Commit ae7c7f4

HPCesia <me@hpcesia.com>
2026-03-20 07:25:13
refactor: den aspect - services/forgejo-runner
den
1 parent 6e883c6
modules/hosts/pardofelis/services/default.nix
@@ -2,6 +2,18 @@
   inherit (den.lib) __findFile;
 in {
   den.aspects.pardofelis.includes = [
+    <services/forgejo-runner>
+    (<services/forgejo-runner/instance> {
+      instance = "local";
+      name = "runner@local.pardofelis.hpcesia.com";
+      url = "https://repo.hpcesia.com/";
+      tokenFileAged = ./forgejo-runner-local-token.age;
+      labels = [
+        "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+        "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
+      ];
+    })
+
     <services/podman>
   ];
 }
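Review bot: Both labels given to the new `local` instance point at mutable tags (`act-latest` and `latest-x86_64`), and the shared provider runs job containers with `privileged = true` and the host docker socket bind-mounted, so whoever can push to either tag effectively gets root on this host. Pinning the images by digest (`image@sha256:...`), or at least the self-hosted `nix-act-image` to an immutable tag, would bound that exposure; failing that, a comment on the `labels` list such as `# NOTE: mutable tags — the registry owners are trusted with root on this host` would at least record the assumption. The rest of the include wiring matches the provider's parameter list.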
modules/hosts/pardofelis/services/forgejo-runner-local-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 oqyjfZ4+i4zeHtzvsbbcDHNe3G4/Ma3OI8zfU2+wO1M
+yGOEbBIGx6wAsPjCfv4gFtvvCglDuAgTrqaM4/HoddQ
+-> $f)-grease nF~D
+U1h152PEXQ0MNal+xJ1oU22VOpeT6wXJfwpQe8ab+pBL
+--- 3KSb1iICSlVFyy+unhZaZ+LvXNGHMXpJKEnHwiYdFzU
+�r*��2���l��Rp[ۿ2Y����0/�A*h��Vqk�T���]�+������]ټm>A�;�v"�`�)��J(n�3X=
\ No newline at end of file
modules/hosts/pardofelis/default.nix
@@ -54,7 +54,6 @@
           "caddy"
           "fail2ban"
           "forgejo"
-          "forgejo-runner"
           "freshrss"
           "goatcounter"
           "gokapi"
modules/services/forgejo-runner/default.nix
@@ -1,62 +0,0 @@
-{lib, ...}: {
-  flake.modules.nixos."services/forgejo-runner" = {
-    pkgs,
-    config,
-    ...
-  }: {
-    services.gitea-actions-runner = {
-      package = pkgs.forgejo-runner;
-      instances.default = {
-        enable = true;
-        name = "runner-pardofelis";
-        url = "https://repo.hpcesia.com/";
-        tokenFile = config.vaultix.templates."forgejo-runner-token-file".path;
-        labels = [
-          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest"
-          "nixos-latest:docker://repo.hpcesia.com/hpcesia/nix-act-image:latest-x86_64"
-        ];
-        settings = {
-          cache = {
-            host = "172.17.0.1";
-          };
-          container = {
-            network = "";
-            enable_ipv6 = true;
-            privileged = true; # For docker-in-docker
-            options = "-v /var/run/docker.sock:/var/run/docker.sock";
-          };
-        };
-      };
-    };
-
-    users.users.gitea-runner = {
-      isSystemUser = true;
-      useDefaultShell = true;
-      group = "gitea-runner";
-    };
-    users.groups.gitea-runner = {};
-
-    systemd.services.gitea-runner-default.serviceConfig = {
-      DynamicUser = lib.mkForce false;
-      User = "gitea-runner";
-      Group = "gitea-runner";
-    };
-
-    # If you would like to use docker runners in combination with cache actions,
-    # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
-    # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
-    networking.firewall.trustedInterfaces =
-      if (config.networking.nftables.enable)
-      then ["br-*"]
-      else ["br-+"];
-
-    vaultix.templates.forgejo-runner-token-file = {
-      content = "TOKEN=${config.vaultix.placeholder.forgejo-runner-token}";
-      owner = "root";
-      group = "gitea-runner";
-      mode = "0440";
-    };
-
-    vaultix.secrets.forgejo-runner-token.file = ./token.age;
-  };
-}
modules/services/forgejo-runner/token.age
@@ -1,7 +0,0 @@
-age-encryption.org/v1
--> X25519 clO8bSrHnd/KHuYo7Xkqw/6baJEo9a1/ecNYi+XOZnw
-PE9dbuL+IdV4qmr/Z8yYMXzTn/wJI7MLayhrlpKF2y0
--> ;}~-grease +'=Z/-R
-fAWVJWgVFtYQG5C4469TozaE
---- +8ALW8z7BEUzySVDX9X28PDZlDynpR06sqkbf0BJp6o
-R�o��Q}C��k���n�'@^aKMZ��Qp+sb�Ft���i��l��&Pew��9��,�����C�H�%��`��
\ No newline at end of file
modules/services/forgejo-runner.nix
@@ -0,0 +1,73 @@
+{lib, ...}: {
+  den.aspects.services.provides.forgejo-runner = {
+    nixos = {
+      pkgs,
+      config,
+      ...
+    }: {
+      services.gitea-actions-runner = {
+        package = lib.mkDefault pkgs.forgejo-runner;
+      };
+      # If you would like to use docker runners in combination with cache actions,
+      # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
+      # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
+      networking.firewall.trustedInterfaces =
+        if (config.networking.nftables.enable)
+        then ["br-*"]
+        else ["br-+"];
+    };
+  };
+
+  den.aspects.services.provides.forgejo-runner.provides.instance = {
+    instance,
+    name ? "runner-${instance}",
+    url,
+    tokenFileAged,
+    labels ? [],
+    settings ? {},
+  }: {
+    nixos = {config, ...}: {
+      services.gitea-actions-runner = {
+        instances.${instance} = {
+          enable = true;
+          inherit name url labels;
+          tokenFile = config.vaultix.secrets."forgejo-runner-${instance}-token".path;
+          settings = lib.mkMerge [
+            {
+              cache = {
+                host = "172.17.0.1";
+              };
+              container = {
+                network = "";
+                enable_ipv6 = true;
+                privileged = true; # For docker-in-docker
+                options = "-v /var/run/docker.sock:/var/run/docker.sock";
+              };
+            }
+            settings
+          ];
+        };
+      };
+
+      users.users."forgejo-runner-${instance}" = {
+        isSystemUser = true;
+        useDefaultShell = true;
+        group = "forgejo-runner-${instance}";
+      };
+      users.groups."forgejo-runner-${instance}" = {};
+
+      systemd.services."forgejo-runner-${instance}".serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "forgejo-runner-${instance}";
+        Group = "forgejo-runner-${instance}";
+      };
+
+      vaultix.secrets."forgejo-runner-${instance}-token" = {
+        file = tokenFileAged;
+        owner = "forgejo-runner-${instance}";
+        group = "forgejo-runner-${instance}";
+        mode = "0440";
+      };
+    };
+  };
+}
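Review bot: The `systemd.services."forgejo-runner-${instance}"` override near the end of the instance provider does not appear to target the unit the NixOS gitea-actions-runner module creates, which is named `gitea-runner-<instance>` (the deleted module overrode `gitea-runner-default` for exactly that reason); as written it defines an unrelated stub unit and the real runner keeps `DynamicUser`, so the dedicated `forgejo-runner-<instance>` user and group are never used — the key should be `systemd.services."gitea-runner-${instance}".serviceConfig`. The `tokenFile` wiring changes format too: the option is consumed as an `EnvironmentFile`, so the `.age` file must now decrypt to a `TOKEN=...` line, whereas the removed module wrapped a bare secret in a vaultix template; a comment on `tokenFileAged` such as `# must decrypt to an env file with a TOKEN=<registration token> line` would prevent a silent mis-registration. Finally, the container defaults (`privileged = true`, the docker socket bind) are merged with the caller's `settings` at equal priority, so an instance cannot turn them off without a conflicting-definition error; wrapping that default attrset in `lib.mkDefault` would let a less privileged instance opt out.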
secrets/cache/pardofelis/20035d64d3f56c4311ce7c9bb7d7bba397c220cd6cd5c276a66ed9b483cf683d
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw NuG90Ey/xUqbBjLuejPyF0i3EqdFFqdLd5hy1xEoPQo
+JP5xEZGQSUqDFnKfPZpU6hD9T8JC2c49I90sI4FbbsY
+-> N%EYL-grease
+xmAFlWb1tBeMudcwTaY7kcweML/fQNkn6BVJGqjxkzPcydCmm7BePC4
+--- Qeeb050TT3i67cEUi1b2NA4iUaUZ3wJfRScYKWugkDg
+�G��㔡ʟ������9T����~��IWX�L��H�	�iA%k>"JA�J!�%z����ۨ^(4�w9�R�!�rn�
\ No newline at end of file
secrets/cache/pardofelis/e9bfd545578ea28d35f696f0017b025b69452da09b5becabaa1f889bddc90788
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 B1HLiw yrlRfSVe+It4aXkfEY+HDvGNqUrbkiobHyOfaEbFWXI
-+BxBtYaVJtV18Oc6ZwDzkJZsEXEBJ7mSQ+V/WvaDktw
--> Ko-grease
-qX2nSKwbKy0b36x8haphKQLv9bveCIv774BQp4TIsmUCyNcnKM1BkpjGQtFiCuMw
-RReQC8jU91te/6eu/ac
---- xZx/m7ivX4kPkuUGr6HVn6bVJEi5FRC8ahO/nqc7mGA
-y�
-����I+`r���K�>�I����raa:y.������	~8{/)u#V��?�#��ьL ���.���O�C
\ No newline at end of file