infra/hosts/flora-6/apps/forgejo-actions-runner.nix
teutat3s fa9ce9d435
gitea-actions-runner: don't run as systemd DynamicUser
to enable usage of cache outside of /var/lib/private
2024-04-23 15:42:33 +02:00

66 lines
1.9 KiB
Nix

{ config
, lib
, pkgs
, flake
, ...
}: {
age.secrets.forgejo-actions-runner-token = {
file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
mode = "644";
};
# Trust docker bridge interface traffic
# Needed for the docker runner to communicate with the act_runner cache
networking.firewall.trustedInterfaces = [ "br-+" ];
users.users.gitea-runner = {
home = "/var/lib/gitea-runner/flora-6";
useDefaultShell = true;
group = "gitea-runner";
isSystemUser = true;
};
users.groups.gitea-runner = {};
systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
DynamicUser = lib.mkForce false;
};
systemd.tmpfiles.rules = [
"d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
"d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
];
# forgejo actions runner
# https://forgejo.org/docs/latest/admin/actions/
# https://docs.gitea.com/usage/actions/quickstart
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances."flora-6" = {
enable = true;
name = config.networking.hostName;
url = "https://git.pub.solar";
tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
settings = {
cache = {
enabled = true;
dir = "/data/gitea-actions-runner/actcache";
host = "";
port = 0;
external_server = "";
};
};
labels = [
# provide a debian 12 bookworm base with Node.js for actions
"debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# fake the ubuntu name, commonly used in actions examples
"ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
# alpine with Node.js
"alpine-latest:docker://node:20-alpine"
# nix flakes enabled image with Node.js
"nix-flakes:docker://git.pub.solar/pub-solar/nix-flakes-node:latest"
];
};
};
}