diff --git a/modules/age.nix b/modules/age.nix index c786b42..5e3261a 100644 --- a/modules/age.nix +++ b/modules/age.nix @@ -1,4 +1,8 @@ {config, ...}: { - # This is where the age files go - # age.secrets.nextcloud.file = ../secrets/nextcloud.age; + age.identityPaths = [ + "/home/baritone/.ssh/id_ed25519" + ]; + age.secrets = { + forgejo-runner-token.file = ../secrets/forgejo-runner-token.age; + }; } diff --git a/secrets/forgejo-runner-token.age b/secrets/forgejo-runner-token.age new file mode 100644 index 0000000..6f9531c --- /dev/null +++ b/secrets/forgejo-runner-token.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 rgw77A B/0cZTeHin54r5rLOPknrID5HqDdXUP1f3n6q28B11s +I8lGmJNvkJQQUlWD8fbCt+IuYisKhoVb59ulqQZsGJw +--- 5qC6VjzF8ldbN+AuD+G5y8ABxl+hqD1mt8QyEgVxrjI +rcM U;m06k;-sKWM;_&Yk\MN1qOhM7k A1m1 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 3a786a6..cfa9796 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -2,4 +2,5 @@ let public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"]; in { "nextcloud.age".publicKeys = public-keys; + "forgejo-runner-token.age".publicKeys = public-keys; } diff --git a/services/conduwuit.nix b/services/conduwuit.nix index 2538ab1..926dab0 100644 --- a/services/conduwuit.nix +++ b/services/conduwuit.nix @@ -25,8 +25,16 @@ in { forceSSL = true; enableACME = true; listen = [ - { port = 443; ssl = true; addr = "0.0.0.0"; } - { port = 8448; ssl = true; addr = "0.0.0.0"; } + { + port = 443; + ssl = true; + addr = "0.0.0.0"; + } + { + port = 8448; + ssl = true; + addr = "0.0.0.0"; + } ]; locations."/" = { proxyPass = "http://${host}:${toString port}"; diff --git a/services/docker.nix b/services/docker.nix new file mode 100644 index 0000000..52427b5 --- /dev/null +++ b/services/docker.nix @@ -0,0 +1,7 @@ +{...}: +{ + virtualisation.docker = { + enable = true; + storageDriver = "zfs"; + }; +} 
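Review bot: `age.identityPaths` points at a personal key under `/home/baritone/.ssh/`, so decryption of every secret at activation now depends on that user's home directory and key being present; agenix decrypts as root early in activation, and if `/home` is a separate mount (the `zfs` storage driver added elsewhere in this commit suggests ZFS datasets) the key may not be available at that point. The usual pattern is to keep the default host identity (`/etc/ssh/ssh_host_ed25519_key`), add the host's public key to `public-keys` in secrets/secrets.nix and rekey; as committed, `forgejo-runner-token.age` is encrypted only to the `baritone@server` key, so that rekey step would be required. Since that key is presumably also used for interactive SSH, consider whether host secrets should share it at all, and note the choice with a comment such as `# decrypted with baritone's user key, not the host key — /home must be mounted at activation`.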
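Review bot: The Docker daemon is enabled here unconditionally even though the only runner instance that carries a `docker:` label (`hval` in services/gitea-actions-runner.nix) is wrapped in `pkgs.lib.mkIf false`, so this adds a root-equivalent daemon and socket with no consumer. Consider gating `virtualisation.docker.enable` on that instance actually being enabled, or dropping the `./docker.nix` import from gitea-actions-runner.nix until it is needed. `storageDriver = "zfs"` also presumes `/var/lib/docker` lives on a ZFS dataset; a short comment stating that assumption, e.g. `# assumes /var/lib/docker is on a ZFS dataset`, would help the next reader.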
diff --git a/services/forgejo.nix b/services/forgejo.nix index 2f0dda1..ae08783 100755 --- a/services/forgejo.nix +++ b/services/forgejo.nix @@ -2,7 +2,10 @@ host = "127.0.0.1"; port = 6969; in { - imports = [./nginx.nix]; + imports = [ + ./nginx.nix + ./gitea-actions-runner.nix + ]; services.forgejo = { enable = true; diff --git a/services/gitea-actions-runner.nix b/services/gitea-actions-runner.nix new file mode 100644 index 0000000..920bf29 --- /dev/null +++ b/services/gitea-actions-runner.nix 
@@ -0,0 +1,90 @@ +{ + config, + pkgs, + ... +}: { + imports = [ ./docker.nix ]; + services.gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances = { + agurk = { + enable = true; + name = "agurk"; + url = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"; + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "native:host" + ]; + hostPackages = pkgs.lib.attrValues { + inherit + (pkgs) + nix + nodejs + git + bash + fd + ripgrep + openssh + ; + }; + settings = { + log.level = "info"; + runner = { + file = ".runner"; + capacity = 2; + timeout = "3h"; + insecure = false; + fetch_timeout = "5s"; + fetch_interval = "2s"; + }; + }; + }; + hval = pkgs.lib.mkIf false { + enable = true; + name = "hval"; + url = "http://host.docker.internal:${toString config.services.forgejo.settings.server.HTTP_PORT}"; + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + docker:docker://node:16-bullseye + ]; + hostPackages = pkgs.lib.attrValues { + inherit + (pkgs) + nix + nodejs + git + bash + fd + ripgrep + openssh + ; + }; + settings = { + log.level = "info"; + runner = { + file = ".runner"; + capacity = 2; + timeout = "3h"; + insecure = false; + fetch_timeout = "5s"; + fetch_interval = "2s"; + }; + }; + }; + }; + }; + + system.activationScripts."make-gitea-runner-dir" = pkgs.lib.stringAfter ["var"] '' + mkdir -p /var/lib/gitea-runner/ + # chown -R microvm:jellyfin /var/lib/gitea-runner + ''; + + # systemd.services = builtins.listToAttrs (pkgs.lib.attrsets.mapAttrsToList ( + # name: value: { + # name = "gitea-runner-${name}"; + # value = { + # serviceConfig.ReadWritePaths = "/srv/web"; + # }; + # } + # ) config.services.gitea-actions-runner.instances); +} diff --git a/services/jellyfin.nix b/services/jellyfin.nix index ffa5656..fa62357 100755 --- a/services/jellyfin.nix +++ b/services/jellyfin.nix 
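Review bot: In the `hval` instance the label `docker:docker://node:16-bullseye` is not quoted; Nix must parse the whole file even though the value sits behind `mkIf false`, so this most likely breaks evaluation and should read `"docker:docker://node:16-bullseye"`. The `agurk` instance runs with label `native:host` and ships `nix`, `bash`, `git` and `openssh` in `hostPackages`, which means any repository allowed to dispatch a workflow executes it directly on this host as the runner's service user with no container isolation; that deserves a comment at the instance and a check of which repositories may use the runner. The activation script's commented `chown -R microvm:jellyfin` looks like a leftover from another module, and I believe the NixOS module already creates a state directory per instance, so `make-gitea-runner-dir` may be redundant — confirm before keeping it. If the module passes `tokenFile` to systemd as an `EnvironmentFile`, the decrypted secret must be in `TOKEN=<value>` form rather than the bare token; verify the content of `forgejo-runner-token.age` matches. The commented-out `systemd.services` block at the end is dead code and can be dropped.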
@@ -30,7 +30,7 @@ in { # Create folder for media config.system.activationScripts."jellyfinMediaFolder" = lib.stringAfter ["var"] '' mkdir -p /var/lib/media - chmod -R 775 /var/lib/media + chmod 770 /var/lib/media chown -R jellyfin:jellyfin /var/lib/media ''; diff --git a/services/website.nix b/services/website.nix index 19ceefb..fd45a89 100755 --- a/services/website.nix +++ b/services/website.nix @@ -6,7 +6,7 @@ host = "127.0.0.1"; port = 8080; user = "website-host-user"; - uid = 1900; + repo = "https://git.spoodythe.one/spoody/website"; in { imports = [./nginx.nix]; services.nginx.virtualHosts."spoodythe.one" = { 
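Review bot: `chmod 770` now applies only to `/var/lib/media` itself, whereas the previous rule was recursive, so on an already-deployed system files created under the old `775` rule keep their world-readable bits; this is mostly moot because a `770` parent blocks traversal by others, but the change in intent should be stated, e.g. `# 770 on the top directory: only jellyfin and its group may enter the media tree`. Note also that `chown -R` still walks the whole library on every activation, which can make a switch noticeably slow on a large tree. The enclosing attribute set starts before the hunk.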
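Review bot: Dropping `uid = 1900;` means the `website-host-user` account (made `isSystemUser` in the following hunk) gets a dynamically allocated uid, so on an already-deployed host files under `/home/website-host-user` still owned by uid 1900 may no longer belong to the user after the switch; either keep a fixed uid or plan a one-off `chown`. The new `repo` URL is cloned and built unpinned at every service start, so whatever the default branch's HEAD holds at that moment is what gets built and run as this user; a comment stating that this is intentional, or pinning a revision, would make the trust assumption explicit. The `let` block these bindings belong to begins before the hunk.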
@@ -18,33 +18,62 @@ in { }; }; - users.users."website-host-user" = { - isNormalUser = true; - inherit uid; + users.users."${user}" = { + isSystemUser = true; + home = "/home/${user}"; + createHome = true; + group = "${user}"; + shell = pkgs.bash; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90JNokb4/4DZ/2tHS8Lj/jq+UiA0B2g+MFeM8KuA6Y website-host-user@server" + ]; }; + users.groups."${user}" = {}; - systemd.services."website" = { + security.sudo.extraRules = [ + { + users = ["${user}"]; + commands = [ + { + command = "/run/current-system/sw/bin/systemctl restart rebuild-website.service"; + options = ["SETENV" "NOPASSWD"]; + } + { + command = "/run/current-system/sw/bin/systemd-run -d --uid website-host-user ./webbisitey"; + options = ["SETENV" "NOPASSWD"]; + } + ]; + } + ]; + + systemd.services."rebuild-website" = { description = "Service for running my website"; wants = ["network-online.target"]; after = ["network-online.target"]; wantedBy = ["multi-user.target"]; - preStart = '' - if [ ! -d "/home/${user}/website" ]; then - ${pkgs.git}/bin/git clone https://gitlab.com/SpoodyTheOne/webbisitey/ "/home/${user}/website" - fi - ''; - script = '' - cd /home/${user}/website - ${pkgs.git}/bin/git pull - ${pkgs.nix}/bin/nix run + echo "Making temporary folder" + path=$(mktemp -d) + echo "Cloning repo" + ${pkgs.git}/bin/git clone ${repo} "$path" + echo "cd $path" + cd "$path" + echo "[nix build] Rebuilding website flake..." + ${pkgs.nix}/bin/nix build # build + echo "[killall] Killing previous website process" + ${pkgs.killall}/bin/killall webbisitey || true # stop old website + echo "Changing directory to build result..." + cd result/bin # cd into result folder + echo "[systemd-run] Running webbisitey-wrapped..." 
+ /run/wrappers/bin/sudo /run/current-system/sw/bin/systemd-run -d --uid ${user} ./webbisitey # run new website ''; serviceConfig = { - Restart = "always"; + Type = "oneshot"; + RemainsAfterExit = true; User = user; - # WorkingDirectory = "/home/${user}/website"; + WorkingDirectory = "/tmp"; }; }; }
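Review bot: `RemainsAfterExit = true;` is not a systemd directive — the key is `RemainAfterExit=` — so as written systemd should warn about an unknown key and the oneshot unit will report inactive as soon as the script returns; change it to `RemainAfterExit = true;`. The script also leaks per run: `mktemp -d` creates a fresh clone under `/tmp` that is never removed, and `nix build` registers the `result` symlink there as an indirect GC root, so every restart pins another store path until someone deletes the directory; building with `--out-link` to a fixed location under the user's home and removing `$path` afterwards would avoid that. The sudo rule for `systemd-run` hard-codes `--uid website-host-user ./webbisitey` while the script uses `${user}`, and because `./webbisitey` is relative and `-d` reuses the caller's working directory the rule does not constrain which binary is launched — the exposure is limited since it runs as the invoking user, but use `${user}` in both places so they cannot drift apart. `SETENV` on a `NOPASSWD` rule additionally lets the invoker carry an arbitrary environment into the transient unit and does not appear to be needed here. The enclosing attribute set begins before the hunk.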