From 0343967c7552d66f176ac66ebba85ef1efc77a3e Mon Sep 17 00:00:00 2001
From: matt1432
Date: Mon, 8 Jan 2024 01:11:22 -0500
Subject: [PATCH] feat: pin docker images and run dind for act_runner

---
 devices/servivi/modules/arion/default.nix | 22 +++-
 .../servivi/modules/arion/forgejo/compose.nix | 39 ++++---
 .../arion/forgejo/images/act_runner.nix | 8 ++
 .../modules/arion/forgejo/images/forgejo.nix | 8 ++
 .../modules/arion/forgejo/images/postgres.nix | 8 ++
 flake.lock | 104 +++++++++--------
 6 files changed, 116 insertions(+), 73 deletions(-)
 create mode 100644 devices/servivi/modules/arion/forgejo/images/act_runner.nix
 create mode 100644 devices/servivi/modules/arion/forgejo/images/forgejo.nix
 create mode 100644 devices/servivi/modules/arion/forgejo/images/postgres.nix

diff --git a/devices/servivi/modules/arion/default.nix b/devices/servivi/modules/arion/default.nix
index ef75332..0317600 100644
--- a/devices/servivi/modules/arion/default.nix
+++ b/devices/servivi/modules/arion/default.nix
@@ -2,6 +2,7 @@
 arion,
 config,
 lib,
+ pkgs,
 ...
 } @ inputs:
 with lib;
@@ -37,6 +38,7 @@ in {
 value = import p (inputs // {
+ importImage = file: pkgs.callPackage file pkgs;
 rwPath = configPath + "/"
@@ -49,12 +51,26 @@ in {
 # https://docs.hercules-ci.com/arion/options
 settings = {
 enableDefaultNetwork = v.enableDefaultNetwork or true;
- networks = optionalAttrs (hasAttr "networks" v) v.networks;
+
+ networks = optionalAttrs (hasAttr "networks" v)
+ v.networks;
 services = mapAttrs (n': v': {
- image = optionalAttrs (hasAttr "customImage" v') v'.customImage;
- service = filterAttrs (n: v: n != "customImage") v';
+ # https://github.com/hercules-ci/arion/issues/169#issuecomment-1301370634
+ build.image =
+ optionalAttrs (hasAttr "hostImage" v')
+ (mkForce v'.hostImage);
+ image =
+ optionalAttrs (hasAttr "customImage" v')
+ v'.customImage;
+ service =
+ filterAttrs
+ (n: v: n != "customImage" && n != "hostImage")
+ v';
 }) v.services;
 };
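Review bot: The `build.image` branch inside the `mapAttrs` body forces a value and the only explanation is the issue link; a one-line comment stating what is worked around would spare the next reader the trip, e.g. `# hostImage: an image derivation built/pulled on the host; mkForce overrides arion's own build.image so that derivation is used (see issue 169)`. A service that declares both `hostImage` and `customImage` ends up with both `build.image` and `image` set, and which one arion honours is not decided here; if that combination is unsupported, an assertion at this point would fail early instead of at compose time. Separately, `importImage = file: pkgs.callPackage file pkgs;` is applied to files of the form `pkgs: …` (the three image files in this commit take a single positional argument), so `import file pkgs` is the plainer spelling unless the `override` attributes that `callPackage` attaches are wanted.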
diff --git a/devices/servivi/modules/arion/forgejo/compose.nix b/devices/servivi/modules/arion/forgejo/compose.nix
index 53fe7d4..578c3ef 100644
--- a/devices/servivi/modules/arion/forgejo/compose.nix
+++ b/devices/servivi/modules/arion/forgejo/compose.nix
@@ -1,14 +1,15 @@
 {
 config,
 rwPath,
+ importImage,
 ...
 }:
 let
 secrets = config.sops.secrets;
 in {
 services = {
 "forgejo" = {
- image = "codeberg.org/forgejo/forgejo:1.21.3-0";
 container_name = "forgejo";
+ hostImage = importImage ./images/forgejo.nix;
 ports = [
 # Redirect WAN port 22 to this port
@@ -17,7 +18,6 @@ in {
 ];
 restart = "always";
- privileged = true;
 depends_on = ["forgejo-db"];
 env_file = [secrets.forgejo.path];
@@ -41,29 +41,32 @@ in {
 ];
 };
- "runner" = {
- image = "gitea/act_runner";
-
- # TODO: change name
- container_name = "podman-runner";
-
- restart = "always";
- depends_on = ["forgejo"];
-
- volumes = [
- "${secrets.forgejo-runner.path}:/data/.runner"
- "/var/run/docker.sock:/var/run/docker.sock"
- ];
- };
-
 "forgejo-db" = {
- image = "public.ecr.aws/docker/library/postgres:14";
 container_name = "forgejo-db";
+ hostImage = importImage ./images/postgres.nix;
+ restart = "always";
 env_file = [secrets.forgejo-db.path];
 volumes = ["${rwPath}/db:/var/lib/postgresql/data"];
 };
+
+ "runner" = {
+ container_name = "act_runner";
+ hostImage = importImage ./images/act_runner.nix;
+ privileged = true;
+
+ restart = "always";
+ depends_on = ["forgejo"];
+
+ env_file = [secrets.forgejo-runner.path];
+ environment = {
+ GITEA_INSTANCE_URL = "https://git.nelim.org";
+ GITEA_RUNNER_NAME = "DinD";
+ };
+
+ volumes = ["${rwPath}/act:/data"];
+ };
 };
 }
diff --git a/devices/servivi/modules/arion/forgejo/images/act_runner.nix b/devices/servivi/modules/arion/forgejo/images/act_runner.nix
new file mode 100644
index 0000000..cd6d558
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/act_runner.nix
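Review bot: `privileged = true;` on the new `runner` service carries no comment, and it is the line in this file that matters most for the host: a privileged container is not isolated from the host kernel, so whatever a CI workflow executes on this runner has to be treated as running as root on the machine. Dropping `privileged` from `forgejo` and removing the `docker.sock` bind mount are clear improvements; keep the one that remains visible with `# DinD needs a privileged container, which is effectively host root; only repositories whose workflows are trusted should be allowed to use this runner`. `depends_on = ["forgejo"]` only orders container start, so a runner that comes up before Forgejo answers relies on `restart = "always"` to recover, which is worth a short comment next to it as well.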
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "vegardit/gitea-act-runner";
+ imageDigest = "sha256:b785240f713d93f4a2d2a82926eacd0ac1deeae360d8ddfbd456102850285efb";
+ sha256 = "0z2vd663zyyfcz0rnl2ksivxmh63nhh4g42qx2idqb6j27s426bq";
+ finalImageName = "vegardit/gitea-act-runner";
+ finalImageTag = "dind-latest";
+}
diff --git a/devices/servivi/modules/arion/forgejo/images/forgejo.nix b/devices/servivi/modules/arion/forgejo/images/forgejo.nix
new file mode 100644
index 0000000..cf495f0
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/forgejo.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "codeberg.org/forgejo/forgejo";
+ imageDigest = "sha256:5c89548057b137f5e2a78ed3434848679cb1fc5a510a4042caf7b47115c5174e";
+ sha256 = "13icchd25fwrdwsjg30g5fl0mgj7sndqa4g4pfry5cdprz0j5y9w";
+ finalImageName = "codeberg.org/forgejo/forgejo";
+ finalImageTag = "1.21.3-0";
+}
diff --git a/devices/servivi/modules/arion/forgejo/images/postgres.nix b/devices/servivi/modules/arion/forgejo/images/postgres.nix
new file mode 100644
index 0000000..ea1c43d
--- /dev/null
+++ b/devices/servivi/modules/arion/forgejo/images/postgres.nix
@@ -0,0 +1,8 @@
+pkgs:
+pkgs.dockerTools.pullImage {
+ imageName = "postgres";
+ imageDigest = "sha256:1b8d18a565774e1734ea11ac1d4485d3eb168718f08c85dc2e24aeb16316249c";
+ sha256 = "05m8lmgly87cszg5iiv7c0gkz72bpdnh0kpp8zp91p32vyl225px";
+ finalImageName = "postgres";
+ finalImageTag = "14";
+}
diff --git a/flake.lock b/flake.lock
index 074651b..1159e56 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1704549352,
- "narHash": "sha256-fUwtVfjpkEtpQE2xwCTIgtmJzJSegFvNKsoZABDMvX4=",
+ "lastModified": 1704657027,
+ "narHash": "sha256-GWkEQO7hCE8zhNbBhYv02vDxRuLv/ni71rOfaAkztcA=",
 "owner": "Aylur",
 "repo": "ags",
- "rev": "dcb24f887efc3d0dbf291c75da05b19221bfdee4",
+ "rev": "19f823b93ee9b1de22e2a3acae5dfbe70c0a1e7a",
 "type": "github"
 },
 "original": {
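Review bot: `finalImageTag = "dind-latest";` labels the pinned act_runner image with a floating tag, so the tag visible on the running container says nothing about which upstream build the digest is; `imageDigest` does pin it, but a comment recording the upstream version behind that digest (or a versioned tag, if the image publishes one) would make the pin reviewable at the next bump. The same gap exists in `forgejo.nix` and `postgres.nix` in this commit: `imageDigest` and `sha256` have to be refreshed together, and nothing in the files says how. A header comment such as `# refresh imageDigest and sha256 together, e.g. with nix-prefetch-docker <image-name> <image-tag>` (placeholders to be filled per file) at the top of each image file keeps the procedure next to the values it governs.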
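Review bot: `imageName = "postgres";` in postgres.nix pulls from Docker Hub, whereas the line this commit removes from compose.nix pulled `public.ecr.aws/docker/library/postgres:14`; the digest keeps the content identical, but if the ECR mirror was chosen deliberately (pull rate limits, egress policy) that choice is dropped here without a trace. If the move is intended, a one-line comment `# moved from the public.ecr.aws mirror to Docker Hub; content is pinned by digest` records it; otherwise keeping the ECR name in `imageName` and `finalImageName` should work with the same digest, assuming the mirror serves the identical manifest.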
@@ -236,11 +236,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", + "lastModified": 1704152458, + "narHash": "sha256-DS+dGw7SKygIWf9w4eNBUZsK+4Ug27NwEWmn2tnbycg=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", + "rev": "88a2cd8166694ba0b6cb374700799cec53aef527", "type": "github" }, "original": { @@ -380,11 +380,11 @@ "gpu-screen-recorder-src": { "flake": false, "locked": { - "lastModified": 1704537241, - "narHash": "sha256-6bo1tRgmozGjVhcBQB35qOfRjOnPNFwyM2bDiqF9qXU=", + "lastModified": 1704659362, + "narHash": "sha256-svbMipmpMFyxmwdNeZXkT6Z/wNtxKVjGIJt35h40itM=", "ref": "refs/heads/master", - "rev": "36e38fcad8f28c0efc77eb3328a5f93e93c3880a", - "revCount": 453, + "rev": "4c098a4f0397876110a950d99e9951c360fedca8", + "revCount": 455, "type": "git", "url": "https://repo.dec05eba.com/gpu-screen-recorder" }, @@ -541,11 +541,11 @@ "xdph": "xdph" }, "locked": { - "lastModified": 1704475363, - "narHash": "sha256-isiBkAsjXIvb/6McVK42/iBbC4h+UL3JRkkLqTSPE48=", + "lastModified": 1704649868, + "narHash": "sha256-PKVOCPV5i8prioWway5PjRMsICtrVONV3y5W69gQLWw=", "owner": "hyprwm", "repo": "Hyprland", - "rev": "7e033e48ace5406a9bc442f7d403f9ce3af193f3", + "rev": "d7d333d162da2d3fc852b2c7a3faa2709440cefa", "type": "github" }, "original": { @@ -603,11 +603,11 @@ "nixpkgs-lib": "nixpkgs-lib_2" }, "locked": { - "lastModified": 1704024543, - "narHash": "sha256-hmKcKSuTqVK47l2G0PkLAinZN1oCOb6XdPPJhNCQ2rg=", + "lastModified": 1704629345, + "narHash": "sha256-cWrno5kSY2cCaWIl97Ae4/iZ9rnMLlm0VrwRqdzIESk=", "owner": "nix-community", "repo": "lib-aggregate", - "rev": "4608880f02f8f868e1b7f85c60abdfc5cb0cf9ec", + "rev": "3e408e7391e9d778f48861bb9da08ac54e01441a", "type": "github" }, "original": { 
@@ -643,11 +643,11 @@ ] }, "locked": { - "lastModified": 1704499431, - "narHash": "sha256-P6PfGHT2VkjVkW1SuvzHGwf9n043Zq3XACVQ/U2oXuo=", + "lastModified": 1704672222, + "narHash": "sha256-GkwxrG62hqDXLAdW17bulA6ckI8JuVuwythPqOiMoHs=", "owner": "nix-community", "repo": "neovim-nightly-overlay", - "rev": "713cb443519c554eb5957d5b5573483e94a90902", + "rev": "688360dd650feff8fef1d5a539eede840ec07d14", "type": "github" }, "original": { @@ -666,11 +666,11 @@ }, "locked": { "dir": "contrib", - "lastModified": 1704494961, - "narHash": "sha256-gQiTqBZLl4lpvCZ6zz8FZkE2u+9RmzGqVIdPQpY99E8=", + "lastModified": 1704648325, + "narHash": "sha256-8DxfLibKTkbPc/ct9eApn+ET7dbY3Z2Du46U0KK0zL4=", "owner": "neovim", "repo": "neovim", - "rev": "28c183b38cdc00436d95af80ee8e34e4793ee38d", + "rev": "367e52cc79a786bbee4456b30f9ec5db7e28d6a5", "type": "github" }, "original": { @@ -748,11 +748,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1704244428, - "narHash": "sha256-n3KZlxx1QS3919I1O77OhBouUeetlLpmQQcIx3dqAso=", + "lastModified": 1704590450, + "narHash": "sha256-9wUJ0irPrkukEUiqjXQev961l0sa0vgNlu9SW4GDV+E=", "owner": "fufexan", "repo": "nix-gaming", - "rev": "bd7442917422de061bcf61323b07abbb93bdb766", + "rev": "7a393401bd9212a5635e82dede0198d3e9602d41", "type": "github" }, "original": { @@ -790,11 +790,11 @@ ] }, "locked": { - "lastModified": 1703992163, - "narHash": "sha256-709CGmwU34dxv8DjSpRBZ+HibVJIVaFcA4JH+GFnhyM=", + "lastModified": 1704596958, + "narHash": "sha256-BK3Ohsz7m8X6qVKFxDtr8KVcHipfr5hYE9PDIJevHbQ=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "d6510ce144f5da7dd9bac667ba3d5a4946c00d11", + "rev": "f46800ac5a6e9f892fe36e50821c5d85794ecc62", "type": "github" }, "original": { 
@@ -882,11 +882,11 @@ "nixpkgs-lib": { "locked": { "dir": "lib", - "lastModified": 1701253981, - "narHash": "sha256-ztaDIyZ7HrTAfEEUt9AtTDNoCYxUdSd6NrRHaYOIxtk=", + "lastModified": 1703961334, + "narHash": "sha256-M1mV/Cq+pgjk0rt6VxoyyD+O8cOUiai8t9Q6Yyq4noY=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e92039b55bcd58469325ded85d4f58dd5a4eaf58", + "rev": "b0d36bd0a420ecee3bc916c91886caca87c894e9", "type": "github" }, "original": { @@ -899,11 +899,11 @@ }, "nixpkgs-lib_2": { "locked": { - "lastModified": 1703983607, + "lastModified": 1704588527, "narHash": "sha256-YECXW8P0bqFM5e65Mu2fL4wZlonNWCuNEk7UQPsuJZ0=", "owner": "nix-community", "repo": "nixpkgs.lib", - "rev": "a6c99b57d2e58f7fc6d52a08b0ba40160e75f738", + "rev": "be8e58791dcfa2b98b512c2a1bdf3bd94a38790b", "type": "github" }, "original": { @@ -936,11 +936,11 @@ "nixpkgs": "nixpkgs_7" }, "locked": { - "lastModified": 1704330409, - "narHash": "sha256-msr/ZbWUZBG4WZIybCC0sZJmdkJJLDbCB4uZG4lNFbE=", + "lastModified": 1704684968, + "narHash": "sha256-h+lSV/cfnfE5//dHefL154mgvaEmTz13ehI7eb/Hph0=", "owner": "nix-community", "repo": "nixpkgs-wayland", - "rev": "6c542fbd24f9115eda6d7e33392f64aa95021eda", + "rev": "17d7827cd61e7e6bdc732c4817ea4da26ab0b47b", "type": "github" }, "original": { @@ -967,11 +967,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1703499205, - "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=", + "lastModified": 1704161960, + "narHash": "sha256-QGua89Pmq+FBAro8NriTuoO/wNaUtugt29/qqA8zeeM=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e1fa12d4f6c6fe19ccb59cac54b5b3f25e160870", + "rev": "63143ac2c9186be6d9da6035fa22620018c85932", "type": "github" }, "original": { 
@@ -999,11 +999,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1704194953, - "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", + "lastModified": 1704538339, + "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", + "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701", "type": "github" }, "original": { @@ -1031,11 +1031,11 @@ }, "nixpkgs_7": { "locked": { - "lastModified": 1704194953, - "narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=", + "lastModified": 1704538339, + "narHash": "sha256-1734d3mQuux9ySvwf6axRWZRBhtcZA9Q8eftD6EZg6U=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6", + "rev": "46ae0210ce163b3cba6c7da08840c1d63de9c701", "type": "github" }, "original": { @@ -1131,11 +1131,11 @@ }, "nur": { "locked": { - "lastModified": 1704554033, - "narHash": "sha256-4sgRZyamI4sh6VRk3kgkM/ojW+KCc4iDD0RRa4ed/7k=", + "lastModified": 1704687706, + "narHash": "sha256-kLipB2vqaB3Er4AEBSmRK1JM7q+4BcdI/Qg67HWyyS8=", "owner": "nix-community", "repo": "NUR", - "rev": "3fbed9bd2b3c6eced12baea4b61b3a060cd39b8d", + "rev": "0c2e0672caa72f21ff4a4ea5ff8141bce26d3f7b", "type": "github" }, "original": { @@ -1309,11 +1309,11 @@ "sops-nix": "sops-nix" }, "locked": { - "lastModified": 1704604320, - "narHash": "sha256-tg8zrdwd4po2vaiGGm4mNmhnaEOWtbcAA05atam5LjM=", + "lastModified": 1704693422, + "narHash": "sha256-WjkB2UE+UyYYPKieq2JtYit0PlbTovO68+TFiERI3lk=", "ref": "refs/heads/main", - "rev": "c9ed7f5dfe70d863e1f0553a9761b072c0a133b7", - "revCount": 25, + "rev": "34a949edd2ff2edec3b780c20287c2c8b6cd2ae5", + "revCount": 27, "type": "git", "url": "ssh://git@git.nelim.org/matt1432/nixos-secrets" },