forgejo-actions-runner: init module, add to ryzensun

2024-11-07 10:22:35 +01:00 · 2024-11-07 10:22:35 +01:00 · 2aabad4062
parent c0b1e6088d
commit 2aabad4062
4 changed files with 60 additions and 0 deletions
--- a/modules/default.nix
+++ b/modules/default.nix
@ -10,6 +10,7 @@
      desktop-extended = import ./desktop-extended;
      docker = import ./docker;
      #email = import ./email;
+      forgejo-actions-runner = import ./forgejo-actions-runner;
      #gaming = import ./gaming;
      graphical = import ./graphical;
      invoiceplane = import ./invoiceplane;
--- a/modules/forgejo-actions-runner/default.nix
+++ b/modules/forgejo-actions-runner/default.nix
@ -0,0 +1,58 @@
+{
+  config,
+  pkgs,
+  lib,
+  flake,
+  ...
+}:
+let
+  hostname = config.networking.hostName;
+in
+{
+  age.secrets."forgejo-actions-runner-token.age" = {
+    file = "${flake.self}/secrets/forgejo-actions-runner-token.age";
+    mode = "440";
+  };
+
+  # Trust docker bridge interface traffic
+  # Needed for the docker runner to communicate with the act_runner cache
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/${hostname}";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    # Required to interact with nix daemon
+    extraGroups = [ "wheel" ];
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = { };
+
+  systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+  systemd.services."gitea-runner-${hostname}" = {
+    serviceConfig.DynamicUser = lib.mkForce false;
+  };
+
+  # forgejo actions runner
+  # https://forgejo.org/docs/latest/admin/actions/
+  # https://docs.gitea.com/usage/actions/quickstart
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances."${hostname}" = {
+      enable = true;
+      name = hostname;
+      url = "https://git.pub.solar";
+      tokenFile = config.age.secrets."forgejo-actions-runner-token.age".path;
+      labels = [
+        # provide a debian 12 bookworm base with Node.js for actions
+        "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # fake the ubuntu name, commonly used in actions examples
+        "ubuntu-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"
+        # alpine with Node.js
+        "alpine-latest:docker://node:20-alpine"
+      ];
+    };
+  };
+}
--- a/secrets/forgejo-actions-runner-token.age
+++ b/secrets/forgejo-actions-runner-token.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -26,6 +26,7 @@ in
  "mnx-bonanza-pf1.p12.age".publicKeys = allKeys;
  "docker-ci-runner-secrets.age".publicKeys = allKeys;
  "test-secret.age".publicKeys = [ users.teutat3s-5-nfc ];
+  "forgejo-actions-runner-token.age".publicKeys = allKeys;
  "hosting-de-acme-secrets.age".publicKeys = [
    machines.fae
    users.teutat3s