diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
deleted file mode 100644
index a6b01dd..0000000
--- a/.forgejo/workflows/ci.yaml
+++ /dev/null
@@ -1,24 +0,0 @@
-on:
- push:
- branches:
- - main
- pull_request:
-
-env:
- NIX_CONFIG: 'extra-platforms = x86_64-linux'
-
-jobs:
- check:
- runs-on: ubuntu-latest-aarch64
- steps:
- - uses: https://github.com/docker/setup-qemu-action@v3
- uses: actions/checkout@v4
- uses: https://github.com/cachix/install-nix-action@v26
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- github_access_token: '${{ secrets.GH_TOKEN }}'
- uses: https://github.com/cachix/cachix-action@v14
- with:
- name: kitchen
- authToken: '${{ secrets.CACHIX_TOKEN }}'
- run: nix flake check --accept-flake-config
diff --git a/.forgejo/workflows/update-flake.yaml b/.forgejo/workflows/update-flake.yaml
deleted file mode 100644
index 4e6c56c..0000000
--- a/.forgejo/workflows/update-flake.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
-on:
- schedule:
- - cron: '0 0 * * 1'
-
-jobs:
- update-flake:
- runs-on: ubuntu-latest-aarch64
- steps:
- - uses: actions/checkout@v4
- - uses: https://github.com/cachix/install-nix-action@v26
- with:
- nix_path: nixpkgs=channel:nixos-unstable
- github_access_token: '${{ secrets.GH_TOKEN }}'
- - name: Create branch
- run: git switch -c update/flake-lock
- - name: Update flake.lock
- run: nix flake update --commit-lock-file
- env:
- GIT_AUTHOR_NAME: kitchen-ci
- GIT_AUTHOR_EMAIL: do-not-reply@buffets.kitchen
- GIT_COMMITTER_NAME: kitchen-ci
- GIT_COMMITTER_EMAIL: do-not-reply@buffets.kitchen
- - name: Push to repo
- run: git push -f origin update/flake-lock
- - name: Create PR
- run: >
- curl -X POST "${{ env.GITHUB_API_URL }}/repos/${{ env.GITHUB_REPOSITORY }}/pulls"
- --fail
- -H "Content-Type: application/json"
- -H "Authorization: token ${{ secrets.BOT_TOKEN }}"
- -d '{
- "title": "build(flake): update inputs",
- "body": "",
- "base": "main",
- "head": "update/flake-lock",
- "assignee": "chef"
- }' || echo PR already open
diff --git a/hosts/ami/acme.nix b/hosts/ami/acme.nix
index 447cc2b..7c6c49e 100644
--- a/hosts/ami/acme.nix
+++ b/hosts/ami/acme.nix
@@ -11,6 +11,7 @@
 extraDomainNames = [
 "*.buffet.sh"
+ "*.buffets.kitchen"
 "buffets.kitchen"
 ];
 };
diff --git a/hosts/ami/default.nix b/hosts/ami/default.nix
index 58f9ed7..6298506 100644
--- a/hosts/ami/default.nix
+++ b/hosts/ami/default.nix
@@ -19,6 +19,7 @@
 ./murmur.nix
 ./nginx.nix
 ./upgrade.nix
+ ./woodpecker.nix
 ../../users/maintainer
 ];
diff --git a/hosts/ami/forgejo-action-runner.nix b/hosts/ami/forgejo-action-runner.nix
deleted file mode 100644
index 8207891..0000000
--- a/hosts/ami/forgejo-action-runner.nix
+++ /dev/null
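Review bot: The added `"*.buffets.kitchen"` SAN can only be issued through the DNS-01 challenge, and the hunk does not show the `dnsProvider`/credentials half of the `buffet.sh` cert, so it is worth confirming that the configured DNS credentials (the `hetzner-dns` secret listed in secrets.nix looks like the candidate) are authoritative for the buffets.kitchen zone as well as buffet.sh — if they are not, renewal of the whole certificate fails, not just the new name. A one-line comment next to the new entry, `# wildcard: needs DNS-01 for the buffets.kitchen zone through the same dnsProvider`, would make that dependency visible to the next person editing the list. The enclosing `certs` attribute set starts before the hunk.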
@@ -1,47 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- numRunners = 1;
-in {
- age.secrets.kitchen-runner-token = {
- file = ../../secrets/kitchen-runner-token.age;
- owner = "gitea-runner";
- };
-
- services.gitea-actions-runner = {
- package = pkgs.forgejo-actions-runner;
-
- instances = lib.genAttrs (builtins.genList (n: "runner${builtins.toString n}") numRunners) (name: {
- enable = true;
- inherit name;
- url = config.services.forgejo.settings.server.ROOT_URL;
- tokenFile = config.age.secrets.kitchen-runner-token.path;
- labels = ["docker-aarch64" "ubuntu-latest-aarch64:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
- settings = {
- log.level = "warn";
- container.network = "host";
- };
- });
- };
-
- systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-runner${builtins.toString n}") numRunners) (_: {
- serviceConfig.Nice = 15;
- });
-
- virtualisation.podman = {
- enable = true;
- autoPrune.enable = true;
- dockerSocket.enable = true;
- };
-
- users.groups.gitea-runner = {};
- users.users.gitea-runner = {
- isSystemUser = true;
- group = "gitea-runner";
- extraGroups = ["podman"];
- home = "/var/lib/gitea-runner/";
- };
-}
diff --git a/hosts/ami/forgejo.nix b/hosts/ami/forgejo.nix
index 2fad10d..e2251b4 100644
--- a/hosts/ami/forgejo.nix
+++ b/hosts/ami/forgejo.nix
@@ -1,10 +1,6 @@
 {pkgs, ...}: let
 port = 3000;
 in {
- imports = [
- ./forgejo-action-runner.nix
- ];
-
 services = {
 forgejo = {
 enable = true;
@@ -14,6 +10,10 @@ in {
 APP_NAME = "buffet's kitchen";
 };
+ actions = {
+ ENABLED = false;
+ };
+
 admin = {
 SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
 };
@@ -69,6 +69,10 @@ in {
 DISABLE_REGISTRATION = true;
 ENABLE_NOTIFY_MAIL = true;
 };
+
+ webhook = {
+ ALLOWED_HOST_LIST = "external,loopback";
+ };
 };
 };
diff --git a/hosts/ami/woodpecker.nix b/hosts/ami/woodpecker.nix
new file mode 100644
index 0000000..3c8b380
--- /dev/null
+++ b/hosts/ami/woodpecker.nix
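Review bot: `ALLOWED_HOST_LIST = "external,loopback"` in the third forgejo.nix hunk lets anyone with webhook rights on a repository point deliveries at 127.0.0.1/::1, which on this host includes Forgejo's own port 3000 and the new Woodpecker server on 3007, so the allow list is wider than it needs to be unless a loopback target is actually in use. If Woodpecker derives its hook URL from `WOODPECKER_HOST` (`https://ci.buffets.kitchen/` in woodpecker.nix) and that name resolves to the host's public address, Forgejo classifies the target as external and the default `external` already suffices; if a loopback hook URL really is in play, record that next to the setting, e.g. `# loopback: Woodpecker registers its hook against a loopback address — verify before widening further`. The `settings` attribute set this belongs to starts before the hunk.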
@@ -0,0 +1,37 @@
+{config, ...}: {
+ age.secrets.woodpecker.file = ../../secrets/woodpecker.age;
+
+ services = let
+ port = 3007;
+ in {
+ woodpecker-server = {
+ enable = true;
+
+ environment = {
+ WOODPECKER_OPEN = "true";
+ WOODPECKER_ORGS = "kitchen";
+ WOODPECKER_ADMIN = "chef";
+ WOODPECKER_HOST = "https://ci.buffets.kitchen/";
+ WOODPECKER_SERVER_ADDR = ":${toString port}";
+
+ WOODPECKER_FORGEJO = "true";
+ WOODPECKER_FORGEJO_URL = "https://buffets.kitchen/";
+ };
+
+ environmentFile = config.age.secrets.woodpecker.path;
+ };
+
+ nginx = {
+ virtualHosts."build.buffets.kitchen" = {
+ useACMEHost = "buffet.sh";
+ forceSSL = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
index f478d4d..c13cf4a 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -6,4 +6,5 @@ in {
 "secrets/hetzner-dns.age".publicKeys = [buffet];
 "secrets/kitchen-runner-token.age".publicKeys = [buffet];
 "secrets/msmtppassword.age".publicKeys = [buffet];
+ "secrets/woodpecker.age".publicKeys = [buffet];
 }
diff --git a/secrets/woodpecker.age b/secrets/woodpecker.age
new file mode 100644
index 0000000..6cf21e7
Binary files /dev/null and b/secrets/woodpecker.age differ
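Review bot: `WOODPECKER_HOST = "https://ci.buffets.kitchen/"` and the nginx vhost `virtualHosts."build.buffets.kitchen"` name two different hosts, so the public URL Woodpecker advertises (the one it uses for its OAuth redirect against Forgejo and for the webhooks it registers) points at a name this config never serves, while the name nginx does serve is not the one Woodpecker believes it has. Pick one: `WOODPECKER_HOST = "https://build.buffets.kitchen/";` or rename the vhost to `ci.buffets.kitchen`, and make sure the redirect URI of the Forgejo OAuth application (its id/secret presumably live in the environmentFile) matches whichever wins. If I read the Woodpecker options right, `WOODPECKER_OPEN = "true"` together with `WOODPECKER_ORGS = "kitchen"` limits self-registration to members of that org, which is the right shape but deserves a comment, `# open registration is gated on membership of the kitchen org`.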
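Review bot: `secrets/kitchen-runner-token.age` stays registered in secrets.nix although its only consumer, hosts/ami/forgejo-action-runner.nix, is deleted in this same commit, so an unused encrypted runner-registration token remains in the repository. Drop the `"secrets/kitchen-runner-token.age".publicKeys = [buffet];` line and the corresponding .age file in the same change, and treat the token as retired on the Forgejo side — with `actions.ENABLED = false` the runner registrations it backed have no further use. The enclosing attribute set begins before the hunk.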