Add forgejo runner

2025-07-29 11:07:44 +00:00 · 2024-02-07 12:46:48 +03:00 · 2024-02-07 12:46:48 +03:00 · 8dfcd01ce5
commit 8dfcd01ce5
parent 7236216e85
5 changed files with 73 additions and 7 deletions
--- a/hosts/cube/forgejo.nix
+++ b/hosts/cube/forgejo.nix
@ -1,11 +1,12 @@
-{ config, ulib, ... }: with ulib;
+{ config, ulib, pkgs, ... }: with ulib;

 let
  inherit (config.networking) domain;

  fqdn = "git.${domain}";
 in serverSystemConfiguration {
-  age.secrets."cube/password.mail.forgejo".owner = "forgejo";
+  age.secrets."cube/password.mail.forgejo".owner   = "forgejo";
+  age.secrets."cube/password.runner.forgejo".owner = "forgejo";

  services.postgresql = {
    ensureDatabases = [ "forgejo" ];
@ -15,6 +16,46 @@ in serverSystemConfiguration {
    }];
  };

+  users.groups.gitea-runner = {};
+  users.users.gitea-runner  = systemUser {
+    extraGroups = [ "docker" ];
+    group       = "gitea-runner";
+    home        = "/var/lib/gitea-runner";
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+
+    instances.runner-01 = enabled {
+      name = "runner-01";
+      url  = fqdn;
+
+      labels = [
+        "debian-latest:docker://node:18-bullseye"
+        "ubuntu-latest:docker://node:18-bullseye"
+        "act:docker://ghcr.io/catthehacker/ubuntu:act-latest"
+      ];
+
+      tokenFile = config.age.secrets."cube/password.runner.forgejo".path;
+
+      settings = {
+        cache.enabled     = true;
+        capacity          = 4;
+        container.network = "host";
+      };
+
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gitMinimal
+        sudo
+        wget
+      ];
+    };
+  };
+
+
  services.forgejo = enabled {
    lfs = enabled {};

@ -30,10 +71,10 @@ in serverSystemConfiguration {
    in {
      default.APP_NAME = description;

-      # actions = {
-      #   ENABLED = true;
-      #   DEFAULT_ACTIONS_URL = "https://${fqdn}";
-      # };
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://${fqdn}";
+      };

      attachment.ALLOWED_TYPES = "*/*";

--- a/hosts/cube/podman.nix
+++ b/hosts/cube/podman.nix
@ -0,0 +1,15 @@
+{ ulib, ... }: with ulib;
+
+serverSystemConfiguration {
+  virtualisation.podman = enabled {
+    dockerCompat = true;
+    dockerSocket = enabled {};
+
+    defaultNetwork.settings.dns_enabled = true;
+
+    autoPrune = enabled {
+      dates = "daily";
+      flags = [ "--all" ];
+    };
+  };
+}
--- a/lib/values.nix
+++ b/lib/values.nix
@ -7,6 +7,10 @@
    isNormalUser = true;
  };

+  systemUser = attributes: attributes // {
+    isSystemUser = true;
+  };
+
  graphicalUser = attributes: attributes // {
    isNormalUser = true;
    extraGroups  = [ "graphical" ] ++ attributes.extraGroups or []; 
--- a/secrets/cube/password.runner.forgejo.age
+++ b/secrets/cube/password.runner.forgejo.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 +rZ0Tw rraoMjYwD6IIkmgyiDKlij2+bLqY5PNyMU5IPQ4mvjI
+/yttaAf7neHJ69LYh6p33gRBXIZA4oxWS5DDMnfOhhM
+--- o+/I/vPxFdL9orC3PsBTazOrwG6Le8uLMUYiHE4XMj8
+¬¨<EFBFBD>
±]}ÍWž{[a'mdú€AÈU‰Ô¬ì7z*ÌY9"èÍ|±1dvùQxcŸ¶Ç“<C387>à"®0ñÆÔpÖò¿Œr½:ÇÅÑ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -15,7 +15,8 @@ in with keys; {

  "cube/password.acme.age".publicKeys = key cube;

-  "cube/password.mail.forgejo.age".publicKeys = key cube;
+  "cube/password.mail.forgejo.age".publicKeys   = key cube;
+  "cube/password.runner.forgejo.age".publicKeys = key cube;

  "cube/password.grafana.age".publicKeys      = key cube;
  "cube/password.mail.grafana.age".publicKeys = key cube;