hack: Use host dns and ca-cert for gitea runner

2026-01-24 21:04:39 +01:00
parent f19d7c2881
commit 6e57520557
2 changed files with 33 additions and 2 deletions
--- a/modules/gitea-runner.nix
+++ b/modules/gitea-runner.nix
@@ -32,6 +32,13 @@ let
    # Add SSL CA certs
    mkdir -p $out/etc/ssl/certs
    cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
+
+    # HACK: Add our k8s ca-issuer certs to container
+    chmod +w $out/etc/ssl/certs/ca-bundle.crt
+    cat << 'EOF' >> $out/etc/ssl/certs/ca-bundle.crt
+    ${lib.concatStringsSep "\n" config.security.pki.certificates}
+    EOF
+    ln -s ca-bundle.crt $out/etc/ssl/certs/ca-certificates.crt
  '';

  configuration = {
@@ -42,7 +49,7 @@ let
        after = [ "podman.service" ];
        requires = [ "podman.service" ];
        path = [
-          pkgs.podman
+          config.virtualisation.podman.package
          pkgs.gnutar
          pkgs.shadow
          pkgs.getent
@@ -103,7 +110,7 @@ let
        # thus breaking a deployment.
        # You'll have to restart the runner manually
        # or reboot the system after a deployment!
-        restartIfChanged = false;
+        # restartIfChanged = false;
        serviceConfig = {
          # LoadCredential = "TOKEN_FILE:/run/gitea/gitea-runner-token";
          # EnvironmentFile = [ "$CREDENTIALS_DIRECTORY/TOKEN_FILE" ];
@@ -207,6 +214,8 @@ let
            "-e PATH=/bin"
            "-e NIX_PATH=nixpkgs=${builtins.toString pkgs.path}"
            "-e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+            "-e GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
+            "-e NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-bundle.crt"
            "-v /nix:/nix"
            "-v ${storeDeps}/bin:/bin"
            "-v ${storeDeps}/etc/ssl:/etc/ssl"
--- a/tos/hashmap/default.nix
+++ b/tos/hashmap/default.nix
@@ -10,6 +10,10 @@
    search = [ "obx" ];
    firewall.allowedTCPPorts = [ ];
    firewall.extraCommands = '''';
+    firewall.interfaces."podman+" = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+    };
    resolvconf = {
      enable = false;
    };
@@ -131,6 +135,7 @@
    # Enable Docker compatibility socket
    podman.dockerCompat = true;
    podman.dockerSocket.enable = true;
+    podman.defaultNetwork.settings.dns_enabled = true;
    oci-containers.backend = "podman";
    containers.storage.settings = {
      storage.graphroot = "/var/lib/containers/storage";
@@ -139,6 +144,7 @@
    containers.containersConf.settings = {
      # podman seems to not work with systemd-resolved
      containers.dns_servers = [
+        "100.100.100.100"
        "8.8.8.8"
        "8.8.4.4"
      ];
@@ -206,6 +212,22 @@
    '';
  };

+  security.pki.certificates = [
+    ''
+      -----BEGIN CERTIFICATE-----
+      MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
+      MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
+      MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
+      BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
+      D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
+      BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+      BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
+      JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
+      m9H0cfSnZwsuwl6yETI=
+      -----END CERTIFICATE-----
+    ''
+  ];
+
  imports = [
    ./users.nix
    ./hardware-configuration.nix