Compare commits
5 commits
dc688fb97d
...
8c1785331a
Author | SHA1 | Date | |
---|---|---|---|
Gabriel Simmer | 8c1785331a | ||
Gabriel Simmer | 83e2ea2a78 | ||
Gabriel Simmer | e9a99b886b | ||
Gabriel Simmer | cb5bd7bb4a | ||
Gabriel Simmer | f713cf5e51 |
56
homelab/forgejo-runner.yml
|
@ -0,0 +1,56 @@
|
|||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
labels:
|
||||
app: act-runner
|
||||
name: act-runner
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: act-runner
|
||||
strategy: {}
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
labels:
|
||||
app: act-runner
|
||||
spec:
|
||||
restartPolicy: Always
|
||||
volumes:
|
||||
- name: runner-data
|
||||
emptyDir: {}
|
||||
initContainers:
|
||||
- name: runner-config-generation
|
||||
image: code.forgejo.org/forgejo/runner:2.4.0
|
||||
command: [ "sh", "-c", "cd /data && forgejo-runner create-runner-file --instance $GITEA_INSTANCE_URL --secret $RUNNER_SECRET --connect" ]
|
||||
env:
|
||||
- name: RUNNER_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: runner-secret
|
||||
key: token
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: https://git.gmem.ca
|
||||
volumeMounts:
|
||||
- name: runner-data
|
||||
mountPath: /data
|
||||
containers:
|
||||
- name: runner
|
||||
image: gitea/act_runner:nightly-dind-rootless
|
||||
imagePullPolicy: Always
|
||||
env:
|
||||
- name: DOCKER_HOST
|
||||
value: tcp://localhost:2376
|
||||
- name: DOCKER_CERT_PATH
|
||||
value: /certs/client
|
||||
- name: DOCKER_TLS_VERIFY
|
||||
value: "1"
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: https://git.gmem.ca
|
||||
securityContext:
|
||||
privileged: true
|
||||
volumeMounts:
|
||||
- name: runner-data
|
||||
mountPath: /data
|
||||
|
|
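Review bot: The `runner` container runs with `privileged: true` (the `securityContext` near the end of the hunk) while executing workflow jobs, so any job that can reach the runner's Docker daemon is one step from root on the node; if privileged mode is genuinely required by the dind image, schedule this Deployment on a dedicated or tainted node and record that in a comment such as `# privileged: required by dind; do not co-locate with other workloads`. The image is `gitea/act_runner:nightly-dind-rootless` with `imagePullPolicy: Always`, so every pod restart may pull a different build — pin a released tag or a digest, as the initContainer already does with `runner:2.4.0`. The initContainer also expands `$RUNNER_SECRET` inside the `sh -c` string, which puts the secret into the `forgejo-runner` process arguments for the lifetime of that command; if the tool can read it from the environment that form is preferable. The `DOCKER_HOST`/`DOCKER_CERT_PATH`/`DOCKER_TLS_VERIFY` settings presumably target the dockerd started by the same image, and a comment saying so would save the next reader from looking for a missing sidecar.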
@ -48,10 +48,10 @@
|
|||
trustedInterfaces = ["tailscale0"];
|
||||
checkReversePath = "loose";
|
||||
allowedUDPPorts = [ 41641 ];
|
||||
allowedTCPPorts = [ 22 53 80 443 ];
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 80 443 6443 10250 ];
|
||||
enable = false;
|
||||
};
|
||||
nftables.enable = true;
|
||||
nftables.enable = false;
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
|
@ -89,7 +89,7 @@
|
|||
enable = true;
|
||||
role = "agent";
|
||||
serverAddr = "https://100.77.43.133:6443";
|
||||
token = "";
|
||||
token = "K101619438e86a6ea51229321ca58dfb868582ef353adc5512480c185f5797dcf0b::server:bdc3beb6af99d94395d8464384ec60e2";
|
||||
};
|
||||
};
|
||||
|
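Review bot: The k3s agent token is now a literal in the configuration (`token = "K10…::server:…"` replacing `token = ""` in the `-89,7 +89,7` hunk), so the cluster join credential is committed to the repository and its history and will also land in the world-readable Nix store on the host. Move it out of the evaluated config with `services.k3s.tokenFile` pointing at a file deployed out of band, and treat the committed value as compromised and rotate it on the server. Separately, the `-48,10 +48,10` hunk sets `firewall.enable = false` and `nftables.enable = false`, which leaves the new `allowedTCPPorts = [ 22 80 443 6443 10250 ]` list as dead configuration and exposes those ports on every interface rather than only `tailscale0`; the same change appears in the later `-47,11 +47,11` hunk of the server configuration. If k3s is expected to manage its own rules, a short comment next to `enable = false` saying so would prevent the port list from being read as an active policy.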
|
@ -47,23 +47,13 @@ let
|
|||
"dns.db".file = toString ./nas/dns.db;
|
||||
}
|
||||
];
|
||||
|
||||
nas-k3s-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-23.05";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
};
|
||||
nixos-config.file = toString ./nas/k3s/configuration.nix;
|
||||
"hardware.nix".file = toString ./nas/k3s/hardware.nix;
|
||||
}
|
||||
];
|
||||
|
||||
seattle-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-unstable";
|
||||
ref = "6e287913f7b1ef537c97aa301b67c34ea46b640f";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
shallow = true;
|
||||
};
|
||||
nixos-config.file = toString ./seattle/configuration.nix;
|
||||
"hardware.nix".file = toString ./seattle/hardware.nix;
|
||||
|
@ -73,8 +63,9 @@ let
|
|||
glasgow-source = lib.evalSource [
|
||||
{
|
||||
nixpkgs.git = {
|
||||
ref = "origin/nixos-unstable";
|
||||
ref = "6e287913f7b1ef537c97aa301b67c34ea46b640f";
|
||||
url = https://github.com/NixOS/nixpkgs;
|
||||
shallow = true;
|
||||
};
|
||||
nixos-config.file = toString ./glasgow/configuration.nix;
|
||||
"hardware.nix".file = toString ./glasgow/hardware.nix;
|
||||
|
@ -84,23 +75,19 @@ let
|
|||
in {
|
||||
oracle-gitea-runner = pkgs.krops.writeDeploy "oracle-gitea-runner" {
|
||||
source = oracle-gitea-runner-source;
|
||||
target = "root@130.162.169.74";
|
||||
target = "root@143.47.229.209";
|
||||
};
|
||||
oracle-nix-cache = pkgs.krops.writeDeploy "oracle-nix-cache" {
|
||||
oracle-nginx-funnel = pkgs.krops.writeDeploy "oracle-nginx-funnel" {
|
||||
source = oracle-nix-cache-source;
|
||||
target = "root@141.147.94.210";
|
||||
target = "root@141.147.109.157";
|
||||
};
|
||||
nas = pkgs.krops.writeDeploy "nas" {
|
||||
source = nas-source;
|
||||
target = "root@192.168.50.229";
|
||||
};
|
||||
nas-k3s = pkgs.krops.writeDeploy "nas-k3s" {
|
||||
source = nas-k3s-source;
|
||||
target = "root@192.168.50.229:22001";
|
||||
};
|
||||
seattle = pkgs.krops.writeDeploy "seattle" {
|
||||
source = seattle-source;
|
||||
target = "root@192.168.50.146";
|
||||
target = "root@seattle";
|
||||
};
|
||||
glasgow = pkgs.krops.writeDeploy "glasgow" {
|
||||
source = glasgow-source;
|
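Review bot: The deploy renamed to `oracle-nginx-funnel` still binds `source = oracle-nix-cache-source;` (the unchanged line right after the new name), so the rename is only half done and a reader will look for a funnel source set that does not exist; either rename the source binding to match or add a comment `# reuses the nix-cache source set; the host was repurposed as the nginx funnel`. Pinning `nixpkgs.git.ref` to `6e287913f7b1ef537c97aa301b67c34ea46b640f` with `shallow = true` in the seattle and glasgow sources is a good reproducibility step; a comment recording which channel and date the hash was taken from would make future bumps easier. The surrounding `let … in` block starts and ends outside these hunks.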
|
@ -1,4 +1,3 @@
|
|||
|
||||
# WARN: this file will get overwritten by $ cachix use <name>
|
||||
{ pkgs, lib, ... }:
|
||||
|
|
@ -1,6 +1,9 @@
|
|||
git.gmem.ca. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
|
||||
food.gmem.ca. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
|
||||
git.gmem.ca. IN A 100.116.48.47
|
||||
git.gmem.ca. IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:6274:302f
|
||||
food.gmem.ca. IN A 100.77.43.133
|
||||
food.gmem.ca. IN AAAA fd7a:115c:a1e0:ab12:4843:cd96:624d:2b85
|
||||
|
||||
gmem.ca. IN SOA sns.dns.icann.org. noc.dns.icann.org. 2015082541 7200 3600 1209600 3600
|
||||
gmem.ca. IN NS ns-1341.awsdns-39.org. ns-1824.awsdns-36.co.uk. ns-354.awsdns-44.com. ns-682.awsdns-21.net.
|
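Review bot: The added `git.gmem.ca.` and `food.gmem.ca.` SOA records copy the template values from the existing `gmem.ca.` line — `sns.dns.icann.org.` as MNAME, `noc.dns.icann.org.` as RNAME and serial `2015082541` — so they name ICANN's example hosts as each zone's primary and contact. If these zones are only served inside the tailnet (the A records are `100.x` addresses) this is presumably harmless, but the MNAME should name the host that actually serves them and the serial should be bumped whenever the zone changes. A one-line comment at the top of the file stating that the SOA fields are placeholders would keep the next editor from treating them as real.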
|
@ -17,7 +17,7 @@
|
|||
];
|
||||
|
||||
services.gitea-actions-runner = {
|
||||
# package = pkgs.forgejo-actions-runner;
|
||||
package = pkgs.forgejo-actions-runner;
|
||||
instances = {
|
||||
oracle-arm = {
|
||||
name = "oracle-arm";
|
||||
|
@ -39,8 +39,8 @@
|
|||
nix
|
||||
zstd
|
||||
];
|
||||
url = "https://vancouver.scorpion-ghost.ts.net/git";
|
||||
token = "";
|
||||
url = "https://git.gmem.ca";
|
||||
token = "rclEuf0ZKhWKe7IhvWZqgJpb1y84iYBJsJi7Wslh";
|
||||
settings = {
|
||||
cache.port = 4328;
|
||||
};
|
||||
|
@ -53,7 +53,7 @@
|
|||
environment.shells = with pkgs; [ zsh fish ];
|
||||
|
||||
networking = {
|
||||
hostName = "gitea-arm-runner";
|
||||
hostName = "forgejo-action-runner";
|
||||
domain = "gmem.ca";
|
||||
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
||||
firewall = {
|
||||
|
@ -79,5 +79,5 @@
|
|||
|
||||
services.openssh.enable = true;
|
||||
services.tailscale.enable = true;
|
||||
system.stateVersion = "23.05";
|
||||
system.stateVersion = "23.11";
|
||||
}
|
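Review bot: The runner registration token is committed in plain text (`token = "rclEuf…";` replacing `token = "";` in the `-39,8 +39,8` hunk) and, being part of the NixOS configuration, will also be copied into the world-readable Nix store on the host. Use the instance's `tokenFile` option with a file provisioned outside the repository, and rotate the token on the Forgejo side now that this value is in history. In the `-79,5 +79,5` hunk `system.stateVersion` is bumped from `"23.05"` to `"23.11"`; NixOS documents that this value should stay at the release the system was first installed with, so unless this host was reinstalled the change should be reverted or justified with a comment. The `instances` attribute set of the `-17,7 +17,7` hunk continues outside the hunk.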
|
@ -47,11 +47,11 @@
|
|||
firewall = {
|
||||
trustedInterfaces = ["tailscale0"];
|
||||
checkReversePath = "loose";
|
||||
allowedTCPPorts = [ 22 53 80 443 ];
|
||||
allowedUDPPorts = [ 41641 ];
|
||||
enable = true;
|
||||
allowedTCPPorts = [ 22 80 443 6443 10250 ];
|
||||
allowedUDPPorts = [ 41641 80 443 ];
|
||||
enable = false;
|
||||
};
|
||||
nftables.enable = true;
|
||||
nftables.enable = false;
|
||||
};
|
||||
|
||||
time.timeZone = "Europe/London";
|
||||
|
@ -89,7 +89,7 @@
|
|||
enable = true;
|
||||
role = "server";
|
||||
extraFlags = toString [
|
||||
"--secrets-encryption"
|
||||
"--secrets-encryption --disable=traefik"
|
||||
];
|
||||
};
|
||||
};
|
2
pulumi/.gitignore
|
@ -1,2 +0,0 @@
|
|||
/bin/
|
||||
/node_modules/
|
|
@ -1,6 +0,0 @@
|
|||
encryptionsalt: v1:v/2Egaf4eCE=:v1:2Vc2k1lWnahiE1Ce:83nVXz3moeXDWxGg/gjobA9cHw8zYg==
|
||||
config:
|
||||
aws:region: eu-west-2
|
||||
tailscale:apiKey:
|
||||
secure: v1:4IfYF+gWnunbS4mK:HyJkqNAOvflbV3SZYTh/0F/is4fVMYGJLaYPhOA3xqrFu1CCzy38k2ADhvvpYIbK0PxHdibN6iW9VtCKHeTXhE8rWpv97dEb
|
||||
tailscale:tailnet: gmem.ca
|
|
@ -1,3 +0,0 @@
|
|||
name: gmem-pulumi
|
||||
runtime: nodejs
|
||||
description: gmem's AWS Infra
|
|
@ -1,47 +0,0 @@
|
|||
import * as pulumi from "@pulumi/pulumi";
|
||||
import * as aws from "@pulumi/aws";
|
||||
import * as tailscale from "@pulumi/tailscale";
|
||||
|
||||
const r53_domains: { [key: string]: any } = {"gmem.ca": "", "gabrielsimmer.com": ""};
|
||||
|
||||
export = async () => {
|
||||
for (const domain in r53_domains) {
|
||||
r53_domains[domain] = new aws.route53.Zone(domain, {
|
||||
comment: "Managed by Pulumi",
|
||||
name: domain,
|
||||
}, {
|
||||
protect: true,
|
||||
}).id;
|
||||
}
|
||||
|
||||
const vancouver_ts = await tailscale.getDevice({ name: "vancouver.scorpion-ghost.ts.net" });
|
||||
new aws.route53.Record("vancouver", {
|
||||
zoneId: r53_domains["gmem.ca"],
|
||||
name: "vancouver.gmem.ca",
|
||||
type: "A",
|
||||
ttl: 300,
|
||||
records: [vancouver_ts.addresses[0]]
|
||||
});
|
||||
new aws.route53.Record("galleon", {
|
||||
zoneId: r53_domains["gmem.ca"],
|
||||
name: "galleon.gmem.ca",
|
||||
type: "A",
|
||||
ttl: 300,
|
||||
records: [vancouver_ts.addresses[0]]
|
||||
});
|
||||
new aws.route53.Record("gabrielsimmercom", {
|
||||
zoneId: r53_domains["gabrielsimmer.com"],
|
||||
name: "gabrielsimmer.com",
|
||||
type: "A",
|
||||
ttl: 3600,
|
||||
records: ["66.241.124.117"]
|
||||
});
|
||||
new aws.route53.Record("gabrielsimmercom-aaaa", {
|
||||
zoneId: r53_domains["gabrielsimmer.com"],
|
||||
name: "gabrielsimmer.com",
|
||||
type: "AAAA",
|
||||
ttl: 3600,
|
||||
records: ["2a09:8280:1::4e:42fd"]
|
||||
});
|
||||
return { "vancouver ts ip": vancouver_ts.addresses[0] };
|
||||
}
|
2404
pulumi/package-lock.json
|
@ -1,13 +0,0 @@
|
|||
{
|
||||
"name": "gmem-pulumi",
|
||||
"main": "index.ts",
|
||||
"devDependencies": {
|
||||
"@types/node": "^16"
|
||||
},
|
||||
"dependencies": {
|
||||
"@pulumi/aws": "^5.0.0",
|
||||
"@pulumi/awsx": "^1.0.0",
|
||||
"@pulumi/pulumi": "^3.0.0",
|
||||
"@pulumi/tailscale": "^0.12.2"
|
||||
}
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
"compilerOptions": {
|
||||
"strict": true,
|
||||
"outDir": "bin",
|
||||
"target": "es2016",
|
||||
"module": "commonjs",
|
||||
"moduleResolution": "node",
|
||||
"sourceMap": true,
|
||||
"experimentalDecorators": true,
|
||||
"pretty": true,
|
||||
"noFallthroughCasesInSwitch": true,
|
||||
"noImplicitReturns": true,
|
||||
"forceConsistentCasingInFileNames": true
|
||||
},
|
||||
"files": [
|
||||
"index.ts"
|
||||
]
|
||||
}
|
|
@ -65,6 +65,29 @@ provider "registry.terraform.io/hetznercloud/hcloud" {
|
|||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/sharkyrawr/cloudns" {
|
||||
version = "0.0.7"
|
||||
constraints = "0.0.7"
|
||||
hashes = [
|
||||
"h1:9j02xibBw0ol2nDg7dd/w5A3IwT9Ih2fQWC3LWmPrBw=",
|
||||
"zh:00981e00a0efacc99e118cf72708b3889622afc8e997a18e29649a646bb25e83",
|
||||
"zh:357235742de49011118f173e121e1406ef26a2bdda6864cd2f13c4cc9af73d3e",
|
||||
"zh:3fa3db9190f8d44452f8d6528f7aebda15e66f5c33a8423bae32c352b157df38",
|
||||
"zh:4bae8164457b0f94bcdcfed18d7296fabc01a46ac03f6ec21e38dbf442aabddb",
|
||||
"zh:a27c5153b1fde30e7037ed19b354af8e1d9a4952ec420e5f6e09bdc148263e9e",
|
||||
"zh:aa7d6555c0a345dbb094bb903d2ae5261ced464d8b58c2e24c561970130be824",
|
||||
"zh:bc188c2ff5351453ae23e65b3baa00567cd0be8ca26c2be08fb0168a9b88d5d2",
|
||||
"zh:c8e72151976d2bcdc107a926c3d9c9cee6e5ac0ce7e446544a60cca1d35217c3",
|
||||
"zh:d648371729035dc52b0437462e9f91b24f3fea6427e043c0016e02a91c60b7eb",
|
||||
"zh:d8dc24aa0c586a12ea19e46cf14e3e6fc1ec6e3281aafaba35da9d4e26f23cd0",
|
||||
"zh:e43b20807b37db5c2bd2806350321b0bd6831c0675abe0d74d42c1cc894f711d",
|
||||
"zh:fa101cec498688add26a3f5cee96bc409d09e1d611b4e934d4233a56d812f81b",
|
||||
"zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25",
|
||||
"zh:fd5bc423d1d68aa6905ba01e0e5e3f552e4f656f636117cd26e1f2394a6d1bf4",
|
||||
"zh:fe80010ea109e573561da1c93d91af7d8525387e0d2ff1185672f7464fb26956",
|
||||
]
|
||||
}
|
||||
|
||||
provider "registry.terraform.io/vercel/vercel" {
|
||||
version = "0.14.0"
|
||||
constraints = "0.14.0"
|
||||
|
|
|
@ -27,16 +27,6 @@ resource "aws_route53_record" "gabrielsimmercom-a" {
|
|||
]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "gabrielsimmercom-aaaa" {
|
||||
zone_id = aws_route53_zone.gabrielsimmercom.zone_id
|
||||
name = "gabrielsimmer.com"
|
||||
type = "AAAA"
|
||||
ttl = 3600
|
||||
records = [
|
||||
"2a09:8280:1::4e:42fd"
|
||||
]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "gabrielsimmercom-next" {
|
||||
zone_id = aws_route53_zone.gabrielsimmercom.zone_id
|
||||
name = "next"
|
||||
|
|
|
@ -23,7 +23,15 @@ resource "aws_route53_record" "git" {
|
|||
name = "git"
|
||||
type = "A"
|
||||
ttl = 300
|
||||
records = ["141.147.94.210"]
|
||||
records = ["141.147.109.157"]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "food" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "food"
|
||||
type = "A"
|
||||
ttl = 300
|
||||
records = ["141.147.109.157"]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "nix-cache" {
|
||||
|
@ -116,10 +124,27 @@ resource "aws_route53_record" "gmem-ca-mail-txt" {
|
|||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "gmem.ca"
|
||||
type = "TXT"
|
||||
records = ["v=spf1 include:spf.messagingengine.com ?all"]
|
||||
records = ["v=spf1 include:spf.messagingengine.com include:spf.mushu.services.floofy.tech ?all"]
|
||||
ttl = 300
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "postal-dkim" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "postal-d6U33J._domainkey"
|
||||
type = "TXT"
|
||||
ttl = 300
|
||||
records = ["v=DKIM1; t=s; h=sha256; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCoSvi65zRk8yn0IySfXWyNzeQpz8DEg8ZnmR/Kqq+Ga890KoINkQHB0toQu/iURjmLo+2mYKMxkAMWZPEsKaNsBCLBB55NCvq3/jeJdjOKYLplc51KSdxSb3AGokGqwCDhQ8u+MJty/R3QOHbzndddQTnSG0ApDkJNiPdFVnXnewIDAQAB;"]
|
||||
}
|
||||
|
||||
resource "aws_route53_record" "postal-cname" {
|
||||
zone_id = aws_route53_zone.gmemca.zone_id
|
||||
name = "psrp"
|
||||
type = "CNAME"
|
||||
ttl = 300
|
||||
records = ["rp.mushu.services.floofy.tech"]
|
||||
}
|
||||
|
||||
|
||||
# S3 bucket static site
|
||||
resource "aws_s3_bucket" "gmem-ca-static_site" {
|
||||
bucket = "gmem.ca"
|
||||
|
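Review bot: The SPF record still ends in `?all` after adding `include:spf.mushu.services.floofy.tech`, so the policy remains neutral and asserts nothing about mail from other sources; once the two legitimate senders are enumerated, `~all` (or `-all`) is the usual choice, e.g. `records = ["v=spf1 include:spf.messagingengine.com include:spf.mushu.services.floofy.tech ~all"]`. The new `postal-dkim` record publishes a 1024-bit RSA key (the `MIGfMA0…` SPKI prefix) with `t=s`; that is the minimum RFC 8301 permits and 2048-bit is recommended where the signing side supports it, so a comment naming the Postal instance the key belongs to would help when it is rotated. Whether a DMARC record exists for `gmem.ca` is not visible in this hunk.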
|
|
@ -15,6 +15,10 @@ terraform {
|
|||
cloudflare = {
|
||||
source = "cloudflare/cloudflare"
|
||||
version = "3.33.1"
|
||||
}
|
||||
cloudns = {
|
||||
source = "SharkyRawr/cloudns"
|
||||
version = "0.0.7"
|
||||
}
|
||||
}
|
||||
backend "s3" {
|
||||
|
@ -40,3 +44,5 @@ provider "hcloud" {}
|
|||
variable "tailscale_key" {
|
||||
type = string
|
||||
}
|
||||
|
||||
provider "cloudns" {}
|
||||
|
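Review bot: `provider "cloudns" {}` is added with no arguments, so the provider's credentials must come from the environment or another implicit source, and nothing in the file says which; a comment above the block such as `# credentials are supplied via the provider's environment variables, see its docs` (or explicit `variable` inputs like the existing `tailscale_key`) would make the dependency visible. `SharkyRawr/cloudns` is a community-published provider pinned to `0.0.7` in the `-15,6 +15,10` hunk, which together with the lock-file entry is the right control; a short comment on why this provider was chosen would help future review of that dependency.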
|