{lib, ...}: {
  # NixOS module providing a single Forgejo Actions runner (act_runner fork)
  # that executes jobs in Docker containers on this host.
  flake.modules.nixos."services/forgejo-runner" = {
    pkgs,
    config,
    ...
  }: let
    # Static service account for the runner. DynamicUser is forced off
    # below so this name is stable and can own/read the token file.
    runnerUser = "gitea-runner";
    runnerGroup = "gitea-runner";

    # Rendered token template; the runner reads TOKEN=... from its path.
    tokenTemplate = config.vaultix.templates."forgejo-runner-token-file";

    # Per the Forgejo NixOS docs, nftables and iptables spell the Docker
    # bridge wildcard differently ("br-*" vs "br-+").
    usesNftables = config.networking.nftables.enable;
  in {
    services.gitea-actions-runner = {
      package = pkgs.forgejo-runner;

      instances.default = {
        enable = true;
        name = "runner-pardofelis";
        url = "https://repo.hpcesia.com/";
        tokenFile = tokenTemplate.path;

        # Label -> job image mapping. SECURITY NOTE(review): both images are
        # referenced by floating tags ("act-latest", "latest-x86_64"), not by
        # digest, so their contents can change without a change here. Combined
        # with the privileged container settings below, whoever controls
        # these tags controls the host. Consider pinning to a digest.
        labels = [
          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
          "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
        ];

        settings = {
          # Address job containers use to reach the runner's cache server;
          # 172.17.0.1 is the default docker0 bridge IP. The trustedInterfaces
          # setting below is what lets that traffic through the firewall.
          cache.host = "172.17.0.1";

          container = {
            # Empty string: let the runner choose/create the job network.
            network = "";
            enable_ipv6 = true;

            # SECURITY NOTE(review): privileged = true AND a bind-mounted
            # Docker socket each on their own give a job root-equivalent
            # access to this host (escape from the container is trivial with
            # either). This is deliberate for docker-in-docker, so every
            # repository/user allowed to schedule jobs on this runner must be
            # fully trusted. The registration scope is set by the token, not
            # here -- confirm it is limited to trusted repos/orgs.
            privileged = true; # For docker-in-docker
            options = "-v /var/run/docker.sock:/var/run/docker.sock";
          };
        };
      };
    };

    # Service account the runner unit runs as. NOTE(review): nothing here
    # grants access to /var/run/docker.sock (docker group membership or a
    # socket ACL); presumably configured alongside the Docker module -- verify.
    users.users.${runnerUser} = {
      isSystemUser = true;
      useDefaultShell = true;
      group = runnerGroup;
    };
    users.groups.${runnerGroup} = {};

    # Replace the upstream DynamicUser with the static account so the
    # group-readable token file (0440 root:gitea-runner) is accessible.
    systemd.services.gitea-runner-default.serviceConfig = {
      DynamicUser = lib.mkForce false;
      User = runnerUser;
      Group = runnerGroup;
    };

    # If you would like to use docker runners in combination with cache actions,
    # be sure to add docker bridge interfaces "br-*" to the firewalls' trusted interfaces.
    # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
    # NOTE(review): this trusts *every* Docker bridge on the host, not only
    # the runner's job networks; acceptable on a single-purpose runner box,
    # worth tightening if other containers share this machine.
    networking.firewall.trustedInterfaces =
      if usesNftables
      then ["br-*"]
      else ["br-+"];

    # Token file rendered at activation from the age-encrypted secret.
    # Readable only by root and the runner group; never world-readable.
    vaultix.templates.forgejo-runner-token-file = {
      content = "TOKEN=${config.vaultix.placeholder.forgejo-runner-token}";
      owner = "root";
      group = runnerGroup;
      mode = "0440";
    };

    # Encrypted registration token committed next to this module.
    vaultix.secrets.forgejo-runner-token.file = ./token.age;
  };
}