feat(koi): picard

chore(koi): dind -> buildkitd in actions-runner
2025-01-16 04:03:26 +03:00 · 2025-01-16 04:03:14 +03:00
9 changed files with 115 additions and 46 deletions
--- a/hosts/koi/containers/navidrome/default.nix
+++ b/hosts/koi/containers/navidrome/default.nix
@ -16,6 +16,9 @@ let
    document.head.appendChild(style);
  '';
 in {
  imports = [
    ./picard.nix
  ];
  desu.secrets.navidrome-env.owner = "navidrome";
  users.users.navidrome = {
--- a/hosts/koi/containers/navidrome/picard.nix
+++ b/hosts/koi/containers/navidrome/picard.nix
@ -0,0 +1,45 @@
 { config, pkgs, ... }:
 let 
  UID = 1128;
 in {
  users.users.picard = {
    isNormalUser = true;
    uid = UID;
    extraGroups = [ "geesefs" ];
  };
  virtualisation.oci-containers.containers.picard = {
    image = "mikenye/picard:2.12.3";
    environment = {
      USER_ID = builtins.toString UID;
      GROUP_ID = builtins.toString config.users.groups.geesefs.gid;
      TZ = "Europe/Moscow";
      KEEP_APP_RUNNING = "1";
      WEB_AUDIO = "1";
      # ENABLE_CJK_FONT = "1";
    };
    extraOptions = [
      "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/music,target=/storage/s3"
      "--mount=type=bind,source=/srv/picard,target=/config"
    ];
  };
  systemd.services.docker-picard.requires = [ "gocryptfs.service" ];
  systemd.tmpfiles.rules = [
    "d /srv/picard 0700 ${builtins.toString UID} ${builtins.toString UID} -"
  ];
  services.nginx.virtualHosts."picard.stupid.fish" = {
    forceSSL = true;
    useACMEHost = "stupid.fish";
    extraConfig = ''
      allow 10.0.0.0/8;
      deny all;
    '';
    locations."/" = {
      proxyPass = "http://picard.docker:5800$request_uri";
    };
  };
 }
--- a/hosts/koi/services/actions-runner/buildkitd.nix
+++ b/hosts/koi/services/actions-runner/buildkitd.nix
@ -0,0 +1,32 @@
 { pkgs, ... }:
 {
  virtualisation.oci-containers.containers.act-runner-buildkitd = {
    image = "moby/buildkit:v0.19.0-rc2-rootless";
    cmd = [ 
      "--oci-worker-no-process-sandbox"
      "--addr=unix:///var/run/act-runner-buildkit/buildkitd.sock"
    ];
    user = "1000:1000";
    extraOptions = [
      "--security-opt=seccomp=unconfined"
      "--security-opt=apparmor=unconfined"
      "--mount=type=bind,source=/var/lib/act-runner-buildkit,target=/home/user/.local/share/buildkit"
      "--mount=type=bind,source=/var/run/act-runner-buildkit,target=/var/run/act-runner-buildkit"
    ];
  };
  systemd.services.act-runner-buildkit-clear-cache = {
    serviceConfig = {
      Type = "oneshot";
      User = "1000";
      ExecStart = "${pkgs.buildkit}/bin/buildctl --addr=unix:///var/run/act-runner-buildkit/buildkitd.sock prune";
    };
    startAt = "Mon 03:00";
  };
  systemd.tmpfiles.rules = [
    "d /var/lib/act-runner-buildkit 0700 1000 1000 -"
    "d /var/run/act-runner-buildkit 0700 1000 1000 -"
  ];
 }
--- a/hosts/koi/services/actions-runner/default.nix
+++ b/hosts/koi/services/actions-runner/default.nix
@ -1,28 +1,23 @@
 { config, pkgs, ... }: 
-let 
+{
-  UID = 1126;
+  imports = [ ./buildkitd.nix ];
 in {
  desu.secrets.forgejo-runners-token = {};
  desu.secrets.forgejo-runners-token-sf = {};
-  users.users.actions-runner = {
+  systemd.services.actions-runner-build-buildkit = {
-    isNormalUser = true;
+    description = "buildkit image builder for actions runner";
    uid = 1126;
  };
  systemd.services.actions-runner-build-dind = {
    description = "dind image builder for actions runner";
    after = [ "docker.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
-      ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-dind ${pkgs.copyPathToStore ./image-dind}";
+      ExecStart = "${pkgs.docker}/bin/docker build -t local/actions-runner-buildkit ${pkgs.copyPathToStore ./image-buildkit}";
    };
  };
-  systemd.services.gitea-runner-koi.requires = [ "actions-runner-build-dind.service" ];
+  systemd.services.gitea-runner-koi-buildkit.requires = [
-  systemd.services.gitea-runner-koi-stupid-fish.requires = [ "actions-runner-build-dind.service" ];
+    "actions-runner-build-buildkit.service"
    "docker-act-runner-buildkitd.service"
  ];
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
@ -43,17 +38,20 @@ in {
      };
    };
-    # a separate runner for dind because it requires privileged mode and act-runner doesnt support setting --privileged for certain images
+    instances.koi-buildkit = {
-    instances.koi-dind = {
+      name = "koi-buildkit";
      name = "koi-dind";
      enable = true;
      url = "https://git.stupid.fish";
      tokenFile = config.desu.secrets.forgejo-runners-token-sf.path;
      labels = [
-        "docker-dind:docker://local/actions-runner-dind"
+        "buildkit:docker://local/actions-runner-buildkit" 
      ];
      settings = {
-        container.privileged = true;
+        runner.capacity = 4;
        container = {
          valid_volumes = [ "/var/run/act-runner-buildkit" ];
          options = "--user=1000:1000 --mount=type=bind,source=/var/run/act-runner-buildkit,target=/var/run/buildkit"; 
        };
      };
    };
  };
--- a/hosts/koi/services/actions-runner/image-buildkit/Dockerfile
+++ b/hosts/koi/services/actions-runner/image-buildkit/Dockerfile
@ -1,20 +1,19 @@
 FROM node:23.4.0-alpine AS node
-FROM docker:27-dind-rootless
+FROM moby/buildkit:master-rootless
 USER root 
 COPY --from=node /usr/local/bin/node /usr/local/bin/node
 COPY --from=node /usr/local/lib/node_modules /usr/local/lib/node_modules
 COPY --from=node /usr/local/include/node /usr/local/include/node
-COPY ./start-dockerd.sh /opt/start-dockerd.sh
+COPY ./registry-login.sh /opt/registry-login.sh
 RUN apk add libstdc++ bash && \
    ln -s /usr/local/lib/node_modules/npm/bin/npm-cli.js /usr/local/bin/npm && \
    ln -s /usr/local/lib/node_modules/npm/bin/npx-cli.js /usr/local/bin/npx && \
-    ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack && \
+    ln -s /usr/local/lib/node_modules/corepack/dist/corepack.js /usr/local/bin/corepack
    ln -s /run/user/1000/docker.sock /var/run/docker.sock
-ENV DOCKER_HOST=unix:///run/user/1000/docker.sock
+ENV BUILDKIT_HOST=unix:///var/run/buildkit/buildkitd.sock
-USER rootless
+USER user
--- a/hosts/koi/services/actions-runner/image-buildkit/registry-login.sh
+++ b/hosts/koi/services/actions-runner/image-buildkit/registry-login.sh
@ -0,0 +1,12 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if [ -z "$1" -o -z "$2" -o -z "$3" ]; then
    echo "Usage: $0 <registry> <username> <password>"
    exit 1
 fi
 BASE64_AUTH=$(echo -n "$2:$3" | base64)
 mkdir -p /home/user/.docker
 echo "{\"auths\": {\"$1\": {\"auth\": \"$BASE64_AUTH\"}}}" > /home/user/.docker/config.json
--- a/hosts/koi/services/actions-runner/image-dind/start-dockerd.sh
+++ b/hosts/koi/services/actions-runner/image-dind/start-dockerd.sh
@ -1,21 +0,0 @@
 #!/usr/bin/env bash
 set -euo pipefail
 if docker info &> /dev/null; then
  exit 0
 fi
 nohup /usr/local/bin/dockerd-entrypoint.sh > /home/rootless/dockerd.log 2>&1 &
 export DOCKER_HOST=unix:///run/user/1000/docker.sock
 # wait for docker to start
 retry=0
 while ! docker info &> /dev/null; do
  sleep 1
  retry=$((retry + 1))
  if [ $retry -gt 15 ]; then
    echo "Failed to start dockerd after 15 seconds"
    exit 1
  fi
 done
--- a/hosts/koi/services/coredns.nix
+++ b/hosts/koi/services/coredns.nix
@ -22,6 +22,7 @@ let
    10.42.0.2 navi.stupid.fish
    10.42.0.2 wiki.stupid.fish
    10.42.0.2 siyuan.tei.su
    10.42.0.2 picard.stupid.fish
  '';
  package = coredns.override {
--- a/secrets/forgejo-runners-token.age
+++ b/secrets/forgejo-runners-token.age
Author	SHA1	Message	Date
teidesu	041aa095ee	feat(koi): picard	2025-01-16 04:03:26 +03:00
teidesu	084ac001de	chore(koi): dind -> buildkitd in actions-runner	2025-01-16 04:03:14 +03:00