teidesu/nixfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: teidesu:041aa095ee3a101e04a7f30cd1f3268e9595743c
Branches Tags
teidesu:master
..
compare: teidesu:86e3043f1a0c65e27e6dc8759563efeed17c0998
Branches Tags
teidesu:master

No commits in common. "041aa095ee3a101e04a7f30cd1f3268e9595743c" and "86e3043f1a0c65e27e6dc8759563efeed17c0998" have entirely different histories.
041aa095ee ... 86e3043f1a

9 changed files with 46 additions and 115 deletions
Show stats Expand all files Collapse all files

3
hosts/koi/containers/navidrome/default.nix
View file

@ -16,9 +16,6 @@ let
document.head.appendChild(style); document.head.appendChild(style);
''; '';
in { in {
imports = [
./picard.nix
];
desu.secrets.navidrome-env.owner = "navidrome"; desu.secrets.navidrome-env.owner = "navidrome";
users.users.navidrome = { users.users.navidrome = {

45
hosts/koi/containers/navidrome/picard.nix
View file

@ -1,45 +0,0 @@
{ config, pkgs, ... }:
let
UID = 1128;
in {
users.users.picard = {
isNormalUser = true;
uid = UID;
extraGroups = [ "geesefs" ];
};
virtualisation.oci-containers.containers.picard = {
image = "mikenye/picard:2.12.3";
environment = {
USER_ID = builtins.toString UID;
GROUP_ID = builtins.toString config.users.groups.geesefs.gid;
TZ = "Europe/Moscow";
KEEP_APP_RUNNING = "1";
WEB_AUDIO = "1";
# ENABLE_CJK_FONT = "1";
};
extraOptions = [
"--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/storage/s3"
"--mount=type=bind,source=/srv/picard,target=/config"
];
};
systemd.services.docker-picard.requires = [ "gocryptfs.service" ];
systemd.tmpfiles.rules = [
"d /srv/picard 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
services.nginx.virtualHosts."picard.stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
extraConfig = ''
allow 10.0.0.0/8;
deny all;
'';
locations."/" = {
proxyPass = "http://picard.docker:5800$request_uri";
};
};
}

32
hosts/koi/services/actions-runner/buildkitd.nix
View file

@ -1,32 +0,0 @@
{ pkgs, ... }:
{
virtualisation.oci-containers.containers.act-runner-buildkitd = {
image = "moby/buildkit:v0.19.0-rc2-rootless";
cmd = [
"--oci-worker-no-process-sandbox"
"--addr=unix:///var/run/act-runner-buildkit/buildkitd.sock"
];
user = "1000:1000";
extraOptions = [
"--security-opt=seccomp=unconfined"
"--security-opt=apparmor=unconfined"
"--mount=type=bind,source=/var/lib/act-runner-buildkit,target=/home/user/.local/share/buildkit"
"--mount=type=bind,source=/var/run/act-runner-buildkit,target=/var/run/act-runner-buildkit"
];
};
systemd.services.act-runner-buildkit-clear-cache = {
serviceConfig = {
Type = "oneshot";
User = "1000";
ExecStart = "${pkgs.buildkit}/bin/buildctl --addr=unix:///var/run/act-runner-buildkit/buildkitd.sock prune";
};
startAt = "Mon 03:00";
};
systemd.tmpfiles.rules = [
"d /var/lib/act-runner-buildkit 0700 1000 1000 -"
"d /var/run/act-runner-buildkit 0700 1000 1000 -"
];
}

36
hosts/koi/services/actions-runner/default.nix
View file

@ -1,23 +1,28 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ let
imports = [ ./buildkitd.nix ]; UID = 1126;
in {
desu.secrets.forgejo-runners-token = {};
desu.secrets.forgejo-runners-token-sf = {}; desu.secrets.forgejo-runners-token-sf = {};
systemd.services.actions-runner-build-buildkit = { users.users.actions-runner = {
description = "buildkit image builder for actions runner"; isNormalUser = true;
uid = 1126;
};
systemd.services.actions-runner-build-dind = {
description = "dind image builder for actions runner";
after = [ "docker.service" ]; after = [ "docker.service" ];
wantedBy = [ "multi-user.target" ]; wantedBy = [ "multi-user.target" ];
serviceConfig = { serviceConfig = {
Type = "oneshot"; Type = "oneshot";
ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-buildkit ${pkgs.copyPathToStore ./image-buildkit}"; ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-dind ${pkgs.copyPathToStore ./image-dind}";
}; };
}; };
systemd.services.gitea-runner-koi-buildkit.requires = [ systemd.services.gitea-runner-koi.requires = [ "actions-runner-build-dind.service" ];
"actions-runner-build-buildkit.service" systemd.services.gitea-runner-koi-stupid-fish.requires = [ "actions-runner-build-dind.service" ];
"docker-act-runner-buildkitd.service"
];
services.gitea-actions-runner = { services.gitea-actions-runner = {
package = pkgs.forgejo-runner; package = pkgs.forgejo-runner;
@ -38,20 +43,17 @@
}; };
}; };
instances.koi-buildkit = { # a separate runner for dind because it requires privileged mode and act-runner doesnt support setting --privileged for certain images
name = "koi-buildkit"; instances.koi-dind = {
name = "koi-dind";
enable = true; enable = true;
url = "https://git.stupid.fish"; url = "https://git.stupid.fish";
tokenFile = config.desu.secrets.forgejo-runners-token-sf.path; tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
labels = [ labels = [
"buildkit:docker://local/actions-runner-buildkit" "docker-dind:docker://local/actions-runner-dind"
]; ];
settings = { settings = {
runner.capacity = 4; container.privileged = true;
container = {
valid_volumes = [ "/var/run/act-runner-buildkit" ];
options = "--user=1000:1000 --mount=type=bind,source=/var/run/act-runner-buildkit,target=/var/run/buildkit";
};
}; };
}; };
}; };

12
hosts/koi/services/actions-runner/image-buildkit/registry-login.sh
View file

@ -1,12 +0,0 @@
#!/usr/bin/env bash
set -euo pipefail
if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
echo "Usage: $0 <registry> <username> <password>"
exit 1
fi
BASE64_AUTH=$(echo -n "$2:$3" | base64)
mkdir -p /home/user/.docker
echo "{\"auths\": {\"$1\": {\"auth\": \"$BASE64_AUTH\"}}}" > /home/user/.docker/config.json

11
hosts/koi/services/actions-runner/image-buildkit/Dockerfile → hosts/koi/services/actions-runner/image-dind/Dockerfile
View file

@ -1,19 +1,20 @@
FROM node:23.4.0-alpine AS node FROM node:23.4.0-alpine AS node
FROM moby/buildkit:master-rootless FROM docker:27-dind-rootless
USER root USER root
COPY --from=node /usr/local/bin/node /usr/local/bin/node COPY --from=node /usr/local/bin/node /usr/local/bin/node
COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
COPY --from=node /usr/local/include/node /usr/local/include/node COPY --from=node /usr/local/include/node /usr/local/include/node
COPY ./registry-login.sh /opt/registry-login.sh COPY ./start-dockerd.sh /opt/start-dockerd.sh
RUN apk add libstdc++ bash && \ RUN apk add libstdc++ bash && \
ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \ ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \
ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx && \ ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx && \
ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack && \
ln -s /run/user/1000/docker.sock /var/run/docker.sock
ENV BUILDKIT_HOST=unix:///var/run/buildkit/buildkitd.sock ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
USER user USER rootless

21
hosts/koi/services/actions-runner/image-dind/start-dockerd.sh Executable file
View file

@ -0,0 +1,21 @@
#!/usr/bin/env bash
set -euo pipefail
if docker info &> /dev/null; then
exit 0
fi
nohup /usr/local/bin/dockerd-entrypoint.sh > /home/rootless/dockerd.log 2>&1 &
export DOCKER_HOST=unix:///run/user/1000/docker.sock
# wait for docker to start
retry=0
while ! docker info &> /dev/null; do
sleep 1
retry=$((retry + 1))
if [ $retry -gt 15 ]; then
echo "Failed to start dockerd after 15 seconds"
exit 1
fi
done

1
hosts/koi/services/coredns.nix
View file

@ -22,7 +22,6 @@ let
10.42.0.2 navi.stupid.fish 10.42.0.2 navi.stupid.fish
10.42.0.2 wiki.stupid.fish 10.42.0.2 wiki.stupid.fish
10.42.0.2 siyuan.tei.su 10.42.0.2 siyuan.tei.su
10.42.0.2 picard.stupid.fish
''; '';
package = coredns.override { package = coredns.override {

BIN
secrets/forgejo-runners-token.age Normal file
View file

Binary file not shown.