diff --git a/hosts/ude/default.nix b/hosts/ude/default.nix
index 03be8af..cf0db3d 100644
--- a/hosts/ude/default.nix
+++ b/hosts/ude/default.nix
@@ -8,6 +8,7 @@
 imports = [
 "${modulesPath}/profiles/qemu-guest.nix"
 ./disks.nix
+./github-runner.nix
 ];
 
 nixpkgs.hostPlatform = "aarch64-linux";
diff --git a/hosts/ude/github-runner.nix b/hosts/ude/github-runner.nix
new file mode 100644
index 0000000..dbd204d
--- /dev/null
+++ b/hosts/ude/github-runner.nix
@@ -0,0 +1,27 @@
+{config, ...}: let
+github-runner-user = "github-runner";
+in {
+age.secrets.github-token = {
+file = ../../secrets/github-token.age;
+owner = github-runner-user;
+};
+
+services.github-runners.settei = {
+enable = true;
+tokenFile = config.age.secrets.github-token.path;
+url = "https://github.com/nrabulinski/settei";
+ephemeral = true;
+user = github-runner-user;
+serviceOverrides = {
+DynamicUser = false;
+};
+};
+
+users = {
+users.${github-runner-user} = {
+isSystemUser = true;
+group = github-runner-user;
+};
+groups.${github-runner-user} = {};
+};
+}
diff --git a/secrets/github-token.age b/secrets/github-token.age
new file mode 100644
index 0000000..5eb65a0
--- /dev/null
+++ b/secrets/github-token.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 IFuY+w UcPjVl8nIr6sgfsxOrYmgi46rAsfdCRy9iTGkQAOaSE
+vKislIP2yoQahKTpAE0d8P3ZdyyCHThy4u6vshtOQAI
+-> ssh-ed25519 GKhvwg 2ZS+VXjZFBj3n9RoJD8Ynn6Rur6Abs5loOtebFIang0
+/47vHgkd8KPnM1sPWjqFDSdTk3LiUQNmO9X0HodHjS8
+--- MBuCzebM317ShOJsMaGMdUR83avwx/Ig84l1q2Fv6Ng
+0ˀC;d-Ҕ1 "%?WbQ%kWU3}-yM,@_\ QUoPmJ
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index a9c84d3..2a5dd38 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -55,4 +55,8 @@ in {
 keys.system.kazuki
 keys.other.bootstrap
 ];
+"github-token.age".publicKeys = [
+keys.system.ude
+keys.other.bootstrap
+];
 }
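Review bot: In github-runner.nix the token secret is readable by the same account the runner executes jobs as — `owner = github-runner-user` on the agenix secret and `user = github-runner-user` on the service — so, unless the module restricts access further, a workflow step scheduled on this runner can presumably read the token at `config.age.secrets.github-token.path` while it runs. `ephemeral = true` keeps a registration from outliving one job but does not bound what a job can do with the token during that job; how much this matters depends on the token's scope (a short-lived registration token is far less exposed than a long-lived PAT), which the diff does not show, so it is worth recording in a comment next to `tokenFile`. The `DynamicUser = false` override also deserves a why-comment, since it appears to exist so the static user can read an owner-restricted secret: `# static user: the agenix secret is owner-only, which a DynamicUser could not map onto`. If settei is a public repository, self-hosted runners also pick up workflow runs from pull requests, so the repository's fork-approval setting decides who can run code on ude; a one-line note on that would help the next maintainer.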