diff --git a/hosts/trinkgenossin/default.nix b/hosts/trinkgenossin/default.nix
index a1699f1..0ef346c 100644
--- a/hosts/trinkgenossin/default.nix
+++ b/hosts/trinkgenossin/default.nix
@@ -7,6 +7,7 @@
 ./networking.nix
 ./wireguard.nix
+ ./forgejo-actions-runner.nix
 #./backups.nix
 ];
 }
diff --git a/hosts/trinkgenossin/forgejo-actions-runner.nix b/hosts/trinkgenossin/forgejo-actions-runner.nix
new file mode 100644
index 0000000..efac672
--- /dev/null
+++ b/hosts/trinkgenossin/forgejo-actions-runner.nix
@@ -0,0 +1,58 @@
+{
+ config,
+ pkgs,
+ lib,
+ flake,
+ ...
+}:
+let
+ hostname = config.networking.hostName;
+in
+{
+ age.secrets."forgejo-actions-runner-token.age" = {
+ file = "${flake.self}/secrets/trinkgenossin-forgejo-actions-runner-token.age";
+ mode = "440";
+ };
+
+ # Trust docker bridge interface traffic
+ # Needed for the docker runner to communicate with the act_runner cache
+ networking.firewall.trustedInterfaces = [ "br-+" ];
+
+ users.users.gitea-runner = {
+ home = "/var/lib/gitea-runner/${hostname}";
+ useDefaultShell = true;
+ group = "gitea-runner";
+ # Required to interact with nix daemon
+ extraGroups = [ "wheel" ];
+ isSystemUser = true;
+ };
+
+ users.groups.gitea-runner = { };
+
+ systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+ systemd.services."gitea-runner-${hostname}" = {
+ serviceConfig.DynamicUser = lib.mkForce false;
+ };
+
+ # forgejo actions runner
+ # https://forgejo.org/docs/latest/admin/actions/
+ # https://docs.gitea.com/usage/actions/quickstart
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances."${hostname}" = {
+ enable = true;
+ name = hostname;
+ url = "https://git.pub.solar";
+ tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
+ labels = [
+ # provide a debian 12 bookworm base with Node.js for actions
+ "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+ # fake the ubuntu name, commonly used in actions examples
+ "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+ # alpine with Node.js
+ "alpine-latest:docker://node:20-alpine"
+ ];
+ };
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9bf2f9d..99ee152 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
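Review bot: `extraGroups = [ "wheel" ];` on the gitea-runner user grants far more than the "interact with nix daemon" comment suggests — on NixOS `@wheel` is in `nix.settings.trusted-users` by default, and a trusted user can pass arbitrary daemon options (extra substituters, sandbox off, unsigned store imports) and is effectively root, while the jobs this runner executes are untrusted repository workflows. Plain `nix build`/`nix-shell` through the daemon does not require trust (the socket is open to every user in `allowed-users`, `*` by default), so the line can most likely be dropped; if a trusted caller is genuinely required, grant it explicitly and narrowly with `nix.settings.trusted-users = [ "gitea-runner" ];` plus a comment stating that this is root-equivalent, rather than via `wheel`, which is also the default sudo group. `networking.firewall.trustedInterfaces = [ "br-+" ];` has the same breadth problem: every job container can reach any host service listening on all interfaces, not only the act_runner cache; if the cache port is fixed in the runner settings, `networking.firewall.interfaces."br-+".allowedTCPPorts` limited to that port would be the narrower grant. The image labels pin only mutable tags (`20-bookworm`, `node:20-alpine`), so what actually runs on the runner can change under you; adding `@sha256:` digests would pin it, assuming the runner accepts digest references in labels.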
@@ -60,6 +60,7 @@ in
 "keycloak-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "tankstelle-forgejo-actions-runner-token.age".publicKeys = tankstelleKeys ++ adminKeys;
+ "trinkgenossin-forgejo-actions-runner-token.age".publicKeys = trinkgenossinKeys ++ adminKeys;
 "forgejo-database-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "forgejo-mailer-password.age".publicKeys = nachtigallKeys ++ adminKeys;
 "forgejo-ssh-private-key.age".publicKeys = nachtigallKeys ++ adminKeys;
diff --git a/secrets/trinkgenossin-forgejo-actions-runner-token.age b/secrets/trinkgenossin-forgejo-actions-runner-token.age
new file mode 100644
index 0000000..3ea5375
--- /dev/null
+++ b/secrets/trinkgenossin-forgejo-actions-runner-token.age
@@ -0,0 +1,43 @@ +age-encryption.org/v1 +-> ssh-ed25519 NID4eA G60TNVhWvI+QzXInAd8kg8j0+EE1cR+6atLIiw1VyDs +KCBzEW/BYOof8NBZcr12iMddmd5Tig8YuGIG6jGG1pg +-> ssh-ed25519 uYcDNw mqqw6npuWLyo++kS8jR/5Q6lfL6li9AM3obvA+nXSRg +8WKsgwSxkgRDDZfGIMqbEhZHFVDQEcn7Sfe2rwIIvDY +-> ssh-rsa f5THog +Ili0z1+VgwarPNwCFymp0e6slngNzePjqxrIGpwKyN2o4nVnlxDfSFz0CShdBIRf +IzOFJmxjjAfSFMvC79py9lb9mP1fcLx08TKMHQUHZY0yjSPtpN94dVTVPOtXVcB0 +PTeUUD/95Toij0JNhkS95TAcd95h6ha5SH0OtcojqAKqRKZSymR1zWNh64KG50tr +OE2uHCySjHGPQ+mczguKfSO1803yuG+ACf9GJmykXIPhi9AY6AuQOfOvvBoe883z +YKhPbbhfQ2gI9JmQdRb43vznGIjbG++EDuSpbNBWcLpKuOGbNvZTKzDHFFvu/wau +nKAg+SsIGwS5jyYSPG6w0JA2i54u0GcbJJep1aqnvZHmgV2FZ/QXOCe7G4tnHguP +QyHaTk4c0sWW+qS+3mDvctpUGpIr/By4xg5txNSiO7kG2cKkLfU34bmaL3kE91RU +qvyUSu0qSoq40HKQfj+DUyJ4qKb4Nj3fabY2l9oQr+ztp1yZuQd9A+wvzOvcKw8G +PWCHkRT7DLsa9DqsZvOGDWpV99OHH43xUszq8kezO+bygTQkdqrBB/0z74WfcUl/ +D6TPx6VMS3UWiMWHMknwSwmqffSK0TT3q0CxwFl45JhRKSp3tUM4dfRa11PEBkbU +5fWizRSBqrTdHabwU4bhsUi45SGxfPT0oEc1xHpx7g8 +-> ssh-rsa kFDS0A +L9sqpzeiodEU1RVAmkqdqGWyOU3sSTy6ncNWA8P0CRlOakDTqJNbZf/XzfbT0SSN +AA2wZ37+bdWAR64aW0wugbUQOhnhzDoSpxqIxT77eucc3I+tP+cwyNo5hRXHRe68 +T8qjBxG8iGSdqgzQ+Tkskfy38A6bV6zhUDpBNTeXY3UdtyxgjicLq5WZ0Yx38e+1 +/wdqpTC/OOJpnTb60s1iR5zAgeqh0y/QR2iGqYyt3h1nt2LRru4iUPa/9rPqSrVu +f35HeHQEEYTdWFyqc6PM0753f75mtg5EAj1mdv4o1TAoYf0ck2AGSbLSNEJCh+GU +hu20PVEG8OwbB8IvwE3DH2Qt8MXSDS3+6hiLyXJbK5U58Tm+h51B7MISCSOw9S0S +8ctDipFxYZwc7PAckEHndDl8OYe2yp9W5j0gwTyHV1so9hwEpXEHJ1abgUlBAQGI +Lm2J2C4/hz5oyzAIkOiYzkJ7gBiVZi8wI97EXiq0BFGvmdkn1VLn3XtTYahXdNzi +Gz4vp5J9NLhtJhrETkcX4r0EUYv+j4er3RNALvWzlTmZ3EEoA4ptugGF8SLweiZX +zZrWcE/moeilnC8bmzf1hnCOwE6fQHWultbZbPKQNbim1BrZC6C8bvYiFY1AkR/W +UDjSRA7Hydb2wqGkElDdjRk7Ezbth5sA3sZManG01XM +-> piv-p256 vRzPNw AxYR6N9jLofIa1qwSR9Ft7N9ITC01Us0uPwjQHx6YqTG +rRuEsVxmefZ1EZcH6lbUSvPEKsNGA0KnLCrHDng8gGM +-> piv-p256 zqq/iw As0et/SUsQcWKnGWCaEHs8Al3o7hghcIhAlttuUEmJTw +pXIrNBmaNq6DZ27F8vASQIOCqEQMA/AWkl4Jtcbasdo +-> ssh-ed25519 YFSOsg xC7ALIoz9Shq+6AFye6OUenRhsHXKvKNCpz8RjEbxVE 
+PVUuHJVa/BSASGS7JUE6lHYop8tAi+LOkJo/iDNatHQ +-> ssh-ed25519 iHV63A zKjNyuhtPAMTyd+9jGYaD4wkx4NO8MlDGw+cHqg+8Fo +8Zlli5FfeSM862nKQVe8hBpl3dEozghw6Tnw+/xCD38 +-> ssh-ed25519 BVsyTA 2LOd7Ef2fIDA1UC0bob18itdA6MaIng1onJPVYrRnV4 +Lkm42Jw4N+442LsFUSyIhnlvFySfeHbS42OhHv6wCPU +-> ssh-ed25519 +3V2lQ 0xjkyKGk+tCmBgYOrDfnK3Pq+++ZcbUCTtdCJEmgXkU +1BqLJpq7z85P0thWO1IY4ZfHCbHRSOMdKIyfUs3QI5c +--- kht+vkycoDy8VjM63ohrTYHSfNz15+UzrNEVirhbMsk +�l��Q��*qG�qJ�bW��PD2�y�a��]���!�^�%���!v_3��������p��r#�z��I�d \ No newline at end of file