 1{lib, ...}: {
 2  flake.modules.nixos."services/forgejo-runner" = {
 3    pkgs,
 4    config,
 5    ...
 6  }: {
 7    services.gitea-actions-runner = {
 8      package = pkgs.forgejo-runner;
 9      instances.default = {
10        enable = true;
11        name = "runner-pardofelis";
12        url = "https://repo.hpcesia.com/";
13        tokenFile = config.vaultix.templates."forgejo-runner-token-file".path;
14        labels = [
15          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
16          "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
17        ];
18        settings = {
19          cache = {
20            host = "172.17.0.1";
21          };
22          container = {
23            network = "";
24            enable_ipv6 = true;
25            privileged = true; # For docker-in-docker
26            options = "-v /var/run/docker.sock:/var/run/docker.sock";
27          };
28        };
29      };
30    };
31
32    users.users.gitea-runner = {
33      isSystemUser = true;
34      useDefaultShell = true;
35      group = "gitea-runner";
36    };
37    users.groups.gitea-runner = {};
38
39    systemd.services.gitea-runner-default.serviceConfig = {
40      DynamicUser = lib.mkForce false;
41      User = "gitea-runner";
42      Group = "gitea-runner";
43    };
44
45    # If you would like to use docker runners in combination with cache actions,
46    # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
47    # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
48    networking.firewall.trustedInterfaces =
49      if (config.networking.nftables.enable)
50      then ["br-*"]
51      else ["br-+"];
52
53    vaultix.templates.forgejo-runner-token-file = {
54      content = "TOKEN=${config.vaultix.placeholder.forgejo-runner-token}";
55      owner = "root";
56      group = "gitea-runner";
57      mode = "0440";
58    };
59
60    vaultix.secrets.forgejo-runner-token.file = ./token.age;
61  };
62}