hosts/ude: add github-runner module

hosts/ude/default.nix

@@ -8,6 +8,7 @@
     imports = [
       "${modulesPath}/profiles/qemu-guest.nix"
       ./disks.nix
+      ./github-runner.nix
     ];
 
     nixpkgs.hostPlatform = "aarch64-linux";

hosts/ude/github-runner.nix

@@ -0,0 +1,27 @@
+{config, ...}: let
+  github-runner-user = "github-runner";
+in {
+  age.secrets.github-token = {
+    file = ../../secrets/github-token.age;
+    owner = github-runner-user;
+  };
+
+  services.github-runners.settei = {
+    enable = true;
+    tokenFile = config.age.secrets.github-token.path;
+    url = "https://github.com/nrabulinski/settei";
+    ephemeral = true;
+    user = github-runner-user;
+    serviceOverrides = {
+      DynamicUser = false;
+    };
+  };
+
+  users = {
+    users.${github-runner-user} = {
+      isSystemUser = true;
+      group = github-runner-user;
+    };
+    groups.${github-runner-user} = {};
+  };
+}

secrets/github-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 IFuY+w UcPjVl8nIr6sgfsxOrYmgi46rAsfdCRy9iTGkQAOaSE
+vKislIP2yoQahKTpAE0d8P3ZdyyCHThy4u6vshtOQAI
+-> ssh-ed25519 GKhvwg 2ZS+VXjZFBj3n9RoJD8Ynn6Rur6Abs5loOtebFIang0
+/47vHgkd8KPnM1sPWjqFDSdTk3LiUQNmO9X0HodHjS8
+--- MBuCzebM317ShOJsMaGMdUR83avwx/Ig84l1q2Fv6Ng
+Îå0“ÅË€©C¥;¨d-Žû
Ò”1
À"%?<02>WèÝÞb®Q%Ž¤k
àœWU3}º‚-µyM,ƒ@ô‡_¡â\‘ QU§oPmJ

secrets/secrets.nix

@@ -55,4 +55,8 @@ in {
     keys.system.kazuki
     keys.other.bootstrap
   ];
+  "github-token.age".publicKeys = [
+    keys.system.ude
+    keys.other.bootstrap
+  ];
 }