{lib, ...}: {
  # Host-level aspect: selects the Forgejo runner package and opens the
  # firewall for the Docker bridge interfaces that job containers sit on.
  den.aspects.services.provides.forgejo-runner = {
    nixos = {
      pkgs,
      config,
      ...
    }: let
      # nftables and iptables spell interface wildcards differently
      # ("br-*" vs "br-+"); choose the one matching the active backend.
      bridgeGlob =
        if config.networking.nftables.enable
        then "br-*"
        else "br-+";
    in {
      # mkDefault keeps this overridable so a host can pin another runner build.
      services.gitea-actions-runner.package = lib.mkDefault pkgs.forgejo-runner;

      # Every "br-*" interface becomes a trusted interface. That is what the
      # cache actions need to reach the host-side cache server from inside a
      # job container, but note it trusts *all* Docker bridges on the host,
      # not only the one the runner uses.
      # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
      networking.firewall.trustedInterfaces = [bridgeGlob];
    };
  };

  # Per-instance aspect: registers one runner instance under a dedicated
  # static system user and wires its registration token in from vaultix.
  #
  #   instance      - instance key; also drives the user/group/secret names
  #   name          - runner display name (defaults to "runner-<instance>")
  #   url           - Forgejo instance the runner registers against
  #   tokenFileAged - encrypted registration token handed to vaultix
  #   labels        - runner labels (default: none)
  #   settings      - extra runner settings merged over the baseline below
  den.aspects.services.provides.forgejo-runner.provides.instance = {
    instance,
    name ? "runner-${instance}",
    url,
    tokenFileAged,
    labels ? [],
    settings ? {},
  }: {
    nixos = {config, ...}: let
      # One static user/group per instance; the same name is reused for the
      # systemd unit and as the owner of the decrypted token.
      runnerUser = "forgejo-runner-${instance}";
      secretName = "${runnerUser}-token";

      # Baseline runner settings. Callers' `settings` are merged in with
      # mkMerge, so a caller wanting to replace one of these leaves presumably
      # needs lib.mkForce rather than a plain value — verify against the
      # option type of services.gitea-actions-runner.instances.<n>.settings.
      baseSettings = {
        # Presumably the docker0 bridge address so job containers can reach
        # the cache server on the host — confirm on hosts with a non-default
        # bridge subnet.
        cache.host = "172.17.0.1";
        container = {
          # Empty string leaves network selection to the runner's default;
          # check the runner documentation before relying on a specific
          # network mode.
          network = "";
          enable_ipv6 = true;
          # Docker-in-docker: the job container runs privileged AND gets the
          # host's Docker socket, which together are root-equivalent on the
          # host. Workflows executed on this runner must therefore be trusted
          # to the same degree as the host itself.
          privileged = true;
          options = "-v /var/run/docker.sock:/var/run/docker.sock";
        };
      };
    in {
      services.gitea-actions-runner.instances.${instance} = {
        enable = true;
        name = name;
        url = url;
        labels = labels;
        # The decrypted token path is provided by vaultix (declared below).
        tokenFile = config.vaultix.secrets.${secretName}.path;
        settings = lib.mkMerge [baseSettings settings];
      };

      # DynamicUser is forced off so the unit runs as the static user created
      # below; the decrypted token is owned by that same user, which a
      # transient DynamicUser uid could not be.
      systemd.services.${runnerUser}.serviceConfig = {
        DynamicUser = lib.mkForce false;
        User = runnerUser;
        Group = runnerUser;
      };

      users.groups.${runnerUser} = {};
      users.users.${runnerUser} = {
        isSystemUser = true;
        useDefaultShell = true;
        group = runnerUser;
      };

      vaultix.secrets.${secretName} = {
        file = tokenFileAged;
        owner = runnerUser;
        group = runnerUser;
        mode = "0440"; # readable by owner and group only
      };
    };
  };
}