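{lib, ...}: {
  den.aspects.services.provides.forgejo-runner.nixos = {config, ...}: let
    # The NixOS firewall hands interface names to its backend, and the two
    # backends spell a name wildcard differently: nftables "*", iptables "+".
    wildcard =
      if config.networking.nftables.enable
      then "*"
      else "+";
  in {
    # Docker-based runners that use the cache actions must reach the runner's
    # cache server on the host, so docker's bridge interfaces ("br-<id>") are
    # added to the firewall's trusted interfaces, as documented upstream:
    # https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
    #
    # Security note: a trusted interface bypasses the host firewall completely,
    # so *every* host-bound service (not only the cache) becomes reachable from
    # any container attached to any docker bridge on this machine.
    networking.firewall.trustedInterfaces = ["br-${wildcard}"];
  };

  # Provides one forgejo-runner instance per call.
  #
  #   instance  - instance key; also used for the system user/group, the
  #               systemd unit name and the vaultix secret names
  #   name      - runner name registered with the servers (defaults to `instance`)
  #   servers   - attrset of servers to register with; each value needs
  #               `url`, `uuid` and `tokenFileAged` (vaultix-encrypted
  #               registration token) and may carry extra `labels`
  #   labels    - labels advertised by the runner
  #   settings  - extra runner settings; leaf values given here override the
  #               defaults baked in below (those are set with mkDefault)
  den.aspects.services.provides.forgejo-runner.provides.instance = {
    instance,
    name ? instance,
    servers ? {},
    labels ? [],
    settings ? {},
  }: {
    nixos = {config, ...}: let
      # A static (non-dynamic) user so the decrypted token files can be owned
      # by it and read with a restrictive mode.
      runnerUser = "forgejo-runner-${instance}";
      secretName = server: "forgejo-runner-${instance}-${server}-token";
      # Servers for which no encrypted token was supplied; they are named in the
      # assertion so a misconfiguration points at the offending entry.
      serversMissingToken =
        lib.attrNames (lib.filterAttrs (_: s: !(s ? tokenFileAged)) servers);
    in {
      assertions = [
        {
          assertion = serversMissingToken == [];
          message = "forgejo-runner instance '${instance}': every server must set `tokenFileAged`; missing for: ${lib.concatStringsSep ", " serversMissingToken}";
        }
      ];

      services.forgejo-runner.instances.${instance} = {
        enable = true;
        inherit name labels;
        servers =
          lib.mapAttrs (server: v: {
            inherit (v) url uuid;
            # Path of the token decrypted by vaultix (see `vaultix.secrets` below).
            tokenFile = config.vaultix.secrets.${secretName server}.path;
            labels = v.labels or [];
          })
          servers;
        # Every default below is mkDefault so that the caller's `settings` can
        # override a single leaf (e.g. `cache.host`, `container.options`) instead
        # of hitting a conflicting-definition error from the module system.
        settings = lib.mkMerge [
          {
            cache = {
              enabled = lib.mkDefault true;
              # Docker's default bridge gateway on the host, i.e. where job
              # containers reach the runner's cache server. Assumes the default
              # docker bridge; override via `settings.cache.host` if dockerd is
              # configured with a different `bip`.
              host = lib.mkDefault "172.17.0.1";
            };
            container = {
              # With mihomo enabled on the host, job containers run in the host
              # network namespace to avoid connectivity errors:
              # https://github.com/MetaCubeX/mihomo/issues/1260
              # https://github.com/SagerNet/sing-box/issues/2700
              # Otherwise the value is "" (presumably the runner's default
              # per-job network — confirm against the runner's config docs).
              network = lib.mkDefault (
                if config.services.mihomo.enable
                then "host"
                else ""
              );
              enable_ipv6 = lib.mkDefault true;
              # Security note: CAP_SYS_ADMIN together with /dev/fuse and CAP_MKNOD
              # lets a job container perform mounts and other privileged
              # operations, which is close to root on the host. Keep this default
              # only for runners that execute trusted workflows; for untrusted
              # repositories drop it via `settings.container.options`.
              options = lib.mkDefault "--cap-add sys_admin --cap-add mknod --device /dev/fuse";
            };
          }
          settings
        ];
      };

      users.users.${runnerUser} = {
        isSystemUser = true;
        useDefaultShell = true;
        group = runnerUser;
      };
      users.groups.${runnerUser} = {};

      # The module's unit is forced off DynamicUser (it appears to default to it)
      # and onto the static user above, so the token files can be chowned to
      # that user and read with mode 0440.
      systemd.services."forgejo-runner-${instance}".serviceConfig = {
        DynamicUser = lib.mkForce false;
        User = runnerUser;
        Group = runnerUser;
      };

      # One decrypted registration token per server, readable only by the
      # runner user/group.
      vaultix.secrets =
        lib.mapAttrs' (server: v:
          lib.nameValuePair (secretName server) {
            file = v.tokenFileAged;
            owner = runnerUser;
            group = runnerUser;
            mode = "0440";
          })
        servers;
    };
  };
}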