diff --git a/hosts/sydpc/configuration.nix b/hosts/sydpc/configuration.nix
index 92c1f25..fe824c5 100755
--- a/hosts/sydpc/configuration.nix
+++ b/hosts/sydpc/configuration.nix
@@ -26,6 +26,12 @@
 sydpkgs.overlay.enable = true;
 dank-material-shell.enable = true;
 kdeconnect.enable = true;
+ gitea-actions-runner.enable = true;
+
+ sops = {
+ enable = true;
+ keyFile = "/persist/private-keys/age/deertopia";
+ };
 
 steam = {
 enable = true;
diff --git a/modules/nixos/gitea-actions-runner.nix b/modules/nixos/gitea-actions-runner.nix
new file mode 100644
index 0000000..1b3f834
--- /dev/null
+++ b/modules/nixos/gitea-actions-runner.nix
@@ -0,0 +1,92 @@
+# Stolen from https://git.neet.dev/zuckerberg/nix-config/src/branch/master/common/server/gitea-actions-runner.nix
+{ config, lib, pkgs, ... }:
+
+let
+ cfg = config.sydnix.gitea-actions-runner;
+ container-name = "gitea-actions-runner";
+ gitea-actions-runner-uid = 991;
+ gitea-actions-runner-gid = 989;
+ token-file = config.sops.secrets.gitea-actions-runner-token.path;
+in {
+ options.sydnix.gitea-actions-runner = {
+ enable = lib.mkEnableOption "Gitea actions runner";
+ };
+
+ config = lib.mkIf cfg.enable {
+ sydnix.sops.secrets.gitea-actions-runner-token = {};
+
+ sydnix.impermanence.directories = [ "/var/lib/gitea-actions-runner" ];
+
+ containers.${container-name} = {
+ autoStart = true;
+ ephemeral = true;
+
+ bindMounts = {
+ ${token-file} = {
+ hostPath = token-file;
+ isReadOnly = true;
+ };
+ "/var/lib/gitea-actions-runner" = {
+ hostPath = "/var/lib/gitea-actions-runner";
+ isReadOnly = false;
+ };
+ };
+
+ config = { config, lib, pkgs, ... }: {
+ system.stateVersion = "25.11";
+
+ services.gitea-actions-runner.instances.sydpc = {
+ enable = true;
+ name = "sydpc";
+ url = "https://git.deertopia.net/";
+ tokenFile = token-file;
+ labels = [ "nixos:host" ];
+ };
+
+ # Disable dynamic user so runner state persists via bind mount
+ assertions = [{
+ assertion = config.systemd.services.gitea-actions-runner-sydpc.enable;
+ message = ''
+ Expected systemd service 'gitea-actions-runner-sydpc' is not
+ enabled — the gitea-actions-runner module may have changed
+ its naming scheme.
+ '';
+ }];
+ systemd.services.gitea-actions-runner-sydpc.serviceConfig.DynamicUser
+ = lib.mkForce false;
+ users.users.gitea-actions-runner = {
+ uid = gitea-actions-runner-uid;
+ home = "/var/lib/gitea-actions-runner";
+ group = "gitea-actions-runner";
+ isSystemUser = true;
+ createHome = true;
+ };
+ users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ environment.systemPackages = with pkgs; [
+ git
+ nodejs
+ jq
+ attic-client
+ ];
+ };
+ };
+
+ # Needs to be outside of the container because container uses's
+ # the host's nix-daemon
+ nix.settings.trusted-users = [ "gitea-actions-runner" ];
+
+ # Matching user on host — the container's gitea-actions-runner UID must be
+ # recognized by the host's nix-daemon as trusted (shared UID namespace)
+ users.users.gitea-actions-runner = {
+ uid = gitea-actions-runner-uid;
+ home = "/var/lib/gitea-actions-runner";
+ group = "gitea-actions-runner";
+ isSystemUser = true;
+ createHome = true;
+ };
+ users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+ };
+}
diff --git a/secrets.yaml b/secrets.yaml
index bdc7135..d34b43e 100644
--- a/secrets.yaml
+++ b/secrets.yaml
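Review bot: `nix.settings.trusted-users = [ "gitea-actions-runner" ]` makes the account that executes CI jobs a Nix trusted user, and with the `nixos:host` label act_runner runs workflow steps directly in the runner's own environment as that user, so any workflow this runner accepts can hand arbitrary daemon options (substituters, sandbox and build-hook settings) to the host's nix-daemon — the Nix manual describes trusted-user status as essentially root on the host, and `ephemeral = true` does not contain it because the daemon socket and UID are shared with the host. If trusted status is only needed so jobs can use the attic cache (the `attic-client` package suggests that, though the hunk does not show it), consider leaving the user untrusted and instead listing the cache under the host's `nix.settings.trusted-substituters` and `nix.settings.trusted-public-keys`, which is what lets an unprivileged user select it per build. At minimum the comment above the setting should state the consequence, e.g. `# NOTE: a trusted-user is root-equivalent on the host nix-daemon; every workflow this runner accepts runs as this user, so only register it with repositories whose workflows you trust`. The same comment has a typo, `uses's` → `uses`.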
@@ -29,6 +29,7 @@ webdav-htpasswd: ENC[AES256_GCM,data:vHm47SS3ksHeoU5U1pSQxffb3pGpVxIc9ZtMUNw0igg
 anki-username: ENC[AES256_GCM,data:584uxjwyodM=,iv:/6HLSLzHgc77U1iN5JDLR9F+o8Nfe+cYGE+F8sQCW7g=,tag:yHVdfhRN6OpHDwpk4Ju6zA==,type:str]
 anki-password: ENC[AES256_GCM,data:plSKMTeeilKt6weAnzw/jMo65A==,iv:lzuPUt1+2Iwi9sHbaFj0OuBLd1p+Do2N5aCYXd45MFQ=,tag:WIABFp1T6NuIGpqqQFHmrg==,type:str]
 anki-sync-key: ENC[AES256_GCM,data:Ka4sPghPwmWQvdXw40ZRLogoMVTBjLnaSyHT9lTfn2XWHHqFAkANAg==,iv:bFkb/k7UUL8t26LjmQwiDYJpvq93NWuqUU/jNYkr7GQ=,tag:Mx5JdqjI3MDk7hsvOlPYIw==,type:str]
+gitea-actions-runner-token: ENC[AES256_GCM,data:JglbJ2hgXl1wV2bCkcged+D3UrpWMMBuX+ri6YeIqwLIlscvK/wVCdsxQZtDGw==,iv:BYhgfoIa/wHQkd4c7kU8AWAJQfpTfUvSamFXDBqQXTE=,tag:sIK1XxVPIU+uBGaJY3AmTQ==,type:str]
 sops:
 age:
 - recipient: age10fqh0td67alzpyjyhdex5ncj9thvaty506r0t63vs2nz4ldafgaqadl8mg
@@ -49,7 +50,7 @@ sops:
 TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp
 ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-11-23T15:12:17Z"
- mac: ENC[AES256_GCM,data:vlp56uZgxZwiA6Qri55egCNfCwsRJDlo3Vu2PfgLy5VHrI2rA5lZOiW59qKqceoGmRPZQ1XZdIuYk8DjW29G22R4x1KTgPZuJ26jK6UP2SLE1cw7Bf18pd064kE5PsjKhxKOUEuA37Ep+NsMuOtT3hmkwIIz0u4KiiQkuvmxW4U=,iv:w41pRF10xrEpt7fGyyZ9bEvA4OXL/rAaOH9rk24jm7Q=,tag:tK2VurAAwNnNXE/mgbLNyA==,type:str]
+ lastmodified: "2026-03-01T08:57:03Z"
+ mac: ENC[AES256_GCM,data:uNqk+x+nLgDUdHI5flUuXF/vGnkMpUUhdFfkOULm+bebkPL6PI5kJHV78GPs+aA9BPCmTvomgGe51zvyJFRcH3gBJ2bF5YfdC0ROrRbZS4KYIuZwrELf77zq73MbIFt//BTpDYK4cUC8CPRoAEwtoTG6lyHbxcAk4+B5w2NFfN8=,iv:rFaEaav1LHrhtKtiRfIqHTj5+cOBv3lC1UyqEvOoUsg=,tag:x/4n+rcQxd+neQGLcXa66g==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0