Commit 5975ffd

HPCesia <me@hpcesia.com>
2025-10-05 13:21:16
refactor: migrate forgejo-runner
1 parent a8b437d
Changed files (5)
hosts/chaser-pardofelis/forgejo-runner.nix
@@ -1,62 +0,0 @@
-{
-  pkgs,
-  lib,
-  config,
-  ...
-}: {
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-runner;
-    instances.default = {
-      enable = true;
-      name = "runner-pardofelis";
-      url = "https://repo.hpcesia.com/";
-      tokenFile = config.sops.templates."forgejo-runner-token-file".path;
-      labels = [
-        "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
-        "nixos-latest:host"
-      ];
-      settings = {
-        container = {
-          network = "";
-          enable_ipv6 = true;
-        };
-      };
-      hostPackages = with pkgs; [
-        bash
-        coreutils
-        gnused
-        gnutar
-        gnumake
-        curl
-        wget
-        gitMinimal
-        nix
-      ];
-    };
-  };
-
-  users.users.gitea-runner = {
-    isSystemUser = true;
-    useDefaultShell = true;
-    group = "gitea-runner";
-  };
-  users.groups.gitea-runner = {};
-
-  sops.templates.forgejo-runner-token-file = {
-    content = "TOKEN=${config.sops.placeholder.forgejo-runner-token}";
-    owner = "root";
-    group = "gitea-runner";
-    mode = "0440";
-  };
-
-  systemd.services.gitea-runner-default.serviceConfig = {
-    DynamicUser = lib.mkForce false;
-    User = "gitea-runner";
-    Group = "gitea-runner";
-  };
-
-  # If you would like to use docker runners in combination with cache actions,
-  # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
-  # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
-  networking.firewall.trustedInterfaces = ["br-+"];
-}
modules/hosts/chaser-pardofelis/default.nix
@@ -23,6 +23,7 @@
           "artalk"
           "caddy"
           "forgejo"
+          "forgejo-runner"
           "freshrss"
           "goatcounter"
           "gotosocial"
modules/services/forgejo-runner/default.nix
@@ -0,0 +1,65 @@
+{lib, ...}: {
+  flake.modules.nixos."services/forgejo-runner" = {
+    pkgs,
+    config,
+    ...
+  }: {
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-runner;
+      instances.default = {
+        enable = true;
+        name = "runner-pardofelis";
+        url = "https://repo.hpcesia.com/";
+        tokenFile = config.vaultix.templates."forgejo-runner-token-file".path;
+        labels = [
+          "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
+          "nixos-latest:host"
+        ];
+        settings = {
+          container = {
+            network = "";
+            enable_ipv6 = true;
+          };
+        };
+        hostPackages = with pkgs; [
+          bash
+          coreutils
+          gnused
+          gnutar
+          gnumake
+          curl
+          wget
+          gitMinimal
+          nix
+        ];
+      };
+    };
+
+    users.users.gitea-runner = {
+      isSystemUser = true;
+      useDefaultShell = true;
+      group = "gitea-runner";
+    };
+    users.groups.gitea-runner = {};
+
+    systemd.services.gitea-runner-default.serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      User = "gitea-runner";
+      Group = "gitea-runner";
+    };
+
+    # If you would like to use docker runners in combination with cache actions,
+    # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
+    # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
+    networking.firewall.trustedInterfaces = ["br-+"];
+
+    vaultix.templates.forgejo-runner-token-file = {
+      content = "TOKEN=${config.vaultix.placeholder.forgejo-runner-token}";
+      owner = "root";
+      group = "gitea-runner";
+      mode = "0440";
+    };
+
+    vaultix.secrets.forgejo-runner-token.file = ./token.age;
+  };
+}
modules/services/forgejo-runner/token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 clO8bSrHnd/KHuYo7Xkqw/6baJEo9a1/ecNYi+XOZnw
+PE9dbuL+IdV4qmr/Z8yYMXzTn/wJI7MLayhrlpKF2y0
+-> ;}~-grease +'=Z/-R
+fAWVJWgVFtYQG5C4469TozaE
+--- +8ALW8z7BEUzySVDX9X28PDZlDynpR06sqkbf0BJp6o
+R�o��Q}C��k���n�'@^aKMZ��Qp+sb�Ft���i��l��&Pew��9��,�����C�H�%��`��
\ No newline at end of file
secrets/cache/pardofelis/e9bfd545578ea28d35f696f0017b025b69452da09b5becabaa1f889bddc90788
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw yrlRfSVe+It4aXkfEY+HDvGNqUrbkiobHyOfaEbFWXI
++BxBtYaVJtV18Oc6ZwDzkJZsEXEBJ7mSQ+V/WvaDktw
+-> Ko-grease
+qX2nSKwbKy0b36x8haphKQLv9bveCIv774BQp4TIsmUCyNcnKM1BkpjGQtFiCuMw
+RReQC8jU91te/6eu/ac
+--- xZx/m7ivX4kPkuUGr6HVn6bVJEi5FRC8ahO/nqc7mGA
+y�
+����I+`r���K�>�I����raa:y.������	~8{/)u#V��?�#��ьL ���.���O�C
\ No newline at end of file