diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 6efa7e1..1653c98 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,8 @@ env:
 jobs:
 build:
- runs-on: nix
+ runs-on: docker
+ container: nixpkgs/nix-flakes:nixos-24.05
 steps:
 - name: Initialize CI
 uses: https://git.qo.is/qo.is/actions-nix-init@main
diff --git a/defaults/base-minimal/default.nix b/defaults/base-minimal/default.nix
index bd2948f..4d530f9 100644
--- a/defaults/base-minimal/default.nix
+++ b/defaults/base-minimal/default.nix
@@ -78,6 +78,16 @@
 '';
 };
+ system.autoUpgrade = {
+ enable = true;
+ randomizedDelaySec = "30m";
+ flags = [
+ "--update-input"
+ "nixpkgs-nixos-2211"
+ "--commit-lock-file"
+ ];
+ };
+
 # Network services
 networking.firewall = {
 allowPing = true;
diff --git a/nixos-modules/qois/git-ci-runner/default.nix b/nixos-modules/qois/git-ci-runner/default.nix
index b074f74..fbdcd15 100644
--- a/nixos-modules/qois/git-ci-runner/default.nix
+++ b/nixos-modules/qois/git-ci-runner/default.nix
@@ -32,8 +32,7 @@ with lib;
 sops.secrets."forgejo/runner-registration-token".restartUnits = [
 "gitea-runner-${defaultInstanceName}.service"
- ] ++genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances)
- ;
+ ];
 virtualisation.podman = {
 enable = true;
@@ -61,6 +60,7 @@ with lib;
 capacity = 30;
 };
 cache.enable = true; # TODO: This should probably be a central cache server?
+ # the default network that also respects our dns server settings
 container.network = "host";
 };
 };
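Review bot: The new `container:` line pulls `nixpkgs/nix-flakes:nixos-24.05` from a public registry by a mutable tag, so the toolchain every CI job runs in can change underneath the repository without any commit, whereas the replaced `runs-on: nix` label pointed at a runner environment this repository defines itself. Pin the image by digest, `container: nixpkgs/nix-flakes:nixos-24.05@sha256:<digest-placeholder>`, and bump it deliberately, or add a comment above the line stating why a floating tag is acceptable here. Which runner picks up the `docker` label is not visible in this diff; the runner module only declares a `nix:docker://gitea-runner-nix` label, so confirm the label exists on a runner.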
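Review bot: `system.autoUpgrade` is enabled with `--update-input nixpkgs-nixos-2211 --commit-lock-file`, which makes every host that imports base-minimal fetch whatever that input currently resolves to, unattended, and rewrite its own lock file, yet nothing in the hunk sets `system.autoUpgrade.flake`, `dates` or `allowReboot`; `--update-input` only has meaning if `flake` is set elsewhere in the module, so confirm that. `--commit-lock-file` presumably needs the flake to be a git checkout writable by the upgrade unit, otherwise the timer fails on every run; a comment above the block naming where the flake lives and why hosts commit to it would save the next reader that investigation, e.g. `# Hosts track the flake checkout at <path-placeholder>; the upgrade commits the refreshed lock file there.`. The input name suggests it tracks the NixOS 22.11 nixpkgs branch, which no longer receives security updates, so the automatic upgrade would deliver nothing security-relevant unless that input is moved forward; verify against flake.nix.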
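Review bot: Dropping the `++genAttrs (genList …)` term fixes the type error (genAttrs yields an attribute set, which cannot be appended to a list) but leaves only the default instance in `restartUnits`, so the `gitea-runner-nix<N>` services this module defines further down (the `systemd.services = genAttrs (builtins.genList …)` hunk) keep running with a stale registration token whenever the sops secret is rotated. The original intent can be kept with a list instead of an attribute set: `] ++ builtins.genList (n: "gitea-runner-nix${builtins.toString n}.service") cfg.nixInstances;`. The enclosing attribute set starts before this hunk.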
@@ -142,10 +142,17 @@ with lib;
 storage.runroot = "/run/containers/storage";
 };
+ #virtualisation.containers.containersConf.settings = {
+ # # podman seems to not work with systemd-resolved
+ # containers.dns_servers = [
+ # "8.8.8.8"
+ # "8.8.4.4"
+ # ];
+ #};
 }
 {
 systemd.services =
- genAttrs (genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
+ genAttrs (builtins.genList (n: "gitea-runner-nix${builtins.toString n}") cfg.nixInstances)
 (name: {
 after = [
 "gitea-runner-nix-image.service"
@@ -232,16 +239,15 @@ with lib;
 mkdir -p $out/bin
 for dir in ${
 toString [
- pkgs.bash
 pkgs.coreutils
 pkgs.findutils
+ pkgs.gnugrep
 pkgs.gawk
 pkgs.git
- pkgs.gnugrep
- pkgs.jq
 pkgs.nix
+ pkgs.bash
+ pkgs.jq
 pkgs.nodejs
- pkgs.openssh
 ]
 }; do
 for bin in "$dir"/bin/*; do
@@ -254,7 +260,7 @@ with lib;
 cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
 '';
 in
- genAttrs (genList (n: "nix${builtins.toString n}") cfg.nixInstances) (name: {
+ genAttrs (builtins.genList (n: "nix${builtins.toString n}") cfg.nixInstances) (name: {
 enable = true;
 name = "${config.networking.hostName}-${name}";
 url = "https://${cfg.domain}";
@@ -262,6 +268,7 @@ with lib;
 labels = [ "nix:docker://gitea-runner-nix" ];
 settings = {
 container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt --device /dev/kvm -v /nix:/nix -v ${storeDeps}/bin:/bin -v ${storeDeps}/etc/ssl:/etc/ssl --user nixuser --device=/dev/kvm";
+ # the default network that also respects our dns server settings
 container.network = "host";
 container.valid_volumes = [
 "/nix"
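Review bot: The seven added lines in the `@@ -142` hunk are commented-out configuration (`virtualisation.containers.containersConf.settings` with hard-coded `8.8.8.8`/`8.8.4.4` resolvers) rather than a change, which leaves the reader guessing whether the podman/systemd-resolved problem is still open or is what the `container.network = "host"` setting and its new comment in the later hunks resolve. Drop the block or replace it with a one-line record of the decision, e.g. `# podman's own DNS does not work with systemd-resolved; the runners use container.network = "host" instead`, so the reasoning survives without dead config that would bypass the host's resolver settings if someone uncomments it. The list of attribute sets this hunk sits in starts before and ends after the hunk.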
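Review bot: In the `@@ -232` hunk `pkgs.openssh` disappears from the `storeDeps` list without mention, and because the runner container's `/bin` is populated only from `${storeDeps}/bin` (see `container.options` in the last hunk), a job that fetches over ssh would no longer find an ssh client there. If the drop is deliberate (https-only fetches, less tooling exposed to jobs), a short comment next to the list keeps it from being re-added by accident, e.g. `# openssh intentionally omitted: jobs fetch over https only`; the rest of the hunk only reorders bash and jq. The `storeDeps` derivation starts before this hunk.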