Commit e4526f1
Changed files (5)
hosts/chaser-pardofelis/podman/default.nix
@@ -0,0 +1,8 @@
+{...}: {
+ virtualisation.podman = {
+ enable = true;
+ dockerCompat = true;
+ dockerSocket.enable = true;
+ autoPrune.enable = true;
+ };
+}
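Review bot: `dockerSocket.enable = true` exposes a Docker-compatible API socket that is root-equivalent on the host for any user allowed to open it, and the hunk does not record who that consumer is meant to be (the Forgejo runner's `docker://` labels in forgejo-runner.nix, presumably via the `podman` group). A short comment above the option would make that trust boundary explicit, e.g. `# Docker-compatible socket for the Forgejo runner's docker:// labels; anything that can open it is root on this host.` Whether the `gitea-runner` user actually gets socket access is not visible in this commit; if the module does not add the group membership automatically, that is worth stating as well.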
hosts/chaser-pardofelis/forgejo-runner.nix
@@ -0,0 +1,59 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.default = {
+ enable = true;
+ name = "runner-pardofelis";
+ url = "https://repo.hpcesia.com/";
+ tokenFile = config.sops.templates."forgejo-runner-token-file".path;
+ labels = [
+ "ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
+ "nixos-latest:host"
+ ];
+ settings = {
+ container.network = "bridge";
+ };
+ hostPackages = with pkgs; [
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+ nix
+ ];
+ };
+ };
+
+ users.users.gitea-runner = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "gitea-runner";
+ };
+ users.groups.gitea-runner = {};
+
+ sops.templates.forgejo-runner-token-file = {
+ content = "TOKEN=${config.sops.placeholder.forgejo-runner-token}";
+ owner = "root";
+ group = "gitea-runner";
+ mode = "0440";
+ };
+
+ systemd.services.gitea-runner-default.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "gitea-runner";
+ Group = "gitea-runner";
+ };
+
+ # If you would like to use docker runners in combination with cache actions,
+ # be sure to add docker bridge interfaces “br-*” to the firewalls’ trusted interfaces.
+ # See https://forgejo.org/docs/next/admin/actions/runner-installation/#nixos
+ networking.firewall.trustedInterfaces = ["br-+"];
+}
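Review bot: The `nixos-latest:host` entry in the `labels` list runs workflow steps directly on this machine as `gitea-runner`, with `nix` and the rest of `hostPackages` available and no container boundary, so every repository this runner is registered for can execute arbitrary commands on the host; nothing in the hunk records that trust decision. I would document it next to the label, e.g. `# host label: jobs run unsandboxed as gitea-runner on this machine; register this runner only for repositories whose workflows are trusted.` `networking.firewall.trustedInterfaces = ["br-+"]` also does more than the existing comment suggests: it bypasses the firewall for every bridge interface, so any container on a podman bridge can reach all host-bound ports, not only the cache endpoint, which deserves a sentence in that comment or a narrower rule later. `DynamicUser = lib.mkForce false` would benefit from a one-line why as well (presumably so the static `gitea-runner` group can be granted read access to the `0440` token file).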
hosts/chaser-pardofelis/forgejo.nix
@@ -33,6 +33,9 @@
ENABLE_SSH_LOG = true; # Enable ssh log for fail2ban.
"logger.router.MODE" = "Error";
};
+ actions = {
+ ENABLED = true;
+ };
};
};
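Review bot: `actions.ENABLED = true` switches Actions on for the whole instance, and with the host-label runner added in the same commit that means repository workflows gain code execution on the host; no other `[actions]` key is set in this hunk. If `DEFAULT_ACTIONS_URL` is not configured elsewhere, `uses:` references resolve against Forgejo's default upstream, which is a supply-chain trust choice worth stating here, e.g. `# Actions enabled instance-wide; the runner (host + docker labels) is defined in forgejo-runner.nix.` The enclosing `settings` attribute set begins outside the hunk.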
secrets/hosts/pardofelis/default.nix
@@ -65,6 +65,10 @@ in
name = "restic-backup-password";
value = {key = "services/restic/password";} // secretFileConf;
}
+ {
+ name = "forgejo-runner-token";
+ value = {key = "services/forgejo-runner/token";} // secretFileConf;
+ }
# === GoToSocial === #
{
name = "gotosocial-s3-endpoint";
secrets/hosts/pardofelis/secrets.yaml
@@ -7,6 +7,8 @@ services:
defaultUserPassword: ENC[AES256_GCM,data:go37FcBdkPaI3o9ufWWSe4csncSBXl7Sna1lOU9xCxc=,iv:uslyMRqDLmJp9al4kz+F/f8tcyAzpBtnRHRNaz5E+1U=,tag:cs/laSyPWy0GHN3bMO8FRQ==,type:str]
grafana:
adminPassword: ENC[AES256_GCM,data:GSD4lXMBxnzbmWluPp0J4Y7EDOnutCZq,iv:MqyKSHZk2RkPEo07SQxYYYZir+DPwWSjwwWVfeP8kqQ=,tag:VVJFT5HQquF6fOp7aOINSA==,type:str]
+ forgejo-runner:
+ token: ENC[AES256_GCM,data:gm23RUL8LVnq6prQFjX+mk2NlcURJuRdlOOzDjM6brjPOi4Rxy4dZw==,iv:OsRpBP5SEdHSHiCAVS7FJhAlnuBODc66Ap+Fty9fhZo=,tag:7Ez+qNe/w18DGJT+neZSHA==,type:str]
gotosocial:
s3Endpoint: ENC[AES256_GCM,data:zUe0nDSW1T9i3YOq2Cao87nM4I05yquKMLsD7gMKYJ/M8bj9usBiFr3aAOW5mEiATzSy4VtupTDT,iv:UluVNVCcF1LUWYJWlCVS4y197TSuD34MNuUC7Mr+Tjg=,tag:AyLcTDPZoleKSMDX39ApBg==,type:str]
s3AccessKey: ENC[AES256_GCM,data:2hOwCwYROPZ/ZBs+QHjuaHZR8DZdBoz96Dh0g6ohFpg=,iv:6FGLKG+Y9/8tFqLsC+h7oBbT2HkMBDF1zobv61/a6j0=,tag:0OZ5KpK3P47ZqyEWdUEGRQ==,type:str]
@@ -56,8 +58,8 @@ sops:
SENxSmtOQUlWaFg4Tys2MU91UklURW8K8VUSmBV87SBHVtTfJJrEbX3KtxtPT+nd
a0lbIgNit5pZu5uQVwiuENuPA3K+/3Uo0AIVRxkHJC8ZVqrjXeHhvw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-08-10T14:20:06Z"
- mac: ENC[AES256_GCM,data:m6sAok3FG2t53PoFCBWwiwiRbYwMAT0efRsEq/vtrfqdMRwvXgTpzmmfWE18x/06O3jbp54ZXT1nojh+moNvaDGGU4nvx65x/rsOiZd34pvnkKDvbLfttoPAh8AUBXDVN4FFO1cpOpPvDg47iYmqUtyoOALxOYz82pqcoBK2n0E=,iv:L+LjA2gEg7ojRQhkpV9hkUVcdtDGxzXjgUVaDu4Z0vU=,tag:uw8it18V+4B6J3r8weJmew==,type:str]
+ lastmodified: "2025-08-12T15:14:50Z"
+ mac: ENC[AES256_GCM,data:AoLnacVVUAhndQEOfb28d2MnlHA+l9RC0vDHBEJ4qU9y3AT4zx910nqR/dtECxZ2V4PIPdN4hCOnx35Nda8pxd18IoGPoSOH5SxnIl0TmJ/9T08in6F5vUM3ZZU3JjBURxrZNFmEenEOg6l7oWgCjLW4dwxQeXmxOejlNE37i0g=,iv:Tk/2dvCQXCi6MkY1RcVrBqc2fe/dOb7c5TVo3q+ibEI=,tag:qkWAciu1L2E9eb16Z9vIGA==,type:str]
pgp:
- created_at: "2025-08-06T11:08:38Z"
enc: |-