From 0343967c7552d66f176ac66ebba85ef1efc77a3e Mon Sep 17 00:00:00 2001
From: matt1432 <matt@nelim.org>
Date: Mon, 8 Jan 2024 01:11:22 -0500
Subject: [PATCH] feat: pin docker images and run dind for act_runner
---
devices/servivi/modules/arion/default.nix | 22 +++-
.../servivi/modules/arion/forgejo/compose.nix | 39 ++++---
.../arion/forgejo/images/act_runner.nix | 8 ++
.../modules/arion/forgejo/images/forgejo.nix | 8 ++
.../modules/arion/forgejo/images/postgres.nix | 8 ++
flake.lock | 104 +++++++++---------
6 files changed, 116 insertions(+), 73 deletions(-)
create mode 100644 devices/servivi/modules/arion/forgejo/images/act_runner.nix
create mode 100644 devices/servivi/modules/arion/forgejo/images/forgejo.nix
create mode 100644 devices/servivi/modules/arion/forgejo/images/postgres.nix
diff --git a/devices/servivi/modules/arion/default.nix b/devices/servivi/modules/arion/default.nix
index ef753327..03176009 100644
--- a/devices/servivi/modules/arion/default.nix
+++ b/devices/servivi/modules/arion/default.nix
@@ -2,6 +2,7 @@
arion,
config,
lib,
+ pkgs,
...
} @ inputs:
with lib;
@@ -37,6 +38,7 @@ in {
value = import p (inputs
// {
+ importImage = file: pkgs.callPackage file pkgs;
rwPath =
configPath
+ "/"
@@ -49,12 +51,26 @@ in {
# https://docs.hercules-ci.com/arion/options
settings = {
enableDefaultNetwork = v.enableDefaultNetwork or true;
- networks = optionalAttrs (hasAttr "networks" v) v.networks;
+
+ networks =
+ optionalAttrs (hasAttr "networks" v)
+ v.networks;
services =
mapAttrs (n': v': {
- image = optionalAttrs (hasAttr "customImage" v') v'.customImage;
- service = filterAttrs (n: v: n != "customImage") v';
+ # https://github.com/hercules-ci/arion/issues/169#issuecomment-1301370634
+ build.image =
+ optionalAttrs (hasAttr "hostImage" v')
+ (mkForce v'.hostImage);
+
+ image =
+ optionalAttrs (hasAttr "customImage" v')
+ v'.customImage;
+
+ service =
+ filterAttrs
+ (n: v: n != "customImage" && n != "hostImage")
+ v';
})
v.services;
};
diff --git a/devices/servivi/modules/arion/forgejo/compose.nix b/devices/servivi/modules/arion/forgejo/compose.nix
index 53fe7d4d..578c3ef5 100644
--- a/devices/servivi/modules/arion/forgejo/compose.nix
+++ b/devices/servivi/modules/arion/forgejo/compose.nix
@@ -1,14 +1,15 @@
{
config,
rwPath,
+ importImage,
...
}: let
secrets = config.sops.secrets;
in {
services = {
"forgejo" = {
- image = "codeberg.org/forgejo/forgejo:1.21.3-0";
container_name = "forgejo";
+ hostImage = importImage ./images/forgejo.nix;
ports = [
# Redirect WAN port 22 to this port
@@ -17,7 +18,6 @@ in {
];
restart = "always";
- privileged = true;
depends_on = ["forgejo-db"];
env_file = [secrets.forgejo.path];
@@ -41,29 +41,32 @@ in {
];
};
- "runner" = {
- image = "gitea/act_runner";
-
- # TODO: change name
- container_name = "podman-runner";
-
- restart = "always";
- depends_on = ["forgejo"];
-
- volumes = [
- "${secrets.forgejo-runner.path}:/data/.runner"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- };
-
"forgejo-db" = {
- image = "public.ecr.aws/docker/library/postgres:14";
container_name = "forgejo-db";
+ hostImage = importImage ./images/postgres.nix;
+
restart = "always";
env_file = [secrets.forgejo-db.path];
volumes = ["${rwPath}/db:/var/lib/postgresql/data"];
};
+
+ "runner" = {
+ container_name = "act_runner";
+ hostImage = importImage ./images/act_runner.nix;
+ privileged = true;
+
+ restart = "always";
+ depends_on = ["forgejo"];
+
+ env_file = [secrets.forgejo-runner.path];
+ environment = {
+ GITEA_INSTANCE_URL = "https://git.nelim.org";
+ GITEA_RUNNER_NAME = "DinD";
+ };
+
+ volumes = ["${rwPath}/act:/data"];
+ };
};
}
diff --git a/devices/servivi/modules/arion/forgejo/images/act_runner.nix b/devices/servivi/modules/arion/forgejo/images/act_runner.nix
new file mode 100644
index 00000000..cd6d5586
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/act_runner.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "vegardit/gitea-act-runner";
+ imageDigest = "sha256:b785240f713d93f4a2d2a82926eacd0ac1deeae360d8ddfbd456102850285efb";
+ sha256 = "0z2vd663zyyfcz0rnl2ksivxmh63nhh4g42qx2idqb6j27s426bq";
+ finalImageName = "vegardit/gitea-act-runner";
+ finalImageTag = "dind-latest";
+}
diff --git a/devices/servivi/modules/arion/forgejo/images/forgejo.nix b/devices/servivi/modules/arion/forgejo/images/forgejo.nix
new file mode 100644
index 00000000..cf495f0c
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/forgejo.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "codeberg.org/forgejo/forgejo";
+ imageDigest = "sha256:5c89548057b137f5e2a78ed3434848679cb1fc5a510a4042caf7b47115c5174e";
+ sha256 = "13icchd25fwrdwsjg30g5fl0mgj7sndqa4g4pfry5cdprz0j5y9w";
+ finalImageName = "codeberg.org/forgejo/forgejo";
+ finalImageTag = "1.21.3-0";
+}
diff --git a/devices/servivi/modules/arion/forgejo/images/postgres.nix b/devices/servivi/modules/arion/forgejo/images/postgres.nix
new file mode 100644
index 00000000..ea1c43d3
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/postgres.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "postgres";
+ imageDigest = "sha256:1b8d18a565774e1734ea11ac1d4485d3eb168718f08c85dc2e24aeb16316249c";
+ sha256 = "05m8lmgly87cszg5iiv7c0gkz72bpdnh0kpp8zp91p32vyl225px";
+ finalImageName = "postgres";
+ finalImageTag = "14";
+}
diff --git a/flake.lock b/flake.lock
index 074651b6..1159e567 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
]
},
"locked": {
- "lastModified": 1704549352,
- "narHash": "sha256-fUwtVfjpkEtpQE2xwCTIgtmJzJSegFvNKsoZABDMvX4=",
+ "lastModified": 1704657027,
+ "narHash": "sha256-GWkEQO7hCE8zhNbBhYv02vDxRuLv/ni71rOfaAkztcA=",
"owner": "Aylur",
"repo": "ags",
- "rev": "dcb24f887efc3d0dbf291c75da05b19221bfdee4",
+ "rev": "19f823b93ee9b1de22e2a3acae5dfbe70c0a1e7a",
"type": "github"
},
"original": {
@@ -236,11 +236,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
- "lastModified": 1701473968,
- "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=",
+ "lastModified": 1704152458,
+ "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5",
+ "rev": "88a2cd8166694ba0b6cb374700799cec53aef527",
"type": "github"
},
"original": {
@@ -380,11 +380,11 @@
"gpu-screen-recorder-src": {
"flake": false,
"locked": {
- "lastModified": 1704537241,
- "narHash": "sha256-6bo1tRgmozGjVhcBQB35qOfRjOnPNFwyM2bDiqF9qXU=",
+ "lastModified": 1704659362,
+ "narHash": "sha256-svbMipmpMFyxmwdNeZXkT6Z/wNtxKVjGIJt35h40itM=",
"ref": "refs/heads/master",
- "rev": "36e38fcad8f28c0efc77eb3328a5f93e93c3880a",
- "revCount": 453,
+ "rev": "4c098a4f0397876110a950d99e9951c360fedca8",
+ "revCount": 455,
"type": "git",
"url": "https://repo.dec05eba.com/gpu-screen-recorder"
},
@@ -541,11 +541,11 @@
"xdph": "xdph"
},
"locked": {
- "lastModified": 1704475363,
- "narHash": "sha256-isiBkAsjXIvb/6McVK42/iBbC4h+UL3JRkkLqTSPE48=",
+ "lastModified": 1704649868,
+ "narHash": "sha256-PKVOCPV5i8prioWway5PjRMsICtrVONV3y5W69gQLWw=",
"owner": "hyprwm",
"repo": "Hyprland",
- "rev": "7e033e48ace5406a9bc442f7d403f9ce3af193f3",
+ "rev": "d7d333d162da2d3fc852b2c7a3faa2709440cefa",
"type": "github"
},
"original": {
@@ -603,11 +603,11 @@
"nixpkgs-lib": "nixpkgs-lib_2"
},
"locked": {
- "lastModified": 1704024543,
- "narHash": "sha256-hmKcKSuTqVK47l2G0PkLAinZN1oCOb6XdPPJhNCQ2rg=",
+ "lastModified": 1704629345,
+ "narHash": "sha256-cWrno5kSY2cCaWIl97Ae4/iZ9rnMLlm0VrwRqdzIESk=",
"owner": "nix-community",
"repo": "lib-aggregate",
- "rev": "4608880f02f8f868e1b7f85c60abdfc5cb0cf9ec",
+ "rev": "3e408e7391e9d778f48861bb9da08ac54e01441a",
"type": "github"
},
"original": {
@@ -643,11 +643,11 @@
]
},
"locked": {
- "lastModified": 1704499431,
- "narHash": "sha256-P6PfGHT2VkjVkW1SuvzHGwf9n043Zq3XACVQ/U2oXuo=",
+ "lastModified": 1704672222,
+ "narHash": "sha256-GkwxrG62hqDXLAdW17bulA6ckI8JuVuwythPqOiMoHs=",
"owner": "nix-community",
"repo": "neovim-nightly-overlay",
- "rev": "713cb443519c554eb5957d5b5573483e94a90902",
+ "rev": "688360dd650feff8fef1d5a539eede840ec07d14",
"type": "github"
},
"original": {
@@ -666,11 +666,11 @@
},
"locked": {
"dir": "contrib",
- "lastModified": 1704494961,
- "narHash": "sha256-gQiTqBZLl4lpvCZ6zz8FZkE2u+9RmzGqVIdPQpY99E8=",
+ "lastModified": 1704648325,
+ "narHash": "sha256-8DxfLibKTkbPc/ct9eApn+ET7dbY3Z2Du46U0KK0zL4=",
"owner": "neovim",
"repo": "neovim",
- "rev": "28c183b38cdc00436d95af80ee8e34e4793ee38d",
+ "rev": "367e52cc79a786bbee4456b30f9ec5db7e28d6a5",
"type": "github"
},
"original": {
@@ -748,11 +748,11 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
- "lastModified": 1704244428,
- "narHash": "sha256-n3KZlxx1QS3919I1O77OhBouUeetlLpmQQcIx3dqAso=",
+ "lastModified": 1704590450,
+ "narHash": "sha256-9wUJ0irPrkukEUiqjXQev961l0sa0vgNlu9SW4GDV+E=",
"owner": "fufexan",
"repo": "nix-gaming",
- "rev": "bd7442917422de061bcf61323b07abbb93bdb766",
+ "rev": "7a393401bd9212a5635e82dede0198d3e9602d41",
"type": "github"
},
"original": {
@@ -790,11 +790,11 @@
]
},
"locked": {
- "lastModified": 1703992163,
- "narHash": "sha256-709CGmwU34dxv8DjSpRBZ+HibVJIVaFcA4JH+GFnhyM=",
+ "lastModified": 1704596958,
+ "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=",
"owner": "Mic92",
"repo": "nix-index-database",
- "rev": "d6510ce144f5da7dd9bac667ba3d5a4946c00d11",
+ "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62",
"type": "github"
},
"original": {
@@ -882,11 +882,11 @@
"nixpkgs-lib": {
"locked": {
"dir": "lib",
- "lastModified": 1701253981,
- "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=",
+ "lastModified": 1703961334,
+ "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58",
+ "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9",
"type": "github"
},
"original": {
@@ -899,11 +899,11 @@
},
"nixpkgs-lib_2": {
"locked": {
- "lastModified": 1703983607,
+ "lastModified": 1704588527,
"narHash": "sha256-YECXW8P0bqFM5e65Mu2fL4wZlonNWCuNEk7UQPsuJZ0=",
"owner": "nix-community",
"repo": "nixpkgs.lib",
- "rev": "a6c99b57d2e58f7fc6d52a08b0ba40160e75f738",
+ "rev": "be8e58791dcfa2b98b512c2a1bdf3bd94a38790b",
"type": "github"
},
"original": {
@@ -936,11 +936,11 @@
"nixpkgs": "nixpkgs_7"
},
"locked": {
- "lastModified": 1704330409,
- "narHash": "sha256-msr/ZbWUZBG4WZIybCC0sZJmdkJJLDbCB4uZG4lNFbE=",
+ "lastModified": 1704684968,
+ "narHash": "sha256-h+lSV/cfnfE5//dHefL154mgvaEmTz13ehI7eb/Hph0=",
"owner": "nix-community",
"repo": "nixpkgs-wayland",
- "rev": "6c542fbd24f9115eda6d7e33392f64aa95021eda",
+ "rev": "17d7827cd61e7e6bdc732c4817ea4da26ab0b47b",
"type": "github"
},
"original": {
@@ -967,11 +967,11 @@
},
"nixpkgs_3": {
"locked": {
- "lastModified": 1703499205,
- "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
+ "lastModified": 1704161960,
+ "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870",
+ "rev": "63143ac2c9186be6d9da6035fa22620018c85932",
"type": "github"
},
"original": {
@@ -999,11 +999,11 @@
},
"nixpkgs_5": {
"locked": {
- "lastModified": 1704194953,
- "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
+ "lastModified": 1704538339,
+ "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
+ "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701",
"type": "github"
},
"original": {
@@ -1031,11 +1031,11 @@
},
"nixpkgs_7": {
"locked": {
- "lastModified": 1704194953,
- "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
+ "lastModified": 1704538339,
+ "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
+ "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701",
"type": "github"
},
"original": {
@@ -1131,11 +1131,11 @@
},
"nur": {
"locked": {
- "lastModified": 1704554033,
- "narHash": "sha256-4sgRZyamI4sh6VRk3kgkM/ojW+KCc4iDD0RRa4ed/7k=",
+ "lastModified": 1704687706,
+ "narHash": "sha256-kLipB2vqaB3Er4AEBSmRK1JM7q+4BcdI/Qg67HWyyS8=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "3fbed9bd2b3c6eced12baea4b61b3a060cd39b8d",
+ "rev": "0c2e0672caa72f21ff4a4ea5ff8141bce26d3f7b",
"type": "github"
},
"original": {
@@ -1309,11 +1309,11 @@
"sops-nix": "sops-nix"
},
"locked": {
- "lastModified": 1704604320,
- "narHash": "sha256-tg8zrdwd4po2vaiGGm4mNmhnaEOWtbcAA05atam5LjM=",
+ "lastModified": 1704693422,
+ "narHash": "sha256-WjkB2UE+UyYYPKieq2JtYit0PlbTovO68+TFiERI3lk=",
"ref": "refs/heads/main",
- "rev": "c9ed7f5dfe70d863e1f0553a9761b072c0a133b7",
- "revCount": 25,
+ "rev": "34a949edd2ff2edec3b780c20287c2c8b6cd2ae5",
+ "revCount": 27,
"type": "git",
"url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
},