fix(gitea-runner): Use public ingress

2026-01-26 10:23:13 +01:00
parent 6e57520557
commit 320c15488a
2 changed files with 17 additions and 26 deletions
--- a/modules/gitea-runner.nix
+++ b/modules/gitea-runner.nix
@@ -32,13 +32,6 @@ let
    # Add SSL CA certs
    mkdir -p $out/etc/ssl/certs
    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
-
-    # HACK: Add our k8s ca-issuer certs to container
-    chmod +w $out/etc/ssl/certs/ca-bundle.crt
-    cat << 'EOF' >> $out/etc/ssl/certs/ca-bundle.crt
-    ${lib.concatStringsSep "\n" config.security.pki.certificates}
-    EOF
-    ln -s ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt
  '';

  configuration = {
@@ -199,8 +192,8 @@ let
    services.gitea-actions-runner = {
      instances.nix = {
        enable = true;
-        name = "nix-runner";
-        url = "https://git.svc.hel1.obx";
+        name = "nix";
+        url = "https://git.oceanbox.io";
        # Obtaining the path to the runner token file may differ
        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
        # tokenFile = config.age.secrets.gitea-runner-token.path;
@@ -214,8 +207,6 @@ let
            "-e PATH=/bin"
            "-e NIX_PATH=nixpkgs=${builtins.toString pkgs.path}"
            "-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
-            "-e GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
-            "-e NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt"
            "-v /nix:/nix"
            "-v ${storeDeps}/bin:/bin"
            "-v ${storeDeps}/etc/ssl:/etc/ssl"
--- a/tos/hashmap/default.nix
+++ b/tos/hashmap/default.nix
@@ -212,21 +212,21 @@
    '';
  };

-  security.pki.certificates = [
-    ''
-      -----BEGIN CERTIFICATE-----
-      MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
-      MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
-      MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
-      BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
-      D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
-      BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
-      BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
-      JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
-      m9H0cfSnZwsuwl6yETI=
-      -----END CERTIFICATE-----
-    ''
-  ];
+  # security.pki.certificates = [
+  #   ''
+  #     -----BEGIN CERTIFICATE-----
+  #     MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
+  #     MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
+  #     MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
+  #     BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
+  #     D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
+  #     BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+  #     BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
+  #     JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
+  #     m9H0cfSnZwsuwl6yETI=
+  #     -----END CERTIFICATE-----
+  #   ''
+  # ];

  imports = [
    ./users.nix