[mcp] Some user setup on the way to automated deployments

[mcp] Adds gitea runners
2025-04-28 19:31:55 -07:00 · 2025-04-28 19:30:27 -07:00
5 changed files with 112 additions and 62 deletions
--- a/secrets/mcp.yaml
+++ b/secrets/mcp.yaml
@@ -1,4 +1,6 @@
-gitea_db_password: ENC[AES256_GCM,data:G2YqiDk0msBRjUJkoPxWmayQ9dI=,iv:FsojIJIi61K7rD2VULDgIx6uSYX3iDiA6W744HlgHl0=,tag:BlmsM7LZHnBCKtfuqlhoKA==,type:str]
+gitea:
+    db_password: ENC[AES256_GCM,data:12FYMsc8HdTMdPegoPLCidaHMMU=,iv:Uat0g7Nvota1yvj6InIAo7Dzv3cBtVVzlRa1d09gx1s=,tag:sFavpAHW0k/Fv1uzPVuGcA==,type:str]
+    registration_token: ENC[AES256_GCM,data:zYfFATOuqACrGUyt6xPhiisz293uomKc6BLPKz8I+MFFBrBdzT9FqA==,iv:gyp2WsUHMMrNBmssWGPLSJmZqlAtopc6HeAtX9+oCXs=,tag:mLEPTapn7OM3bm5c9TKB0A==,type:str]
 bookstack_app_key: ENC[AES256_GCM,data:N79JVlQSoVCXOsIHCxd19HFm6LkrYyXQu/xWenEdUlQWqwZEi3PuHXG7fQgvzQY4KI7S,iv:cd2l2eOv+wAJ5sih3YhHgQTdy1qrvaIsoHcywOnHuYM=,tag:5QvCHlQX8wUz3tI2NXl+8A==,type:str]
 bookstack_db: ENC[AES256_GCM,data:m8fGgAfmJu1rEaxmTVH4FfBhyiU=,iv:OnBT/6sp9zmcJ1+kBmdmvaE630hifxBpvKnu3XrVXcE=,tag:SSVQcYkAymlbFOnf0MB6KA==,type:str]
 mariadb_root_password: ENC[AES256_GCM,data:p965ZhFQqqX+Ub1yhgklVYlBH6A=,iv:qC5WwTvZGvlbAkYiv35xHizMYAnP0V0Vw79EkvL32wQ=,tag:gOJQvHeOC9turFKOMQ9DNg==,type:str]
@@ -33,8 +35,8 @@ sops:
            by9aNFY4dXNxaWxnTXFTQS9reHhuQWMKh5rZ93nFtBV9EpFVRp+E+GXZ6xzVy2Jw
            vFh4deGcAb60q4odSaeWfk1Dr7L9Ua69oK9omjbCNUt+P7Kwlfca7Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-24T23:16:22Z"
-    mac: ENC[AES256_GCM,data:NY9uhBwukENyny0lSnYDrdRDlAm5o0kGBs8Tes4x3/dofWibl9HqHobilg4qrLFzwCgQsgyPAFoRKV7ZVQ25YHjXM4YnoFVmUASfyTfoejWet/J3HwOO1xNkX8N6iYWJRYHOWaKMm46ZvkjmqAB0N6L7Z/8Uk7b09HoAxJ3aVHA=,iv:kI3kv0e9kcc8cb4H+YCnQYs7qDbucQYo264lz4zR/2E=,tag:ELqxtawXwhEPBncDz3REVA==,type:str]
+    lastmodified: "2025-04-28T23:33:42Z"
+    mac: ENC[AES256_GCM,data:cZkRcGV5/CPPVUdTDekwC8UjO6K348sBsS7NvR8wnoXS0AmSZsqN594nkvoc0VccM55Hwnm4jZxY56OV+UFMya1IRIkTo6LJRb88/CgZ8bjz30ACe33FKgJfCugimUDKsekbgNX1UFg1DVbqYK9/N4fcEBSxV3Xmzy5QGnQ/8KU=,iv:EprUHNtU5w7569ADMOxw+izDAL22A5OrB12T9iyHxKU=,tag:kRvyUEZwd/RttKdFOY2bJQ==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.4
--- a/system/hosts/mcp/containers/gitea.nix
+++ b/system/hosts/mcp/containers/gitea.nix
@@ -1,24 +1,40 @@
 { config, ... }:
 let 
-  inherit (import ./lib.nix config) hostRule blazestar;
+  inherit (import ./lib.nix config) mkContainer blazestar;
 in
 {
-  virtualisation.oci-containers.containers.gitea = {
+  sops.secrets = {
+    "gitea/db_password" = {
+      restartUnits = [ "podman-gitea.service" ];
+    };
+    "gitea/registration_token" = {
+      restartUnits = [ "podman-gitea-runner.service" ];
+    };
+  };
+
+  sops.templates."gitea.env".content = ''
+    GITEA__database__DB_TYPE="postgres"
+    GITEA__database__HOST="db"
+    GITEA__database__NAME="gitea"
+    GITEA__database__USER="gitea"
+    GITEA__database__PASSWD="${config.sops.placeholder."gitea/db_password"}"
+  '';
+
+  virtualisation.oci-containers.containers.gitea = mkContainer {
    image = "gitea/gitea:latest-rootless";
-    autoStart = true;
    dependsOn = [
      "db"
    ];
-    extraOptions = [
-      "-l=traefik.enable=true"
-      "-l=traefik.http.routers.gitea.rule=${hostRule "git" blazestar}"
-      "-l=traefik.http.services.gitea.loadbalancer.server.port=3000"
-      "-l=homepage.group=Apps"
-      "-l=homepage.name=Gitea"
-      "-l=homepage.icon=gitea.png"
-      "-l=homepage.href=https://git.${blazestar}"
-      "-l=homepage.description=Git Server"
-    ];
+    hostName = "git";
+    domain = blazestar;
+    public = true;
+    port = 3000;
+    homepageOpts = {
+      name = "Gitea";
+      icon = "gitea.png";
+      description = "Git Server";
+      group = "Apps";
+    };
    ports = [
      "2222:2222"
    ];
@@ -36,14 +52,21 @@ in
    ];
  };

-  sops.secrets."gitea_db_password" = {
-    restartUnits = [ "podman-gitea.service" ];
-  };
-  sops.templates."gitea.env".content = ''
-    GITEA__database__DB_TYPE="postgres"
-    GITEA__database__HOST="db"
-    GITEA__database__NAME="gitea"
-    GITEA__database__USER="gitea"
-    GITEA__database__PASSWD="${config.sops.placeholder."gitea_db_password"}"
+  sops.templates."gitea-runner.env".content = ''
+    GITEA_RUNNER_NAME=MCP
+    GITEA_INSTANCE_URL=https://git.${blazestar}
+    GITEA_RUNNER_REGISTRATION_TOKEN=${config.sops.placeholder."gitea/registration_token"}
  '';
+
+  virtualisation.oci-containers.containers.gitea-runner = {
+    image = "gitea/act_runner:latest";
+    autoStart = true;
+    environmentFiles = [
+      config.sops.templates."gitea-runner.env".path
+    ];
+    volumes = [
+      # The runner will spawn new containers to run the actions
+      "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+    ];
+  };
 }
--- a/system/hosts/mcp/containers/user-ids.nix
+++ b/system/hosts/mcp/containers/user-ids.nix
@@ -1,37 +0,0 @@
-{
-  gitea = 2001;
-  timetagger = 2002;
-  pocket-id = {
-    uid = 2003;
-    gid = 2003;
-  };
-  bookstack = {
-    uid = 2004;
-    gid = 2004;
-  };
-  mariadb = {
-    uid = 2005;
-    gid = 2005;
-  };
-  focalboard = {
-    uid = 2006;
-    gid = 2006;
-  };
-  offen = {
-    uid = 2007;
-    gid = 2007;
-  };
-
-  mkUserAndGroup = name: ids: {
-    groups."${name}" = {
-      gid = ids.gid;
-    };
-
-    users."${name}" = {
-      uid = ids.uid;
-      isSystemUser = true;
-      description = "System User for ${name}";
-      group = "${name}";
-    };
-  };
-}
--- a/system/hosts/mcp/containers/users.nix
+++ b/system/hosts/mcp/containers/users.nix
@@ -0,0 +1,56 @@
+{ pkgs, ... }: let
+  systemUsers = {
+    gitea = {
+      uid = 2001;
+      extraGroups = [ "git" ];
+    };
+    # timetagger = 2002;
+    pocket-id = 2003;
+    bookstack = 2004;
+    mariadb = 2005;
+    focalboard = 2006;
+    offen = 2007;
+    public-html = {
+      uid = 2008;
+      shell = pkgs.zsh;
+      authorizedKeys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKPiqbLAXpBkjXnHLvz3VCd5i+VmYdd9dAcRt+8E1OQX drew@vega"
+      ];
+      home = "/tank/web";
+      packages = [ pkgs.git ];
+    };
+  };
+
+  mkUser = name: value: {
+    uid = value.uid or value;
+    isSystemUser = true; # only affects UID allocation, but required
+    description = "System User for ${name}";
+    group = "${name}";
+    shell = value.shell or null;
+    extraGroups = value.extraGroups or [];
+    openssh.authorizedKeys.keys = value.authorizedKeys or [];
+    home = value.home or "/var/empty";
+    packages = value.packages or [];
+  };
+  mkGroup = name: value: let
+    # 1. Value if int
+    # 2. "gid" if present
+    # 3. "uid"
+    gid =
+      if builtins.isInt value
+      then value
+      else if builtins.hasAttr "gid" value
+        then value.gid
+        else value.uid;
+  in {
+    inherit gid;
+  };
+in {
+  users.users = builtins.mapAttrs mkUser systemUsers;
+  users.groups = (builtins.mapAttrs mkGroup systemUsers) // {
+    # Legacy groups.
+    git = {
+      gid = 992;
+    };
+  };
+}
--- a/system/hosts/mcp/drew.nix
+++ b/system/hosts/mcp/drew.nix
@@ -13,6 +13,12 @@
  programs.git = {
    userName = "Drew Haven";
    userEmail = "drew.haven@gmail.com";
+    extraConfig = {
+      safe = {
+        # Marks the web directory as safe even though I don't own it.
+        directory = "/tank/web";
+      };
+    };
  };

  services.syncthing.tray.enable = false;
Author	SHA1	Message	Date
Drew Haven	39b2c4301c	[mcp] Some user setup on the way to automated deployments	2025-04-28 19:31:55 -07:00
Drew Haven	3da928a7a8	[mcp] Adds gitea runners	2025-04-28 19:30:27 -07:00