chore(koi/forgejo): improved dind image and added actions cleanup script

2025-01-04 22:52:20 +03:00 · 2025-01-04 22:52:20 +03:00 · 488f089a3a
commit 488f089a3a
parent 6993dc5b6f
5 changed files with 120 additions and 19 deletions
--- a/hosts/koi/containers/forgejo/clear-actions-logs.mjs
+++ b/hosts/koi/containers/forgejo/clear-actions-logs.mjs
@ -0,0 +1,48 @@
+// forgejo doesn't have a built-in way to clear old actions logs, so we have to do it manually
+// https://github.com/go-gitea/gitea/issues/24256, didnt find a separate issue for forgejo
+
+import * as fs from 'fs'
+import * as path from 'path'
+
+const LOGS_DIR = '/srv/forgejo/data/data/actions_log'
+const RETENTION = 30 * 24 * 60 * 60 * 1000 // 30 days
+
+function handleLogsDir(dir) {
+    // the actions_log dir structure is something like this:
+    // actions_log/owner/repo/job-id-hex/job-id.log.zst
+    // (todo: verify this is the case)
+    let found = false
+    const subdirs = fs.readdirSync(dir, { withFileTypes: true })
+    for (const subdir of subdirs) {
+        if (!subdir.isDirectory()) continue
+
+        const fullPath = path.join(dir, subdir.name)
+
+        // validate that the structure is how we expect it
+        const jobId = parseInt(subdir.name, 16)
+        if (isNaN(jobId)) {
+            console.error(`invalid job id at: ${fullPath}`)
+            process.exit(1)
+        }
+
+        const children = fs.readdirSync(fullPath, { withFileTypes: true })
+        if (children.length !== 1 || !children[0].isFile() || children[0].name !== `${jobId}.log.zst`) {
+            console.error(`Invalid actions_log dir: ${dir}`)
+            process.exit(1)
+        }
+
+        const stat = fs.statSync(fullPath)
+        if (stat.mtimeMs < Date.now() - RETENTION) {
+            console.log(`deleting old (${new Date(stat.mtimeMs).toISOString()}) actions log: ${fullPath}`)
+            fs.rmSync(fullPath, { recursive: true })
+            found = true
+        }
+    }
+
+}
+
+for (const owner of fs.readdirSync(LOGS_DIR)) {
+    for (const repo of fs.readdirSync(path.join(LOGS_DIR, owner))) {
+        handleLogsDir(path.join(LOGS_DIR, owner, repo))
+    }
+}
--- a/hosts/koi/containers/forgejo/default.nix
+++ b/hosts/koi/containers/forgejo/default.nix
@ -47,6 +47,15 @@ in {

  systemd.services.docker-forgejo.after = [ "postgresql.service" "gocryptfs.service" ];

+  systemd.services.forgejo-clear-actions-logs = {
+    serviceConfig = {
+      Type = "oneshot";
+      User = "forgejo";
+      ExecStart = "${pkgs.nodejs_22}/bin/nodejs ${./clear-actions-logs.mjs}";
+    };
+    startAt = "03:00";
+  };
+
  systemd.tmpfiles.rules = [
    "d /srv/forgejo/repos 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];
@ -58,6 +67,12 @@ in {
    locations."/" = {
      proxyPass = "http://forgejo.docker:3000$request_uri";
      proxyWebsockets = true;
+
+      extraConfig = ''
+        client_max_body_size 1g;
+        proxy_read_timeout 120s;
+        proxy_send_timeout 120s;
+      '';
    };
  };

--- a/hosts/koi/services/actions-runner/default.nix
+++ b/hosts/koi/services/actions-runner/default.nix
@ -1,39 +1,32 @@
 { config, pkgs, ... }: 

-{
+let 
+  UID = 1126;
+in {
  desu.secrets.forgejo-runners-token = {};
  desu.secrets.forgejo-runners-token-sf = {};

+  users.users.actions-runner = {
+    isNormalUser = true;
+    uid = 1126;
+  };
+
  systemd.services.actions-runner-build-dind = {
    description = "dind image builder for actions runner";
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
-      ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-dind -f ${./Dockerfile.dind} .";
+      ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-dind ${pkgs.copyPathToStore ./image-dind}";
    };
  };

  systemd.services.gitea-runner-koi.requires = [ "actions-runner-build-dind.service" ];
+  systemd.services.gitea-runner-koi-stupid-fish.requires = [ "actions-runner-build-dind.service" ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.koi = {
-      name = "koi";
-      enable = true;
-      url = "https://codeberg.org";
-      tokenFile = config.desu.secrets.forgejo-runners-token.path;
-      labels = [
-        "node18:docker://node:18-bullseye"
-        "node20:docker://node:20-bullseye"
-        "node22:docker://node:22-bullseye"
-        "docker:docker://local/actions-runner-dind"
-      ];
-      settings = {
-        runner.capacity = 8;
-      };
-    };
-    instances.koi-stupid-fish = {
      name = "koi";
      enable = true;
      url = "https://git.stupid.fish";
@ -42,10 +35,26 @@
        "node18:docker://node:18-bullseye"
        "node20:docker://node:20-bullseye"
        "node22:docker://node:22-bullseye"
+        # fun fact: the actual image doesnt matter! it's only used to determine the runner
+        "docker:docker://node:22-bullseye"
      ];
      settings = {
        runner.capacity = 8;
      };
    };
+
+    # a separate runner for dind because it requires privileged mode and act-runner doesnt support setting --privileged for certain images
+    instances.koi-dind = {
+      name = "koi-dind";
+      enable = true;
+      url = "https://git.stupid.fish";
+      tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
+      labels = [
+        "docker-dind:docker://local/actions-runner-dind"
+      ];
+      settings = {
+        container.privileged = true;
+      };
+    };
  };
 }
--- a/hosts/koi/services/actions-runner/image-dind/Dockerfile
+++ b/hosts/koi/services/actions-runner/image-dind/Dockerfile
@ -1,12 +1,20 @@
 FROM node:23.4.0-alpine AS node

-FROM docker:27-dind
+FROM docker:27-dind-rootless
+
+USER root 

 COPY --from=node /usr/local/bin/node /usr/local/bin/node
 COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
 COPY --from=node /usr/local/include/node /usr/local/include/node
+COPY ./start-dockerd.sh /opt/start-dockerd.sh

 RUN apk add libstdc++ bash && \
    ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \
    ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx && \
-    ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack
+    ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack && \
+    ln -s /run/user/1000/docker.sock /var/run/docker.sock
+
+ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+
+USER rootless
--- a/hosts/koi/services/actions-runner/image-dind/start-dockerd.sh
+++ b/hosts/koi/services/actions-runner/image-dind/start-dockerd.sh
@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if docker info &> /dev/null; then
+  exit 0
+fi
+
+nohup /usr/local/bin/dockerd-entrypoint.sh > /home/rootless/dockerd.log 2>&1 &
+export DOCKER_HOST=unix:///run/user/1000/docker.sock
+
+# wait for docker to start
+retry=0
+while ! docker info &> /dev/null; do
+  sleep 1
+  retry=$((retry + 1))
+  if [ $retry -gt 15 ]; then
+    echo "Failed to start dockerd after 15 seconds"
+    exit 1
+  fi
+done