Setting up Forgejo Actions with a Podman image built locally by Nix

I’m attempting to set up the Forgejo Actions runner to load a Podman image I’ve built locally with Nix, but I’m running into issues.

This is what I have so far:

{
  config,
  lib,
  pkgs,
  ...
}:

let
  inherit (lib) mkForce getExe;

  # Nix-built job image. streamLayeredImage evaluates to a script that writes
  # the image as a tar stream to stdout, meant to be piped into `podman load`.
  actionsImage = pkgs.dockerTools.streamLayeredImage {
    name = "actions-image";
    tag = "latest";
    contents = with pkgs; [
      bash
      git
      nix
      nodejs
    ];
    config = {
      Cmd = [ "bash" ];
    };
  };
in
{
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = config.networking.hostName;
      url = "https://codeberg.org";
      tokenFile = config.sops.templates.forgejo-actions-codeberg-token.path;
      # Label format is "<label>:docker://<image>". After `podman load` the
      # image is addressable as localhost/<name>:<tag>.
      labels = [ "haddock:docker://localhost/${actionsImage.imageName}:latest" ];
      settings = {
        cache.enabled = true;
        network = "host";
        # Note: a read-write /nix mount lets jobs modify the host store
        # directly. With NIX_REMOTE=daemon and the daemon socket mounted, the
        # daemon does the writing, so the store can be mounted read-only.
        # options = "-e NIX_REMOTE=daemon -v /nix/:/nix/ -v /nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
        # valid_volumes = [ "/nix/" ];
      };
    };
  };

  systemd.services.gitea-runner-default = {
    # preStart runs as the unit's User (forgejo_actions, set below), so this
    # `podman load` populates that user's rootless storage, not the storage
    # behind the root socket /run/podman/podman.sock.
    preStart = "${actionsImage} | ${getExe config.virtualisation.podman.package} load";
    serviceConfig = {
      # The module defaults to DynamicUser; pin a fixed user so the sops
      # secret and template can be owned by it.
      DynamicUser = mkForce false;
      User = mkForce "forgejo_actions";
    };
  };

  virtualisation.podman.enable = true;

  users = {
    users.forgejo_actions = {
      isSystemUser = true;
      group = "forgejo_actions";
      # The runner needs permission to access the Podman socket
      extraGroups = [ "podman" ];
    };
    groups.forgejo_actions = { };
  };

  sops = {
    templates.forgejo-actions-codeberg-token = {
      # Rendered as an EnvironmentFile; the module reads TOKEN from it.
      content = ''
        TOKEN=${config.sops.placeholder."haddock/forgejo_actions/tokens/codeberg"}
      '';
      owner = "forgejo_actions";
    };
    secrets."haddock/forgejo_actions/tokens/codeberg".owner = "forgejo_actions";
  };
}

I was basing it off of this: nur-combined/repos/eownerdead/hosts/nixos/actions.nix at 0caa434c479a92f0e8e0a86b728358c731c0ec0b · nix-community/nur-combined · GitHub

I’m getting this error when trying to run any actions though, which leads me to believe it isn’t able to find the image after loading it into Podman:

docker pull image=localhost/actions-image:latest platform= username= forcePull=false
Error response from daemon: {"message":"tls: internal error"}
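A check and a workaround for the image-store mismatch, as an added example (mine, not the original poster’s configuration and not the NixOS module’s code). It rests on an assumption I have not seen confirmed in the thread: the NixOS gitea-actions-runner module, with Podman enabled, points the runner at the root socket (DOCKER_HOST=unix:///run/podman/podman.sock), whose image store is root’s, while a preStart under User=forgejo_actions runs `podman load` into that user’s rootless store. If that holds, the runner asks for an image that was loaded somewhere it never looks. The `+` prefix on ExecStartPre is systemd’s way of running one step with full privileges while the rest of the unit keeps its User=; `load-actions-image` and `imageRef` are names I chose, and the image definition is copied from the post above.

```nix
{ config, lib, pkgs, ... }:

let
  inherit (lib) getExe;
  podman = getExe config.virtualisation.podman.package;

  # Same image as in the post above.
  actionsImage = pkgs.dockerTools.streamLayeredImage {
    name = "actions-image";
    tag = "latest";
    contents = with pkgs; [ bash git nix nodejs ];
    config.Cmd = [ "bash" ];
  };

  # The name the runner will ask the socket for ("latest" as in the label).
  imageRef = "localhost/${actionsImage.imageName}:latest";

  # Illustrative script name. Runs as root (see the "+" below), so `podman`
  # here operates on the store behind /run/podman/podman.sock.
  loadImage = pkgs.writeShellScript "load-actions-image" ''
    set -euo pipefail

    # Skip the load when the image is already present in this store.
    if ${podman} image exists ${imageRef}; then
      exit 0
    fi

    ${actionsImage} | ${podman} load

    # Fail the unit loudly if the reference the runner uses is still missing,
    # rather than letting the runner fall back to a registry pull.
    ${podman} image exists ${imageRef}
  '';
in
{
  systemd.services.gitea-runner-default.serviceConfig.ExecStartPre = [
    # Leading "+": systemd runs this one step with full privileges regardless
    # of User=, so the rest of the service still runs as forgejo_actions.
    "+${loadImage}"
  ];
}
```

To confirm the diagnosis before changing anything, run `podman image exists localhost/actions-image:latest` twice: once as root (that is the store behind the socket) and once as `forgejo_actions`. With the original preStart only the second should exit 0. The `+` step replaces the `preStart` line from the post; keep the `User`/`DynamicUser` overrides as they were.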

This is what I am using: clan-infra/actions-runner.nix at main - clan-infra - gitea: Gitea Service

Thank you. This looks quite complex though. Do you mind explaining some of it? I don’t even see where you’re building the image.

The image gets built here: clan-infra/actions-runner.nix at d4082bf5beb361e7aa107a32e86021b7acb1e20e - clan-infra - gitea: Gitea Service

All of the Nix store dependencies get bind mounted: clan-infra/actions-runner.nix at d4082bf5beb361e7aa107a32e86021b7acb1e20e - clan-infra - gitea: Gitea Service

I see you importing the image, but not where it’s actually built.

All of the Nix store dependencies get bind mounted: clan-infra/actions-runner.nix at d4082bf5beb361e7aa107a32e86021b7acb1e20e - clan-infra - gitea: Gitea Service

Oh interesting. Why do you bind mount them instead of just building the container with the dependencies?

I would love it if I could just build all containers by bind mounting Nix store paths. It would be much faster than the overlay infrastructure that Docker imposes, with all the wasted disk storage and filesystem overhead that comes from overlay layer filesystem lookups.
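What the bind-mount approach asked about above looks like in practice, as an added example of my own (not clan-infra’s code and not from the thread): compute the closure of the tools a job needs with `pkgs.closureInfo` and hand the runner one read-only `-v` per store path, so the container image itself stays minimal. Assumptions: the `-v`/`-e` forms in `options` follow the commented-out line in the first post, and I have not verified every flag act_runner accepts; reading `store-paths` at evaluation time is import-from-derivation; the names `actions-tools` and `actions-base` and the label `haddock` are illustrative.

```nix
{ config, lib, pkgs, ... }:

let
  # Everything a job should find on PATH, as one environment whose closure is
  # what gets mounted. Name is illustrative.
  tools = pkgs.buildEnv {
    name = "actions-tools";
    paths = with pkgs; [ bash coreutils git nodejs ];
  };

  # closureInfo lists every store path the environment depends on, one per
  # line, in $out/store-paths.
  closure = pkgs.closureInfo { rootPaths = [ tools ]; };

  # Reading that file while evaluating is import-from-derivation: the closure
  # is built during evaluation. Fine for one host, but `nixos-rebuild` waits
  # for that build before it can finish evaluating.
  storePaths = lib.filter (p: p != "")
    (lib.splitString "\n" (builtins.readFile "${closure}/store-paths"));

  # One read-only bind mount per path. Jobs see exactly this closure and
  # nothing else from the host's /nix/store, and cannot write to any of it.
  mountFlags = lib.concatMapStringsSep " " (p: "-v ${p}:${p}:ro") storePaths;

  # The image only needs a shell for the runner to exec into; the tools
  # arrive through the mounts, not through image layers.
  baseImage = pkgs.dockerTools.streamLayeredImage {
    name = "actions-base";
    tag = "latest";
    contents = [ pkgs.bash ];
    config.Cmd = [ "bash" ];
  };
in
{
  services.gitea-actions-runner.instances.default = {
    labels = [ "haddock:docker://localhost/${baseImage.imageName}:latest" ];
    settings = {
      # Mount flags plus a PATH that points at the mounted environment, so
      # `git`, `node` etc. resolve without being part of the image.
      options = lib.concatStringsSep " " [
        mountFlags
        "-e PATH=${tools}/bin"
      ];
      # valid_volumes is deliberately not set: as I understand act_runner's
      # default, workflow files then cannot request further host paths.
    };
  };
}
```

The closure is what makes this safe to expose: only paths the tools actually depend on are visible, read-only, rather than every store path on the host. One caveat if jobs must run `nix` themselves: with `NIX_REMOTE=daemon` the host daemon writes build outputs into the host’s /nix/store, and the client inside the container can only use them if /nix/store as a whole is visible, so that case needs a read-only mount of /nix/store plus the daemon socket, not just the tool closure.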

Why not just run bare metal then?