fix(gitea-runner): Use public ingress

2026-01-26 10:23:13 +01:00
parent 6e57520557
commit 320c15488a
2 changed files with 17 additions and 26 deletions


@@ -32,13 +32,6 @@ let
# Add SSL CA certs # Add SSL CA certs
mkdir -p $out/etc/ssl/certs mkdir -p $out/etc/ssl/certs
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
# HACK: Add our k8s ca-issuer certs to container
chmod +w $out/etc/ssl/certs/ca-bundle.crt
cat << 'EOF' >> $out/etc/ssl/certs/ca-bundle.crt
${lib.concatStringsSep "\n" config.security.pki.certificates}
EOF
ln -s ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt
''; '';
configuration = { configuration = {
@@ -199,8 +192,8 @@ let
services.gitea-actions-runner = { services.gitea-actions-runner = {
instances.nix = { instances.nix = {
enable = true; enable = true;
name = "nix-runner"; name = "nix";
url = "https://git.svc.hel1.obx"; url = "https://git.oceanbox.io";
# Obtaining the path to the runner token file may differ # Obtaining the path to the runner token file may differ
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
# tokenFile = config.age.secrets.gitea-runner-token.path; # tokenFile = config.age.secrets.gitea-runner-token.path;
@@ -214,8 +207,6 @@ let
"-e PATH=/bin" "-e PATH=/bin"
"-e NIX_PATH=nixpkgs=${builtins.toString pkgs.path}" "-e NIX_PATH=nixpkgs=${builtins.toString pkgs.path}"
"-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" "-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
"-e GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
"-e NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt"
"-v /nix:/nix" "-v /nix:/nix"
"-v ${storeDeps}/bin:/bin" "-v ${storeDeps}/bin:/bin"
"-v ${storeDeps}/etc/ssl:/etc/ssl" "-v ${storeDeps}/etc/ssl:/etc/ssl"
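Review bot: The first hunk drops `ln -s ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt` together with the CA-append HACK, although the symlink looks independent of the private CA. Any client in the job container that opens `/etc/ssl/certs/ca-certificates.crt` by default instead of reading `SSL_CERT_FILE` would then find no trust store, and verification failures in CI tend to get worked around by disabling verification. If the removal was not deliberate, keep that one line after the `cp -a`. Dropping `GIT_SSL_CAINFO` and `NODE_EXTRA_CA_CERTS` in the third hunk looks fine as long as `git.oceanbox.io` serves a publicly trusted chain. The enclosing `let` bindings start and end outside the hunks shown.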


@@ -212,21 +212,21 @@
''; '';
}; };
security.pki.certificates = [ # security.pki.certificates = [
'' # ''
-----BEGIN CERTIFICATE----- # -----BEGIN CERTIFICATE-----
MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET # MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4 # MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB # MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k # BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l # D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O # BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E # BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT # JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
m9H0cfSnZwsuwl6yETI= # m9H0cfSnZwsuwl6yETI=
-----END CERTIFICATE----- # -----END CERTIFICATE-----
'' # ''
]; # ];
imports = [ imports = [
./users.nix ./users.nix
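Review bot: The cluster CA in `security.pki.certificates` is commented out line by line rather than deleted, which leaves a dead PEM block in the host configuration. Taking it out of the host trust store is consistent with the move to the public ingress, so I would delete the block and rely on git history, or keep a single line such as `# k8s ca-issuer root removed: runner uses the public ingress now` if it is expected to return. It is worth confirming that nothing else on this host still connects to internal endpoints signed by that CA, since those connections would start failing verification. The surrounding attribute set starts and ends outside the hunk.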