Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail #209

Merged

eblume merged 7 commits from feature/k3s-ringtail-runner into main 2026-02-18 21:15:31 -08:00

Conversation 0 Commits 7 Files changed 16 +499 -17

eblume commented 2026-02-18 19:20:21 -08:00

Owner

Copy link

Summary

Extends ringtail from a desktop/gaming NixOS box into an infrastructure node with a k3s cluster, secrets management, and a Forgejo Actions
runner for building containers with Nix.

K3s cluster

• Single-node k3s with Traefik/ServiceLB/metrics-server disabled (minimal footprint)
• TLS SAN set to ringtail.tail8d86e.ts.net so ArgoCD on indri can manage it via Tailscale
• Containerd registry mirrors pull through Zot on indri (k3s-registries.yaml)
• Tailscale interface added to trustedInterfaces for cross-node ArgoCD access
• kubectl added to system packages

1Password Connect + External Secrets Operator

• Four new ArgoCD apps targeting k3s-ringtail: 1password-connect-ringtail, external-secrets-crds-ringtail, external-secrets-ringtail,
  external-secrets-config-ringtail
• Reuses the same Helm charts/values as indri, just pointed at ringtail's k3s API server
• Bootstrap secrets (op-credentials, onepassword-token) provisioned by Ansible pre_tasks via op read, then applied to the 1password
  namespace in post_tasks

Systemd Forgejo Actions runner

• Native services.gitea-actions-runner with forgejo-runner package — no DinD, no k8s pod, runs directly on the NixOS host
• Label nix-container-builder:host — jobs execute on the host with nix, skopeo, nodejs, etc. in PATH
• Registration token fetched from 1Password (Forgejo Secrets/runner_reg) by Ansible and written to /etc/forgejo-runner/token.env
• Runner's dynamic user (gitea-runner) added to nix.settings.trusted-users for nix daemon access

Nix container build workflow

• New .forgejo/workflows/build-container-nix.yaml triggers on *-nix-v[0-9]* tags (e.g. nettest-nix-v1.0.0)
• Builds with nix build -f containers/<name>/default.nix, pushes to Zot via skopeo copy
• Existing Dockerfile workflow guarded with if: !contains(github.ref_name, '-nix-v') to avoid double-triggering

Mise task updates

• container-tag-and-release auto-detects default.nix vs Dockerfile and uses the appropriate tag format (-nix-v vs -v)
• container-list shows build type indicator ([nix] / [dockerfile])

Post-merge

1. mise run provision-ringtail — deploys k3s token, runner token, NixOS rebuild
2. Register k3s cluster in ArgoCD (first time only):

   ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \
     sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml
   set -x KUBECONFIG /tmp/k3s-ringtail.yaml
   argocd cluster add default --name k3s-ringtail
   

3. Sync ArgoCD apps in order: 1password-connect-ringtail -> external-secrets-crds-ringtail -> external-secrets-ringtail ->
   external-secrets-config-ringtail
4. Verify runner: ssh ringtail 'systemctl status gitea-runner-nix-container-builder'
5. Check Forgejo admin panel for ringtail-nix-builder runner online
6. Test: create containers//default.nix, tag with -nix-v0.1.0

## Summary Extends ringtail from a desktop/gaming NixOS box into an infrastructure node with a k3s cluster, secrets management, and a Forgejo Actions runner for building containers with Nix. ### K3s cluster - Single-node k3s with Traefik/ServiceLB/metrics-server disabled (minimal footprint) - TLS SAN set to `ringtail.tail8d86e.ts.net` so ArgoCD on indri can manage it via Tailscale - Containerd registry mirrors pull through Zot on indri (`k3s-registries.yaml`) - Tailscale interface added to `trustedInterfaces` for cross-node ArgoCD access - `kubectl` added to system packages ### 1Password Connect + External Secrets Operator - Four new ArgoCD apps targeting `k3s-ringtail`: `1password-connect-ringtail`, `external-secrets-crds-ringtail`, `external-secrets-ringtail`, `external-secrets-config-ringtail` - Reuses the same Helm charts/values as indri, just pointed at ringtail's k3s API server - Bootstrap secrets (`op-credentials`, `onepassword-token`) provisioned by Ansible pre_tasks via `op read`, then applied to the `1password` namespace in post_tasks ### Systemd Forgejo Actions runner - Native `services.gitea-actions-runner` with `forgejo-runner` package — no DinD, no k8s pod, runs directly on the NixOS host - Label `nix-container-builder:host` — jobs execute on the host with `nix`, `skopeo`, `nodejs`, etc. in PATH - Registration token fetched from 1Password (`Forgejo Secrets/runner_reg`) by Ansible and written to `/etc/forgejo-runner/token.env` - Runner's dynamic user (`gitea-runner`) added to `nix.settings.trusted-users` for nix daemon access ### Nix container build workflow - New `.forgejo/workflows/build-container-nix.yaml` triggers on `*-nix-v[0-9]*` tags (e.g. `nettest-nix-v1.0.0`) - Builds with `nix build -f containers/<name>/default.nix`, pushes to Zot via `skopeo copy` - Existing Dockerfile workflow guarded with `if: !contains(github.ref_name, '-nix-v')` to avoid double-triggering ### Mise task updates - `container-tag-and-release` auto-detects `default.nix` vs `Dockerfile` and uses the appropriate tag format (`-nix-v` vs `-v`) - `container-list` shows build type indicator (`[nix]` / `[dockerfile]`) ## Post-merge 1. `mise run provision-ringtail` — deploys k3s token, runner token, NixOS rebuild 2. Register k3s cluster in ArgoCD (first time only): ```fish ssh ringtail 'sudo cat /etc/rancher/k3s/k3s.yaml' | \ sed 's|127.0.0.1|ringtail.tail8d86e.ts.net|' > /tmp/k3s-ringtail.yaml set -x KUBECONFIG /tmp/k3s-ringtail.yaml argocd cluster add default --name k3s-ringtail 3. Sync ArgoCD apps in order: 1password-connect-ringtail -> external-secrets-crds-ringtail -> external-secrets-ringtail -> external-secrets-config-ringtail 4. Verify runner: ssh ringtail 'systemctl status gitea-runner-nix-container-builder' 5. Check Forgejo admin panel for ringtail-nix-builder runner online 6. Test: create containers/<name>/default.nix, tag with <name>-nix-v0.1.0

eblume added 1 commit 2026-02-18 19:20:21 -08:00

Add k3s cluster on ringtail with amd64 Forgejo runner ... 961151ed30

Enable k3s single-node server on ringtail (NixOS) for native amd64
container builds. Includes ArgoCD Application and manifests for a
Forgejo Actions runner with the `k8s-amd64` label, Ansible bootstrap
tasks for k3s token and runner secret, and containerd registry mirrors
pulling through Zot on indri.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-18 19:40:40 -08:00

Add 1Password Connect + External Secrets to ringtail k3s ... 0d3269e8d6

Deploy the full ESO stack on ringtail, matching the indri pattern:
- 4 ArgoCD apps (1password-connect, external-secrets-crds, external-secrets,
  external-secrets-config) targeting ringtail k3s cluster
- ExternalSecret for forgejo-runner-amd64 token (replaces Ansible-managed secret)
- Ansible playbook bootstraps 1Password Connect credentials instead of
  directly managing runner tokens

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-18 20:21:53 -08:00

Replace k8s Forgejo runner with systemd nix-container-builder ... c098199f8b

Remove the DinD-based k8s runner and add a native systemd Forgejo
Actions runner on ringtail for building containers with nix build
and pushing via skopeo. The runner uses the NixOS
services.gitea-actions-runner module with host execution (no
containers), and Ansible provisions the registration token from
1Password. Adds a new build-container-nix workflow for -nix- tags
and updates mise tasks to support both Dockerfile and Nix builds.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume changed title from Add k3s cluster on ringtail with amd64 Forgejo runner to Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail 2026-02-18 20:24:39 -08:00

eblume added 1 commit 2026-02-18 20:29:07 -08:00

Remove unnecessary --dest-tls-verify=false from skopeo push ... c2ce60c8c9

Caddy provides valid TLS for registry.ops.eblu.me.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-18 20:44:25 -08:00

Fix bash path for NixOS in ringtail playbook ... 753fe90b49

NixOS doesn't have /bin/bash. Use /run/current-system/sw/bin/bash
which is the stable PATH-resolved location on NixOS.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-18 20:46:12 -08:00

Rename runner instance to avoid systemd hyphen escaping ... 8aa85ca116

instances.nix-container-builder becomes nix_container_builder so
the service unit is gitea-runner-nix_container_builder.service
instead of gitea-runner-nix\x2dcontainer\x2dbuilder.service.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume added 1 commit 2026-02-18 20:58:36 -08:00

Add k3s-ringtail kubectl config task and services-check entries ... 382dcd1e71

New mise task ensure-k3s-ringtail-kubectl-config fetches certs from
ringtail and writes a kubeconfig to ~/.kube/k3s-ringtail/config.yml.
services-check now verifies k3s, k3s API reachability, and the
forgejo-runner systemd service on ringtail.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

eblume merged commit 918df9e642 into main 2026-02-18 21:15:31 -08:00

eblume referenced this pull request from a commit 2026-02-18 21:15:31 -08:00

Add k3s, 1Password Connect, and systemd nix-container-builder to ringtail (#209)

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels

No items

No labels

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

eblume/blumeops!209

No description provided.