ci: run actions runner as normal user

.forgejo/workflows/check.yml

@@ -8,13 +8,6 @@ jobs:
       - name: Check out repository code
         uses: https://code.forgejo.org/actions/checkout@v4
 
-      - name: Prepare cachix
-        uses: https://github.com/cachix/cachix-action@v14
-        with:
-          name: pub-solar
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-          useDaemon: false
-
       - name: Check formatting
         run: |
           nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change

hosts/tankstelle/forgejo-actions-runner.nix

@@ -15,7 +15,24 @@
   # Needed for the docker runner to communicate with the act_runner cache
   networking.firewall.trustedInterfaces = [ "br-+" ];
 
-  systemd.services."gitea-runner-tankstelle".path = with pkgs; [
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/tankstelle";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    # Required to interact with nix daemon
+    extraGroups = [
+     "wheel"
+    ];
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = { };
+
+  systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+  systemd.services."gitea-runner-tankstelle" = {
+    serviceConfig.DynamicUser = lib.mkForce false;
+    path = with pkgs; [
       coreutils
       bash
       coreutils
@@ -25,7 +42,10 @@
       gnused
       nodejs
       wget
+      cachix
+      jq
     ];
+  };
 
   # forgejo actions runner
   # https://forgejo.org/docs/latest/admin/actions/