iofq/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

move runner to node

Browse source
This commit is contained in:
iofq 2025-09-27 15:36:14 -05:00
parent c0a175ec7f
commit 3f81a20e87
5 changed files with 62 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

1
nixos/consensus/configuration.nix
View file

@ -8,6 +8,7 @@
imports = [
./hardware-configuration.nix
./backups.nix
./forgejo-runner.nix
];
sops = {
secrets = {

6
nixos/oracle/forgejo-runner.nix → nixos/consensus/forgejo-runner.nix
View file

@ -7,17 +7,17 @@
};
};
};
virtualisation.docker.enable = true;
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "oracle-runner1";
name = "runner-1";
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets."forgejo-runner".path;
labels = [
"ubuntu-latest:docker://node:20-bullseye"
"nix-latest:docker://nixos/nix:latest"
"nix-upstream-latest:docker://nixos/nix:latest"
"native:host"
];
};
};

1
nixos/default.nix
View file

@ -66,7 +66,6 @@ in
};
modules = defaultModules ++ [
./oracle/configuration.nix
./oracle/forgejo-runner.nix
];
};
}

24
nixos/oracle/forgejo.nix
View file

@ -5,10 +5,14 @@ let
in
{
sops = {
defaultSopsFile = ../../secrets/restic.yaml;
secrets = {
"env" = {
sopsFile = ../../secrets/cf-acme.yaml;
};
"b2-forgejo/env" = { };
"b2-forgejo/repo" = { };
"b2-forgejo/password" = { };
};
};
security.acme = {
@ -61,4 +65,24 @@ in
};
};
};
services.restic.backups = {
b2-forgejo = {
initialize = true;
environmentFile = config.sops.secrets."b2-forgejo/env".path;
repositoryFile = config.sops.secrets."b2-forgejo/repo".path;
passwordFile = config.sops.secrets."b2-forgejo/password".path;
paths = [
"/var/lib/forgejo"
];
timerConfig = {
OnCalendar = "*-*-* */6:00:00";
};
pruneOpts = [
"--keep-daily 31"
"--keep-monthly 6"
"--keep-yearly 2"
];
};
};
}

46
secrets/restic.yaml
View file

@ -13,27 +13,49 @@ b2-immich:
password: ENC[AES256_GCM,data:c4mi0hfLnI+QMQibW0feTBo7vK7HgYGWExPWtxFN0uf0TeiN9A+u31yRpCzF0cdiQw==,iv:IbtWLSEZMgaRAMA/nHhFBzfJho8E/kk+EaMtWZHuvuM=,tag:vFdedNL14B3Wl8yFHZ9fZQ==,type:str]
repo: ENC[AES256_GCM,data:fgB/jLZpn8mUotSEhE0=,iv:rcGy9xV9OgQn6Q0zB5UkB49EffY+OL9GtlCvxSgIg8o=,tag:5BSUtw44Z1xZipXCraELBQ==,type:str]
env: ENC[AES256_GCM,data:lwnoWd5pEmhcQcMExDWZ2BCRHEuYBEB9/F5vG9dNUQ9vqNLYDsehk4bwn+gaxQjwnxxucA4I4S+24qjWZaEoGyrf/dkxKVsP17TkjQ5BjQFAWOLn1npvcL3s,iv:ojsCnAMOSDT9Ua+H5O48k9G39BjHC8AFGuQFYCQBPG8=,tag:ojgrh847HLTUOjDoV61wlg==,type:str]
b2-forgejo:
password: ENC[AES256_GCM,data:ErT8GttMASlLhn+abQX56KVaotLbRTKiCVqr6I/OoaWpD+aUrnOCxBlfH/8u32720Q==,iv:mbjIzbwc/VF6gdy7y1UJWZ4ihW1IhDN+Po8/Gje2iyg=,tag:t3vsl8R22CVIE1bafCfTLA==,type:str]
repo: ENC[AES256_GCM,data:sEiuSPIYh/AJDhgqUKgz,iv:D13S3asCjjVZKEeIZqSRYoIMs+QS5vOXjnm2F5rUU/c=,tag:7WgPBEW1nYQkvWOt5XQq+g==,type:str]
env: ENC[AES256_GCM,data:MF4s4cgLgY0Ym/5RJK6B1icrAFewj4fAntvY+juxRGu3H2WzGi+EKYqIOsYcCe/86bs8kMDddR/NX9UyDP5TIkjkdp75A4Fgq7yPiNHmOPBDa0j0sR3OD+zB,iv:FP8sHqHG7lu2Rt/KbwRl2EusEVgWwQPJqq3CPt1UHLw=,tag:OZaQT+qOLlJjxQYs6bsUeA==,type:str]
sops:
age:
- recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXVncwYmRudlFYWmhad1Ar
Mm5NWVNmTUszQ2lnMER1aCtvK1pjeHdJT0ZvCm5kYU5PbWQ0cXdId3J6aElHNFcx
Q3JSWXQxQmErMGJUZmdNRktuQm1iQ28KLS0tIGlCZzVydHR0eXY5ZXZLRUxkODBR
ZnU3ZFl1NkZqREJpcnlNMEdwVVljclkKSEmp9QkoMufA4DACbuilm6tZutpTN+ZN
ZHa9B8TDtuSZcAieMOoGxQoC4An96qIemwsMlecqGFWjJqN7wEapDQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcC90dkcvbnJoQzFDWTcr
SXFTdnRTOGhxZ3RNMHVpZFFLWHdIWUxMYzNZCjRlRTdYaS9YMjdFdzIzeHVLR3hs
QzNPM2k2UVV3bWI5WjVDT2pDaVZPaFEKLS0tIFFtdDI2Zmxnbk4xV2NGb2NDWUF6
VmROS3plOURRTzYzaEo2S1RraFRKeW8Kg3jYWWQuEX1Y6SfkT6lRdX6tmgkFiIW7
JX9D10jqN4DbDOYKu+MRvdz9/cagIyodg1/5LIPGBNGOKpNLiEH7AQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwU1JwYnVwVFVQSTlqVmZ2
djEyL3BjYkNMNldSZGUrdnBITENQMVZVNm1VCjlYd3NoY3NWVVA1UVlyMTIvekVl
MHhVeGpuV2N3azZGMmJqRERJQjZGVGsKLS0tIFgvOHAxWW5XUVdyRGZGR3I5V3lr
MXhYMkl5TTZVcDlNWUs4M3ZieDVRa1kKN3mh6jxui1a8i0VJJQmrAjhAhQkP4VcP
IpiYzY9IwIZu6VlC7qEuh3eeVq+v3SYcTmCh6/gwpmeDAjnL6hD5sA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqd3RQQUtmVXgvb1JLMnZt
Y0dITDF6anBKcWxoOWZuQStSTk1zWkdwdEN3CmFaVWphcVpjTUhNcUdjVGpnV0hq
Z25hVmNDQUQ1YnJSd3puS214TzlkbkUKLS0tIGVXRG9mczBKcHFzb0FwYU5FZkpY
ZVhQWDZwR2xFU0xTVGVLZ3NFanY1emcKu09zXLUscPvcVQSgiN4H4dWpjMyb3t7e
aa54tbZ6o1+6lLg1DniL9lBxit6R+qk3SjMuU1MQJvD7ah39RSuyng==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-03T03:18:04Z"
mac: ENC[AES256_GCM,data:zJSCaqp1m0u3fYUsLRz+asYeCqqZ4os0UdElBYrootGMmFjQ9j+X+As4np6CP44o4sWmcyePc+SKzW316wsFQObnvP+eIc+SFNjvGbw4oZPlRdSr9otbVOhPeEaWWCoONQgZ0FAbhbcsF2V3qvjmfrekd8yu3bcaH6LNZA2gT9A=,iv:Rq733/8bE7iS42C4tecN3JjyIHSY8lbCeuRKQY6TKb8=,tag:lcrVpglZyChUQRJ3jtwwpw==,type:str]
- recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdUpxSWtHbmxzdlRYZHFT
NUY5RDhXUGN5YmlPS0UyTWcrUDlUZ3Rjbnp3CnlkQUgyNVBVclh0KzNCZkVYZURx
RXFkR2JFckVPbkg5Umo3VEF1cFFOZFkKLS0tIEM2OE1hZVpUd0EzeEFrVGc4Zmww
UzZZcFB4UngvTHF2YWtsSWQ1dGJaKzQK+cuuvX8un2bID+fLG5SFzQhfJ6QX5/pG
sVSUc+VG+04aak70p8AgOO7zN75rzSf5R83mmpEwB9a+rfDrKvbjiQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdUU2NDRKV0w1Wkp0cDh6
NkV5bGRXOXpId1N4R09HdGhaK1lyM05WMkNRCnZSa0ovK01JaUZ3cG1qMkFzbW5z
WHc2NDYvNFN0SnBnSVlId0pjM2xBZnMKLS0tIHRoVkQ3NzBab1BzUVltWEVWeVZi
MmJRaXZheS9JamgybTc2THc1OVQ5N3MKr73ke9RIRsZvvVGl4nyxbbe/8f5KQ6Av
Uac6joEg0R6DbcQ9xRkbHyFySnLTHsF5HfVnUj2gPbdA1YsO0w2nlg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-27T20:37:26Z"
mac: ENC[AES256_GCM,data:30D/RyuIjhaJkRa4kBb3JK3FOGbbGL0aKAOlPgyNhpPyp7OWY1eYo2uoQSVa6lnjRgCV+YbmquXF6iNzUgWbzUWs6UuOfN+hIb/PKydBgITgVLp1bOfUQs8l2X2feYJ/QatBwr6VMgbBdrshppctSdypc9cTNv5r6sod0QwfpHA=,iv:uhwGM/bru/Z3UqnmOUHImhQkNm97zad+aH+VNXKy9m0=,tag:Zpdgcp2lPBNP4FjlTeXtKw==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2