add github actions runner and secret management

2023-10-25 20:30:57 +02:00
parent 6d92e424a8
commit fa953c311e
8 changed files with 179 additions and 5 deletions
--- a/test-server/configuration.nix
+++ b/test-server/configuration.nix
@@ -2,9 +2,7 @@
 # your system.  Help is available in the configuration.nix(5) man page
 # and in the NixOS manual (accessible by running ‘nixos-help’).

-{ config, pkgs, ... }:
-
-{
+{ config, pkgs, lib, inputs, ... }:{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
@@ -103,6 +101,8 @@
    tcpdump
    dig
    vscodium
+    inputs.agenix.packages."x86_64-linux".default
+    btop
  #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
  #  wget
  ];
--- a/test-server/flake.lock
+++ b/test-server/flake.lock
@@ -1,6 +1,85 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1696775529,
+        "narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1673295039,
+        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1682203081,
+        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1677676435,
+        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1697957990,
        "narHash": "sha256-LlyEQ4z1immaiZV+MQMUXM3KpNoRY/xZVm8mmN5j3yg=",
@@ -18,7 +97,8 @@
    },
    "root": {
      "inputs": {
-        "nixpkgs": "nixpkgs"
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs_2"
      }
    }
  },
--- a/test-server/flake.nix
+++ b/test-server/flake.nix
@@ -1,9 +1,11 @@
 {
  description = "A very basic flake";
  inputs = {
+      # secrets management
+      agenix.url = "github:ryantm/agenix";
      nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
  };
-  outputs = { self, nixpkgs, ... }: {
+  outputs = { self, nixpkgs, agenix }@inputs: {
    nixosConfigurations.server = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [ 
@@ -12,8 +14,11 @@
        ./modules/adguard.nix
        ./modules/git.nix
        ./modules/vmware-guest.nix
+        ./modules/github-runner.nix
        #./modules/home-assistant.nix idk dont like this
+        agenix.nixosModules.default
      ];
+      specialArgs = { inherit inputs; };
    };
  };
 }
--- a/test-server/modules/github-runner.nix
+++ b/test-server/modules/github-runner.nix
@@ -0,0 +1,35 @@
+{ config, pkgs, lib, inputs, ... }:
+{
+    nixpkgs.config.permittedInsecurePackages = [
+        "nodejs-16.20.2"
+    ];
+    
+    users.groups.github-actions-runner = {};
+    users.users.github-actions-runner = {
+        isSystemUser = true;
+        passwordFile = config.age.secrets.github-runner-pw.path;
+        group = "github-actions-runner";
+        extraGroups = [ "docker" ];
+    };
+    age.secrets.github-runner-token = {
+        file = ../secrets/github-runner-token.age;
+        owner = "github-actions-runner";
+        group = "github-actions-runner";
+    };
+    age.secrets.github-runner-pw = {
+        file = ../secrets/github-runner-pw.age;
+        owner = "github-actions-runner";
+        group = "github-actions-runner";
+    };
+    systemd.tmpfiles.rules = [
+        "d /github-actions-runner 0770 github-actions-runner github-actions-runner -"
+    ];
+    services.github-runner = {
+        enable = true;
+        name = "runner-oberprofis";
+        tokenFile = config.age.secrets.github-runner-token.path;
+        url = "https://github.com/oberprofis";
+        user = "github-actions-runner";
+        workDir = "/github-actions-runner";
+    };
+}
--- a/test-server/secrets/create_secrets.md
+++ b/test-server/secrets/create_secrets.md
@@ -0,0 +1,31 @@
+agenix -e secret1.age
+
+
+example secrets.nix file
+```
+let
+  user1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL0idNvgGiucWgup/mP78zyC23uFjYq0evcWdjGQUaBH";
+  users = [ user1 ];
+
+  system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPJDyIr/FSz1cJdcoW69R+NrWzwGK/+3gJpqD1t8L2zE";
+  systems = [ system1 ];
+in
+{
+  "secret1.age".publicKeys = [ user1 system1 ];
+}
+```
+
+use secret in config
+```
+age.secrets.nextcloud = {
+  file = ./secrets/secret1.age;
+  owner = "nextcloud";
+  group = "nextcloud";
+};
+services.nextcloud = {
+  enable = true;
+  package = pkgs.nextcloud25;
+  hostName = "localhost";
+  config.adminpassFile = config.age.secrets.nextcloud.path;
+};
+```
--- a/test-server/secrets/github-runner-pw.age
+++ b/test-server/secrets/github-runner-pw.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw AgTWFlwf7Cuz40Er5yJGWS3eBr8Cmkk5FXkYAKLmJQg
+BUS6ACBSelgygiTP9icrikwPtIuSIZjYSV1l7TJ+xL0
+-> E-grease 4{$,yJ A^ !FpFte< %5b
+Txk3o2XFNHQ8zHxOuiQWfLx0O4Vk2NqEP3ZKqTHS8PUWIih6WzRh+6vp5Ya34rCd
+n1g
+--- lPdVcHYdhBlw5gNx43cbfqIGXT1ldcBeBzf7VcNlID4
+FÉxàš[cEO½:7&mð±–ã;QGÚµäøð²2cºfØ?.Š7ÿæ	ŠƒG<éÂö]7’\+f~
--- a/test-server/secrets/github-runner-token.age
+++ b/test-server/secrets/github-runner-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 yfCCMw MJo2Lt4IQxqIRygmGVYSRUiFOJ3YgAbOZ6/u8F1aCF4
+cufGP1fUOHzfSN+jbz0WiYCUBk8hC1dLMCtiDS2JaIM
+-> }K-grease :E4V
+x5K6POWZGfcwKwGc5U1nS38qHIzy3ZNW+d1/DpELVKRO+4D0wZ3vf9Tedw
+--- RmPhiYVfU4G09dKxXSq+7XAgJGU0s3UGXBZ3lMGxwEA
+²<EFBFBD>Ç(Ê€†bE¾ÄÆÎcr¥4&½-6~ÒA]<¥K]õM>éÅg\ïætª{ño<C3B1>›Šã9¬ð»	s…
--- a/test-server/secrets/secrets.nix
+++ b/test-server/secrets/secrets.nix
@@ -0,0 +1,8 @@
+let
+  nix-test-vm = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVqEb1U1c9UX3AF8otNyYKpIUMjc7XSjZY3IkIPGOqi root@server";
+  systems = [ nix-test-vm ];
+in
+{
+  "github-runner-token.age".publicKeys = [ nix-test-vm ];
+  "github-runner-pw.age".publicKeys = [ nix-test-vm ];
+}