home/nixos-servers
home/nixos-servers
2
0
Fork 0
Code Issues 8 Pull requests Projects Releases Packages Wiki Activity Actions

add forgejo runner

Browse source
This commit is contained in:
Pim Kunis 2024-04-17 23:19:08 +02:00
parent a56de1672e
commit 39410c4bae
2 changed files with 142 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

171
kubenix-modules/forgejo.nix
View file

@ -1,5 +1,7 @@
{ myLib, ... }: { { myLib, ... }: {
kubernetes.resources = { kubernetes.resources = {
secrets.runner-secret.stringData.token = "ref+sops://secrets/sops.yaml#/forgejo/runnerToken";
configMaps = { configMaps = {
forgejo-config.data = { forgejo-config.data = {
# TODO: Generate from nix code? # TODO: Generate from nix code?
@ -117,41 +119,143 @@
}; };
}; };
deployments.forgejo = { deployments = {
metadata.labels.app = "forgejo"; forgejo = {
metadata.labels = {
app = "forgejo";
component = "forgejo";
};
spec = { spec = {
selector.matchLabels.app = "forgejo"; selector.matchLabels = {
app = "forgejo";
component = "forgejo";
};
template = { template = {
metadata.labels.app = "forgejo"; metadata.labels = {
app = "forgejo";
spec = { component = "forgejo";
containers.forgejo = {
image = "codeberg.org/forgejo/forgejo:1.20";
envFrom = [{ configMapRef.name = "forgejo-env"; }];
ports = {
web.containerPort = 3000;
ssh.containerPort = 22;
};
volumeMounts = [
{
name = "data";
mountPath = "/data";
}
{
name = "config";
mountPath = "/data/gitea/conf/app.ini";
subPath = "config";
}
];
}; };
volumes = { spec = {
data.persistentVolumeClaim.claimName = "forgejo"; containers.forgejo = {
config.configMap.name = "forgejo-config"; image = "codeberg.org/forgejo/forgejo:1.21";
envFrom = [{ configMapRef.name = "forgejo-env"; }];
ports = {
web.containerPort = 3000;
ssh.containerPort = 22;
};
volumeMounts = [
{
name = "data";
mountPath = "/data";
}
{
name = "config";
mountPath = "/data/gitea/conf/app.ini";
subPath = "config";
}
];
};
volumes = {
data.persistentVolumeClaim.claimName = "forgejo";
config.configMap.name = "forgejo-config";
};
};
};
};
};
# Forgejo-runner for docker in docker (dind) on Kubernetes:
# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/kubernetes/dind-docker.yaml
forgejo-runner = {
metadata.labels = {
app = "forgejo";
component = "runner";
};
spec = {
selector.matchLabels = {
app = "forgejo";
component = "runner";
};
template = {
metadata.labels = {
app = "forgejo";
component = "runner";
};
spec = {
restartPolicy = "Always";
volumes = {
docker-certs.emptyDir = { };
runner-data.emptyDir = { };
};
initContainers.runner-register = {
image = "code.forgejo.org/forgejo/runner:3.2.0";
command = [ "forgejo-runner" "register" "--no-interactive" "--token" "$(RUNNER_SECRET)" "--name" "$(RUNNER_NAME)" "--instance" "$(FORGEJO_INSTANCE_URL)" ];
env = {
RUNNER_NAME.value = "runner";
FORGEJO_INSTANCE_URL.value = "https://git.kun.is";
RUNNER_SECRET.valueFrom.secretKeyRef = {
name = "runner-secret";
key = "token";
};
};
resources.limits = {
cpu = "0.50";
memory = "64Mi";
};
volumeMounts = [{
name = "runner-data";
mountPath = "/data";
}];
};
containers = {
runner = {
image = "code.forgejo.org/forgejo/runner:3.0.0";
command = [ "sh" "-c" "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon" ];
env = {
DOCKER_HOST.value = "tcp://localhost:2376";
DOCKER_CERT_PATH.value = "/certs/client";
DOCKER_TLS_VERIFY.value = "1";
};
volumeMounts = [
{
name = "docker-certs";
mountPath = "/certs";
}
{
name = "runner-data";
mountPath = "/data";
}
];
};
daemon = {
image = "docker:23.0.6-dind";
securityContext.privileged = true;
env.DOCKER_TLS_CERTDIR.value = "/certs";
volumeMounts = [{
name = "docker-certs";
mountPath = "/certs";
}];
};
};
}; };
}; };
}; };
@ -160,7 +264,10 @@
services = { services = {
forgejo-web.spec = { forgejo-web.spec = {
selector.app = "forgejo"; selector = {
app = "forgejo";
component = "forgejo";
};
ports.web = { ports.web = {
port = 80; port = 80;

5
secrets/sops.yaml
View file

@ -15,6 +15,7 @@ kitchenowl:
forgejo: forgejo:
lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str] lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str] internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
runnerToken: ENC[AES256_GCM,data:F6PsbkhT1epKfi9MpLpMqDosloVkhIiq/olBi/bbt8k88qxfw0vwvg==,iv:I/LH8V0Um+PCpjSrcjiZAN71nXcqv1m84wBUPLWT33Q=,tag:Y3qhbt7OqkRbHOCXRKLUeg==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -30,8 +31,8 @@ sops:
dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin dVBPbkRib1M1cmVKZzl4TWpoSml2WDQK45jJDXpPXIBoaANhjZSWYVZ8mI51LAin
EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g== EqgBj7VKY+CQbw1gMd1Fdh8iDYraowwcLyd/ZhZ/M0kIdkCc5E1a5g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-14T12:05:53Z" lastmodified: "2024-04-17T21:16:56Z"
mac: ENC[AES256_GCM,data:T4Uvkt28ACuLZv7FkJt9Nlhes1fVxasOnGgXpdhvMyf8DS4SFHBUQ0o6UsDcmjHixs/GFEkHNLa22V1PomNlPbpZ+ysNeYN0M/q8fguhpINMoJQlXQ6HXTEy7JQ9IBRfx010/1imjiNJ8QXkTYnDqDKk9sMhpJxubX8rBnGccJ4=,iv:rACUx2Nn8R8KgTF+OSP9MaW7yfNH8fOhlEEAynsdHsE=,tag:K2+iK/i0mDt7eNJlcE96NA==,type:str] mac: ENC[AES256_GCM,data:ICOsWZ7F7boyYhkFGgqJZOCY9aPXI5YvQfqcKkj4Pt/LoU9+PDi2iSDN47VTTloqIXap4PhEMEi7He6AV3r9DTHKT5PxQcWxESGffLlUlK7Q3a/H1V63Sdy9Ct1PycKupjEEWylYXWTWG5/dGe9qh6u1ZS7adz5fHxA3Y8MT6Dg=,iv:61IexBQQse6iShry10toUAjc3gLf588PKJFK+aJWCbY=,tag:wrSM4ipHBMXIEfLLLGe/Tw==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.8.1