Replace Containerfile with Forgejo Actions

.gitea/workflows/update.yaml

@@ -0,0 +1,36 @@
+name: Update flake.lock
+
+# PREREQUISITES:
+#  - Generate ssh key: `ssh-keygen -t ed25519 -f snowflake`.
+#  - Add private key to https://git.caspervk.net/caspervk/nixos/settings/actions/secrets as SNOWFLAKE_SSH_PRIVATE_KEY.
+#  - Add public key to https://git.caspervk.net/caspervk/nixos/settings/keys with WRITE access.
+#  - Add public key to https://git.caspervk.net/caspervk/nixos-secrets/settings/keys with READ access.
+
+on:
+  # https://forgejo.org/docs/latest/user/actions/#onschedule
+  schedule:
+    - cron: "23 17 * * 1"
+
+jobs:
+  update:
+    runs-on: debian-latest
+    container:
+      image: docker.io/nixos/nix:2.21.0
+    steps:
+      - run: |
+          # Configure SSH
+          mkdir ~/.ssh/
+          echo "git.caspervk.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAvPxSg6XN6znT1T4H0U1lzJBsGY7Uann+TBisWD3Drd" > ~/.ssh/known_hosts
+          echo "${{ secrets.SNOWFLAKE_SSH_PRIVATE_KEY }}" > ~/.ssh/id_ed25519
+          chmod 0600 ~/.ssh/id_ed25519
+
+          # Checkout repository
+          git clone git@git.caspervk.net:caspervk/nixos.git
+          cd nixos/
+
+          # Update flake.lock
+          git config user.email "snowflake@caspervk.net"
+          git config user.name "snowflake"
+          nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file
+          git push
+

Containerfile

@@ -1,22 +0,0 @@
-# Automatic NixOS upgrades (modules/server/system.nix) requires updating
-# flake.lock in the repository periodically. This repository is hosted on
-# Gitea, which doesn't have good support for CI. Instead, this Containerfile
-# is run on a server. This requires a Gitea access token[1] with repository
-# read/write permissions. Note that we must use an account-wide access token to
-# be able to clone through HTTPS (and utilise certificates rather than blindly
-# trusting SSH keys), as repository deploy keys can only be used through
-# SSH. The token should be passed as the GIT_PASSWORD environment variable.
-# [1] https://git.caspervk.net/user/settings/applications
-
-FROM nixos/nix:latest
-
-CMD git clone https://caspervk:$GIT_PASSWORD@git.caspervk.net/caspervk/nixos.git && \
-    cd nixos/ && \
-    git config user.email "snowflake@caspervk.net" && \
-    git config user.name "snowflake" && \
-    # store in /dev/shm tmpfs to avoid an ever-growing nix store in the container
-    nix --extra-experimental-features nix-command --extra-experimental-features flakes flake update --commit-lock-file --store /dev/shm && \
-    git push && \
-    cd .. && \
-    rm -rf nixos/ && \
-    sleep 7d  # Run again in a week. Requires `restart: unless-stopped`

flake.lock

@@ -120,11 +120,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1711460390,
-        "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
+        "lastModified": 1711668574,
+        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
+        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1711743434,
-        "narHash": "sha256-fqeuUwSNBeWL4pSDsqIehH6Mgl3J8ZmEGPhmdD1gufo=",
+        "lastModified": 1711747594,
+        "narHash": "sha256-k8Ew/EDpcLJKs285SqEldFbiKSf9rsHz/g0btv8zFM8=",
         "ref": "refs/heads/master",
-        "rev": "c79b0434590226446576f6b19d474cb9e41dc6b2",
-        "revCount": 6,
+        "rev": "110dae44d26b6d973922b804213446d1c0165486",
+        "revCount": 7,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/sigma/default.nix

@@ -5,6 +5,7 @@
     ../../modules/server
     ./hardware.nix
     #./borg.nix
+    ./gitea.nix
     ./network.nix
   ];
 

hosts/sigma/gitea.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  secrets,
+  ...
+}: {
+  # https://forgejo.org/docs/latest/admin/actions/
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."default" = {
+      enable = true;
+      name = "default";
+      url = "https://git.caspervk.net";
+      # From https://git.caspervk.net/admin/actions/runners/
+      tokenFile = config.age.secrets.gitea-actions-runner-token-file.path;
+      # The Forgejo runner relies on application containers (Docker, Podman,
+      # etc) to execute a workflow in an isolated environment. Labels are used
+      # to map jobs' `runs-on` to their runtime environment. Many common
+      # actions require bash, git and nodejs, as well as a filesystem that
+      # follows the filesystem hierarchy standard.
+      labels = [
+        "debian-latest:docker://node:20-bullseye"
+      ];
+      # https://forgejo.org/docs/latest/admin/actions/#configuration
+      settings = {
+        runner = {
+          # Default fetch interval is 2s -- no need to spam the server
+          fetch_interval = "5m";
+        };
+      };
+    };
+  };
+
+  age.secrets.gitea-actions-runner-token-file = {
+    file = "${secrets}/secrets/gitea-actions-runner-token-file.age";
+    mode = "400";
+    owner = "root";
+    group = "root";
+  };
+}

overlays/default.nix

@@ -1,3 +1,3 @@
 {...}: {
-  imports = [];
+  imports = [./forgejo-actions-runner.nix];
 }

overlays/forgejo-actions-runner.nix

@@ -0,0 +1,24 @@
+{...}: {
+  # Running containers without /bin/sleep (such as nixos) requires newer
+  # forgejo act runner. See https://codeberg.org/forgejo/forgejo/issues/2611.
+  nixpkgs.overlays = [
+    (final: prev: {
+      forgejo-actions-runner = prev.callPackage "${prev.path}/pkgs/development/tools/continuous-integration/forgejo-actions-runner" {
+        buildGoModule = args:
+          prev.buildGoModule (args
+            // rec {
+              version = "3.4.1";
+
+              src = prev.fetchFromGitea {
+                domain = "codeberg.org";
+                owner = "forgejo";
+                repo = "runner";
+                rev = "v${version}";
+                hash = "sha256-c8heIHt+EJ6LnZT4/6TTWd7v85VRHjH72bdje12un4M=";
+              };
+              vendorHash = "sha256-FCCQZdAYRtJR3DGQIEvUzv+1kqvxVTGkwJwZSohq28s=";
+            });
+      };
+    })
+  ];
+}