||
{ config, pkgs, inputs, lib, ... }:
|
|
||||||
let
|
|
||||||
agentPort = 9000;
|
|
||||||
domain = "ci.cyplo.dev";
|
|
||||||
uid = 2061;
|
|
||||||
gid = 3061;
|
|
||||||
systemUserName = "woodpecker";
|
|
||||||
systemGroupName = "woodpecker";
|
|
||||||
podmanGid = 994;
|
|
||||||
secretSettings = {
|
|
||||||
owner = systemUserName;
|
|
||||||
group = systemGroupName;
|
|
||||||
};
|
|
||||||
woodpeckerEnvSecretName = "woodpecker-env";
|
|
||||||
woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
|
|
||||||
woodpeckerNixStorePath = "/var/lib/woodpecker/nix-store";
|
|
||||||
woodpeckerAgentContainer = {
|
|
||||||
autoStart = true;
|
|
||||||
forwardPorts = [ ];
|
|
||||||
bindMounts = {
|
|
||||||
"${woodpeckerEnvSecretPath}" = {
|
|
||||||
hostPath = "${woodpeckerEnvSecretPath}";
|
|
||||||
isReadOnly = true;
|
|
||||||
};
|
|
||||||
"${woodpeckerNixStorePath}" = {
|
|
||||||
hostPath = woodpeckerNixStorePath;
|
|
||||||
isReadOnly = false;
|
|
||||||
};
|
|
||||||
"/var/run/docker.sock" = {
|
|
||||||
hostPath = "/var/run/podman/podman.sock";
|
|
||||||
isReadOnly = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
config = { config, pkgs, lib, ... }: {
|
|
||||||
system.stateVersion = "22.11";
|
|
||||||
users = {
|
|
||||||
mutableUsers = false;
|
|
||||||
allowNoPasswordLogin = true;
|
|
||||||
users."${systemUserName}" = {
|
|
||||||
inherit uid;
|
|
||||||
isSystemUser = true;
|
|
||||||
isNormalUser = false;
|
|
||||||
group = systemGroupName;
|
|
||||||
};
|
|
||||||
groups."${systemGroupName}" = {
|
|
||||||
inherit gid;
|
|
||||||
members = [ "${systemUserName}" ];
|
|
||||||
};
|
|
||||||
groups."podman" = {
|
|
||||||
gid = podmanGid;
|
|
||||||
members = [ "${systemUserName}" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.woodpecker-agent = {
|
|
||||||
enable = true;
|
|
||||||
wantedBy = [ "multi-user.target" ];
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
WOODPECKER_SERVER = "${domain}:${toString agentPort}";
|
|
||||||
WOODPECKER_MAX_PROCS = "1";
|
|
||||||
WOODPECKER_DEBUG_PRETTY = "true";
|
|
||||||
WOODPECKER_LOG_LEVEL = "debug";
|
|
||||||
};
|
|
||||||
serviceConfig = {
|
|
||||||
EnvironmentFile = [ woodpeckerEnvSecretPath ];
|
|
||||||
ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
|
|
||||||
User = systemUserName;
|
|
||||||
Group = systemGroupName;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in {
|
|
||||||
users = {
|
|
||||||
users."${systemUserName}" = {
|
|
||||||
inherit uid;
|
|
||||||
isSystemUser = true;
|
|
||||||
isNormalUser = false;
|
|
||||||
group = systemGroupName;
|
|
||||||
extraGroups = [ "podman" ];
|
|
||||||
};
|
|
||||||
groups."${systemGroupName}" = {
|
|
||||||
inherit gid;
|
|
||||||
members = [ "${systemUserName}" ];
|
|
||||||
};
|
|
||||||
groups."podman" = {
|
|
||||||
gid = podmanGid;
|
|
||||||
members = [ "${systemUserName}" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
sops.secrets."woodpecker-env" = {
|
|
||||||
sopsFile = ../vpsfree1/gitea.sops;
|
|
||||||
format = "binary";
|
|
||||||
path = woodpeckerEnvSecretPath;
|
|
||||||
} // secretSettings;
|
|
||||||
|
|
||||||
virtualisation.podman = { enable = true; };
|
|
||||||
systemd.services.woodpecker-make-path = {
|
|
||||||
script = ''
|
|
||||||
mkdir -p ${woodpeckerNixStorePath}
|
|
||||||
chown -R ${systemUserName}:${systemGroupName} ${woodpeckerNixStorePath}
|
|
||||||
'';
|
|
||||||
serviceConfig = { Type = "oneshot"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
containers.woodpecker-agent1 = woodpeckerAgentContainer;
|
|
||||||
systemd.services."container@woodpecker-agent1".requires =
|
|
||||||
[ "woodpecker-make-path.service" ];
|
|
||||||
}
|
|
|
@ -94,6 +94,7 @@ in {
|
||||||
security.INSTALL_LOCK = true;
|
security.INSTALL_LOCK = true;
|
||||||
oauth2.ENABLE = false;
|
oauth2.ENABLE = false;
|
||||||
log.LEVEL = "Info";
|
log.LEVEL = "Info";
|
||||||
|
actions.ENABLED = true;
|
||||||
"markup.mermaid" = {
|
"markup.mermaid" = {
|
||||||
ENABLED = true;
|
ENABLED = true;
|
||||||
FILE_EXTENSIONS = ".md";
|
FILE_EXTENSIONS = ".md";
|
||||||
|
|
Loading…
Reference in a new issue