bunch of stuff

zero downtime website deployment forgejo runners media folder stuff
2025-04-01 15:50:31 +02:00 · 2025-04-01 15:50:31 +02:00 · 2fa176db17
parent 9668273e5d
commit 2fa176db17
9 changed files with 169 additions and 22 deletions
--- a/modules/age.nix
+++ b/modules/age.nix
@ -1,4 +1,8 @@
 {config, ...}: {
-  # This is where the age files go
+  age.identityPaths = [
-  # age.secrets.nextcloud.file = ../secrets/nextcloud.age;
+    "/home/baritone/.ssh/id_ed25519"
  ];
  age.secrets = {
    forgejo-runner-token.file = ../secrets/forgejo-runner-token.age;
  };
 }
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -0,0 +1,5 @@
 age-encryption.org/v1
 -> ssh-ed25519 rgw77A B/0cZTeHin54r5rLOPknrID5HqDdXUP1f3n6q28B11s
 I8lGmJNvkJQQUlWD8fbCt+IuYisKhoVb59ulqQZsGJw
 --- 5qC6VjzF8ldbN+AuD+G5y8ABxl+hqD1mt8QyEgVxrjI
 rêÊcåºÃMï·Ö	UÞ;œm0à6kª°;‚ª-sŸKÿÀÔWM;·ã_Š<5F>&<26>Yk\èŒMNê1¨qO¨¤hM7kA1m•1
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -2,4 +2,5 @@ let
  public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"];
 in {
  "nextcloud.age".publicKeys = public-keys;
  "forgejo-runner-token.age".publicKeys = public-keys;
 }
--- a/services/conduwuit.nix
+++ b/services/conduwuit.nix
@ -25,8 +25,16 @@ in {
    forceSSL = true;
    enableACME = true;
    listen = [
-      { port = 443; ssl = true; addr = "0.0.0.0"; }
+      {
-      { port = 8448; ssl = true; addr = "0.0.0.0"; }
+        port = 443;
        ssl = true;
        addr = "0.0.0.0";
      }
      {
        port = 8448;
        ssl = true;
        addr = "0.0.0.0";
      }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
--- a/services/docker.nix
+++ b/services/docker.nix
@ -0,0 +1,7 @@
 {...}:
 {
  virtualisation.docker = {
    enable = true;
    storageDriver = "zfs";
  };
 }
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -2,7 +2,10 @@
  host = "127.0.0.1";
  port = 6969;
 in {
-  imports = [./nginx.nix];
+  imports = [
    ./nginx.nix
    ./gitea-actions-runner.nix
  ];
  services.forgejo = {
    enable = true;
--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@ -0,0 +1,90 @@
 {
  config,
  pkgs,
  ...
 }: {
  imports = [ ./docker.nix ];
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances = {
      agurk = {
        enable = true;
        name = "agurk";
        url = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
        tokenFile = config.age.secrets.forgejo-runner-token.path;
        labels = [
          "native:host"
        ];
        hostPackages = pkgs.lib.attrValues {
          inherit
            (pkgs)
            nix
            nodejs
            git
            bash
            fd
            ripgrep
            openssh
            ;
        };
        settings = {
          log.level = "info";
          runner = {
            file = ".runner";
            capacity = 2;
            timeout = "3h";
            insecure = false;
            fetch_timeout = "5s";
            fetch_interval = "2s";
          };
        };
      };
      hval = pkgs.lib.mkIf false {
        enable = true;
        name = "hval";
        url = "http://host.docker.internal:${toString config.services.forgejo.settings.server.HTTP_PORT}";
        tokenFile = config.age.secrets.forgejo-runner-token.path;
        labels = [
          docker:docker://node:16-bullseye
        ];
        hostPackages = pkgs.lib.attrValues {
          inherit
            (pkgs)
            nix
            nodejs
            git
            bash
            fd
            ripgrep
            openssh
            ;
        };
        settings = {
          log.level = "info";
          runner = {
            file = ".runner";
            capacity = 2;
            timeout = "3h";
            insecure = false;
            fetch_timeout = "5s";
            fetch_interval = "2s";
          };
        };
      };
    };
  };
  system.activationScripts."make-gitea-runner-dir" = pkgs.lib.stringAfter ["var"] ''
    mkdir -p /var/lib/gitea-runner/
    # chown -R microvm:jellyfin /var/lib/gitea-runner
  '';
  # systemd.services = builtins.listToAttrs (pkgs.lib.attrsets.mapAttrsToList (
  #   name: value: {
  #     name = "gitea-runner-${name}";
  #     value = {
  #       serviceConfig.ReadWritePaths = "/srv/web";
  #     };
  #   }
  # ) config.services.gitea-actions-runner.instances);
 }
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@ -30,7 +30,7 @@ in {
  # Create folder for media
  config.system.activationScripts."jellyfinMediaFolder" = lib.stringAfter ["var"] ''
    mkdir -p /var/lib/media
-    chmod -R 775 /var/lib/media
+    chmod 770 /var/lib/media
    chown -R jellyfin:jellyfin /var/lib/media
  '';
--- a/services/website.nix
+++ b/services/website.nix
@ -6,7 +6,7 @@
  host = "127.0.0.1";
  port = 8080;
  user = "website-host-user";
-  uid = 1900;
+  repo = "https://git.spoodythe.one/spoody/website";
 in {
  imports = [./nginx.nix];
  services.nginx.virtualHosts."spoodythe.one" = {
@ -18,33 +18,62 @@ in {
    };
  };
-  users.users."website-host-user" = {
+  users.users."${user}" = {
-    isNormalUser = true;
+    isSystemUser = true;
-    inherit uid;
+    home = "/home/${user}";
    createHome = true;
    group = "${user}";
    shell = pkgs.bash;
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90JNokb4/4DZ/2tHS8Lj/jq+UiA0B2g+MFeM8KuA6Y website-host-user@server"
    ];
  };
  users.groups."${user}" = {};
-  systemd.services."website" = {
+  security.sudo.extraRules = [
    {
      users = ["${user}"];
      commands = [
        {
          command = "/run/current-system/sw/bin/systemctl restart rebuild-website.service";
          options = ["SETENV" "NOPASSWD"];
        }
        {
          command = "/run/current-system/sw/bin/systemd-run -d --uid website-host-user ./webbisitey";
          options = ["SETENV" "NOPASSWD"];
        }
      ];
    }
  ];
  systemd.services."rebuild-website" = {
    description = "Service for running my website";
    wants = ["network-online.target"];
    after = ["network-online.target"];
    wantedBy = ["multi-user.target"];
    preStart = ''
      if [ ! -d "/home/${user}/website" ]; then
        ${pkgs.git}/bin/git clone https://gitlab.com/SpoodyTheOne/webbisitey/ "/home/${user}/website"
      fi
    '';
    script = ''
-      cd /home/${user}/website
+      echo "Making temporary folder"
-      ${pkgs.git}/bin/git pull
+      path=$(mktemp -d)
-      ${pkgs.nix}/bin/nix run
+      echo "Cloning repo"
      ${pkgs.git}/bin/git clone ${repo} "$path"
      echo "cd $path"
      cd "$path"
      echo "[nix build] Rebuilding website flake..."
      ${pkgs.nix}/bin/nix build                                                         # build
      echo "[killall] Killing previous website process"
      ${pkgs.killall}/bin/killall webbisitey || true                                    # stop old website
      echo "Changing directory to build result..."
      cd result/bin                                                                     # cd into result folder
      echo "[systemd-run] Running webbisitey-wrapped..."
      /run/wrappers/bin/sudo /run/current-system/sw/bin/systemd-run -d --uid ${user} ./webbisitey       # run new website
    '';
    serviceConfig = {
-      Restart = "always";
+      Type = "oneshot";
      RemainsAfterExit = true;
      User = user;
-      # WorkingDirectory = "/home/${user}/website";
+      WorkingDirectory = "/tmp";
    };
  };
 }