Alo/alo-cluster
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add CI/CD infrastructure for animaltrack

Browse Source 
New services:
- animaltrack.hcl: Python app with health checks and auto_revert
- act-runner.hcl: Gitea Actions runner on Nomad

New infrastructure:
- nix-runner/: Custom Nix Docker image for CI with modern Nix,
  local cache (c3), and bundled tools (skopeo, jq, etc.)

Modified:
- gitea.hcl: Enable Gitea Actions

The CI workflow (in animaltrack repo) builds Docker images with Nix,
pushes to Gitea registry, and triggers Nomad deployments with
automatic rollback on health check failure.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Petru
2026-01-05 07:17:31 +00:00
parent 3b8cd7b742
commit c548ead4f7
5 changed files with 286 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
nix-runner/flake.lock generated Normal file
View File

@@ -0,0 +1,61 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1767379071,
"narHash": "sha256-EgE0pxsrW9jp9YFMkHL9JMXxcqi/OoumPJYwf+Okucw=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fb7944c166a3b630f177938e478f0378e64ce108",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

58
nix-runner/flake.nix Normal file
View File

@@ -0,0 +1,58 @@
# ABOUTME: Flake to build a custom Nix Docker image for Gitea Actions.
# ABOUTME: Includes coreutils (/bin/sleep), modern Nix with flakes, and CI tools.
{
description = "Nix runner image for Gitea Actions";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
};
outputs = { self, nixpkgs, flake-utils }:
flake-utils.lib.eachDefaultSystem (system:
let
pkgs = import nixpkgs { inherit system; };
in {
packages.default = pkgs.dockerTools.buildImage {
name = "gitea.v.paler.net/ppetru/nix-runner";
tag = "v4";
copyToRoot = pkgs.buildEnv {
name = "image-root";
paths = with pkgs; [
# Core utilities (provides /bin/sleep that act_runner needs)
coreutils-full
bash
# Nix itself
nix
# For actions that need node
nodejs_20
# Common CI tools
git
curl
jq
skopeo
# CA certificates for HTTPS
cacert
];
pathsToLink = [ "/bin" "/etc" ];
};
# Create temp directories without runAsRoot (which needs KVM)
extraCommands = ''
mkdir -p -m 1777 tmp
mkdir -p -m 1777 var/tmp
'';
config = {
Env = [
"NIX_PAGER=cat"
"USER=root"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_CONFIG=experimental-features = nix-command flakes\nsandbox = false\nbuild-users-group =\nsubstituters = http://c3.mule-stork.ts.net:8501 https://cache.nixos.org\ntrusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= c3:sI3l1RN80xdehzXLA8u2P6352B0SyRPs2XiYy/YWYro="
];
};
};
});
}

75
services/act-runner.hcl Normal file
View File

@@ -0,0 +1,75 @@
# ABOUTME: Gitea Actions runner for CI/CD pipelines.
# ABOUTME: Runs containerized actions with Docker-in-Docker support.
# Setup required before running:
# sudo mkdir -p /data/services/act-runner
# nomad var put secrets/act-runner registration_token="<token-from-gitea-ui>"
job "act-runner" {
datacenters = ["alo"]
type = "service"
group "runner" {
network {
mode = "host"
}
task "runner" {
driver = "docker"
config {
image = "gitea/act_runner:latest"
network_mode = "host"
privileged = true
volumes = [
"/var/run/docker.sock:/var/run/docker.sock",
"/data/services/act-runner:/data",
"local/config.yaml:/.runner/config.yaml",
]
}
template {
destination = "local/config.yaml"
data = <<EOH
log:
level: info
runner:
file: /data/.runner
capacity: 2
timeout: 3h
labels:
- "ubuntu-latest:docker://node:20-bookworm"
- "nix:docker://nixos/nix:latest"
cache:
enabled: true
dir: /data/cache
container:
network: "host"
privileged: true
valid_volumes:
- /data/services/**
EOH
}
env {
GITEA_INSTANCE_URL = "https://gitea.v.paler.net"
GITEA_RUNNER_LABELS = "ubuntu-latest:docker://node:20-bookworm,nix:docker://gitea.v.paler.net/ppetru/nix-runner:v4"
}
# Template needed for nomadVar interpolation (secrets) and Nomad runtime vars
template {
destination = "secrets/env.env"
env = true
data = <<EOH
GITEA_RUNNER_REGISTRATION_TOKEN={{ with nomadVar "secrets/act-runner" }}{{ .registration_token }}{{ end }}
GITEA_RUNNER_NAME={{ env "NOMAD_ALLOC_ID" }}
EOH
}
resources {
cpu = 2000
memory = 2048
}
}
}
}

87
services/animaltrack.hcl Normal file
View File

@@ -0,0 +1,87 @@
# ABOUTME: Nomad job for AnimalTrack - poultry farm management app.
# ABOUTME: Runs FastHTML Python app with SQLite, behind Traefik with OIDC auth.
# Setup required before running:
# sudo mkdir -p /data/services/animaltrack && sudo chown 1000:1000 /data/services/animaltrack
# nomad var put secrets/animaltrack csrf_secret="$(nix shell nixpkgs#openssl -c openssl rand -base64 32)"
job "animaltrack" {
datacenters = ["alo"]
# Force re-pull of :latest images on each nomad run
meta {
uuid = uuidv4()
}
update {
max_parallel = 1
health_check = "checks"
min_healthy_time = "30s"
healthy_deadline = "5m"
progress_deadline = "10m"
auto_revert = true
}
group "web" {
network {
port "http" {
to = 3366
}
}
task "app" {
driver = "docker"
user = "1000"
config {
image = "gitea.v.paler.net/ppetru/animaltrack:latest"
ports = ["http"]
force_pull = true
volumes = ["/data/services/animaltrack:/var/lib/animaltrack"]
}
env {
DB_PATH = "/var/lib/animaltrack/animaltrack.db"
AUTH_HEADER_NAME = "X-Oidc-Username"
SEED_ON_START = "true"
TRUSTED_PROXY_IPS = "192.168.1.0/24"
}
# Template needed for nomadVar interpolation (secrets)
template {
destination = "secrets/env.env"
env = true
data = <<EOH
CSRF_SECRET={{ with nomadVar "secrets/animaltrack" }}{{ .csrf_secret }}{{ end }}
EOH
}
resources {
memory = 512
}
service {
name = "animaltrack"
port = "http"
tags = [
"traefik.enable=true",
"traefik.http.routers.animaltrack.entryPoints=websecure",
"traefik.http.routers.animaltrack.middlewares=oidc-auth@file",
]
check {
type = "http"
path = "/healthz"
interval = "10s"
timeout = "5s"
check_restart {
limit = 3
grace = "60s"
}
}
}
}
}
}

6
services/gitea.hcl
View File

@@ -19,7 +19,9 @@ job "gitea" {
driver = "docker" driver = "docker"
config { config {
image = "gitea/gitea:latest-rootless" # TODO: revert to latest once 1.25.1+ is released
#image = "gitea/gitea:latest-rootless"
image = "gitea/gitea:1.25-nightly-rootless"
ports = [ ports = [
"http", "http",
"ssh", "ssh",
@@ -42,6 +44,8 @@ job "gitea" {
GITEA__mailer__FROM = "gitea@paler.net" GITEA__mailer__FROM = "gitea@paler.net"
GITEA__mailer__PROTOCOL = "smtp" GITEA__mailer__PROTOCOL = "smtp"
GITEA__mailer__SMTP_ADDR = "192.168.1.1" GITEA__mailer__SMTP_ADDR = "192.168.1.1"
GITEA__actions__ENABLED = "true"
GITEA__actions__DEFAULT_ACTIONS_URL = "https://gitea.com"
} }
service { service {