refactor(gitea-actions-runner): config

2026-03-05 10:15:54 -07:00
parent 70068bf0d9
commit f15efb661e
1 changed files with 67 additions and 21 deletions
--- a/modules/nixos/gitea-actions-runner.nix
+++ b/modules/nixos/gitea-actions-runner.nix
@@ -3,13 +3,51 @@

 let
  cfg = config.sydnix.gitea-actions-runner;
-  container-name = "gitea-actions-runner";
-  gitea-actions-runner-uid = 991;
-  gitea-actions-runner-gid = 989;
  token-file = config.sops.secrets.gitea-actions-runner-token.path;
 in {
  options.sydnix.gitea-actions-runner = {
    enable = lib.mkEnableOption "Gitea actions runner";
+    instance-name = lib.mkOption {
+      type = lib.types.str;
+      default = config.networking.hostName;
+      description = ''
+	The name of the runner instance name.
+      '';
+    };
+    user.name = lib.mkOption {
+      type = lib.types.str;
+      default = "gitea-actions-runner";
+      description = ''
+	The name of the user gitea-actions-runner should run under.
+      '';
+    };
+    user.uid = lib.mkOption {
+      type = lib.types.int;
+      default = 991;
+      description = ''
+	The UID of the user gitea-actions-runner should run under.
+	This must be known at evaluation time so that the same UID can
+	be used both on the host and in the container, allowing the
+	container to access the host's nix-daemon.
+      '';
+    };
+    group.name = lib.mkOption {
+      type = lib.types.str;
+      default = "gitea-actions-runner";
+      description = ''
+	The name of the group gitea-actions-runner should run under.
+      '';
+    };
+    group.gid = lib.mkOption {
+      type = lib.types.int;
+      default = 989;
+      description = ''
+	The GID of the group gitea-actions-runner should run under.
+	This must be known at evaluation time so that the same GID can
+	be used both on the host and in the container, allowing the
+	container to access the host's nix-daemon.
+      '';
+    };
  };

  config = lib.mkIf cfg.enable {
@@ -17,7 +55,7 @@ in {

    sydnix.impermanence.directories = [ "/var/lib/gitea-actions-runner" ];

-    containers.${container-name} = {
+    containers."gitea-actions-runner" = {
      autoStart = true;
      ephemeral = true;

@@ -35,9 +73,9 @@ in {
      config = { config, lib, pkgs, ... }: {
        system.stateVersion = "25.11";

-        services.gitea-actions-runner.instances.sydpc = {
+        services.gitea-actions-runner.instances.${cfg.instance-name} = {
          enable = true;
-          name = "sydpc";
+          name = cfg.instance-name;
          url = "https://git.deertopia.net/";
          tokenFile = token-file;
          labels = [ "nixos:host" ];
@@ -56,23 +94,27 @@ in {

        # Disable dynamic user so runner state persists via bind mount
 	assertions = [{
-	  assertion = config.systemd.services.gitea-actions-runner-sydpc.enable;
+	  assertion =
+	    config.systemd.services.gitea-actions-runner-sydpc.enable;
 	  message = ''
-	    Expected systemd service 'gitea-actions-runner-sydpc' is not
-	    enabled — the gitea-actions-runner module may have changed
-	    its naming scheme.
+	    Expected systemd service 'gitea-actions-runner-sydpc' is
+	    not enabled — the gitea-actions-runner NixOS module may
+	    have changed its naming scheme.
 	  '';
 	}];
+
        systemd.services.gitea-actions-runner-sydpc.serviceConfig.DynamicUser
 	  = lib.mkForce false;
-        users.users.gitea-actions-runner = {
-          uid = gitea-actions-runner-uid;
+
+        users.users.${cfg.user.name} = {
+          uid = cfg.user.uid;
          home = "/var/lib/gitea-actions-runner";
-          group = "gitea-actions-runner";
+          group = cfg.group.name;
          isSystemUser = true;
          createHome = true;
        };
-        users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+
+        users.groups.gitea-actions-runner.gid = cfg.group.gid;

        nix.settings.experimental-features = [ "nix-command" "flakes" ];

@@ -81,23 +123,27 @@ in {
          nodejs
          jq
          attic-client
+	  omnix
        ];
      };
    };

    # Needs to be outside of the container because container uses's
    # the host's nix-daemon
-    nix.settings.trusted-users = [ "gitea-actions-runner" ];
+    nix.settings.trusted-users = [
+      cfg.user.name
+    ];

-    # Matching user on host — the container's gitea-actions-runner UID must be
-    # recognized by the host's nix-daemon as trusted (shared UID namespace)
-    users.users.gitea-actions-runner = {
-      uid = gitea-actions-runner-uid;
+    # Matching user on host — the container's gitea-actions-runner UID
+    # must be recognized by the host's nix-daemon as trusted (shared
+    # UID namespace)
+    users.users.${cfg.user.name} = {
+      uid = cfg.user.uid;
      home = "/var/lib/gitea-actions-runner";
-      group = "gitea-actions-runner";
+      group = cfg.group.name;
      isSystemUser = true;
      createHome = true;
    };
-    users.groups.gitea-actions-runner.gid = gitea-actions-runner-gid;
+    users.groups.${cfg.group.name}.gid = cfg.group.gid;
  };
 }