From 15f6a5d7d3b2f3aa5e9461f63dd2b13e8d336478 Mon Sep 17 00:00:00 2001
From: DerGrumpf
Date: Mon, 22 Jun 2026 19:53:09 +0200
Subject: [PATCH] Added Gitea runner

---
 .gitea/workflows/ci.yml | 35 +++
 flake.lock | 36 +-
 flake.nix | 2 +
 hosts/cyper-desktop/configuration.nix | 13 +-
 nixos/roles/gitea.nix | 319 ++++++++++++++------------
 secrets/secrets.yaml | 5 +-
 6 files changed, 237 insertions(+), 173 deletions(-)
 create mode 100644 .gitea/workflows/ci.yml

diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
new file mode 100644
index 0000000..f1a475c
--- /dev/null
+++ b/.gitea/workflows/ci.yml
@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  check:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup age key
+        run: |
+          mkdir -p ~/.config/sops/age
+          echo "${{ secrets.AGE_KEY }}" > ~/.config/sops/age/keys.txt
+          chmod 600 ~/.config/sops/age/keys.txt
+
+      - name: Nix flake check
+        run: nix flake check --no-build
+
+      - name: Format check
+        run: nix fmt -- --check .
+
+      - name: Build NixOS configs (dry-run)
+        run: |
+          nix build .#nixosConfigurations.cyper-desktop.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-controller.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-proxy.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-1.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-2.config.system.build.toplevel --dry-run
+
+      - name: Eval darwin config (Linux-safe)
+        run: nix eval .#darwinConfigurations.cyper-mac.system
diff --git a/flake.lock b/flake.lock
index 9079cbf..e6d076c 100644
--- a/flake.lock
+++ b/flake.lock
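Review bot: The `Setup age key` step writes `${{ secrets.AGE_KEY }}` into the runner's home and no later step removes it, and since the runner registered in nixos/roles/gitea.nix carries the label `nix:host` the job runs directly on the host, so the age private key stays in `~/.config/sops/age/keys.txt` after the job and is available to every later job on that runner, including `pull_request`-triggered ones. The secret is also expanded into the script text itself, and the file is created under the default umask before `chmod 600` runs; pass it through `env:`, set `umask 077` first, and add a final `if: always()` cleanup step. None of the remaining steps (`nix flake check --no-build`, `nix fmt -- --check .`, the `--dry-run` builds, `nix eval`) visibly decrypt anything, so if evaluation does not need the key the simplest fix is to drop the step entirely; otherwise the rewrite below keeps it scoped to the job.
```yaml
      - name: Setup age key
        env:
          AGE_KEY: ${{ secrets.AGE_KEY }}
        run: |
          umask 077
          mkdir -p ~/.config/sops/age
          printf '%s\n' "$AGE_KEY" > ~/.config/sops/age/keys.txt
      # … unchanged: flake check, format check, dry-run builds, darwin eval …
      - name: Remove age key
        if: always()
        run: rm -f ~/.config/sops/age/keys.txt
```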
@@ -77,11 +77,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781242433,
-        "narHash": "sha256-bchLZZ3sRn740zyvD2icZSnNoTaanN0nw7l6fjVXO+E=",
+        "lastModified": 1781761792,
+        "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "aabb2037edfc0f210723b72cd5f528aab5dd3f0b",
+        "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
         "type": "github"
       },
       "original": {
@@ -209,11 +209,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781667738,
-        "narHash": "sha256-OxrwHpsWf+QGbos1LMDGAcv7sjBGshcw/43th6waeYI=",
+        "lastModified": 1781788787,
+        "narHash": "sha256-YqlTCRRhGvNjcJejPeMuHrYQ/TVhOO2MV/nEGMWb8nk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7664e05e2413d5e2b8c54a884eb8ea0f8a504fc2",
+        "rev": "d456f483f157d4b706416005da226234b9c116ff",
         "type": "github"
       },
       "original": {
@@ -320,11 +320,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1781627558,
-        "narHash": "sha256-qqFd1ufiH/oBB2RCmt7dg5Kyca7grJguIJrNPsD91zk=",
+        "lastModified": 1781796010,
+        "narHash": "sha256-bIqjZgUfp3vba/C1UJLVqTo8zdpfqMDvuwWrHmqDWm4=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "5b47c782c9f83539a6c642d83844cdc9130a2873",
+        "rev": "ae1690c2138313d988c81f5c25a9d0b6fadfd3b1",
         "type": "github"
       },
       "original": {
@@ -675,11 +675,11 @@
         "nixpkgs-nixcord": "nixpkgs-nixcord"
       },
       "locked": {
-        "lastModified": 1781659360,
-        "narHash": "sha256-bwTlMeMALwHREYkYBd9swITfW270tt6GzyY1j+QAqIU=",
+        "lastModified": 1781775854,
+        "narHash": "sha256-0eb1+zKSTwgD3qsBm7UiuRabahHQNkTP94Z/s3nMK60=",
         "owner": "kaylorben",
         "repo": "nixcord",
-        "rev": "9dd239d5f8d651ccd94efcf1e3bd384ad41084ca",
+        "rev": "b92ceb7923c87dfcfcf84415407b0ca63e17548b",
         "type": "github"
       },
       "original": {
@@ -796,11 +796,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1781637822,
-        "narHash": "sha256-6Fwwt8BBGF5rqwGPhj/9ZMyyjXeJQzeHHJQfPuqJP3I=",
+        "lastModified": 1781713417,
+        "narHash": "sha256-Kaj44jTNmnaFhKrcADx8nXmUYPa7l2HYfb7m6lEPy7Q=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "d43c763fd9fae0912bdb4103cd842f26fea5b0ed",
+        "rev": "caee4e5d4161778815f522d9ea1c9e3dc42462b7",
         "type": "github"
       },
       "original": {
@@ -817,11 +817,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781694117,
-        "narHash": "sha256-TobjUrIR9hSn3PdjooxvNYjuQuCbZ+HIQzExWatX6Bo=",
+        "lastModified": 1781800183,
+        "narHash": "sha256-NcRZr/JQiAvqC2qCyMxcfx/98Hf1epwdtjcbwKHeMf8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "fea207887cf1f76cb19452ffd6978b82311d9746",
+        "rev": "0559d992b12ee209570bb325d79e90007b13da52",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index b1196ad..53d98db 100644
--- a/flake.nix
+++ b/flake.nix
@@ -227,5 +227,7 @@
         }
       ];
     };
+
+    formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
   };
 }
diff --git a/hosts/cyper-desktop/configuration.nix b/hosts/cyper-desktop/configuration.nix
index bc18d4e..eaa616d 100644
--- a/hosts/cyper-desktop/configuration.nix
+++ b/hosts/cyper-desktop/configuration.nix
@@ -33,10 +33,12 @@
     efi.canTouchEfiVariables = true;
   };
 
-  services.desktopManager.plasma6.enable = false;
-  services.displayManager.sddm = {
-    enable = false;
-    wayland.enable = true;
+  services = {
+    desktopManager.plasma6.enable = false;
+    displayManager.sddm = {
+      enable = false;
+      wayland.enable = true;
+    };
   };
 
   environment.pathsToLink = [
@@ -45,4 +47,7 @@
   ];
 
   system.stateVersion = "26.11";
+
+  virtualisation.docker.enable = true;
+  users.users.phil.extraGroups = [ "docker" ];
 }
diff --git a/nixos/roles/gitea.nix b/nixos/roles/gitea.nix
index 4a75776..1386550 100644
--- a/nixos/roles/gitea.nix
+++ b/nixos/roles/gitea.nix
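Review bot: The new `users.users.phil.extraGroups = [ "docker" ];` in the second hosts/cyper-desktop/configuration.nix hunk makes `phil` root-equivalent, because membership in the docker group grants unrestricted access to the Docker socket. Nothing in this commit shows the desktop needing Docker (the runner added in nixos/roles/gitea.nix uses a `nix:host` label and is named after cyper-controller, so it does not appear to depend on this), so either drop the two lines or prefer `virtualisation.docker.rootless = { enable = true; setSocketVariable = true; };`, which needs no group membership. If the group membership is intentional, a one-line comment above it naming what on the desktop needs the daemon socket would make the privilege grant reviewable later.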
@@ -36,6 +36,10 @@ in
        owner = "gitea";
        group = "gitea";
      };
+      "gitea/runnerToken" = {
+        owner = "gitea";
+        group = "gitea";
+      };
      "kanidm_gitea_secret" = {
        owner = "gitea";
        group = "gitea";
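Review bot: The new `"gitea/runnerToken"` secret is made readable by `gitea:gitea`, but nothing in the diff shows the Gitea server process reading it; the only consumer is the runner instance added later in this file, which passes it as `tokenFile`. As far as I recall (verify against the module) the NixOS gitea-actions-runner module loads `tokenFile` as a systemd `EnvironmentFile` that must contain a `TOKEN=<value>` line and reads it as root before the unit drops to its own dynamic user, so the `owner`/`group` lines hand the registration token to the web application for no benefit, and a bare token value in secrets.yaml would not register the runner at all. If that is the case, leave the secret at the sops default (root-only) and render it as `sops.templates."gitea-runner-token".content = "TOKEN=${config.sops.placeholder."gitea/runnerToken"}";`, pointing `tokenFile` at `config.sops.templates."gitea-runner-token".path`. The enclosing `sops.secrets` attribute set starts outside the hunk.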
@@ -43,169 +47,186 @@ in
     };
   };
 
-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_14;
-    ensureDatabases = [ "gitea" ];
-    ensureUsers = [
-      {
-        name = "gitea";
-        ensureDBOwnership = true;
-      }
-    ];
-    authentication = lib.mkOverride 10 ''
-      local all all trust
-      host all all 127.0.0.1/32 md5
-      host all all ::1/128 md5
-    '';
-  };
-
-  systemd.services.gitea-db-password = {
-    description = "Set gitea postgres user password";
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-    before = [ "gitea.service" ];
-    wantedBy = [ "gitea.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-      User = "postgres";
-      RemainAfterExit = true;
+  systemd.services = {
+    gitea-db-password = {
+      description = "Set gitea postgres user password";
+      requires = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+      before = [ "gitea.service" ];
+      wantedBy = [ "gitea.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+      script = ''
+        pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
+        ${pkgs.postgresql_14}/bin/psql -c \
+          "ALTER USER gitea WITH PASSWORD '$pass';"
+      '';
     };
-    script = ''
-      pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
-      ${pkgs.postgresql_14}/bin/psql -c \
-        "ALTER USER gitea WITH PASSWORD '$pass';"
+
+    gitea.preStart = lib.mkAfter ''
+      themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
+      mkdir -p "$themeDir"
+      for f in ${giteaTheme}/*.css; do
+        name=$(basename "$f")
+        ln -sf "$f" "$themeDir/$name"
+      done
     '';
   };
 
-  services.gitea = {
-    enable = true;
-    package = pkgs.gitea;
-    user = "gitea";
-    group = "gitea";
-
-    lfs = {
+  services = {
+    postgresql = {
       enable = true;
-      contentDir = "/storage/fast/lfs";
+      package = pkgs.postgresql_14;
+      ensureDatabases = [ "gitea" ];
+      ensureUsers = [
+        {
+          name = "gitea";
+          ensureDBOwnership = true;
+        }
+      ];
+      authentication = lib.mkOverride 10 ''
+        local all all trust
+        host all all 127.0.0.1/32 md5
+        host all all ::1/128 md5
+      '';
     };
 
-    database = {
-      type = "postgres";
-      host = "127.0.0.1";
-      port = 5432;
-      name = "gitea";
+    gitea = {
+      enable = true;
+      package = pkgs.gitea;
       user = "gitea";
-      passwordFile = config.sops.secrets."gitea/dbPassword".path;
+      group = "gitea";
+
+      lfs = {
+        enable = true;
+        contentDir = "/storage/fast/lfs";
+      };
+
+      database = {
+        type = "postgres";
+        host = "127.0.0.1";
+        port = 5432;
+        name = "gitea";
+        user = "gitea";
+        passwordFile = config.sops.secrets."gitea/dbPassword".path;
+      };
+
+      settings = {
+        server = {
+          DOMAIN = domain;
+          HTTP_ADDR = "0.0.0.0";
+          HTTP_PORT = httpPort;
+          SSH_PORT = sshPort;
+          SSH_LISTEN_PORT = sshPort;
+          ROOT_URL = "https://${domain}/";
+          DISABLE_SSH = false;
+          START_SSH_SERVER = true;
+          LFS_START_SERVER = true;
+        };
+
+        metrics = {
+          ENABLED = true;
+          ENABLED_ISSUE_BY_LABEL = true;
+          ENABLED_ISSUE_BY_REPOSITORY = true;
+        };
+
+        ui = {
+          DEFAULT_THEME = "catppuccin-mocha-green";
+          THEMES = lib.concatStringsSep "," [
+            # built-in
+            "gitea"
+            "arc-green"
+            # latte
+            "catppuccin-latte-blue"
+            "catppuccin-latte-flamingo"
+            "catppuccin-latte-green"
+            "catppuccin-latte-lavender"
+            "catppuccin-latte-maroon"
+            "catppuccin-latte-mauve"
+            "catppuccin-latte-peach"
+            "catppuccin-latte-pink"
+            "catppuccin-latte-red"
+            "catppuccin-latte-rosewater"
+            "catppuccin-latte-sapphire"
+            "catppuccin-latte-sky"
+            "catppuccin-latte-teal"
+            "catppuccin-latte-yellow"
+            # frappe
+            "catppuccin-frappe-blue"
+            "catppuccin-frappe-flamingo"
+            "catppuccin-frappe-green"
+            "catppuccin-frappe-lavender"
+            "catppuccin-frappe-maroon"
+            "catppuccin-frappe-mauve"
+            "catppuccin-frappe-peach"
+            "catppuccin-frappe-pink"
+            "catppuccin-frappe-red"
+            "catppuccin-frappe-rosewater"
+            "catppuccin-frappe-sapphire"
+            "catppuccin-frappe-sky"
+            "catppuccin-frappe-teal"
+            "catppuccin-frappe-yellow"
+            # macchiato
+            "catppuccin-macchiato-blue"
+            "catppuccin-macchiato-flamingo"
+            "catppuccin-macchiato-green"
+            "catppuccin-macchiato-lavender"
+            "catppuccin-macchiato-maroon"
+            "catppuccin-macchiato-mauve"
+            "catppuccin-macchiato-peach"
+            "catppuccin-macchiato-pink"
+            "catppuccin-macchiato-red"
+            "catppuccin-macchiato-rosewater"
+            "catppuccin-macchiato-sapphire"
+            "catppuccin-macchiato-sky"
+            "catppuccin-macchiato-teal"
+            "catppuccin-macchiato-yellow"
+            # mocha
+            "catppuccin-mocha-blue"
+            "catppuccin-mocha-flamingo"
+            "catppuccin-mocha-green"
+            "catppuccin-mocha-lavender"
+            "catppuccin-mocha-maroon"
+            "catppuccin-mocha-mauve"
+            "catppuccin-mocha-peach"
+            "catppuccin-mocha-pink"
+            "catppuccin-mocha-red"
+            "catppuccin-mocha-rosewater"
+            "catppuccin-mocha-sapphire"
+            "catppuccin-mocha-sky"
+            "catppuccin-mocha-teal"
+            "catppuccin-mocha-yellow"
+          ];
+        };
+      };
+    };
-    settings = {
-      server = {
-        DOMAIN = domain;
-        HTTP_ADDR = "0.0.0.0";
-        HTTP_PORT = httpPort;
-        SSH_PORT = sshPort;
-        SSH_LISTEN_PORT = sshPort;
-        ROOT_URL = "https://${domain}/";
-        DISABLE_SSH = false;
-        START_SSH_SERVER = true;
-        LFS_START_SERVER = true;
-      };
-
-      metrics = {
-        ENABLED = true;
-        ENABLED_ISSUE_BY_LABEL = true;
-        ENABLED_ISSUE_BY_REPOSITORY = true;
-      };
-
-      ui = {
-        DEFAULT_THEME = "catppuccin-mocha-green";
-        THEMES = lib.concatStringsSep "," [
-          # built-in
-          "gitea"
-          "arc-green"
-          # latte
-          "catppuccin-latte-blue"
-          "catppuccin-latte-flamingo"
-          "catppuccin-latte-green"
-          "catppuccin-latte-lavender"
-          "catppuccin-latte-maroon"
-          "catppuccin-latte-mauve"
-          "catppuccin-latte-peach"
-          "catppuccin-latte-pink"
-          "catppuccin-latte-red"
-          "catppuccin-latte-rosewater"
-          "catppuccin-latte-sapphire"
-          "catppuccin-latte-sky"
-          "catppuccin-latte-teal"
-          "catppuccin-latte-yellow"
-          # frappe
-          "catppuccin-frappe-blue"
-          "catppuccin-frappe-flamingo"
-          "catppuccin-frappe-green"
-          "catppuccin-frappe-lavender"
-          "catppuccin-frappe-maroon"
-          "catppuccin-frappe-mauve"
-          "catppuccin-frappe-peach"
-          "catppuccin-frappe-pink"
-          "catppuccin-frappe-red"
-          "catppuccin-frappe-rosewater"
-          "catppuccin-frappe-sapphire"
-          "catppuccin-frappe-sky"
-          "catppuccin-frappe-teal"
-          "catppuccin-frappe-yellow"
-          # macchiato
-          "catppuccin-macchiato-blue"
-          "catppuccin-macchiato-flamingo"
-          "catppuccin-macchiato-green"
-          "catppuccin-macchiato-lavender"
-          "catppuccin-macchiato-maroon"
-          "catppuccin-macchiato-mauve"
-          "catppuccin-macchiato-peach"
-          "catppuccin-macchiato-pink"
-          "catppuccin-macchiato-red"
-          "catppuccin-macchiato-rosewater"
-          "catppuccin-macchiato-sapphire"
-          "catppuccin-macchiato-sky"
-          "catppuccin-macchiato-teal"
-          "catppuccin-macchiato-yellow"
-          # mocha
-          "catppuccin-mocha-blue"
-          "catppuccin-mocha-flamingo"
-          "catppuccin-mocha-green"
-          "catppuccin-mocha-lavender"
-          "catppuccin-mocha-maroon"
-          "catppuccin-mocha-mauve"
-          "catppuccin-mocha-peach"
-          "catppuccin-mocha-pink"
-          "catppuccin-mocha-red"
-          "catppuccin-mocha-rosewater"
-          "catppuccin-mocha-sapphire"
-          "catppuccin-mocha-sky"
-          "catppuccin-mocha-teal"
-          "catppuccin-mocha-yellow"
-        ];
-      };
+    gitea-actions-runner.instances."cyper-nix" = {
+      enable = true;
+      url = "https://git.cyperpunk.de";
+      tokenFile = config.sops.secrets."gitea/runnerToken".path;
+      name = "cyper-controller";
+      labels = [
+        "nix:host"
+      ];
     };
   };
 
-  # symlink catppuccin css files into gitea's custom dir on every service start
-  systemd.services.gitea.preStart = lib.mkAfter ''
-    themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
-    mkdir -p "$themeDir"
-    for f in ${giteaTheme}/*.css; do
-      name=$(basename "$f")
-      ln -sf "$f" "$themeDir/$name"
-    done
-  '';
-
-  users.users.gitea = {
-    isSystemUser = true;
-    group = "gitea";
-    home = "/var/lib/gitea";
-    createHome = true;
+  users = {
+    users = {
+      gitea = {
+        isSystemUser = true;
+        group = "gitea";
+        home = "/var/lib/gitea";
+        createHome = true;
+      };
+      postgres.extraGroups = [ "gitea" ];
+    };
+    groups.gitea = { };
   };
-  users.groups.gitea = { };
-  users.users.postgres.extraGroups = [ "gitea" ];
 
   networking.firewall.allowedTCPPorts = [
     httpPort
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index cd5496a..8702d1d 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -30,6 +30,7 @@ gitea:
   internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
   lfsJwtSecret: ENC[AES256_GCM,data:L20mFZ6zwsF3ZUoodarTJV+vhUdLlBrUbHz7FpEzJ2/C6AdFc1ZZcioN3g==,iv:E2C3gg1OYQ46Ae2bGnhF+3uw+q77l+yph3Kd2fxwW9M=,tag:VQkQ4R9S8Dr39rSLhL/X1w==,type:str]
   mailerPassword: ""
+  runnerToken: ENC[AES256_GCM,data:af4j9ZkTaiRCR6Tv87JAxGCDBWu1DoA1YN/AlasEyHeDTK4TZTXy6A==,iv:KiV8Ovc3z5q6Nb4muYTXkG6F9LgsfwC6KUxMmIJ5KGM=,tag:kQtMAWZeww8hOzVj+Ghl3Q==,type:str]
   ssh_private_key: ENC[AES256_GCM,data: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,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
   ssh_github_key: ENC[AES256_GCM,data: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,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
 sops:
@@ -43,7 +44,7 @@ sops:
         6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
         -----END AGE ENCRYPTED FILE-----
       recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
-  lastmodified: "2026-05-27T20:55:18Z"
-  mac: ENC[AES256_GCM,data:qHJwYNk4rR37KAKFKGpMfkY/Q3VJ+15yM3cUUaF6/MrHn5BtE6aoV9jjxoXbftTjNTmRRw37M4rVJJjaw+5baWwLrHpBGD5vNJC3HLwH9Mx/UmL9m90dpUWxQN9U5ah3jcg5uZzIZWhC32YNNYiuBz+qK7FwtxgEoXPbxVuh8zM=,iv:QTKO8cF5wIad/yIIs4a4/WC0lxIrCgYNZ9vfMiI28Ic=,tag:cKdCiu9w4pvpxAuMmZxDTA==,type:str]
+  lastmodified: "2026-06-22T17:45:52Z"
+  mac: ENC[AES256_GCM,data:/5b3uUOiHP4UY0/9e+wBVvr1w0iF1+00444URUTgAOnzX8eZgtB3ZUmNJQ/dHuqB9cptR3EuoOdI/xmmlTlBZcMZr/sPuCmi3KQFvOJIoF7ws/NjavOPJPaqMoJAOJWb4LjYOVabvrkP0jSqWAELvest6bEuIXHzwSXr2eUQWbQ=,iv:t/actyMRvWMOZ4mEImMCKhRjALzKUo9fCk46FCauPac=,tag:r4zQ4inr77+b4zQQGVT5ig==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.13.1