github-runner (stormwing)
This container is a GitHub Actions runner for CI/CD tasks related to Garuda Linux projects.
General
With this container, we provide a GitHub runner as well as, more recently, a GitLab runner. This container does not
have the regular Garuda configuration because it is considered untrusted.
Access happens by running `nixos-container root-login` on immortalis.
Restarting containers
This is done with the following command:

```sh
sudo systemctl restart docker-compose-gitlab-runner-root
```
Watchtower additionally keeps the containers up to date.
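A preflight check on the env file that the compose-runner module hands to the GitHub runner (the envfile set in the Nix expression), run before restarting its unit. This is an added example, not the Garuda infra repository's own tooling; it assumes GNU coreutils stat, a KEY=VALUE env file, and a unit named docker-compose-github-runner-root by analogy with the GitLab unit shown above.

```shell
#!/bin/sh
# Added example, not part of the Garuda infra repository. Assumes GNU `stat`,
# a KEY=VALUE env file as docker compose reads it, and (by analogy with the
# GitLab unit) a unit named docker-compose-github-runner-root.
set -u

ENVFILE="${ENVFILE:-/var/.github-runner.env}"
UNIT="${UNIT:-docker-compose-github-runner-root}"

# Return 0 only if the env file is owned by $2, is mode 0600 and defines a
# non-empty ACCESS_TOKEN that is not the literal "?err" a ${VAR:-?err}
# expansion would have substituted for a missing value.
check_envfile() {
    f="$1"
    want_owner="$2"
    if [ ! -f "$f" ]; then
        echo "env file missing: $f" >&2
        return 1
    fi
    mode=$(stat -c '%a' "$f")
    owner=$(stat -c '%U' "$f")
    if [ "$mode" != "600" ]; then
        echo "env file $f has mode $mode, want 600 (it holds the org runner token)" >&2
        return 1
    fi
    if [ "$owner" != "$want_owner" ]; then
        echo "env file $f is owned by $owner, want $want_owner" >&2
        return 1
    fi
    token=$(sed -n 's/^ACCESS_TOKEN=//p' "$f" | head -n 1)
    case "$token" in
        ""|"?err")
            echo "ACCESS_TOKEN is unset or still the ?err placeholder" >&2
            return 1 ;;
    esac
    return 0
}

# Refuse to restart the unit unless the env file passes the check, so a bad
# token fails here rather than in a crash loop inside the container.
restart_runner() {
    check_envfile "$ENVFILE" root || return 1
    sudo systemctl restart "$UNIT"
}

# Only act when invoked as `sh preflight.sh restart`; running it without
# arguments just defines the functions.
if [ "${1-}" = "restart" ]; then
    restart_runner
fi
```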
Nix expression
```nix
{
  keys,
  ...
}:
{
  # No default modules, untrusted container!
  # imports = sources.defaultModules ++ [
  #   ./garuda/garuda.nix
  # ];
  imports = [
    ../../modules/hardening.nix
    ../../modules/motd.nix
    ../../services/compose-runner/compose-runner.nix
  ];

  # Common Docker configurations
  virtualisation.docker = {
    autoPrune.enable = true;
    autoPrune.flags = [ "-a" ];
  };

  # This container is just for compose stuff
  garuda.services.compose-runner.github-runner = {
    envfile = "/var/.github-runner.env";
    source = ../../../compose/github-runner;
  };
  garuda.services.compose-runner.gitlab-runner = {
    source = ../../../compose/gitlab-runner;
  };

  # Enable SSH
  services.openssh.enable = true;

  # No custom users - only Pedro and root via nixos-container root-login
  users = {
    allowNoPasswordLogin = true;
    mutableUsers = false;
    users.pedrohlc = {
      home = "/home/pedrohlc";
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ keys.pedrohlc ];
    };
  };

  # Make Pedro god here
  nix.settings.trusted-users = [ "pedrohlc" ];
  security.sudo.extraRules = [
    {
      users = [ "pedrohlc" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # OOM prevention
  systemd.oomd = {
    enable = true; # This is actually the default, anyways...
    enableSystemSlice = true;
    enableUserSlices = true;
  };

  system.stateVersion = "25.05";
}
```
Docker containers (GitHub)
```yaml
services:
  github-runner:
    image: myoung34/github-runner:latest
    container_name: github-runner
    # Gives the container near-host privileges while it runs untrusted CI jobs,
    # which is why the whole runner lives in its own untrusted NixOS container.
    privileged: true
    environment:
      # ${VAR:?msg} makes compose abort when the variable is unset or empty,
      # unlike ${VAR:-default}, which would silently substitute the default.
      ACCESS_TOKEN: ${ACCESS_TOKEN:?err}
      EPHEMERAL: true
      LABELS: nyxbuilder
      ORG_NAME: chaotic-cx
      RUNNER_NAME: immortalis
      RUNNER_SCOPE: org
      RUNNER_WORKDIR: /var/cache/github-runner/work
    volumes: ['/var/cache/github-runner/work:/var/cache/github-runner/work']
    restart: 'no'
```
Docker containers (GitLab)
```yaml
services:
  github-runner:
    image: myoung34/github-runner:latest
    container_name: github-runner
    # Gives the container near-host privileges while it runs untrusted CI jobs,
    # which is why the whole runner lives in its own untrusted NixOS container.
    privileged: true
    environment:
      # ${VAR:?msg} makes compose abort when the variable is unset or empty,
      # unlike ${VAR:-default}, which would silently substitute the default.
      ACCESS_TOKEN: ${ACCESS_TOKEN:?err}
      EPHEMERAL: true
      LABELS: nyxbuilder
      ORG_NAME: chaotic-cx
      RUNNER_NAME: immortalis
      RUNNER_SCOPE: org
      RUNNER_WORKDIR: /var/cache/github-runner/work
    volumes: ['/var/cache/github-runner/work:/var/cache/github-runner/work']
    restart: 'no'
```