services/forgejo-runner: init

2025-03-18 23:58:46 +01:00 · 2025-03-18 23:58:46 +01:00 · b97f24c12c
commit b97f24c12c
parent 21920907fe
4 changed files with 56 additions and 0 deletions
--- a/secrets/forgejo-token.age
+++ b/secrets/forgejo-token.age
@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 rA7dkQ tnp92QTb/uXAEizZuUrnaGcJCCkCSjIcE4RiQiYVdw8
+HXsRlqJSrDYaAeYslcR+g5KIQC1SUxFp+QdSHpKT61s
+-> ssh-ed25519 IFuY+w LI7kx/XwfF0JU8tSmW75nxpeLTUkEfY8NunAZljafCc
+f+WEjASZzP9ISv+7kPIMVNgEjdHUxVnLzUkqFHo4byY
+-> ssh-ed25519 GKhvwg EZDwzHfhaY0iHHeIDvm6BIY64kPPUgKjZnNuuwwqoAw
+FvZEeIqnsFA1fQka4R7sax1O13UZWoVbksSMLP3eEaA
+--- XBBcs7w5J7w01fKGoAXVTgOffS9ajheUMz3vDsxHgTo
+¼›g´ÕöØ¤ƒRn´lè¥gÃ’ÅÁA˜*%ÇYªr¯í
9}³=L~f7„¶ZgâxŠèœ
>¦ Rë}hQ›óõz`rÅZèØñ
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -92,4 +92,9 @@ in
    keys.system.youko
    keys.other.bootstrap
  ];
+  "forgejo-token.age".publicKeys = [
+    keys.system.youko
+    keys.system.ude
+    keys.other.bootstrap
+  ];
 }
--- a/services/default.nix
+++ b/services/default.nix
@ -1,5 +1,6 @@
 {
  imports = [
    ./attic.nix
+    ./forgejo-runner.nix
  ];
 }
--- a/services/forgejo-runner.nix
+++ b/services/forgejo-runner.nix
@ -0,0 +1,41 @@
+{
+  services.forgejo-runner = {
+    hosts = [
+      "ude"
+      "youko"
+    ];
+    config =
+      { config, pkgs, ... }:
+      {
+        age.secrets.forgejo-runner-token.file = ../secrets/forgejo-token.age;
+
+        services.gitea-actions-runner = {
+          package = pkgs.forgejo-actions-runner;
+          instances.default = {
+            enable = true;
+            name = config.networking.hostName;
+            url = "https://git.rab.lol";
+            tokenFile = config.age.secrets.forgejo-runner-token.path;
+            settings = {
+              container.network = "bridge";
+            };
+            labels = [
+              "ubuntu-latest:docker://node:16-bullseye"
+              "ubuntu-22.04:docker://node:16-bullseye"
+              "ubuntu-20.04:docker://node:16-bullseye"
+              "ubuntu-18.04:docker://node:16-buster"
+              "native:host"
+              "native-${pkgs.system}:host"
+            ];
+          };
+        };
+
+        virtualisation.podman = {
+          enable = true;
+          defaultNetwork.settings.dns_enabled = true;
+        };
+
+        networking.firewall.trustedInterfaces = [ "podman+" ];
+      };
+  };
+}