feat(gitea-actions-runner): init

2026-03-01 02:11:32 -07:00
parent 93e801c332
commit e0506fc3e0
3 changed files with 101 additions and 2 deletions
--- a/modules/nixos/gitea-actions-runner.nix
+++ b/modules/nixos/gitea-actions-runner.nix
@@ -0,0 +1,92 @@
+# Stolen from https://git.neet.dev/zuckerberg/nix-config/src/branch/master/common/server/gitea-actions-runner.nix
+{ config, lib, pkgs, ... }:
+
+let
+  cfg = config.sydnix.gitea-actions-runner;
+  container-name = "gitea-actions-runner";
+  gitea-actions-runner-uid = 991;
+  gitea-actions-runner-gid = 989;
+  token-file = config.sops.secrets.gitea-actions-runner-token.path;
+in {
+  options.sydnix.gitea-actions-runner = {
+    enable = lib.mkEnableOption "Gitea actions runner";
+  };
+
+  config = lib.mkIf cfg.enable {
+    sydnix.sops.secrets.gitea-actions-runner-token = {};
+
+    sydnix.impermanence.directories = [ "/var/lib/gitea-actions-runner" ];
+
+    containers.${container-name} = {
+      autoStart = true;
+      ephemeral = true;
+
+      bindMounts = {
+        ${token-file} = {
+          hostPath = token-file;
+          isReadOnly = true;
+        };
+        "/var/lib/gitea-actions-runner" = {
+          hostPath = "/var/lib/gitea-actions-runner";
+          isReadOnly = false;
+        };
+      };
+
+      config = { config, lib, pkgs, ... }: {
+        system.stateVersion = "25.11";
+
+        services.gitea-actions-runner.instances.sydpc = {
+          enable = true;
+          name = "sydpc";
+          url = "https://git.deertopia.net/";
+          tokenFile = token-file;
+          labels = [ "nixos:host" ];
+        };
+
+        # Disable dynamic user so runner state persists via bind mount
+        assertions = [{
+          assertion = config.systemd.services.gitea-actions-runner-sydpc.enable;
+          message = ''
+	    Expected systemd service 'gitea-actions-runner-sydpc' is not
+	    enabled — the gitea-actions-runner module may have changed
+	    its naming scheme.
+	  '';
+        }];
+        systemd.services.gitea-actions-runner-sydpc.serviceConfig.DynamicUser
+	  = lib.mkForce false;
+        users.users.gitea-actions-runner = {
+          uid = gitea-actions-runner-uid;
+          home = "/var/lib/gitea-actions-runner";
+          group = "gitea-actions-runner";
+          isSystemUser = true;
+          createHome = true;
+        };
+        users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+        environment.systemPackages = with pkgs; [
+          git
+          nodejs
+          jq
+          attic-client
+        ];
+      };
+    };
+
+    # Needs to be outside of the container because container uses's
+    # the host's nix-daemon
+    nix.settings.trusted-users = [ "gitea-actions-runner" ];
+
+    # Matching user on host — the container's gitea-actions-runner UID must be
+    # recognized by the host's nix-daemon as trusted (shared UID namespace)
+    users.users.gitea-actions-runner = {
+      uid = gitea-actions-runner-uid;
+      home = "/var/lib/gitea-actions-runner";
+      group = "gitea-actions-runner";
+      isSystemUser = true;
+      createHome = true;
+    };
+    users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+  };
+}