sigma: gitea actions runner

flake.lock

@@ -120,11 +120,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1711460390,
+        "lastModified": 1711668574,
-        "narHash": "sha256-akSgjDZL6pVHEfSE6sz1DNSXuYX6hq+P/1Z5IoYWs7E=",
+        "narHash": "sha256-u1dfs0ASQIEr1icTVrsKwg2xToIpn7ZXxW3RHfHxshg=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "44733514b72e732bd49f5511bd0203dea9b9a434",
+        "rev": "219951b495fc2eac67b1456824cc1ec1fd2ee659",
         "type": "github"
       },
       "original": {
@@ -165,11 +165,11 @@
     },
     "secrets": {
       "locked": {
-        "lastModified": 1711743434,
+        "lastModified": 1711747594,
-        "narHash": "sha256-fqeuUwSNBeWL4pSDsqIehH6Mgl3J8ZmEGPhmdD1gufo=",
+        "narHash": "sha256-k8Ew/EDpcLJKs285SqEldFbiKSf9rsHz/g0btv8zFM8=",
         "ref": "refs/heads/master",
-        "rev": "c79b0434590226446576f6b19d474cb9e41dc6b2",
+        "rev": "110dae44d26b6d973922b804213446d1c0165486",
-        "revCount": 6,
+        "revCount": 7,
         "type": "git",
         "url": "ssh://git@git.caspervk.net/caspervk/nixos-secrets.git"
       },

hosts/sigma/default.nix

@@ -5,6 +5,7 @@
     ../../modules/server
     ./hardware.nix
     #./borg.nix
+    ./gitea.nix
     ./network.nix
   ];
 

hosts/sigma/gitea.nix

@@ -0,0 +1,40 @@
+{
+  config,
+  pkgs,
+  secrets,
+  ...
+}: {
+  # https://forgejo.org/docs/latest/admin/actions/
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances."default" = {
+      enable = true;
+      name = "default";
+      url = "https://git.caspervk.net";
+      # From https://git.caspervk.net/admin/actions/runners/
+      tokenFile = config.age.secrets.gitea-actions-runner-token-file.path;
+      # The Forgejo runner relies on application containers (Docker, Podman,
+      # etc) to execute a workflow in an isolated environment. Labels are used
+      # to map jobs' `runs-on` to their runtime environment. Many common
+      # actions require bash, git and nodejs, as well as a filesystem that
+      # follows the filesystem hierarchy standard.
+      labels = [
+        "debian-latest:docker://node:20-bullseye"
+      ];
+      # https://forgejo.org/docs/latest/admin/actions/#configuration
+      settings = {
+        runner = {
+          # Default fetch interval is 2s -- no need to spam the server
+          fetch_interval = "5m";
+        };
+      };
+    };
+  };
+
+  age.secrets.gitea-actions-runner-token-file = {
+    file = "${secrets}/secrets/gitea-actions-runner-token-file.age";
+    mode = "400";
+    owner = "root";
+    group = "root";
+  };
+}

overlays/default.nix

@@ -1,3 +1,3 @@
 {...}: {
-  imports = [];
+  imports = [./forgejo-actions-runner.nix];
 }

overlays/forgejo-actions-runner.nix

@@ -0,0 +1,24 @@
+{...}: {
+  # Running containers without /bin/sleep (such as nixos) requires newer
+  # forgejo act runner. See https://codeberg.org/forgejo/forgejo/issues/2611.
+  nixpkgs.overlays = [
+    (final: prev: {
+      forgejo-actions-runner = prev.callPackage "${prev.path}/pkgs/development/tools/continuous-integration/forgejo-actions-runner" {
+        buildGoModule = args:
+          prev.buildGoModule (args
+            // rec {
+              version = "3.4.1";
+
+              src = prev.fetchFromGitea {
+                domain = "codeberg.org";
+                owner = "forgejo";
+                repo = "runner";
+                rev = "v${version}";
+                hash = "sha256-c8heIHt+EJ6LnZT4/6TTWd7v85VRHjH72bdje12un4M=";
+              };
+              vendorHash = "sha256-FCCQZdAYRtJR3DGQIEvUzv+1kqvxVTGkwJwZSohq28s=";
+            });
+      };
+    })
+  ];
+}