bunch of stuff

zero downtime website deployment forgejo runners media folder stuff
2025-04-01 15:50:31 +02:00 · 2025-04-01 15:50:31 +02:00 · 2fa176db17
parent 9668273e5d
commit 2fa176db17
9 changed files with 169 additions and 22 deletions
--- a/modules/age.nix
+++ b/modules/age.nix
@ -1,4 +1,8 @@
 {config, ...}: {
-  # This is where the age files go
-  # age.secrets.nextcloud.file = ../secrets/nextcloud.age;
+  age.identityPaths = [
+    "/home/baritone/.ssh/id_ed25519"
+  ];
+  age.secrets = {
+    forgejo-runner-token.file = ../secrets/forgejo-runner-token.age;
+  };
 }
--- a/secrets/forgejo-runner-token.age
+++ b/secrets/forgejo-runner-token.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 rgw77A B/0cZTeHin54r5rLOPknrID5HqDdXUP1f3n6q28B11s
+I8lGmJNvkJQQUlWD8fbCt+IuYisKhoVb59ulqQZsGJw
+--- 5qC6VjzF8ldbN+AuD+G5y8ABxl+hqD1mt8QyEgVxrjI
+rêÊcåºÃMï·Ö	UÞ;œm0à6kª°;‚ª-sŸKÿÀÔWM;·ã_Š<5F>&<26>Yk\èŒMNê1¨qO¨¤hM7kA1m•1
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -2,4 +2,5 @@ let
  public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"];
 in {
  "nextcloud.age".publicKeys = public-keys;
+  "forgejo-runner-token.age".publicKeys = public-keys;
 }
--- a/services/conduwuit.nix
+++ b/services/conduwuit.nix
@ -25,8 +25,16 @@ in {
    forceSSL = true;
    enableACME = true;
    listen = [
-      { port = 443; ssl = true; addr = "0.0.0.0"; }
-      { port = 8448; ssl = true; addr = "0.0.0.0"; }
+      {
+        port = 443;
+        ssl = true;
+        addr = "0.0.0.0";
+      }
+      {
+        port = 8448;
+        ssl = true;
+        addr = "0.0.0.0";
+      }
    ];
    locations."/" = {
      proxyPass = "http://${host}:${toString port}";
--- a/services/docker.nix
+++ b/services/docker.nix
@ -0,0 +1,7 @@
+{...}:
+{
+  virtualisation.docker = {
+    enable = true;
+    storageDriver = "zfs";
+  };
+}
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@ -2,7 +2,10 @@
  host = "127.0.0.1";
  port = 6969;
 in {
-  imports = [./nginx.nix];
+  imports = [
+    ./nginx.nix
+    ./gitea-actions-runner.nix
+  ];
  services.forgejo = {
    enable = true;

--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@ -0,0 +1,90 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [ ./docker.nix ];
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances = {
+      agurk = {
+        enable = true;
+        name = "agurk";
+        url = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+        tokenFile = config.age.secrets.forgejo-runner-token.path;
+        labels = [
+          "native:host"
+        ];
+        hostPackages = pkgs.lib.attrValues {
+          inherit
+            (pkgs)
+            nix
+            nodejs
+            git
+            bash
+            fd
+            ripgrep
+            openssh
+            ;
+        };
+        settings = {
+          log.level = "info";
+          runner = {
+            file = ".runner";
+            capacity = 2;
+            timeout = "3h";
+            insecure = false;
+            fetch_timeout = "5s";
+            fetch_interval = "2s";
+          };
+        };
+      };
+      hval = pkgs.lib.mkIf false {
+        enable = true;
+        name = "hval";
+        url = "http://host.docker.internal:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+        tokenFile = config.age.secrets.forgejo-runner-token.path;
+        labels = [
+          docker:docker://node:16-bullseye
+        ];
+        hostPackages = pkgs.lib.attrValues {
+          inherit
+            (pkgs)
+            nix
+            nodejs
+            git
+            bash
+            fd
+            ripgrep
+            openssh
+            ;
+        };
+        settings = {
+          log.level = "info";
+          runner = {
+            file = ".runner";
+            capacity = 2;
+            timeout = "3h";
+            insecure = false;
+            fetch_timeout = "5s";
+            fetch_interval = "2s";
+          };
+        };
+      };
+    };
+  };
+
+  system.activationScripts."make-gitea-runner-dir" = pkgs.lib.stringAfter ["var"] ''
+    mkdir -p /var/lib/gitea-runner/
+    # chown -R microvm:jellyfin /var/lib/gitea-runner
+  '';
+
+  # systemd.services = builtins.listToAttrs (pkgs.lib.attrsets.mapAttrsToList (
+  #   name: value: {
+  #     name = "gitea-runner-${name}";
+  #     value = {
+  #       serviceConfig.ReadWritePaths = "/srv/web";
+  #     };
+  #   }
+  # ) config.services.gitea-actions-runner.instances);
+}
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@ -30,7 +30,7 @@ in {
  # Create folder for media
  config.system.activationScripts."jellyfinMediaFolder" = lib.stringAfter ["var"] ''
    mkdir -p /var/lib/media
-    chmod -R 775 /var/lib/media
+    chmod 770 /var/lib/media
    chown -R jellyfin:jellyfin /var/lib/media
  '';

--- a/services/website.nix
+++ b/services/website.nix
@ -6,7 +6,7 @@
  host = "127.0.0.1";
  port = 8080;
  user = "website-host-user";
-  uid = 1900;
+  repo = "https://git.spoodythe.one/spoody/website";
 in {
  imports = [./nginx.nix];
  services.nginx.virtualHosts."spoodythe.one" = {
@ -18,33 +18,62 @@ in {
    };
  };

-  users.users."website-host-user" = {
-    isNormalUser = true;
-    inherit uid;
+  users.users."${user}" = {
+    isSystemUser = true;
+    home = "/home/${user}";
+    createHome = true;
+    group = "${user}";
+    shell = pkgs.bash;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90JNokb4/4DZ/2tHS8Lj/jq+UiA0B2g+MFeM8KuA6Y website-host-user@server"
+    ];
  };
+  users.groups."${user}" = {};

-  systemd.services."website" = {
+  security.sudo.extraRules = [
+    {
+      users = ["${user}"];
+      commands = [
+        {
+          command = "/run/current-system/sw/bin/systemctl restart rebuild-website.service";
+          options = ["SETENV" "NOPASSWD"];
+        }
+        {
+          command = "/run/current-system/sw/bin/systemd-run -d --uid website-host-user ./webbisitey";
+          options = ["SETENV" "NOPASSWD"];
+        }
+      ];
+    }
+  ];
+
+  systemd.services."rebuild-website" = {
    description = "Service for running my website";
    wants = ["network-online.target"];
    after = ["network-online.target"];
    wantedBy = ["multi-user.target"];

-    preStart = ''
-      if [ ! -d "/home/${user}/website" ]; then
-        ${pkgs.git}/bin/git clone https://gitlab.com/SpoodyTheOne/webbisitey/ "/home/${user}/website"
-      fi
-    '';
-
    script = ''
-      cd /home/${user}/website
-      ${pkgs.git}/bin/git pull
-      ${pkgs.nix}/bin/nix run
+      echo "Making temporary folder"
+      path=$(mktemp -d)
+      echo "Cloning repo"
+      ${pkgs.git}/bin/git clone ${repo} "$path"
+      echo "cd $path"
+      cd "$path"
+      echo "[nix build] Rebuilding website flake..."
+      ${pkgs.nix}/bin/nix build                                                         # build
+      echo "[killall] Killing previous website process"
+      ${pkgs.killall}/bin/killall webbisitey || true                                    # stop old website
+      echo "Changing directory to build result..."
+      cd result/bin                                                                     # cd into result folder
+      echo "[systemd-run] Running webbisitey-wrapped..."
+      /run/wrappers/bin/sudo /run/current-system/sw/bin/systemd-run -d --uid ${user} ./webbisitey       # run new website
    '';

    serviceConfig = {
-      Restart = "always";
+      Type = "oneshot";
+      RemainsAfterExit = true;
      User = user;
-      # WorkingDirectory = "/home/${user}/website";
+      WorkingDirectory = "/tmp";
    };
  };
 }