Flake is now modular and supports forgejo and forgejo-ci-runner #1
7 changed files with 151 additions and 14 deletions
|
@ -1,6 +1,8 @@
|
||||||
keys:
|
keys:
|
||||||
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
|
- &Lyn age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
|
||||||
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
|
- &forgenite age1u4dtlq4lavqufzsqfqlsnu67u3x2t3d7ffxkqrah2des4dlxns2slegl38
|
||||||
|
- &forgejo-ci age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
|
||||||
|
|
||||||
creation_rules:
|
creation_rules:
|
||||||
- path_regex: secrets/all/[^/]+\.yaml$
|
- path_regex: secrets/all/[^/]+\.yaml$
|
||||||
key_groups:
|
key_groups:
|
||||||
|
@ -13,3 +15,8 @@
|
||||||
- age:
|
- age:
|
||||||
- *Lyn
|
- *Lyn
|
||||||
- *forgenite
|
- *forgenite
|
||||||
|
- path_regex: secrets/hosts/forgejo-ci.yaml
|
||||||
|
key_groups:
|
||||||
|
- age:
|
||||||
|
- *Lyn
|
||||||
|
- *forgejo-ci
|
||||||
|
|
28
flake.nix
28
flake.nix
|
@ -5,7 +5,18 @@
|
||||||
sops-nix.url = "github:Mic92/sops-nix";
|
sops-nix.url = "github:Mic92/sops-nix";
|
||||||
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||||
};
|
};
|
||||||
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: {
|
outputs = {self, nixpkgs, nixpkgs-unstable, sops-nix }@inputs: let
|
||||||
|
|
||||||
|
passInputs = ({lib,config,...}:{
|
||||||
|
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
||||||
|
config.inputs = inputs;
|
||||||
|
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
||||||
|
config.pkgsInstances = {
|
||||||
|
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
||||||
|
};
|
||||||
|
});
|
||||||
|
|
||||||
|
in {
|
||||||
|
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
"forgejo" = nixpkgs.lib.nixosSystem {
|
"forgejo" = nixpkgs.lib.nixosSystem {
|
||||||
|
@ -13,14 +24,15 @@
|
||||||
modules = [
|
modules = [
|
||||||
./hosts/forgenite
|
./hosts/forgenite
|
||||||
sops-nix.nixosModules.sops
|
sops-nix.nixosModules.sops
|
||||||
({lib,config,...}:{
|
passInputs
|
||||||
options.inputs = lib.mkOption{type = lib.types.attrs;};
|
];
|
||||||
config.inputs = inputs;
|
|
||||||
options.pkgsInstances = lib.mkOption{type = lib.types.attrs;};
|
|
||||||
config.pkgsInstances = {
|
|
||||||
unstable = import inputs.nixpkgs-unstable{system = config.nixpkgs.system;};
|
|
||||||
};
|
};
|
||||||
})
|
"forgejo-ci" = nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = [
|
||||||
|
./hosts/forgejo-ci
|
||||||
|
sops-nix.nixosModules.sops
|
||||||
|
passInputs
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
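Review bot: The new `passInputs` module in the first hunk has no comment explaining what it provides, and its `pkgsInstances.unstable` is built with `import inputs.nixpkgs-unstable{system = config.nixpkgs.system;}`, which evaluates nixpkgs-unstable with its default config and no overlays, so settings like `nixpkgs.config.allowUnfree` on the host do not apply to packages taken from it; that may be intended, but both hosts now consume this module via the second hunk, so it deserves a line saying so. I would add above the `passInputs =` line: `# Shared module: exposes the flake inputs as config.inputs and an independent nixpkgs-unstable instance as config.pkgsInstances.unstable (evaluated with default nixpkgs config, not the host's overlays/allowUnfree).` The `"forgejo-ci"` entry in the second hunk hard-codes `system = "x86_64-linux"` while the new hardware-configuration.nix also sets `nixpkgs.hostPlatform`; consistent here, but one source of truth is easier to keep in sync.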
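--- a/hosts/forgejo-ci/default.nix
+++ b/hosts/forgejo-ci/default.nix
@@ -0,0 +1,19 @@
+{ config, pkgs, lib, inputs, ... }: {
+imports =
+[
+./../../services/forgejo-ci.nix
+./hardware-configuration.nix
+./../../users/lyn
+./../../meta/profiles/base.nix
+./../../meta/profiles/vm.nix
+];
+lyn.sops.secrets."hosts/frottjo-ci-runner/forgejo_ci-token".owner = "gitea-runner";
+# Use UEFI
+boot.loader.systemd-boot.enable = true;
+
+networking.hostName = "forgenite"; # Define your hostname.
+
+# Firewall stuff:
+networking.firewall.enable = true;
+networking.firewall.allowPing = true;
+}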
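Review bot: `networking.hostName = "forgenite";` in this new host file gives the CI machine the same hostname that the other modified host file in this commit assigns to the forgenite host (`"forgejo" -> "forgenite"`), so the two machines would collide on hostname; this looks copy-pasted and should read `networking.hostName = "forgejo-ci";`. The secret is declared here as `lyn.sops.secrets."hosts/frottjo-ci-runner/forgejo_ci-token"`, but services/forgejo-ci.nix reads `config.sops.secrets."hosts/forgejo-ci/forgejo_ci-token".path` and secrets/hosts/forgejo-ci.yaml stores the value under `hosts.forgejo-ci.forgejo_ci_token` (underscore, not hyphen); the `lyn.sops` option is not on this page so I cannot say how it maps names to sops keys, but three different spellings of the same secret almost certainly means the runner's token path will not resolve, and the `owner = "gitea-runner"` line only takes effect if the name matches what the service consumes. The same mismatch applies to the services/forgejo-ci.nix and secrets/hosts/forgejo-ci.yaml sections and is not repeated there.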
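--- a/hosts/forgejo-ci/hardware-configuration.nix
+++ b/hosts/forgejo-ci/hardware-configuration.nix
@@ -0,0 +1,38 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+imports =
+[ (modulesPath + "/profiles/qemu-guest.nix")
+];
+
+boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+boot.initrd.kernelModules = [ ];
+boot.kernelModules = [ "kvm-intel" ];
+boot.extraModulePackages = [ ];
+
+fileSystems."/" =
+{ device = "/dev/disk/by-uuid/58fe64e6-74c3-4a96-885c-340a3126d1f0";
+fsType = "ext4";
+};
+
+fileSystems."/boot" =
+{ device = "/dev/disk/by-uuid/40A9-C398";
+fsType = "vfat";
+};
+
+swapDevices =
+[ { device = "/dev/disk/by-uuid/4d39c334-1726-4646-95d3-ecbedbf21ddb"; }
+];
+
+# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+# (the default) this is the recommended approach. When using systemd-networkd it's
+# still possible to use this option, but it's recommended to use it in conjunction
+# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+networking.useDHCP = lib.mkDefault true;
+# networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+
+nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}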
@ -11,7 +11,7 @@
|
||||||
# Use UEFI
|
# Use UEFI
|
||||||
boot.loader.systemd-boot.enable = true;
|
boot.loader.systemd-boot.enable = true;
|
||||||
|
|
||||||
networking.hostName = "forgejo"; # Define your hostname.
|
networking.hostName = "forgenite"; # Define your hostname.
|
||||||
|
|
||||||
# Firewall stuff:
|
# Firewall stuff:
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
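--- a/secrets/hosts/forgejo-ci.yaml
+++ b/secrets/hosts/forgejo-ci.yaml
@@ -0,0 +1,32 @@
+hosts:
+forgejo-ci:
+forgejo_ci_token: ENC[AES256_GCM,data:zZQPn/YxMKly1hcT2m3cGoIILh4wG7GiCXwiKRwNLrrPfwJlfAUn9g==,iv:xKVR09JhCIM5plxifcHeAEcsp1UyuXaqXaQCqIPywtU=,tag:zF032vUnTr8Mj79ZLCWcfg==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age18c6zws9wk9r7dxjqafwj2l2ex5mn5v8u6yrd2ys9ng8q09rsedpqm38jzv
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhMG5zVlFXWjNYdFVjdEd3
+WWliRGtBR2YrTEtYcXF0WmI1NnNQc0NnN2dFCjVMMXVWVzJ3Z3g3NjlBaFNSdFFy
+NWxSNjNxN2hFNWYyQkRVUHBGa25laFkKLS0tIFpWaEE4MDBPTWhFdnBOOWNtRC80
+YW9QUWJCRmhhYm1Zb2t6RFJ1SStERHMK8Yk/lGQYocea8MaR4c7/7tkRSqIcjYrO
++i1HN9gIrasVtZF1k0YuSB7sCCQ+oVvKtVCR7TRoeJhoxqgQZ/q5RQ==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age13pau3xqusxuczm9kwpxg4fdze4xhenfwmjw80ed7g336a8x7tqpqdqvjjj
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TWhSM3lYK3JMQUc0WDUz
+VlEySTNTN2ZaMHo0OXlyTWNPYVhSWE5uZkNJCkFqNHJCc3h6WkVJUkYxM0VibFRY
+MWdYYWdtd1FnMmdtMndIY3gvcmJVQzQKLS0tIFpZV2RrZTg3cWxJOFlkY2F3TWRW
+SVdvMjEyVi81Nnh1UndKMGdXRkIwQjgK+uRsg09wkhyYMW/31mCrRK1AE/Zrvcy8
+Vc7oHU0jscuhBNl/nMRsdquUgIZ67wAf6xJHjAXkUmQ2zi3PVXELvw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-09-06T03:55:48Z"
+mac: ENC[AES256_GCM,data:H9RZy7w/quqfjMedaQe1NHAasC0FspxcXPyAXoy5uZaAoevNdXQNIe5yqBW+BRrw/5uIKKtLuS7YS5B3evpor2WRV0EeoPmy4dI/oFYZWg2kNzLVTumxQp4Q1vOOcrBrMUmm7OeoItr85p42Cx/08I9TnwRieGMnG5Mn0J6o+Zo=,iv:XbWd6j2LhhOld7NXN2m58f1cUJpLcdb3Ywf0bNkQYdA=,tag:T5gTjfRCCLfGFtIzXE7OfA==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.9.0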
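--- a/services/forgejo-ci.nix
+++ b/services/forgejo-ci.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+environment.systemPackages = with pkgs; [
+docker
+forgejo-actions-runner
+
+];
+
+# Enable docker
+virtualisation.docker = {
+enable = true;
+daemon.settings = {
+fixed-cidr-v6 = "fd00::/80";
+ipv6 = true;
+};
+};
+# Forgejo actions runner
+services.gitea-actions-runner = {
+instances = {
+"shibepro-ci" = {
+enable = true;
+url = "https://git.shibe.pro";
+name = "shibepro-ci";
+tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci-token".path;
+labels = [];
+};
+};
+};
+}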
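Review bot: `tokenFile = config.sops.secrets."hosts/forgejo-ci/forgejo_ci-token".path;` hands the runner a sops-managed file, but as far as I recall the NixOS gitea-actions-runner module loads `tokenFile` as a systemd environment file and expects a `TOKEN=<value>` line rather than a bare token, so if the encrypted value in secrets/hosts/forgejo-ci.yaml is the raw registration token the runner will fail to register; please confirm the module's expected format and, if needed, store the secret as `TOKEN=...`. Since the secret has `owner = "gitea-runner"` set in the host file, also confirm that owner matches the user the module actually runs the instance as. `labels = [];` with Docker enabled leaves the runner's advertised labels to the binary's defaults; a one-line comment stating which runner labels/images jobs are expected to use would make this file self-explanatory, e.g. `# labels left empty on purpose: act_runner falls back to its built-in default label set`, if that is indeed the intent.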