diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
index 376fde6..d5a93c1 100644
--- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -15,6 +15,29 @@
 tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
 labels = [ "docker:docker://node:current-bookworm" ];
 settings = {
+ cache = {
+ proxy_port = 45540;
+ };
+ runner = {
+ capacity = 4;
+ };
+ };
+ };
+
+ instances.ccchh-codeberg-org-diday = {
+ enable = true;
+ name = "ccchh runner for codeberg.org/di-day";
+ url = "https://codeberg.org/";
+ tokenFile = "/run/secrets/codeberg_org_diday_runner_registration_token";
+ labels = [
+ "docker:docker://node:current-bookworm"
+ "debian-latest:docker://node:current-bookworm"
+ "alpine-latest:docker://node:current-alpine"
+ ];
+ settings = {
+ cache = {
+ proxy_port = 45541;
+ };
 runner = {
 capacity = 4;
 };
@@ -28,4 +51,10 @@
 group = "root";
 restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
 };
+ sops.secrets."codeberg_org_diday_runner_registration_token" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "gitea-runner-ccchh\\x2dcodeberg\\x2dorg\\x2ddiday.service" ];
+ };
 }
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
index 8990224..71aa47a 100644
--- a/config/hosts/forgejo-actions-runner/networking.nix
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@@ -1,6 +1,8 @@
-{ ... }:
-
-{
+{ lib, config, ... }:
+let
+ runnerInstances = lib.attrValues config.services.gitea-actions-runner.instances;
+ runnerCachePorts = lib.map (i: i.settings.cache.proxy_port) runnerInstances;
+in {
 networking = {
 interfaces.net0 = {
 ipv4.addresses = [
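Review bot: The `proxy_port` literals 45540 and 45541 carry no comment saying they must be unique per instance, yet networking.nix in this same commit collects every instance's `settings.cache.proxy_port` and opens it in the host firewall, so a copy-pasted instance with a duplicate port would presumably clash at bind time and every new port silently widens the firewall. A one-line comment at the first `cache = {` would make both facts visible, e.g. `# proxy_port must be unique per instance; networking.nix opens each one in the firewall`. The labels `debian-latest` and `alpine-latest` both resolve to `node:*` images, which also deserves a word so nobody expects a plain Debian or Alpine image. The enclosing instances attrset starts before this hunk.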
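Review bot: `runnerCachePorts` indexes `i.settings.cache.proxy_port` for every instance unconditionally, so adding a runner instance that sets no `cache.proxy_port` makes the whole host configuration fail to evaluate with an attribute-missing error instead of just leaving that instance's port closed. Tolerating the absent path keeps the list correct for the instances that do set it: `runnerCachePorts = lib.filter (p: p != null) (lib.map (i: i.settings.cache.proxy_port or null) runnerInstances);`. The `networking = {` attrset opened by the context lines continues past this hunk.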
@@ -19,4 +21,7 @@
 matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
 linkConfig.Name = "net0";
 };
+
+ # open ports for runner cache proxy so that we can use the cache action
+ networking.firewall.allowedTCPPorts = runnerCachePorts;
 }
diff --git a/config/hosts/forgejo-actions-runner/secrets.yaml b/config/hosts/forgejo-actions-runner/secrets.yaml
index 5debd4d..79df4d5 100644
--- a/config/hosts/forgejo-actions-runner/secrets.yaml
+++ b/config/hosts/forgejo-actions-runner/secrets.yaml
@@ -1,4 +1,5 @@
 forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
+codeberg_org_diday_runner_registration_token: ENC[AES256_GCM,data:thTsLo/eXVPbXt4b8ldae+kGnOR4GbYKOqr1hVJgaL7wZ5GgqWSPcOuhow96Jw==,iv:Fzi+DsKj+4PrwQGEosUntm9l7s78NwzhkmF6e/sfF+s=,tag:oa7mnbGR0J5xi9ruCgRJtQ==,type:str]
 sops:
 age:
 - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
@@ -19,8 +20,8 @@ sops:
 TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9
 DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-26T00:29:52Z"
- mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str]
+ lastmodified: "2026-02-18T09:51:37Z"
+ mac: ENC[AES256_GCM,data:4fWsE3U6WxRqlKHKC4ipE+RQ7MPjiZZcTFMSblxty7JjJHAdKUHbthFB+R8gIWxZEjX5WG+IPgUP+AcCLSI9fdcXMqIFMuDun2hiktwqxzLPGYAoCXdTBAd1uCUagvB/rFty6y8umD4J5ITgEGba9pvGdUcng9WVRV+LGDftS1g=,iv:tD9tlcylQWapNCARxPXrKofZXf2BHTt2c4PQqFNj6X8=,tag:pQ8lOqJEFCcCcJot3BYTmQ==,type:str]
 pgp:
 - created_at: "2026-02-17T22:21:57Z"
 enc: |-
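Review bot: `networking.firewall.allowedTCPPorts = runnerCachePorts;` opens the cache proxy ports on every interface, including net0, although the only intended clients of the cache proxy are the job containers the runners start; the ports (45540/45541 in the forgejo-actions-runner.nix hunk of this commit) thereby become reachable from whatever network net0 is attached to. If the containers reach the proxy over the docker bridge, scoping the rule to that interface keeps the cache action working without the external exposure: `networking.firewall.interfaces."<docker-bridge-interface>".allowedTCPPorts = runnerCachePorts;`. Whether the proxy binds to all addresses or only the bridge is not visible here, so confirm that before narrowing. The comment above the line could also name the consumer, e.g. `# job containers talk to the runners' cache proxy on these ports; keep them off net0`.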
@@ -145,4 +146,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 3532c25..35da7f5 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -18,6 +18,8 @@
 ./staging.hackertours.hamburg.ccc.de.nix
 ./staging.hamburg.ccc.de.nix
 ./www.hamburg.ccc.de.nix
+ ./staging.did.hamburg.ccc.de.nix
+ ./did.hamburg.ccc.de.nix
 ./historic-easterhegg
 ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
new file mode 100644
index 0000000..923053e
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
@@ -0,0 +1,68 @@
+{ ... }:
+
+let
+ domain = "did.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "diday-website-deploy";
+in
+{
+ # security.acme.certs."${domain}".extraDomainNames = [];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
new file mode 100644
index 0000000..ad2b246
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
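Review bot: `users.users."${deployUser}"` is created with `isNormalUser = true` and an `authorizedKeys` entry that carries no options, so the CI key can open an interactive session and, unless sshd forbids it globally, use port and agent forwarding on the web host, while the only thing this file needs the account for is ownership of `dataDir`. If the deploy is an rsync/scp-style upload, prefixing the key string with `restrict ` (and `command="…"` once the deploy command is fixed) narrows the key to exactly that use without touching the user definition. The commented-out `# security.acme.certs."${domain}".extraDomainNames = [];` line either wants a comment saying why it is kept or removal. The nginx comment inside `extraConfig` also misspells `addreses`.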
@@ -0,0 +1,59 @@
+{ ... }:
+
+let
+ domain = "staging.did.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "diday-website-deploy";
+in
+{
+ # security.acme.certs."${domain}".extraDomainNames = [];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+}
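Review bot: `deployUser = "diday-website-deploy"` is reused here, but this file defines neither `users.users` nor `users.groups` for it, so the tmpfiles rule `d ${dataDir} 0755 ${deployUser} ${deployUser}` only names an existing account because did.hamburg.ccc.de.nix from the same commit creates it; that coupling is invisible from this file. It also means the single `codeberg-actions-runner` key that deploys staging can overwrite the production `/var/www/did.hamburg.ccc.de` root, since both directories are owned by the same user. A dedicated staging account (its own `users.users` entry with its own key) separates the two environments; if sharing is intended, a comment at the `let` binding such as `# deployUser is defined in ./did.hamburg.ccc.de.nix and is shared with production` records the dependency.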