Commit e4526f1

HPCesia <me@hpcesia.com>
2025-08-12 15:26:06
feat(service): add forgejo-runner
1 parent cff829b
hosts/chaser-pardofelis/podman/default.nix
@@ -0,0 +1,8 @@
+{...}: {
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    dockerSocket.enable = true;
+    autoPrune.enable = true;
+  };
+}
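Review bot: `dockerSocket.enable = true` publishes the rootful Podman socket at the Docker path, and a client that can open that socket has root-equivalent control of the host; the NixOS option gates access on membership in the `podman` group. Nothing in this file records who the socket is for, so a one-line comment would help the next reader: `# Docker-compatible socket for the forgejo runner's docker:// labels; socket access is root-equivalent on this host`. If the runner is the only consumer, a rootless Podman socket for the runner user would avoid handing CI jobs a root-equivalent endpoint, though whether the act images used here work rootless is not something this diff shows.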
hosts/chaser-pardofelis/forgejo-runner.nix
@@ -0,0 +1,59 @@
+{
+  pkgs,
+  lib,
+  config,
+  ...
+}: {
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = "runner-pardofelis";
+      url = "https://repo.hpcesia.com/";
+      tokenFile = config.sops.templates."forgejo-runner-token-file".path;
+      labels = [
+        "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
+        "nixos-latest:host"
+      ];
+      settings = {
+        container.network = "bridge";
+      };
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        wget
+        nix
+      ];
+    };
+  };
+
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "gitea-runner";
+  };
+  users.groups.gitea-runner = {};
+
+  sops.templates.forgejo-runner-token-file = {
+    content = "TOKEN=${config.sops.placeholder.forgejo-runner-token}";
+    owner = "root";
+    group = "gitea-runner";
+    mode = "0440";
+  };
+
+  systemd.services.gitea-runner-default.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "gitea-runner";
+    Group = "gitea-runner";
+  };
+
+  # If you would like to use docker runners in combination with cache actions,
+  # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
+  # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
+  networking.firewall.trustedInterfaces = ["br-+"];
+}
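Review bot: The static `gitea-runner` user declared in `users.users.gitea-runner` is not a member of the `podman` group, so the `docker://` label will not be able to open the socket enabled in podman/default.nix unless that access is granted somewhere outside this diff; `extraGroups = ["podman"];` inside that user block would make the label usable. That membership is root-equivalent through the rootful socket, and the `nixos-latest:host` label already runs workflow steps unsandboxed as this user with `nix` on PATH, while `DynamicUser = lib.mkForce false` gives up the sandboxing the module's dynamic user implied (ProtectSystem, PrivateTmp and friends), so this runner is effectively trusted at host level. That trade-off deserves a comment next to the `labels` list, e.g. `# host and docker jobs here run with root-equivalent access; register this runner only for repositories whose workflows are trusted`. The `br-+` trusted-interface rule matches the upstream docs quoted in the comment and looks fine.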
hosts/chaser-pardofelis/forgejo.nix
@@ -33,6 +33,9 @@
         ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
         "logger.router.MODE" = "Error";
       };
+      actions = {
+        ENABLED = true;
+      };
     };
   };
 
secrets/hosts/pardofelis/default.nix
@@ -65,6 +65,10 @@ in
           name = "restic-backup-password";
           value = {key = "services/restic/password";} // secretFileConf;
         }
+        {
+          name = "forgejo-runner-token";
+          value = {key = "services/forgejo-runner/token";} // secretFileConf;
+        }
         # === GoToSocial === #
         {
           name = "gotosocial-s3-endpoint";
secrets/hosts/pardofelis/secrets.yaml
@@ -7,6 +7,8 @@ services:
         defaultUserPassword: ENC[AES256_GCM,data:go37FcBdkPaI3o9ufWWSe4csncSBXl7Sna1lOU9xCxc=,iv:uslyMRqDLmJp9al4kz+F/f8tcyAzpBtnRHRNaz5E+1U=,tag:cs/laSyPWy0GHN3bMO8FRQ==,type:str]
     grafana:
         adminPassword: ENC[AES256_GCM,data:GSD4lXMBxnzbmWluPp0J4Y7EDOnutCZq,iv:MqyKSHZk2RkPEo07SQxYYYZir+DPwWSjwwWVfeP8kqQ=,tag:VVJFT5HQquF6fOp7aOINSA==,type:str]
+    forgejo-runner:
+        token: ENC[AES256_GCM,data:gm23RUL8LVnq6prQFjX+mk2NlcURJuRdlOOzDjM6brjPOi4Rxy4dZw==,iv:OsRpBP5SEdHSHiCAVS7FJhAlnuBODc66Ap+Fty9fhZo=,tag:7Ez+qNe/w18DGJT+neZSHA==,type:str]
     gotosocial:
         s3Endpoint: ENC[AES256_GCM,data:zUe0nDSW1T9i3YOq2Cao87nM4I05yquKMLsD7gMKYJ/M8bj9usBiFr3aAOW5mEiATzSy4VtupTDT,iv:UluVNVCcF1LUWYJWlCVS4y197TSuD34MNuUC7Mr+Tjg=,tag:AyLcTDPZoleKSMDX39ApBg==,type:str]
         s3AccessKey: ENC[AES256_GCM,data:2hOwCwYROPZ/ZBs+QHjuaHZR8DZdBoz96Dh0g6ohFpg=,iv:6FGLKG+Y9/8tFqLsC+h7oBbT2HkMBDF1zobv61/a6j0=,tag:0OZ5KpK3P47ZqyEWdUEGRQ==,type:str]
@@ -56,8 +58,8 @@ sops:
             SENxSmtOQUlWaFg4Tys2MU91UklURW8K8VUSmBV87SBHVtTfJJrEbX3KtxtPT+nd
             a0lbIgNit5pZu5uQVwiuENuPA3K+/3Uo0AIVRxkHJC8ZVqrjXeHhvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-10T14:20:06Z"
-    mac: ENC[AES256_GCM,data:m6sAok3FG2t53PoFCBWwiwiRbYwMAT0efRsEq/vtrfqdMRwvXgTpzmmfWE18x/06O3jbp54ZXT1nojh+moNvaDGGU4nvx65x/rsOiZd34pvnkKDvbLfttoPAh8AUBXDVN4FFO1cpOpPvDg47iYmqUtyoOALxOYz82pqcoBK2n0E=,iv:L+LjA2gEg7ojRQhkpV9hkUVcdtDGxzXjgUVaDu4Z0vU=,tag:uw8it18V+4B6J3r8weJmew==,type:str]
+    lastmodified: "2025-08-12T15:14:50Z"
+    mac: ENC[AES256_GCM,data:AoLnacVVUAhndQEOfb28d2MnlHA+l9RC0vDHBEJ4qU9y3AT4zx910nqR/dtECxZ2V4PIPdN4hCOnx35Nda8pxd18IoGPoSOH5SxnIl0TmJ/9T08in6F5vUM3ZZU3JjBURxrZNFmEenEOg6l7oWgCjLW4dwxQeXmxOejlNE37i0g=,iv:Tk/2dvCQXCi6MkY1RcVrBqc2fe/dOb7c5TVo3q+ibEI=,tag:qkWAciu1L2E9eb16Z9vIGA==,type:str]
     pgp:
         - created_at: "2025-08-06T11:08:38Z"
           enc: |-