feat(gitea-actions-runner): init

hosts/sydpc/configuration.nix

@@ -26,6 +26,12 @@
     sydpkgs.overlay.enable = true;
     dank-material-shell.enable = true;
     kdeconnect.enable = true;
+    gitea-actions-runner.enable = true;
+
+    sops = {
+      enable = true;
+      keyFile = "/persist/private-keys/age/deertopia";
+    };
 
     steam = {
       enable = true;

modules/nixos/gitea-actions-runner.nix

@@ -0,0 +1,92 @@
+# Stolen from https://git.neet.dev/zuckerberg/nix-config/src/branch/master/common/server/gitea-actions-runner.nix
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sydnix.gitea-actions-runner;
+  container-name = "gitea-actions-runner";
+  gitea-actions-runner-uid = 991;
+  gitea-actions-runner-gid = 989;
+  token-file = config.sops.secrets.gitea-actions-runner-token.path;
+in {
+  options.sydnix.gitea-actions-runner = {
+    enable = lib.mkEnableOption "Gitea actions runner";
+  };
+
+  config = lib.mkIf cfg.enable {
+    sydnix.sops.secrets.gitea-actions-runner-token = {};
+
+    sydnix.impermanence.directories = [ "/var/lib/gitea-actions-runner" ];
+
+    containers.${container-name} = {
+      autoStart = true;
+      ephemeral = true;
+
+      bindMounts = {
+        ${token-file} = {
+          hostPath = token-file;
+          isReadOnly = true;
+        };
+        "/var/lib/gitea-actions-runner" = {
+          hostPath = "/var/lib/gitea-actions-runner";
+          isReadOnly = false;
+        };
+      };
+
+      config = { config, lib, pkgs, ... }: {
+        system.stateVersion = "25.11";
+
+        services.gitea-actions-runner.instances.sydpc = {
+          enable = true;
+          name = "sydpc";
+          url = "https://git.deertopia.net/";
+          tokenFile = token-file;
+          labels = [ "nixos:host" ];
+        };
+
+        # Disable dynamic user so runner state persists via bind mount
+        assertions = [{
+          assertion = config.systemd.services.gitea-actions-runner-sydpc.enable;
+          message = ''
+	    Expected systemd service 'gitea-actions-runner-sydpc' is not
+	    enabled — the gitea-actions-runner module may have changed
+	    its naming scheme.
+	  '';
+        }];
+        systemd.services.gitea-actions-runner-sydpc.serviceConfig.DynamicUser
+	  = lib.mkForce false;
+        users.users.gitea-actions-runner = {
+          uid = gitea-actions-runner-uid;
+          home = "/var/lib/gitea-actions-runner";
+          group = "gitea-actions-runner";
+          isSystemUser = true;
+          createHome = true;
+        };
+        users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+        environment.systemPackages = with pkgs; [
+          git
+          nodejs
+          jq
+          attic-client
+        ];
+      };
+    };
+
+    # Needs to be outside of the container because container uses's
+    # the host's nix-daemon
+    nix.settings.trusted-users = [ "gitea-actions-runner" ];
+
+    # Matching user on host — the container's gitea-actions-runner UID must be
+    # recognized by the host's nix-daemon as trusted (shared UID namespace)
+    users.users.gitea-actions-runner = {
+      uid = gitea-actions-runner-uid;
+      home = "/var/lib/gitea-actions-runner";
+      group = "gitea-actions-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+  };
+}

secrets.yaml

@@ -29,6 +29,7 @@ webdav-htpasswd: ENC[AES256_GCM,data:vHm47SS3ksHeoU5U1pSQxffb3pGpVxIc9ZtMUNw0igg
 anki-username: ENC[AES256_GCM,data:584uxjwyodM=,iv:/6HLSLzHgc77U1iN5JDLR9F+o8Nfe+cYGE+F8sQCW7g=,tag:yHVdfhRN6OpHDwpk4Ju6zA==,type:str]
 anki-password: ENC[AES256_GCM,data:plSKMTeeilKt6weAnzw/jMo65A==,iv:lzuPUt1+2Iwi9sHbaFj0OuBLd1p+Do2N5aCYXd45MFQ=,tag:WIABFp1T6NuIGpqqQFHmrg==,type:str]
 anki-sync-key: ENC[AES256_GCM,data:Ka4sPghPwmWQvdXw40ZRLogoMVTBjLnaSyHT9lTfn2XWHHqFAkANAg==,iv:bFkb/k7UUL8t26LjmQwiDYJpvq93NWuqUU/jNYkr7GQ=,tag:Mx5JdqjI3MDk7hsvOlPYIw==,type:str]
+gitea-actions-runner-token: ENC[AES256_GCM,data:JglbJ2hgXl1wV2bCkcged+D3UrpWMMBuX+ri6YeIqwLIlscvK/wVCdsxQZtDGw==,iv:BYhgfoIa/wHQkd4c7kU8AWAJQfpTfUvSamFXDBqQXTE=,tag:sIK1XxVPIU+uBGaJY3AmTQ==,type:str]
 sops:
     age:
         - recipient: age10fqh0td67alzpyjyhdex5ncj9thvaty506r0t63vs2nz4ldafgaqadl8mg
@@ -49,7 +50,7 @@ sops:
             TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp
             ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-23T15:12:17Z"
-    mac: ENC[AES256_GCM,data:vlp56uZgxZwiA6Qri55egCNfCwsRJDlo3Vu2PfgLy5VHrI2rA5lZOiW59qKqceoGmRPZQ1XZdIuYk8DjW29G22R4x1KTgPZuJ26jK6UP2SLE1cw7Bf18pd064kE5PsjKhxKOUEuA37Ep+NsMuOtT3hmkwIIz0u4KiiQkuvmxW4U=,iv:w41pRF10xrEpt7fGyyZ9bEvA4OXL/rAaOH9rk24jm7Q=,tag:tK2VurAAwNnNXE/mgbLNyA==,type:str]
+    lastmodified: "2026-03-01T08:57:03Z"
+    mac: ENC[AES256_GCM,data:uNqk+x+nLgDUdHI5flUuXF/vGnkMpUUhdFfkOULm+bebkPL6PI5kJHV78GPs+aA9BPCmTvomgGe51zvyJFRcH3gBJ2bF5YfdC0ROrRbZS4KYIuZwrELf77zq73MbIFt//BTpDYK4cUC8CPRoAEwtoTG6lyHbxcAk4+B5w2NFfN8=,iv:rFaEaav1LHrhtKtiRfIqHTj5+cOBv3lC1UyqEvOoUsg=,tag:x/4n+rcQxd+neQGLcXa66g==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0