From 3b4431b8c502a303c5ebf495757ef0a6122bb033 Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Tue, 26 Mar 2024 14:57:26 -0400
Subject: [PATCH] Remove older gh runner

---
 nix-darwin/ci/github-runner.nix | 2 +-
 nixos/easy-github-runners.nix | 151 --------------------------------
 systems/github-runner.nix | 2 +-
 3 files changed, 2 insertions(+), 153 deletions(-)
 delete mode 100644 nixos/easy-github-runners.nix

diff --git a/nix-darwin/ci/github-runner.nix b/nix-darwin/ci/github-runner.nix
index 0d829e2..40d3eae 100644
--- a/nix-darwin/ci/github-runner.nix
+++ b/nix-darwin/ci/github-runner.nix
@@ -1,3 +1,4 @@
+# TODO: Remove in favour of systems/github-runner.nix
 { flake, pkgs, lib, ... }:
 
 {
@@ -7,7 +8,6 @@
 # ./linux-builder.nix
 ];
 
-# TODO: Refactor this into a module, like easy-github-runners.nix
 services.github-runners =
 let
 srid = {
diff --git a/nixos/easy-github-runners.nix b/nixos/easy-github-runners.nix
deleted file mode 100644
index 78f0294..0000000
--- a/nixos/easy-github-runners.nix
+++ /dev/null
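Review bot: The TODO added at the top of nix-darwin/ci/github-runner.nix names systems/github-runner.nix as the replacement, but the module deleted in this same patch still listed `- [ ] macOS runners` as open and the checklist in systems/github-runner.nix (third file) still has the macOS builder unticked, so a reader cannot tell whether this nix-darwin (presumably macOS) runner can be dropped yet. I would make the comment state the blocker, e.g. `# TODO: Remove in favour of systems/github-runner.nix once it can host the macOS jobs this file provides`. The services.github-runners attrset whose comment the second hunk removes continues past the hunk, so the registration and token settings of the remaining darwin runner are not visible here.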
@@ -1,151 +0,0 @@ -/* Module for setting up personal or org-wide github runners - - Limitations - - A runner can run only one job at a time: https://github.com/orgs/community/discussions/26769 - - This makes sharing an org-wide runner less useful, unless we create multiple runners. - - TODOs - - - [x] Run runners in containers - - [ ] macOS runners: https://github.com/LnL7/nix-darwin/issues/582 - - [x] Support github orgs - - [ ] Unbreak cachix? https://github.com/cachix/cachix-action/issues/169 - - [x] Or switch to nix-serve or attic - -*/ -top@{ pkgs, lib, config, ... }: -let - inherit (lib) types; -in -{ - options = { - services.easy-github-runners = lib.mkOption { - description = '' - Attrset of runners. - - The key will be used to identify the runner name. It could be either org - name or the repo path, unless you want to run multiple runners per - org/repo, in which case choose a suitably unique key while setting org - name or repo path in `githubPath` option. - ''; - type = types.lazyAttrsOf (types.submodule ({ config, name, ... }: { - options = { - owner = lib.mkOption { - type = types.str; - description = '' - The owner of this repo/org. - - The PAC token of this owner must be able to setup runners for this - repo/org. - ''; - default = lib.head (lib.splitString "/" config.githubPath); - }; - url = lib.mkOption { - type = types.str; - description = ''Github URL for this runner''; - default = "https://github.com/${config.githubPath}"; - }; - githubPath = lib.mkOption { - type = types.str; - default = name; - description = '' - The path after https://github.com in the URL for this runner - - By default, it uses the attr key. If you are running multiple - runners per org or per repo, you may want to explicitly specify - the githubPath to disambiguate. - ''; - }; - tokenSecretPath = lib.mkOption { - type = types.str; - # By default, we expect personal access token (not runner registeration token) - # Thus, it is bucket by the owner. 
- default = "gh-selfhosted-tokens/${config.owner}"; - readOnly = true; - description = '' - sops-nix key path containing the token for this runner. - ''; - }; - nixosConfig = lib.mkOption { - type = types.deferredModule; - description = '' - NixOS configuration for the GitHub Runner container - ''; - default = { pkgs, ... }: { - nix.settings = { - experimental-features = "nix-command flakes repl-flake"; - max-jobs = "auto"; - }; - }; - }; - runnerConfig = lib.mkOption { - type = types.lazyAttrsOf types.raw; - description = ''Configuration for the GitHub Runner''; - default = { - extraPackages = with pkgs; [ - cachix - nixci - which - coreutils - ]; - extraLabels = [ "nixos" ]; - }; - }; - }; - })); - }; - }; - config = - let - cfg = config.services.easy-github-runners; - user = "github-runner"; - userModule = { - users.users.${user} = { - uid = 1099; - isSystemUser = true; - group = user; - }; - users.groups.${user} = { }; - }; - in - userModule // { - sops.secrets = - lib.flip lib.mapAttrs' cfg (name: cfg: - lib.nameValuePair cfg.tokenSecretPath { - mode = "0440"; - }); - - nix.settings = { - trusted-users = [ user ]; - allowed-users = [ user ]; - }; - - containers = - lib.flip lib.mapAttrs' cfg - (name: cfg: - let - tokenFile = top.config.sops.secrets."${cfg.tokenSecretPath}".path; - nameLegal = lib.replaceStrings [ "/" ] [ "-" ] name; - in - lib.nameValuePair ''github-runner-${nameLegal}'' { - autoStart = true; - bindMounts."${tokenFile}" = { - hostPath = tokenFile; - isReadOnly = true; - }; - config = { config, pkgs, ... }: { - system.stateVersion = "23.11"; - imports = [ - userModule - cfg.nixosConfig - ]; - nix.settings.trusted-users = [ user ]; # for cachix - services.github-runners."${nameLegal}" = cfg.runnerConfig // { - enable = true; - inherit user tokenFile; - inherit (cfg) url; - }; - }; - }); - }; -} diff --git a/systems/github-runner.nix b/systems/github-runner.nix index 2e089f0..e3b6ae2 100644 --- a/systems/github-runner.nix 
+++ b/systems/github-runner.nix
@@ -3,7 +3,7 @@
 # - [x] Colmena deploy, with keys from 1Password.
 # - [x] Github Runners
 # - [ ] Distributed builder to host (macOS)
-# - [ ] Refactor, to allow multiple repos (then remove easy-github-runners.nix)
+# - [x] Refactor, to allow multiple repos (then remove easy-github-runners.nix)
 
 { flake, pkgs, lib, ... }:
 let
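Review bot: The ticked checklist line in systems/github-runner.nix keeps the parenthetical `(then remove easy-github-runners.nix)`, which this very patch performs, so the comment is stale the moment it lands; `# - [x] Refactor, to allow multiple repos (easy-github-runners.nix removed)` would read correctly. The deleted module was also where the token handling lived — a sops secret with mode 0440, a read-only bind mount of the token file into the container, and trusted-users/allowed-users limited to the github-runner user — so it is worth confirming that the module behind this checklist carries equivalent handling before the old one is gone. Its body starts after this hunk and is not visible here.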