From 351ca1d128358b02619c76889a5639fc712e71f8 Mon Sep 17 00:00:00 2001 From: NexVeridian Date: Wed, 27 Aug 2025 19:32:29 -0700 Subject: [PATCH] feat: forgejo --- .forgejo/workflows/docker.yml | 5 +- .github/workflows/docker.yml | 9 +- content/blog/attic-compose.md | 265 +++++++++++++++-- .../blog/forgejo-github-to-forgejo-actions.md | 268 ++++++++++++++++++ .../blog/forgejo-pushing-container-images.md | 145 ++++++++++ content/blog/forgejo-setup.md | 163 +++++++++++ 6 files changed, 824 insertions(+), 31 deletions(-) create mode 100644 content/blog/forgejo-github-to-forgejo-actions.md create mode 100644 content/blog/forgejo-pushing-container-images.md create mode 100644 content/blog/forgejo-setup.md diff --git a/.forgejo/workflows/docker.yml b/.forgejo/workflows/docker.yml index d6ee7cd..c84cbcf 100644 --- a/.forgejo/workflows/docker.yml +++ b/.forgejo/workflows/docker.yml @@ -19,8 +19,9 @@ jobs: id-token: write steps: - - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure nexveridian-web -- --priority 30 || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true - name: Install Node.js @@ -31,7 +32,7 @@ jobs: ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm echo "$HOME/.local/bin" >> $GITHUB_PATH - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Install skopeo run: | diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml index 6e7c76d..3e7c894 100644 --- a/.github/workflows/docker.yml +++ b/.github/workflows/docker.yml 
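Review bot: The added `attic-client login` step in `.forgejo/workflows/docker.yml` interpolates `${{ secrets.ATTIC_TOKEN }}` straight into the shell command, so the token is visible in the runner's process list and in any trace or error output that echoes argv, and the trailing `|| true` means a missing or rejected token silently downgrades the build to an unauthenticated cache rather than failing. Pass it through the step environment instead, e.g. `env: { ATTIC_TOKEN: "${{ secrets.ATTIC_TOKEN }}" }` with `attic-client login nex https://nix.example.com "$ATTIC_TOKEN"`, and consider dropping `|| true` on the login step alone so a broken secret is noticed. The `-I nixpkgs=channel:nixos-unstable` reference on every line is unpinned, so the attic client binary can change between runs; pinning a nixpkgs revision would make the job reproducible. The same pattern is mirrored in the commented-out GitHub workflow lines in this commit.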
@@ -39,9 +39,10 @@ jobs: # Install Nix - name: Install Nix uses: DeterminateSystems/nix-installer-action@main - # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.nexveridian.com ${{ secrets.ATTIC_TOKEN }} || true - # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create NexVeridian-web || true - # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use NexVeridian-web || true + # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create nexveridian-web || true + # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure nexveridian-web -- --priority 30 || true + # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use nexveridian-web || true # Set up BuildKit Docker container builder to be able to build # multi-platform images and export cache @@ -90,5 +91,5 @@ jobs: # - run: | # for i in {1..10}; do - # nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push NexVeridian-web /nix/store/*/ && break || [ $i -eq 5 ] || sleep 5 + # nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nexveridian-web /nix/store/*/ && break || [ $i -eq 5 ] || sleep 5 # done diff --git a/content/blog/attic-compose.md b/content/blog/attic-compose.md index db8feee..dc80bb8 100644 --- a/content/blog/attic-compose.md +++ b/content/blog/attic-compose.md @@ -4,7 +4,7 @@ date = 2025-05-06 # description = "Deploying Attic Nix Binary Cache With Docker Compose." [taxonomies] -tags = ["nix", "docker", "CI", "cache", "github-actions"] +tags = ["nix", "docker", "CI", "actions", "cache", "github-actions"] +++ ## Server Install 
@@ -22,34 +22,38 @@ services: - 8080:8080 networks: attic: - db: + pgattic: volumes: - ./server.toml:/attic/server.toml - attic-data:/attic/storage env_file: - prod.env depends_on: - db: - condition: service_healthy + pgattic: + condition: service_healthy healthcheck: - test: - [ - "CMD-SHELL", - "wget --no-verbose --tries=1 --spider http://attic:8080 || exit 1", - ] - interval: 30s - timeout: 10s - retries: 5 - start_period: 60s + test: + [ + "CMD-SHELL", + "wget --no-verbose --tries=1 --spider http://attic:8080 || exit 1", + ] + interval: 15s + timeout: 10s + retries: 10 + start_period: 15s + deploy: + resources: + reservations: + cpus: 1.0 - db: - container_name: db - image: postgres:17.2-alpine + pgattic: + container_name: pgattic + image: postgres:17.6-alpine restart: unless-stopped ports: - 5432:5432 networks: - db: + pgattic: volumes: - postgres-data:/var/lib/postgresql/data env_file: @@ -66,7 +70,7 @@ volumes: networks: attic: - db: + pgattic: ``` ### Example `server.toml` @@ -74,7 +78,7 @@ networks: listen = "[::]:8080" [database] -url = "postgres://attic:attic@db:5432/attic_prod" +url = "postgres://attic:attic@pgattic:5432/attic_prod" [storage] type = "local" @@ -117,8 +121,12 @@ attic: - "traefik.http.routers.attic.rule=Host(`nix.example.com`)" - "traefik.http.routers.attic.entrypoints=websecure" - "traefik.http.routers.attic.tls.certresolver=myhttpchallenge" + + - "traefik.http.routers.attic-http.rule=Host(`nix.example.com`)" + - "traefik.http.routers.attic-http.entrypoints=web" + - "traefik.http.routers.attic-http.service=attic" + - "traefik.http.services.attic.loadbalancer.server.port=8080" - - "traefik.http.routers.attic-http.middlewares=redirect-to-https" - "traefik.docker.network=" ``` 
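Review bot: The renamed `pgattic` service keeps `ports: - 5432:5432`, which publishes Postgres on every host interface, while the new `server.toml` line `url = "postgres://attic:attic@pgattic:5432/attic_prod"` hard-codes a guessable username/password pair; together these leave the cache's metadata store reachable from outside the compose network with default credentials. Since attic reaches the database over the `pgattic` network, the host mapping can be dropped or bound to loopback (`- "127.0.0.1:5432:5432"`), and the password should come from `prod.env` rather than the example TOML. Quoting the port mapping also avoids the YAML 1.1 sexagesimal surprise for low port numbers.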
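Review bot: In the traefik labels hunk the `attic-http` router on the `web` entrypoint now points straight at `service=attic`, where the removed line attached the `redirect-to-https` middleware, so the cache API, including the bearer token that `attic-client login` sends, is now served over plaintext HTTP as well as HTTPS. Unless plain HTTP is deliberately wanted for a LAN-only client, keep the redirect, e.g. `- "traefik.http.routers.attic-http.middlewares=attic-redirect"`, `- "traefik.http.middlewares.attic-redirect.redirectscheme.scheme=https"`, `- "traefik.http.middlewares.attic-redirect.redirectscheme.permanent=true"`, which is the same pattern the forgejo-setup post in this commit uses for `forgejo-http`. If the previous `redirect-to-https` middleware still exists elsewhere in the compose file, reattaching it is the one-line fix.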
@@ -165,6 +173,22 @@ attic push /nix/store/*/ ## Github Actions Install Add the token named from `just create_token`, named ATTIC_TOKEN, to your repository secrets `https://github.com///settings/secrets/actions` ```yaml +name: nix + +on: + pull_request: + branches: [main] + push: + schedule: + - cron: 0 0 * * 1 + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref && github.ref || github.run_id }} + cancel-in-progress: true + +env: + CARGO_TERM_COLOR: always + steps: - uses: actions/checkout@v3 - uses: nixbuild/nix-quick-install-action@v32 @@ -183,6 +207,7 @@ steps: - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true # For cacheing the attic package in github actions storage 
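Review bot: The added workflow header uses `actions/checkout@v3` while every other workflow in this commit has moved to `actions/checkout@v5`, and all of them reference a mutable tag; for a job that holds `ATTIC_TOKEN` it is worth pinning the action to a commit SHA (`actions/checkout@<sha> # v5`) so a retagged release cannot run with the cache credential. The `push:` trigger also has no `branches` filter, unlike the `crane` example later in the same file, so every branch push authenticates to the cache; if that is intentional a one-line comment saying so would help readers copying the snippet.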
@@ -200,13 +225,203 @@ steps: purge-primary-key: never # `nix-fast-build` is faster then `nix flake check` in my testing - # - run: nix flake check --all-systems + # - name: check + # run: | + # nix flake check --all-systems + # `--attic-cache` will fail if the cache is down # - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --attic-cache --no-nom --skip-cached - - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --no-nom --skip-cached + - name: check + run: | + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --no-nom --skip-cached - - run: | - for i in {1..10}; do - nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push /nix/store/*/ && break || [ $i -eq 5 ] || sleep 5 + # Paths will be invalid if tests fail, need to push all other paths + - name: Push to attic + if: always() + run: | + valid_paths="" + for path in /nix/store/*/; do + if nix path-info "$path" >/dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi +``` + +## Github Action Install, with matrix for each derivation +```yaml +name: crane + +on: + pull_request: + branches: [main] + push: + branches: [main] + schedule: + - cron: 0 0 * * 1 + +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref && github.ref || github.run_id }} + cancel-in-progress: true + +env: + CARGO_TERM_COLOR: always + +jobs: + check-dependencies: + name: check-dependencies + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + actions: write + + strategy: + matrix: + system: [x86_64-linux] + check-type: [my-server, my-crate-fmt, my-crate-toml-fmt] + + steps: + - uses: actions/checkout@v5 + - uses: nixbuild/nix-quick-install-action@v32 + with: + nix_conf: | + keep-env-derivations = true + keep-outputs = true + + - run: 
nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + - run: nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build + + - name: check + run: | + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem).${{ matrix.check-type }}" --no-nom --skip-cached + + - name: Push to attic + if: always() + run: | + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push /nix/store/*/ && break || [ $i -eq 5 ] || sleep 5 + done + + check-matrix: + name: check-matrix + needs: check-dependencies + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write + actions: write + + strategy: + fail-fast: false + matrix: + system: [x86_64-linux] + check-type: [my-crate-clippy, my-crate-nextest] + + steps: + - uses: actions/checkout@v5 + - uses: nixbuild/nix-quick-install-action@v32 + with: + nix_conf: | + keep-env-derivations = true + keep-outputs = true + + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + - name: check + run: | + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem).${{ matrix.check-type }}" 
--no-nom --skip-cached + + - name: Push to attic + if: always() + run: | + valid_paths="" + for path in /nix/store/*/; do + if nix path-info "$path" >/dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi +``` + +## Forgejo Actions Install +See [Available runner images](../forgejo-github-to-forgejo-actions) for the `runs-on` image +```yaml +name: nix + +on: + pull_request: + branches: [main] + push: + schedule: + - cron: 0 0 * * 1 + +env: + CARGO_TERM_COLOR: always + NIX_CONFIG: "experimental-features = nix-command flakes" + +jobs: + check-dependencies: + name: check-dependencies + runs-on: nix + permissions: + contents: read + id-token: write + actions: write + + steps: + # Add secrets.ATTIC_TOKEN here https://forgejo.example.com/user/settings/actions/secrets + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + - name: Install Node.js + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs + ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node + ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - uses: actions/checkout@v5 + + - run: nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build + + - name: check + run: | + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --no-nom --skip-cached + + - name: Push to attic + if: always() + run: | + valid_paths="" + for path 
in /nix/store/*/; do + if nix path-info "$path" >/dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi ``` diff --git a/content/blog/forgejo-github-to-forgejo-actions.md b/content/blog/forgejo-github-to-forgejo-actions.md new file mode 100644 index 0000000..5ab68bd --- /dev/null +++ b/content/blog/forgejo-github-to-forgejo-actions.md 
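Review bot: Both matrix jobs in the new `crane` example request `id-token: write` and `actions: write`, but no step in the hunk uses an OIDC token or the Actions API, so these can be reduced to `permissions: contents: read` for a job that only builds and talks to the attic cache with a repository secret. Separately, the `check-dependencies` job's `Push to attic` step runs with `if: always()` and pushes `/nix/store/*/` unfiltered, whereas the `check-matrix` job and the `nix` example filter with `nix path-info` first because, as the comment in the `nix` example says, paths are invalid when tests fail; the first job should use the same filtered loop. The unpinned `channel:nixos-unstable` reference in every `nix run` line applies here as in the other workflows.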
@@ -0,0 +1,268 @@ ++++ +title = "Swapping from GitHub to Forgejo actions, with `Nix` based actions" +date = 2025-08-27 + +[taxonomies] +tags = ["forgejo", "nix", "CI", "actions", "docker"] ++++ + +## Forgejo Actions +Most actions are the mostly the same, but some things, like conncrurrency groups don't work. + +```yaml +name: nix + +on: + pull_request: + branches: [main] + push: + schedule: + - cron: 0 0 * * 1 + +env: + CARGO_TERM_COLOR: always + NIX_CONFIG: "experimental-features = nix-command flakes" + +jobs: + check-dependencies: + name: check-dependencies + # Change to a valid Forgejo runner image + # runs-on: ubuntu-latest + runs-on: nix + permissions: + contents: read + id-token: write + actions: write + + steps: + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + # Install and configure Node.js, since it's not setup in the default nix + - name: Install Node.js + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs + ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node + ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - uses: actions/checkout@v5 + + - run: nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build + + - name: check + run: | + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#nix-fast-build -- --no-nom --skip-cached + + - name: Push to attic + if: always() + run: | + valid_paths="" + for path in /nix/store/*/; do + if nix path-info "$path" >/dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; 
do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push nextrack $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi +``` + +## Forgejo Actions +```json +# .runner +{ + "WARNING": "This file is automatically generated by act-runner. Do not edit it manually unless you know what you are doing. Removing this file will cause act runner to re-register as a new runner.", + "id": 1, + "uuid": "****", + "name": "", + "token": "****", + "address": "https://git.example.com", + "labels": [ + "bookworm:docker://node:24-bookworm", + "nix-base:docker://docker.nix-community.org/nixpkgs/nix-unstable:latest", + "nix:docker://git.nexveridian.com/nexveridian/action-attic:latest" + ] +} +``` + +### Available runner images +- bookworm: closest to GitHub actions +- nix-base: for bootstrapping +- nix: custom image with packages pre installed + +## Creating custom runner images +`git clone ssh://git@git.nexveridian.com:222/NexVeridian/docker-nixpkgs.git` + +### Create a copy of `images/action-attic` +```nix +{ + docker-nixpkgs, + pkgs, + attic-client, + nodejs_24, + nix-fast-build, + # add more packages here +}: +(docker-nixpkgs.nix.override { + nix = pkgs.nixVersions.latest; + + extraContents = [ + attic-client + nodejs_24 + nix-fast-build + # and the corresponding packages here + ]; +}).overrideAttrs + (prev: { + meta = (prev.meta or { }) // { + description = "Forgejo action image, with Nix and Attic client"; + }; + }) +``` + +### Edit folder name in `.forgejo/workflows/nix.yaml` +```yaml +- name: Build Nix package + run: nix-build -A action-attic +``` + + +## Pushing docker container images +With GitHub actions most people use `docker push` to push their images to a registry. + +With Forgejo actions, that probably won't work. because of docker-in-docker. Instead, you can use the `skopeo` to push your images to a registry. 
+ +To Setup `CONTAINER_TOKEN`: +- create a token https://git.example.com/user/settings/applications +- then add the token to your secrets https://forgejo.example.com/user/settings/actions/secrets + +```yaml +name: docker + +on: + push: + branches: [main] + +env: + REGISTRY: git.nexveridian.com + IMAGE_NAME: ${{ github.repository }} + NIX_CONFIG: "experimental-features = nix-command flakes" + CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }} + +jobs: + build: + runs-on: nix + permissions: + contents: read + packages: write + id-token: write + + steps: + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + - name: Install Node.js + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs + ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node + ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - uses: actions/checkout@v4 + + - name: Install skopeo + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo + ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Build Nix package + run: nix build .#my-docker + + - name: Prepare repository variables + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV} + echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV} + # Extract just the repository name (everything after the last slash) + REPO_NAME=${GITHUB_REPOSITORY##*/} + echo "IMAGE_NAME=${REPO_NAME,,}" >> ${GITHUB_ENV} + + - name: Setup skopeo policy and push image + run: | + # 
configure container policy to accept insecure registry + mkdir -p ~/.config/containers + cat > ~/.config/containers/policy.json < ~/.docker/config.json </dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi +``` diff --git a/content/blog/forgejo-pushing-container-images.md b/content/blog/forgejo-pushing-container-images.md new file mode 100644 index 0000000..d303c27 --- /dev/null +++ b/content/blog/forgejo-pushing-container-images.md 
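Review bot: `CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }}` is set in the workflow-level `env`, which exposes the registry token to every step including the third-party `actions/checkout@v4`; it is only consumed in the skopeo push step, so move it into that step's `env:` block. In the same post the `Push to attic` step pushes to a cache named `nextrack` while every other example in this commit logs in as `nex` with no cache name, which looks like a copy-paste leftover and would fail quietly inside the retry loop on other repositories. The two heredocs for `policy.json` and `~/.docker/config.json` appear truncated in this rendering, so their contents could not be reviewed.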
@@ -0,0 +1,145 @@ ++++ +title = "Swapping from GitHub to Forgejo actions, with `Nix` based actions" +date = 2025-08-27 + +[taxonomies] +tags = ["forgejo", "nix", "CI", "actions", "docker"] ++++ + +## Pushing container images +With GitHub actions most people use `docker push` to push their images to a registry. + +With Forgejo actions, that probably won't work. because of docker-in-docker. Instead, you can use the `skopeo` to push your images to a registry. + +To Setup `CONTAINER_TOKEN`: +- create a token https://git.example.com/user/settings/applications +- then add the token to your secrets https://forgejo.example.com/user/settings/actions/secrets + +### Note: +Forgejo create a [Automatic token](https://forgejo.org/docs/latest/user/actions/basic-concepts/#automatic-token) with each workflow run. + +But you can't use it to push images to a registry. + +```yaml +name: docker + +on: + push: + branches: [main] + +env: + REGISTRY: git.nexveridian.com + IMAGE_NAME: ${{ github.repository }} + NIX_CONFIG: "experimental-features = nix-command flakes" + CONTAINER_TOKEN: ${{ secrets.CONTAINER_REGISTRY_TOKEN }} + +jobs: + build: + runs-on: nix + permissions: + contents: read + packages: write + id-token: write + + steps: + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client login nex https://nix.example.com ${{ secrets.ATTIC_TOKEN }} || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache create || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client cache configure -- --priority 30 || true + - run: nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client use || true + + - name: Install Node.js + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#nodejs_24 -o ~/.local/nodejs + ln -sf ~/.local/nodejs/bin/node ~/.local/bin/node + ln -sf ~/.local/nodejs/bin/npm ~/.local/bin/npm + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - uses: actions/checkout@v4 + + - name: 
Install skopeo + run: | + mkdir -p ~/.local/bin + nix build -I nixpkgs=channel:nixos-unstable nixpkgs#skopeo -o ~/.local/skopeo + ln -sf ~/.local/skopeo/bin/skopeo ~/.local/bin/skopeo + echo "$HOME/.local/bin" >> $GITHUB_PATH + + - name: Build Nix package + run: nix build .#my-docker + + - name: Prepare repository variables + run: | + echo "REPO=${GITHUB_REPOSITORY,,}" >> ${GITHUB_ENV} + echo "OWNER=${GITHUB_REPOSITORY_OWNER,,}" >> ${GITHUB_ENV} + # Extract just the repository name (everything after the last slash) + REPO_NAME=${GITHUB_REPOSITORY##*/} + echo "IMAGE_NAME=${REPO_NAME,,}" >> ${GITHUB_ENV} + + - name: Setup skopeo policy and push image + run: | + # configure container policy to accept insecure registry + mkdir -p ~/.config/containers + cat > ~/.config/containers/policy.json < ~/.docker/config.json </dev/null 2>&1; then + valid_paths="$valid_paths $path" + fi + done + + if [ -n "$valid_paths" ]; then + for i in {1..10}; do + nix run -I nixpkgs=channel:nixos-unstable nixpkgs#attic-client push $valid_paths && break || [ $i -eq 5 ] || sleep 5 + done + fi +``` diff --git a/content/blog/forgejo-setup.md b/content/blog/forgejo-setup.md new file mode 100644 index 0000000..bc5192e --- /dev/null +++ b/content/blog/forgejo-setup.md 
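Review bot: The comment `configure container policy to accept insecure registry` above the `policy.json` heredoc needs a caveat in the post: a catch-all policy such as `insecureAcceptAnything` switches off skopeo's signature policy for the source as well as the destination, and here the source is a locally built nix image, so the policy exists only because skopeo refuses to run without one — say that explicitly, and keep the registry itself on HTTPS (the traefik config in the setup post already terminates TLS for `git.example.com`). The heredoc bodies for `policy.json` and `~/.docker/config.json` appear cut off in this rendering, so the actual policy and auth file could not be checked; if the auth file embeds `CONTAINER_TOKEN`, note that it is written in plaintext to the job's home directory. The token setup steps could also name the minimal scope the token needs (package write only), so readers do not create a full-access token.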
@@ -0,0 +1,163 @@ ++++ +title = "Setting Forgejo and Forgejo actions with `Docker Compose`, with `Nix` based actions" +date = 2025-08-26 + +[taxonomies] +tags = ["forgejo", "nix", "CI", "actions", "docker"] ++++ + +## Docker Compose Configuration +```yaml +traefik: + # ... + command: + # ... + - "--entrypoints.ssh.address=:222" + ports: + # ... + - "222:222" +forgejo: + container_name: forgejo + image: codeberg.org/forgejo/forgejo:11 + environment: + - USER_UID=1000 + - USER_GID=1000 + - FORGEJO__database__DB_TYPE=postgres + - FORGEJO__database__HOST=pgforgejo:5432 + - FORGEJO__database__NAME=forgejo + - FORGEJO__database__USER=forgejo + - FORGEJO__database__PASSWD=forgejo + restart: always + networks: + - forgejo + - + volumes: + - ./forgejo:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro + # ports: + # - "3000:3000" + # - "222:22" + depends_on: + - pgforgejo + labels: + - "traefik.enable=true" + - "traefik.http.routers.forgejo.rule=Host(`git.example.com`)" + - "traefik.http.routers.forgejo.entrypoints=websecure" + - "traefik.http.routers.forgejo.tls.certresolver=myhttpchallenge" + - "traefik.http.routers.forgejo.service=forgejo" + + - "traefik.http.routers.forgejo-http.rule=Host(`git.example.com`)" + - "traefik.http.routers.forgejo-http.entrypoints=web" + - "traefik.http.routers.forgejo-http.middlewares=forgejo-redirect" + - "traefik.http.middlewares.forgejo-redirect.redirectscheme.scheme=https" + - "traefik.http.middlewares.forgejo-redirect.redirectscheme.permanent=true" + + - "traefik.http.services.forgejo.loadbalancer.server.port=3000" + - "traefik.docker.network=" + - "traefik.tcp.routers.forgejo-ssh.entrypoints=ssh" + - "traefik.tcp.routers.forgejo-ssh.rule=HostSNI(`*`)" + - "traefik.tcp.routers.forgejo-ssh.service=forgejo-ssh" + - "traefik.tcp.services.forgejo-ssh.loadbalancer.server.port=22" + +pgforgejo: + container_name: pgforgejo + image: postgres:17.6-alpine + restart: always + environment: + - POSTGRES_USER=forgejo + - 
POSTGRES_PASSWORD=forgejo + - POSTGRES_DB=forgejo + networks: + - forgejo + volumes: + - ./pgforgejo:/var/lib/postgresql/data + +docker-in-docker: + container_name: docker-dind + image: docker:dind + privileged: "true" + command: ["dockerd", "-H", "tcp://0.0.0.0:2375", "--tls=false"] + restart: "unless-stopped" + networks: + - forgejo + +forgejo-action: + container_name: "forgejo-action" + image: "data.forgejo.org/forgejo/runner:9" + links: + - docker-in-docker + depends_on: + docker-in-docker: + condition: service_started + environment: + DOCKER_HOST: tcp://docker-in-docker:2375 + networks: + - forgejo + # User without root privileges, but with access to `./data`. + user: 1001:1001 + volumes: + - ./forgejo-data:/data + restart: "unless-stopped" + # command: '/bin/sh -c "while : ; do sleep 1 ; done ;"' + command: '/bin/sh -c "sleep 5; forgejo-runner daemon"' +``` + +## Forgejo Actions +```json +# .runner +{ + "WARNING": "This file is automatically generated by act-runner. Do not edit it manually unless you know what you are doing. 
Removing this file will cause act runner to re-register as a new runner.", + "id": 1, + "uuid": "****", + "name": "", + "token": "****", + "address": "https://git.example.com", + "labels": [ + "bookworm:docker://node:24-bookworm", + "nix-base:docker://docker.nix-community.org/nixpkgs/nix-unstable:latest", + "nix:docker://git.nexveridian.com/nexveridian/action-attic:latest" + ] +} +``` + +### Available runner images +- bookworm: closest to GitHub actions +- nix-base: for bootstrapping +- nix: custom image with packages pre installed, see [Creating custom runner images](../forgejo-github-to-forgejo-actions) + +## Creating custom runner images +`git clone ssh://git@git.nexveridian.com:222/NexVeridian/docker-nixpkgs.git` + +### Create a copy of `images/action-attic` +```nix +{ + docker-nixpkgs, + pkgs, + attic-client, + nodejs_24, + nix-fast-build, + # add more packages here +}: +(docker-nixpkgs.nix.override { + nix = pkgs.nixVersions.latest; + + extraContents = [ + attic-client + nodejs_24 + nix-fast-build + # and the corresponding packages here + ]; +}).overrideAttrs + (prev: { + meta = (prev.meta or { }) // { + description = "Forgejo action image, with Nix and Attic client"; + }; + }) +``` + +### Edit folder name in `.forgejo/workflows/nix.yaml` +```yaml +- name: Build Nix package + run: nix-build -A action-attic +```
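Review bot: The `docker-in-docker` service runs `privileged: "true"` with `dockerd -H tcp://0.0.0.0:2375 --tls=false` and sits on the shared `forgejo` network, so the `forgejo` and `pgforgejo` containers, and anything later attached to that network, can reach an unauthenticated Docker API that is equivalent to root on the host; only `forgejo-action` needs it. Put the runner and dind on a dedicated network so the daemon socket is not reachable from the web-facing services, and write `privileged: true` as a real boolean rather than the string `"true"`. The hard-coded `FORGEJO__database__PASSWD=forgejo` / `POSTGRES_PASSWORD=forgejo` pair should be moved to an `env_file` so readers do not copy a default credential. The runner labels also pull `:latest` for the job images, so the CI environment is not pinned; the `.runner` example correctly masks its registration token.
```yaml
docker-in-docker:
  # … unchanged: image, privileged, command, restart …
  networks:
    - dind  # only the runner may reach the unauthenticated daemon socket

forgejo-action:
  # … unchanged: image, links, depends_on, environment, user, volumes, command …
  networks:
    - forgejo
    - dind

# add alongside the existing top-level network definitions
networks:
  forgejo:
  dind:
```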