 1{lib, ...}: {
 2  den.aspects.services.provides.forgejo-runner.nixos = {config, ...}: {
 3    # If you would like to use docker runners in combination with cache actions,
 4    # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
 5    # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
 6    networking.firewall.trustedInterfaces =
 7      if (config.networking.nftables.enable)
 8      then ["br-*"]
 9      else ["br-+"];
10  };
11
12  den.aspects.services.provides.forgejo-runner.provides.instance = {
13    instance,
14    name ? instance,
15    servers ? {},
16    labels ? [],
17    settings ? {},
18  }: {
19    nixos = {config, ...}: {
20      assertions = [
21        {
22          assertion = lib.all (s: lib.hasAttr "tokenFileAged" s) (lib.attrValues servers);
23          message = "All forgejo runner server should has tokenFileAged.";
24        }
25      ];
26
27      services.forgejo-runner.instances.${instance} = {
28        enable = true;
29        inherit name labels;
30        servers =
31          lib.mapAttrs (server: v: {
32            inherit (v) url uuid;
33            tokenFile = config.vaultix.secrets."forgejo-runner-${instance}-${server}-token".path;
34            labels = v.labels or [];
35          })
36          servers;
37        settings = lib.mkMerge [
38          {
39            cache = {
40              enabled = true;
41              host = "172.17.0.1";
42            };
43            container = {
44              # Use host for mihomo to avoid network error
45              # See https://github.com/MetaCubeX/mihomo/issues/1260
46              # See also https://github.com/SagerNet/sing-box/issues/2700
47              network = lib.optionalString (config.services.mihomo.enable) "host";
48              enable_ipv6 = true;
49              options = "--cap-add sys_admin --cap-add mknod --device /dev/fuse";
50            };
51          }
52          settings
53        ];
54      };
55
56      users.users."forgejo-runner-${instance}" = {
57        isSystemUser = true;
58        useDefaultShell = true;
59        group = "forgejo-runner-${instance}";
60      };
61      users.groups."forgejo-runner-${instance}" = {};
62
63      systemd.services."forgejo-runner-${instance}".serviceConfig = {
64        DynamicUser = lib.mkForce false;
65        User = "forgejo-runner-${instance}";
66        Group = "forgejo-runner-${instance}";
67      };
68
69      vaultix.secrets =
70        lib.mapAttrs' (
71          server: v:
72            lib.nameValuePair
73            "forgejo-runner-${instance}-${server}-token"
74            {
75              file = v.tokenFileAged;
76              owner = "forgejo-runner-${instance}";
77              group = "forgejo-runner-${instance}";
78              mode = "0440";
79            }
80        )
81        servers;
82    };
83  };
84}