diff --git a/nixos/servers/forgejo-runner/forgejo-runner.nix b/nixos/servers/forgejo-runner/forgejo-runner.nix
new file mode 100644
index 00000000..ba5d6f64
--- /dev/null
+++ b/nixos/servers/forgejo-runner/forgejo-runner.nix
@@ -0,0 +1,48 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ sops.secrets.forgejo-runner-token = {
+ format = "yaml";
+ sopsFile = ./forgejo-runner.yaml;
+ };
+ virtualisation.podman.enable = true;
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = config.networking.hostName;
+ url = "https://git.kittywit.ch";
+ # Obtaining the path to the runner token file may differ
+ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+ tokenFile = config.sops.secrets.forgejo-runner-token.path;
+ labels = let
+ arches = {
+ x86_64-linux = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ "ubuntu-20.04:docker://node:16-bullseye"
+ "ubuntu-18.04:docker://node:16-buster"
+ "nixos-latest:docker://nixos/nix"
+ "ubuntu-latest-x86_64:docker://node:16-bullseye"
+ "ubuntu-22.04-x86_64:docker://node:16-bullseye"
+ "ubuntu-20.04_x86_64:docker://node:16-bullseye"
+ "ubuntu-18.04-x86_64:docker://node:16-buster"
+ "nixos-latest-x86_64:docker://nixos/nix"
+ ## optionally provide native execution on the host:
+ # "native:host"
+ ];
+ aarch64-linux = [
+ "ubuntu-latest-aarch64:docker://node:16-bullseye"
+ "ubuntu-22.04-aarch64:docker://node:16-bullseye"
+ "ubuntu-20.04_aarch64:docker://node:16-bullseye"
+ "ubuntu-18.04-aarch64:docker://node:16-buster"
+ "nixos-latest-aarch64:docker://nixos/nix"
+ ];
+ };
+ in
+ arches.${pkgs.system};
+ };
+ };
+}
diff --git a/nixos/servers/forgejo-runner/forgejo-runner.yaml b/nixos/servers/forgejo-runner/forgejo-runner.yaml
new file mode 100644
index 00000000..b35761cb
--- /dev/null
+++ b/nixos/servers/forgejo-runner/forgejo-runner.yaml
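Review bot: The label map points every `ubuntu-*` label at `node:16-bullseye` / `node:16-buster` and `nixos-latest` at an untagged `nixos/nix`, so every CI job runs inside Node 16 images (end-of-life since 2023, no further security updates) or whatever `latest` resolves to at pull time, and podman is enabled just above precisely to execute them. Pin these to a maintained tag and ideally by digest, e.g. `"ubuntu-latest:docker://node:20-bookworm@sha256:<digest>"`, so an upstream tag repoint cannot silently change what the runner executes. The labels `ubuntu-20.04_x86_64` and `ubuntu-20.04_aarch64` use an underscore where every sibling uses a hyphen, which looks like a typo and would leave those labels unmatched by workflows written against the hyphenated names. The tokenFile comment reads `TOKEN=,` with the value part apparently lost; `# tokenFile must contain TOKEN=<runner registration token>, since it is loaded as a systemd EnvironmentFile` would read cleanly.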
@@ -0,0 +1,119 @@ +forgejo-runner-token: ENC[AES256_GCM,data:D576AbNHTK6TAt2RKu2m16FRCgSaGP65xVnlDcY6VRQdfM4hrbT0ugiIqyrEBNE=,iv:X3Rh6gEDU7mAqhp2NPKiicHuY/xklR5mx5SO4jkShtk=,tag:31QoIjGOTZm7FwuYd9gQig==,type:str] +sops: + shamir_threshold: 1 + age: + - recipient: age1n4kdchmkk3rfkaknxhveqr2ftprdpgwckutt23y6u8639lazzuks77tgav + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwc1pwakt4RVJQS0d6VFdr + dE1YM2xjOGRMSDViazB6WmJGdThBL25UUVNJCkxDK0xza3dHQm1pb1VEUGlPcW1S + aHdMd3VFWjhNQ1UwaXcwbDVSWUxST3MKLS0tIDUwRTcwWlF5cTNOOFQ5OURYNUF5 + ZzRxSXlUeFhiY0psQkRMcXNwU2JMSUkKVuUjZXLbj2woEX7QiSnTkE2w0c47HYcA + IKgUVCeqy+Kx+ewTWuNKKgLSAmU35whd7djNaKf7tL6TKx/AqqXOwg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1cnu37d5fqyahh9vvc4hj6z6k8ur9ksuefln7sr6g3emmn927eutqxdawuh + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQQTRpUnE1YlIrRlE5a0sx + eWhnUlREVFU1OW1zWjI2ZEN4VXBaVTFHWFhZCmRWMk9kdFQvQ0k5bmdrZzh1UlFH + R1pybkFyT1lzU25GTDZmZTRhNHhoS1UKLS0tIFF1Q3JQd2JQbGVWcFp4MFEybFlw + N1BHb203dUZTU0tYRUhNYzdmNGpHbk0K1shdgPHmTy1NHUqkAo5V2WZFREsfbgtj + ESxYQ2p1NlF5B82kAmIYkAM5Yb0YgMf1Qr9YATgMj2vqPSPZWku4MA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1a0m73qr8hhuz8xemv4vymf4wmpghm2hst8wgrn3pn65ext5mf4ksk0vsdm + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHNVA0WFFveVE5eU0yM3Bh + SS9QM01EYmljeEZ3S002NWJaRzIwTUlkbTNrCjFoVlh2dlZDWW55bDNtZjBxREZZ + RjlhRnBOYnRyY2dDckxqbnk4U0tVT1kKLS0tIGRja0VBbFdoanQ2MFoxY0NERDJo + eFUwclloei8xYm0yMGQ0dWI3RXE4dFEKHi+JqONyFBA0Vf8x9qsluNzSzyTNQo/O + zns+YLvssgSVnu/wJ0KiDXCE5a7KSvDLejGjQw9kkP+jOGAqetYHnw== + -----END AGE ENCRYPTED FILE----- + - recipient: age18hpxz0ghvswv9k30cle73prvnzrsuczqh87jjdk9fl50j3ddndmq9xae0n + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJR2NPUk9TUTdVNm9YSENt + aXRqcUJHTXNvc3hEZ0dqc2llWUlGUDd5cEJRCkZGb1B5MUVJQTRzeHJPc3c0ZkMv + 
QytlOE53a0cyN09kM2ZOOG5GNUYvMmcKLS0tIDZFVEowOU0wSnk2eksyS3VmZ0U0 + ZUR2dm9zaWRPUXAzSTJ2MXo5UlRDcEEK3rXlMF/ZViQRVf5AxkwLUcya/k6ZYohB + 0/gC3uzWR9/sit9lL7eMkFT0EG0Jnf8Zo+LTduD8fdDtWf3I7C1f8g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1xgy03g3vjydsxcl0qpdgm8rahjcjq95ucxfwlgr22zwjx3p7jf2s9jk6u5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJdjRKRXh3SVBFUkFyTElo + SDZCRVlFNStZMzNyOXdzc3Blc1RzNnUzTUQ0CmtTMkU2b0V2aG43TS9WaVBUOWU4 + MkNaMDMwZnVuNWdVanFmV2U2SkZGaFUKLS0tIGxpbzNIVmQ2b3dBU0c4bFk1WmFr + QkZtbXVrcVlxOEpGYTBQd25tT2dBM2MKWN40GVw4YRMC0096drlJthzVocgoY3X0 + TJE8aX4gqyRyiT5ylpRrcwZ0Fng1KcV1Ukr+wIltJtr9pcc0nXFjpA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1fv5dafs4n3r5n83qm2hfz7xmnflsz0xf9r3saralrptpgf8mvuxq4t8k3u + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0UkJrMEJkd3BBZFBhZXMz + SXJ6ZWliRWN3ejN1aW9SSXZ0RmZmQ2VUb0RJCnROelNMOVFEcVZ3Vkh6c3g4MUh5 + M2Y4ZGNheURzU1FMdWdFWjFaanh0YmcKLS0tIGdXdURudTd5ZzdYbzlRby9oakZ0 + eUs2dGtSUUpnWk1HZVkydlJSZGZwSm8KEf44RFpmibgQDjAHG5c2D1SJD6Zp3xBZ + WoArJlcUMSKRuqDWc/3CP4ptpDFX4oE3IfMnGi/DTUVA6bOdw0c3TA== + -----END AGE ENCRYPTED FILE----- + - recipient: age120530yclr75k6nrzp6k5jjftj8j4q9v3533guupzk4ct86mjxszqg9e5t5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyMTR1MHJObHNvTnZLZ2VZ + OTFDeCt0dmJHeGNnUFd4TXFmWUh6YWxHYkIwCkJBQU5MYVBuY09iSmI2dkZLb2hH + Z3Z4ckU1RmFlNVd2OUFVU2NQQnVqWE0KLS0tIGJLSnhnY0JFL3RoZUIramVmcXp2 + bzRmWXVCcEVXOHFBVmRhUzVUd20ra0EKlRbK5LRto/P/RysvMHup3un7xVOXbcHc + brFy2rTqcJ8sP7+beWl5GbMEcJrP5tgs8tpGNy7vHiYC1/qzCdK+hA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1c4atxfp05u7zm875s6q8p82ve96rqqpq9smktxlur8pk2yc3qvgql46dp9 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBETlAxQW5ZbWF6NE1iaGR1 + RGJNQzhvdG9TYjBoQ1gwZlRBekE4RnB5RkJZCmR2TUdjbUp5eklLV3UyK3lVUlpv + 
WStFR2RpalNrb2pzZWs4eHRBSEE4MTQKLS0tIDY5dk55cG43dlRJRW91bUZmZWhj + MFZKU090czRhWTNpTjdFV2dIcmQ1TjgKmoirIU0QyAINRA3kqP9Ak4BG9PpFGVaW + 6+xHf6H16TCNwvZPaaa4tBtPdhB3APHOkYJiyFiCQWJmBvNRnws1KQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1rjldv3fn3q686647exmcukthr32gmp6s3axs0lhyenvru9ajp9rs24ukvz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaNGxrNHkvVTgvMDZTa2dW + U0lkWTdEOVlXdksrZXlTMUZ2eDkvQTBTQjNVCkZIa2c5OVorblFWVFpwbnpWcGJD + d1duOU1ydmFFL2N2K083VFFNSEhCNlUKLS0tIGpoWGJpbXdxd3RmL1R6eDVERG9H + Y3podGMzR0ViTjVmTFpXQ1Y5dXIvdU0KcXieuPDyBz7SgdvlWfgFF0VAavZ7CcB/ + M2tx00rblCJMNCT4WSCRL+350S+4OmeXb81T4BlSxzn8p3jNpEfUbQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1p9v6xaujkdat2tsc2mc4gxpg9hjr4suvwryuat95z2c53xhsyfxq0gf594 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNN1NZN3B0bjBNV0VVbTlY + YW1tMmZFV29yZXUrSUJ5MXNhRG5CSGhQcUU0ClJ4K3J0SDBlQW1nSWs2NFNlQjhs + MnlHWGRkcS91ZmM2bEpjQ3NSUWFvU2MKLS0tIEh0bGJrb2ZDSWVLVG45ZlhkQ0hz + RDdsVDNUci8xWmxGaXpwMlgyTGtSM1EKeMoFN8+WUpo6VZwQjVeUx4xTQEaEMxh+ + zXGQOrMh2ZUpU0WbTHrivMxPd0nzFqJt15eUcuO41vggknR7GN0vJQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-10-13T14:27:51Z" + mac: ENC[AES256_GCM,data:cBGozOli5n7p0/jGKXcSda6T2h70aUnkJ19L9ZJjs+ah1GYE9gShUpsnLW+sFRPHxySy+HULGL2436iV0/m1lR+PszXMczUM+plm9s5n1uFsyjnFn2iLZjMTdjuQqi3UjzuKh+oUaYMuPWx9cvbYFu6e+T6QQG87RD/WwMcOpDU=,iv:woZFeBwzrPOoJaS/CvoZlXIYbip/Co+cqvSBn0dnkeg=,tag:WZPlqCiNVJXiopeLKXcNmA==,type:str] + pgp: + - created_at: "2025-10-13T14:17:40Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA82M54yws73UAQ//Sw3cmk2oENcX7ppU5OpzqSZl9hzsCarbH5bNuJAIftuM + KmdMl0vNDlupgtxAIiE7t92NoGBG8EA4NkK+ht2WP2/e0RwKDU+qBBnKKd2imycX + Z7SjgdJRCNpSUnFqEw0267rXx5HPZkM2GbU0YVTUPerJWyOBcYCEuD3H6Af6lDpZ + oFE+f2Qf+6zoCPLSCmDeyiIMnX2AFxqVhodose9a9Cdxb4vvbW8JPtt7GK7oKm+g + nxEXb7Cz/yrrNnGmuovNxgVVvi4UZwuPX2FsAkJFSiW7iUYXWaLqfi91u0feENDt + 
Mxispm+MdrZ6ru4TGdmPbGOCDzVyug1OzhlXNPtW4CJOf/ynP42JyeLohxb3a6Xw
+ BYb7MoH5tBUXUgLineGAwRxFfDJimO2hUMXNp20x2HjTvvycQaQ11rT4f3z0dpG9
+ Y+ucBO+GCK/xJ7IjToUJrWBSHIje5zBnfz51Sl0Wv7esbEXMr8d72WYdd9PD1dod
+ mAdvncJm4WhAxIwFj1AV1HXHyaX89gSSrkA4W608dt2nvIPIErmsHM3tiDIRxfi8
+ GbeCMg0zUs1TqJ9XYjfrxpQQTCo8tAJjcfMXqw1TS831sfqnhOWAEmPcY/qY8XU1
+ SpMWYi5nfnhSNgsFPS0YVtq8Heeuti6ot9C4D5zm4Q1Mj6otlpFrbleN6q0S+dTS
+ XgEo69S8RH+MaLyAbFU/SX4z9Iwz0ywN1RZ0MxOODBHrWrwgCBNQ0J/Q+yLydHGa
+ O+uvbFTpDMtFT6FCf0xpifUmyLCnYfomK4mfn5W0ttAqmQ8oakZZj4ppyMHC/Qg=
+ =PZgO
+ -----END PGP MESSAGE-----
+ fp: CD8CE78CB0B3BDD4
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/nixos/servers/forgejo.nix b/nixos/servers/forgejo.nix
deleted file mode 100644
index 8fae7be4..00000000
--- a/nixos/servers/forgejo.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-_: {
- services.forgejo = {
- enable = true;
- settings = {
- DOMAIN = "git.kittywit.ch";
- };
- };
-}
diff --git a/nixos/servers/forgejo/forgejo.nix b/nixos/servers/forgejo/forgejo.nix
new file mode 100644
index 00000000..95c2146a
--- /dev/null
+++ b/nixos/servers/forgejo/forgejo.nix
@@ -0,0 +1,34 @@
+{config, ...}: let
+ domain = "git.kittywit.ch";
+ cfg = config.services.forgejo;
+in {
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ };
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "github";
+ };
+ };
+ };
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/systems/daiyousei.nix b/systems/daiyousei.nix
index 73d4545d..d1fe0849 100644
--- a/systems/daiyousei.nix
+++ b/systems/daiyousei.nix
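Review bot: Nothing in the new `server` block pins where Forgejo itself listens, so only the nginx vhost is forced to HTTPS while the backend port that `proxyPass` targets keeps the module's default bind address — in nixpkgs that is, as far as I recall, `0.0.0.0`, which would expose plain-HTTP Forgejo on any interface the host firewall lets through. Adding `HTTP_ADDR = "127.0.0.1";` beside `DOMAIN` keeps it reachable only via the `localhost` proxyPass already used here. Separately, behind a proxy Forgejo's logs and rate limiting will see nginx's address unless the vhost forwards client headers (the `recommendedProxySettings` option is not visible in this hunk) and `REVERSE_PROXY_TRUSTED_PROXIES` is set to match, which is worth confirming against the host's nginx config. `DEFAULT_ACTIONS_URL = "github"` also means bare `uses: owner/action@ref` steps resolve to github.com; fine for a personal forge, but a one-line comment there would record it as a deliberate supply-chain choice.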
@@ -21,6 +21,8 @@ _: let
 ++ (with tree.nixos.servers; [
 weechat
 #matrix
+ forgejo
+ forgejo-runner
 postgres
 web
 ]);
diff --git a/systems/goliath.nix b/systems/goliath.nix
index 379b45b1..859a1c73 100644
--- a/systems/goliath.nix
+++ b/systems/goliath.nix
@@ -56,6 +56,9 @@ _: let
 #hyprland
 niri
 ])
+ ++ (with tree.nixos.servers; [
+ forgejo-runner
+ ])
 ++ (with inputs.nixos-hardware.outputs.nixosModules; [
 common-pc
 common-pc-ssd
diff --git a/systems/mai.nix b/systems/mai.nix
index 7af95708..939bd7f5 100644
--- a/systems/mai.nix
+++ b/systems/mai.nix
@@ -15,7 +15,8 @@ _: let
 oracle_micro
 ])
 ++ (with tree.nixos.servers; [
- ]);
+ forgejo-runner
+ ]);
 
 system.stateVersion = "23.11";
 };
diff --git a/systems/mei.nix b/systems/mei.nix
index 15d3bb74..939bd7f5 100644
--- a/systems/mei.nix
+++ b/systems/mei.nix
@@ -13,6 +13,9 @@ _: let
 ])
 ++ (with tree.nixos.hardware; [
 oracle_micro
+ ])
+ ++ (with tree.nixos.servers; [
+ forgejo-runner
 ]);
 
 system.stateVersion = "23.11";
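Review bot: goliath's context lines (`niri`, `common-pc`, `common-pc-ssd`) suggest an interactive workstation, and the added `forgejo-runner` entry will enable podman on it and pull and execute workflow containers from git.kittywit.ch next to the desktop session. Registration on the forge is disabled in this same commit, so the jobs are presumably the owner's own, but a compromised action or base image then lands on a machine that likely holds the user's keys and login sessions rather than on one of the server hosts. If that is intended, a comment such as `# CI runner: executes workflow containers from git.kittywit.ch on this desktop` beside the entry makes the trade-off explicit; otherwise keep the runner to daiyousei, mai and mei. The `native:host` label stays commented out in forgejo-runner.nix, which matters most on this host.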