 1{lib, ...}: {
 2  den.aspects.services.provides.forgejo-runner = {
 3    nixos = {
 4      pkgs,
 5      config,
 6      ...
 7    }: {
 8      services.gitea-actions-runner = {
 9        package = lib.mkDefault pkgs.forgejo-runner;
10      };
11      # If you would like to use docker runners in combination with cache actions,
12      # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
13      # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
14      networking.firewall.trustedInterfaces =
15        if (config.networking.nftables.enable)
16        then ["br-*"]
17        else ["br-+"];
18    };
19  };
20
21  den.aspects.services.provides.forgejo-runner.provides.instance = {
22    instance,
23    name ? "runner-${instance}",
24    url,
25    tokenFileAged,
26    labels ? [],
27    settings ? {},
28  }: {
29    nixos = {config, ...}: {
30      services.gitea-actions-runner = {
31        instances.${instance} = {
32          enable = true;
33          inherit name url labels;
34          tokenFile = config.vaultix.secrets."forgejo-runner-${instance}-token".path;
35          settings = lib.mkMerge [
36            {
37              cache = {
38                host = "172.17.0.1";
39              };
40              container = {
41                network = "";
42                enable_ipv6 = true;
43                privileged = true; # For docker-in-docker
44                options = "-v /var/run/docker.sock:/var/run/docker.sock";
45              };
46            }
47            settings
48          ];
49        };
50      };
51
52      users.users."forgejo-runner-${instance}" = {
53        isSystemUser = true;
54        useDefaultShell = true;
55        group = "forgejo-runner-${instance}";
56      };
57      users.groups."forgejo-runner-${instance}" = {};
58
59      systemd.services."forgejo-runner-${instance}".serviceConfig = {
60        DynamicUser = lib.mkForce false;
61        User = "forgejo-runner-${instance}";
62        Group = "forgejo-runner-${instance}";
63      };
64
65      vaultix.secrets."forgejo-runner-${instance}-token" = {
66        file = tokenFileAged;
67        owner = "forgejo-runner-${instance}";
68        group = "forgejo-runner-${instance}";
69        mode = "0440";
70      };
71    };
72  };
73}