Commit ae7c7f4
modules/hosts/pardofelis/services/default.nix
@@ -2,6 +2,18 @@
inherit (den.lib) __findFile;
in {
den.aspects.pardofelis.includes = [
+ <services/forgejo-runner>
+ (<services/forgejo-runner/instance> {
+ instance = "local";
+ name = "runner@local.pardofelis.hpcesia.com";
+ url = "https://repo.hpcesia.com/";
+ tokenFileAged = ./forgejo-runner-local-token.age;
+ labels = [
+ "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+ "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
+ ];
+ })
+
<services/podman>
];
}
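Review bot: Both labels in the added instance resolve images by mutable tag (`act-latest`, `latest-x86_64`), and the shared forgejo-runner module runs job containers privileged with the host Docker socket mounted, so whatever those tags point to at job time executes with host-root-equivalent access. Pinning by digest (`image@sha256:<digest>`) or at least a versioned tag would keep that trust boundary reviewable. The labels are carried over unchanged from the removed module, so this is pre-existing rather than introduced by this commit.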
modules/hosts/pardofelis/services/forgejo-runner-local-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 oqyjfZ4+i4zeHtzvsbbcDHNe3G4/Ma3OI8zfU2+wO1M
+yGOEbBIGx6wAsPjCfv4gFtvvCglDuAgTrqaM4/HoddQ
+-> $f)-grease nF~D
+U1h152PEXQ0MNal+xJ1oU22VOpeT6wXJfwpQe8ab+pBL
+--- 3KSb1iICSlVFyy+unhZaZ+LvXNGHMXpJKEnHwiYdFzU
+�r*��2���l��Rp[ۿ2Y����0/�A*h��Vqk�T���]�+������]ټm>A�;�v"�`�)��J(n�3X=
\ No newline at end of file
modules/hosts/pardofelis/default.nix
@@ -54,7 +54,6 @@
"caddy"
"fail2ban"
"forgejo"
- "forgejo-runner"
"freshrss"
"goatcounter"
"gokapi"
modules/services/forgejo-runner/default.nix
@@ -1,62 +0,0 @@
-{lib, ...}: {
- flake.modules.nixos."services/forgejo-runner" = {
- pkgs,
- config,
- ...
- }: {
- services.gitea-actions-runner = {
- package = pkgs.forgejo-runner;
- instances.default = {
- enable = true;
- name = "runner-pardofelis";
- url = "https://repo.hpcesia.com/";
- tokenFile = config.vaultix.templates."forgejo-runner-token-file".path;
- labels = [
- "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
- "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
- ];
- settings = {
- cache = {
- host = "172.17.0.1";
- };
- container = {
- network = "";
- enable_ipv6 = true;
- privileged = true; # For docker-in-docker
- options = "-v /var/run/docker.sock:/var/run/docker.sock";
- };
- };
- };
- };
-
- users.users.gitea-runner = {
- isSystemUser = true;
- useDefaultShell = true;
- group = "gitea-runner";
- };
- users.groups.gitea-runner = {};
-
- systemd.services.gitea-runner-default.serviceConfig = {
- DynamicUser = lib.mkForce false;
- User = "gitea-runner";
- Group = "gitea-runner";
- };
-
- # If you would like to use docker runners in combination with cache actions,
- # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
- # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
- networking.firewall.trustedInterfaces =
- if (config.networking.nftables.enable)
- then ["br-*"]
- else ["br-+"];
-
- vaultix.templates.forgejo-runner-token-file = {
- content = "TOKEN=${config.vaultix.placeholder.forgejo-runner-token}";
- owner = "root";
- group = "gitea-runner";
- mode = "0440";
- };
-
- vaultix.secrets.forgejo-runner-token.file = ./token.age;
- };
-}
modules/services/forgejo-runner/token.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> X25519 clO8bSrHnd/KHuYo7Xkqw/6baJEo9a1/ecNYi+XOZnw
-PE9dbuL+IdV4qmr/Z8yYMXzTn/wJI7MLayhrlpKF2y0
--> ;}~-grease +'=Z/-R
-fAWVJWgVFtYQG5C4469TozaE
---- +8ALW8z7BEUzySVDX9X28PDZlDynpR06sqkbf0BJp6o
-R�o��Q}C��k���n�'@^aKMZ��Qp+sb�Ft���i��l��&Pew��9��,�����C�H�%��`��
\ No newline at end of file
modules/services/forgejo-runner.nix
@@ -0,0 +1,73 @@
+{lib, ...}: {
+ den.aspects.services.provides.forgejo-runner = {
+ nixos = {
+ pkgs,
+ config,
+ ...
+ }: {
+ services.gitea-actions-runner = {
+ package = lib.mkDefault pkgs.forgejo-runner;
+ };
+ # If you would like to use docker runners in combination with cache actions,
+ # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
+ # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
+ networking.firewall.trustedInterfaces =
+ if (config.networking.nftables.enable)
+ then ["br-*"]
+ else ["br-+"];
+ };
+ };
+
+ den.aspects.services.provides.forgejo-runner.provides.instance = {
+ instance,
+ name ? "runner-${instance}",
+ url,
+ tokenFileAged,
+ labels ? [],
+ settings ? {},
+ }: {
+ nixos = {config, ...}: {
+ services.gitea-actions-runner = {
+ instances.${instance} = {
+ enable = true;
+ inherit name url labels;
+ tokenFile = config.vaultix.secrets."forgejo-runner-${instance}-token".path;
+ settings = lib.mkMerge [
+ {
+ cache = {
+ host = "172.17.0.1";
+ };
+ container = {
+ network = "";
+ enable_ipv6 = true;
+ privileged = true; # For docker-in-docker
+ options = "-v /var/run/docker.sock:/var/run/docker.sock";
+ };
+ }
+ settings
+ ];
+ };
+ };
+
+ users.users."forgejo-runner-${instance}" = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "forgejo-runner-${instance}";
+ };
+ users.groups."forgejo-runner-${instance}" = {};
+
+ systemd.services."forgejo-runner-${instance}".serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "forgejo-runner-${instance}";
+ Group = "forgejo-runner-${instance}";
+ };
+
+ vaultix.secrets."forgejo-runner-${instance}-token" = {
+ file = tokenFileAged;
+ owner = "forgejo-runner-${instance}";
+ group = "forgejo-runner-${instance}";
+ mode = "0440";
+ };
+ };
+ };
+}
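Review bot: The serviceConfig override at `systemd.services."forgejo-runner-${instance}"` does not appear to target the unit the NixOS module actually creates: the removed module overrode `gitea-runner-default` for instance `default`, which suggests the unit is named `gitea-runner-<instance>`, so the real unit for `local` would keep `DynamicUser` and run as a transient user that cannot read the 0440 token owned by `forgejo-runner-local`; `systemd.services."gitea-runner-${instance}".serviceConfig = {` is the likely intended line unless the unit name changed upstream. Separately, `tokenFile` now points at the raw decrypted secret, whereas the removed module wrapped it in a `TOKEN=...` template, so the encrypted file must itself decrypt to that environment-file form; documenting this on the argument, e.g. `tokenFileAged, # .age file whose plaintext is an env file: TOKEN=<registration token>`, would prevent a silent registration failure. Finally, the default `settings` inside `lib.mkMerge` are plain values, so a caller passing e.g. `settings.container.privileged = false` would get a conflicting-definitions error rather than an override; wrapping the default set in `lib.mkDefault` makes the `settings` parameter usable as an opt-out, which matters because the defaults mount the Docker socket and run privileged.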
secrets/cache/pardofelis/20035d64d3f56c4311ce7c9bb7d7bba397c220cd6cd5c276a66ed9b483cf683d
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw NuG90Ey/xUqbBjLuejPyF0i3EqdFFqdLd5hy1xEoPQo
+JP5xEZGQSUqDFnKfPZpU6hD9T8JC2c49I90sI4FbbsY
+-> N%EYL-grease
+xmAFlWb1tBeMudcwTaY7kcweML/fQNkn6BVJGqjxkzPcydCmm7BePC4
+--- Qeeb050TT3i67cEUi1b2NA4iUaUZ3wJfRScYKWugkDg
+�G��㔡ʟ������9T����~��IWX�L��H� �iA%k>"JA�J!�%z����ۨ^(4�w9�R�!�rn�
\ No newline at end of file
secrets/cache/pardofelis/e9bfd545578ea28d35f696f0017b025b69452da09b5becabaa1f889bddc90788
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 B1HLiw yrlRfSVe+It4aXkfEY+HDvGNqUrbkiobHyOfaEbFWXI
-+BxBtYaVJtV18Oc6ZwDzkJZsEXEBJ7mSQ+V/WvaDktw
--> Ko-grease
-qX2nSKwbKy0b36x8haphKQLv9bveCIv774BQp4TIsmUCyNcnKM1BkpjGQtFiCuMw
-RReQC8jU91te/6eu/ac
---- xZx/m7ivX4kPkuUGr6HVn6bVJEi5FRC8ahO/nqc7mGA
-y�
-����I+`r���K�>�I����raa:y.������ ~8{/)u#V��?�#��ьL ���.���O�C
\ No newline at end of file