obs-portal: init obs-portal on nachtigall

This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.

.forgejo/workflows/check.yml

@@ -24,26 +24,48 @@ jobs:
           echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
 
       - name: Restore and cache Nix store
-        uses: https://github.com/nix-community/cache-nix-action@v5
+        uses: https://github.com/nix-community/cache-nix-action@v4.0.3
         id: nix-store-cache
         with:
-          primary-key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
-          restore-prefixes-first-match: |
+          key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
+          restore-keys: |
             cache-${{ runner.os }}-nix-store-
 
           gc-linux: true
           gc-max-store-size-linux: 10000000000
 
-          purge: true
-          purge-prefixes: cache-${{ runner.os }}-nix-store-
-          purge-created: 42
+          purge-caches: true
+          purge-key: cache-${{ runner.os }}-nix-store-
+          purge-created: true
+          purge-created-max-age: 42
 
       - name: Prepare cachix
         uses: https://github.com/cachix/cachix-action@v14
         with:
           name: pub-solar
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          useDaemon: false
 
       - name: Run flake checks
         run: |
+          # Prevent cache garbage collection by creating GC roots
+          for target in $(nix flake show --json --all-systems | jq '
+            .["nixosConfigurations"] |
+            to_entries[] |
+            .key
+            ' | tr -d '"'
+          ); do
+            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+              build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel"
+          done
+
           nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
+
+          # Add GC roots for flake inputs, too
+          # https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407
+          mkdir --parents "$NIX_USER_PROFILE_DIR"
+          gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
+          echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
+          nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do
+            eval "$line"
+          done

hosts/flora-6/apps/forgejo-actions-runner.nix

@@ -13,16 +13,43 @@
   # Needed for the docker runner to communicate with the act_runner cache
   networking.firewall.trustedInterfaces = [ "br-+" ];
 
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/flora-6";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = {};
+
+  systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
+    DynamicUser = lib.mkForce false;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
+    "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
+  ];
+
   # forgejo actions runner
   # https://forgejo.org/docs/latest/admin/actions/
   # https://docs.gitea.com/usage/actions/quickstart
   services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
+    package = pkgs.forgejo-runner;
     instances."flora-6" = {
       enable = true;
       name = config.networking.hostName;
       url = "https://git.pub.solar";
       tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+      settings = {
+        cache = {
+          enabled = true;
+          dir = "/data/gitea-actions-runner/actcache";
+          host = "";
+          port = 0;
+          external_server = "";
+        };
+      };
       labels = [
         # provide a debian 12 bookworm base with Node.js for actions
         "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"

overlays/default.nix

@@ -13,6 +13,7 @@
               };
             in
             {
+              forgejo-runner = unstable.forgejo-runner;
               element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
             })
         ];

secrets/secrets.nix

@@ -1,4 +1,5 @@
 let
+<<<<<<< HEAD
   admins = import ../logins/admins.nix;
 
   nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";