feat: Migrate CI to gitea

2025-12-18 12:35:35 -05:00
parent d205211c7d
commit a23ec91c9c
13 changed files with 167 additions and 175 deletions
--- a/sw/builders/default.nix
+++ b/sw/builders/default.nix
@@ -1,7 +1,7 @@
 # ============================================================================
 # Builders Software Configuration
 # ============================================================================
-# Imports builder-specific programs and services (GitHub Actions runners, etc.)
+# Imports builder-specific programs and services (Gitea Actions runners, etc.)

 {
  config,
--- a/sw/builders/services.nix
+++ b/sw/builders/services.nix
@@ -11,29 +11,25 @@ let
  cfg = config.athenix.sw;
  builderCfg = cfg.builders;
 in
-mkIf builderCfg.githubRunner.enable {
-  services.github-runners.${builderCfg.githubRunner.name} = {
+mkIf builderCfg.giteaRunner.enable {
+  services.gitea-actions-runner.instances.${builderCfg.giteaRunner.name} = {
    enable = true;
-    url = builderCfg.githubRunner.url;
-    tokenFile = builderCfg.githubRunner.tokenFile;
-    extraLabels = builderCfg.githubRunner.extraLabels;
-    user = builderCfg.githubRunner.user;
-    workDir = builderCfg.githubRunner.workDir;
-    replace = builderCfg.githubRunner.replace;
+    url = builderCfg.giteaRunner.url;
+    tokenFile = builderCfg.giteaRunner.tokenFile;
+    labels = builderCfg.giteaRunner.extraLabels;
+    name = builderCfg.giteaRunner.name;
  };

-  # Configure the systemd service for better handling of cleanup and restarts
-  systemd.services."github-runner-${builderCfg.githubRunner.name}" = {
+  # Configure the systemd service for better handling in LXC containers
+  systemd.services."gitea-runner-${builderCfg.giteaRunner.name}" = {
    unitConfig = {
      # Only start the service if token file exists
      # This allows graceful deployment before the token is manually installed
-      ConditionPathExists = builderCfg.githubRunner.tokenFile;
+      ConditionPathExists = builderCfg.giteaRunner.tokenFile;
    };
    serviceConfig = {
      # Give the service more time to stop cleanly
-      TimeoutStopSec = 60;
-      # Restart on failure, but not immediately
-      RestartSec = 10;
+      TimeoutStopSec = mkForce 60;

      # Disable all namespace isolation features that don't work in LXC containers
      PrivateMounts = mkForce false;
@@ -50,80 +46,6 @@ mkIf builderCfg.githubRunner.enable {
      ProtectKernelTunables = mkForce false;
      ProtectKernelModules = mkForce false;
      ProtectControlGroups = mkForce false;
-
-      # Use LoadCredential to securely pass the token file to the service
-      # This allows the service to read the token even when running as non-root
-      LoadCredential = "token:${builderCfg.githubRunner.tokenFile}";
-
-      # Don't override ExecStartPre - let the default module handle configuration
-      # Just make the cleanup more tolerant by wrapping the original script
-      ExecStartPre = mkForce (
-        let
-          # Get the runner package and scripts
-          runnerPkg = pkgs.github-runner;
-
-          # Create wrapper scripts that are failure-tolerant
-          unconfigureWrapper = pkgs.writeShellScript "github-runner-unconfigure-wrapper.sh" ''
-            set +e  # Don't fail on errors
-
-            runnerDir="$1"
-            stateDir="$2"
-            logDir="$3"
-
-            # If directory is busy, just skip cleanup with a warning
-            if [ -d "$runnerDir" ]; then
-              echo "Attempting cleanup of $runnerDir..."
-              find "$runnerDir" -mindepth 1 -maxdepth 1 -delete 2>/dev/null || {
-                echo "Warning: Cleanup had issues (directory may be in use), continuing anyway..."
-              }
-            fi
-
-            exit 0
-          '';
-
-          configureScript = pkgs.writeShellScript "github-runner-configure.sh" ''
-            set -e
-
-            runnerDir="${builderCfg.githubRunner.workDir}/${builderCfg.githubRunner.name}"
-
-            # Read token from systemd credential (passed via LoadCredential)
-            if [ -n "''${CREDENTIALS_DIRECTORY:-}" ] && [ -f "''${CREDENTIALS_DIRECTORY}/token" ]; then
-              token=$(cat "''${CREDENTIALS_DIRECTORY}/token")
-            else
-              echo "Error: Token credential not available"
-              exit 1
-            fi
-
-            cd "$runnerDir"
-
-            # Configure the runner, optionally replacing existing registration
-            if [ ! -f ".runner" ] || [ "${
-              if builderCfg.githubRunner.replace then "true" else "false"
-            }" = "true" ]; then
-              echo "Configuring GitHub Actions runner..."
-              ${runnerPkg}/bin/Runner.Listener configure \
-                --unattended \
-                --url "${builderCfg.githubRunner.url}" \
-                --token "$token" \
-                --name "$(hostname)" \
-                --labels "${lib.concatStringsSep "," builderCfg.githubRunner.extraLabels}" \
-                --work "_work" \
-                ${if builderCfg.githubRunner.replace then "--replace" else ""}
-            else
-              echo "Runner already configured, skipping configuration."
-            fi
-          '';
-        in
-        [
-          "-${unconfigureWrapper} ${builderCfg.githubRunner.workDir}/${builderCfg.githubRunner.name} ${builderCfg.githubRunner.workDir} /var/log/github-runner/${builderCfg.githubRunner.name}"
-          "${configureScript}"
-        ]
-      );
    };
  };
-
-  # Ensure the work directory exists with proper ownership
-  systemd.tmpfiles.rules = [
-    "d ${builderCfg.githubRunner.workDir} 0755 ${builderCfg.githubRunner.user} ${builderCfg.githubRunner.user} -"
-  ];
 }
--- a/sw/default.nix
+++ b/sw/default.nix
@@ -79,21 +79,21 @@ in
    builders = mkOption {
      type = types.submodule {
        options = {
-          githubRunner = {
-            enable = mkEnableOption "GitHub Actions self-hosted runner";
+          giteaRunner = {
+            enable = mkEnableOption "Gitea Actions self-hosted runner";

            url = mkOption {
              type = types.str;
-              description = "GitHub repository URL for the runner";
+              description = "Gitea instance URL for the runner";
            };

            tokenFile = mkOption {
              type = types.path;
-              default = "/var/lib/github-runner-token";
+              default = "/var/lib/gitea-runner-token";
              description = ''
-                Path to file containing GitHub PAT token.
-                Generate at: https://github.com/settings/tokens
-                The token must have repo access.
+                Path to file containing Gitea runner token.
+                Generate in Gitea repository settings under Actions > Runners.
+                The token must have runner registration access.
              '';
            };

@@ -103,28 +103,10 @@ in
              description = "Extra labels to identify this runner in workflows";
            };

-            user = mkOption {
-              type = types.str;
-              default = "engr-ugaif";
-              description = "User to run the runner as";
-            };
-
-            workDir = mkOption {
-              type = types.str;
-              default = "/var/lib/github-runner";
-              description = "Working directory for runner";
-            };
-
            name = mkOption {
              type = types.str;
-              default = "nixos-systems";
-              description = "Name of the GitHub runner service";
-            };
-
-            replace = mkOption {
-              type = types.bool;
-              default = false;
-              description = "Replace existing runner registration on start";
+              default = "athenix";
+              description = "Name of the Gitea runner service";
            };
          };
        };