Merge pull request 'test workflow' (#1) from workflows into main

Reviewed-on: #1
2025-08-20 12:06:54 +02:00 · 2025-08-20 12:06:54 +02:00 · 393c6b9ad2
commit 393c6b9ad2
parent 2d9feaa634 3e7d55f5b9
13 changed files with 173 additions and 85 deletions
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@ -0,0 +1,11 @@
+on:
+  push:
+    branches:
+      - main
+jobs:
+  build:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix develop
+      - run: colmena build -v --on @fili
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@ -0,0 +1,7 @@
+on: [push]
+jobs:
+  lint:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+      - run: nix fmt -- --check .
--- a/fili/configuration.nix
+++ b/fili/configuration.nix
@ -16,7 +16,6 @@ _: {
    networkmanager.enable = true;
  };

-
  nix.settings = {
    # users that can interact with nix
    trusted-users = [
--- a/fili/lib/auth.nix
+++ b/fili/lib/auth.nix
@ -1,4 +1,5 @@
-{ baseUrl, clientId }: {
+{ baseUrl, clientId }:
+{
  inherit clientId;

  userAuthUrl = "${baseUrl}/ui/oauth2";
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@ -1,9 +1,11 @@
-{pkgs, config, ...}: let
+{ pkgs, config, ... }:
+let
  lib = pkgs.lib;
  domain = "auth.donsz.nl";
  port = 3013;
  backupsDir = "/var/lib/kanidm/backup";
-in {
+in
+{
  services.kanidm.enableServer = true;
  services.kanidm.package = pkgs.kanidm_1_6;
  services.kanidm.serverSettings = {
@ -26,12 +28,11 @@ in {
      mkdir -p "${backupsDir}"
    '';
    serviceConfig = {
-      SupplementaryGroups =
-        [ config.security.acme.certs.${domain}.group ];
+      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
    };
  };

-  environment.systemPackages = [pkgs.kanidm];
+  environment.systemPackages = [ pkgs.kanidm ];

  services.nginx.virtualHosts.${domain} = {
    forceSSL = true;
--- a/fili/services/auth/oauth2-proxy.nix
+++ b/fili/services/auth/oauth2-proxy.nix
@ -1,12 +1,17 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
  sops.secrets.oauth2-proxy = {
    sopsFile = ../../../secrets/oauth2-proxy.env;
  };

  services.oauth2-proxy =
    let
-      auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
-    in {
+      auth = import ../../lib/auth.nix {
+        baseUrl = "https://auth.donsz.nl";
+        clientId = "homeserver";
+      };
+    in
+    {
      enable = true;

      provider = "oidc";
@ -34,7 +39,7 @@
      };

      extraConfig = {
-      whitelist-domain = ["*.donsz.nl"];
+        whitelist-domain = [ "*.donsz.nl" ];
      };

      nginx.domain = "oauth2.donsz.nl";
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@ -1,4 +1,9 @@
-{ lib, pkgs, config, ... }:
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
 let
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
@ -6,7 +11,7 @@ in
 {
  sops.secrets.forgejo = {
    sopsFile = ../../secrets/forgejo.yaml;
-    key="email_password";
+    key = "email_password";
    format = "yaml";
  };

@ -33,7 +38,7 @@ in
    lfs.enable = true;
    user = "forgejo";
    group = "forgejo";
-    repositoryRoot="/storage/storage/git";
+    repositoryRoot = "/storage/storage/git";

    database = {
      type = "postgres";
@ -43,8 +48,8 @@ in

    settings = {
      DEFAULT = {
-        APP_NAME="jana's git server";
-        APP_SLOGAN="meow!";
+        APP_NAME = "jana's git server";
+        APP_SLOGAN = "meow!";
      };
      server = {
        DOMAIN = "git.donsz.nl";
@ -62,7 +67,7 @@ in
        DEFAULT_ACTIONS_URL = "github";
      };
      repository = {
-        DEFAULT_PRIVATE="private";
+        DEFAULT_PRIVATE = "private";
      };
      mailer = {
        ENABLED = true;
@ -73,4 +78,56 @@ in
    };
    mailerPasswordFile = config.sops.secrets.forgejo.path;
  };
+
+  users.groups.forgejo-runner = { };
+  users.users.forgejo-runner = {
+    isSystemUser = true;
+    group = "forgejo-runner";
+  };
+
+  sops.secrets.forgejo-runner = {
+    sopsFile = ../../secrets/forgejo-runner.env;
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+
+    instances.fili = {
+      enable = true;
+      name = "forgejo-runner-01";
+      tokenFile = config.sops.secrets.forgejo-runner.path;
+      url = "https://git.donsz.nl/";
+      labels = [
+        "nix:host"
+        "docker:docker://node:16-bullseye"
+        "ubuntu-latest:docker://node:16-bullseye"
+      ];
+      settings = { };
+
+      hostPackages = with pkgs; [
+        # default ones
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+
+        # used in deployments
+        lix
+        openssh
+      ];
+    };
+  };
+
+  virtualisation.docker = {
+    daemon.settings = {
+      fixed-cidr-v6 = "fd00::/80";
+      ipv6 = true;
+    };
+  };
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
 }
--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@ -1,4 +1,5 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
  services.nginx = {
    enable = true;
    statusPage = true;
--- a/fili/services/websites/homepage.nix
+++ b/fili/services/websites/homepage.nix
@ -1,4 +1,5 @@
-{flakes, pkgs, ...}: {
+{ flakes, pkgs, ... }:
+{
  services.nginx = {
    virtualHosts."donsz.nl" = {
      forceSSL = true;
--- a/fili/services/websites/mapf.nix
+++ b/fili/services/websites/mapf.nix
@ -1,4 +1,5 @@
-{flakes,...}: {
+{ flakes, ... }:
+{
  # imports = [
  #   flakes.mapf.nixosModules.default
  # ];
--- a/fili/services/websites/totpal.nix
+++ b/fili/services/websites/totpal.nix
@ -1,8 +1,6 @@
-{ flakes, pkgs,... }:
+{ flakes, pkgs, ... }:
 let
-  totpal =
-    flakes.totpal.packages.${pkgs.system}.default
-  ;
+  totpal = flakes.totpal.packages.${pkgs.system}.default;
 in
 {
  services.nginx = {
@ -17,8 +15,7 @@ in
    };
  };

-  systemd.services.totpal =
-    {
+  systemd.services.totpal = {
    description = "totpal";
    serviceConfig = {
      Type = "simple";
--- a/secrets/forgejo-runner.env
+++ b/secrets/forgejo-runner.env
@ -0,0 +1,7 @@
+TOKEN=ENC[AES256_GCM,data:5WnyyafhDtizIzL4VjXYsMFxLTKikS4Lg6rNGoeVbMqXbquutotfcQ==,iv:2QknXqH8eHft9NHy6K17uv2WvSfvDE8HJsaBDfzUlws=,tag:jw0ffCsfhBNBy++W7cyJsg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHaTZNTmxkMVVuWER0dTZN\nL3N0cDF2bHdpZUNLQWdJMHVjVk5LbnY1OGlVClpya1VhcHdRUW0yUW5CL21mSUJN\nMDU5cFZ1QUppaHZ2dXkwUjgrVFloS3cKLS0tIGNzRWUxSFlXUnR5eFhEQkNOWmRY\nV0dNWWRXVnJCU0duU2dGcWZRWFhMUm8K9dsrIrABcLRZ4pfduYrIaSiEVF+e2OA0\nOGY2eYWAxbgtqBXEX+vLn0eNtoAptpQi2WgOWwVPr1M1+07w7jExBA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+sops_lastmodified=2025-08-20T10:03:18Z
+sops_mac=ENC[AES256_GCM,data:Su4KI/pxc1hqNzEYoA1iPU2a5Fp9o/SEf2DW+hx0T5sNL8UvUFDELqYUoGvNNuz1/59ZR8cEmNWhao9euBoF0eVoUAVuS6ADKkX8EjXXJY8qR3M7aseweYxRYXADcWLTlrXsK4xWU6z+NKwmdvYzir9N1XEeR+w3fJLBBNPBnZI=,iv:z3e0kJuJsCLrBGDXZZiYERA48bdvxTxCsPnSdUFgtT8=,tag:rW0zsoEKnKRTpJN8pkJ4/A==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.10.2