fix(forgejo-runner): maybe?

2026-02-09 12:29:19 -08:00 · 2025-10-13 09:09:58 -07:00 · 2025-10-13 09:09:58 -07:00 · 6fe1921360
commit 6fe1921360
parent 69d80bde5b
6 changed files with 82 additions and 43 deletions
--- a/nixos/servers/forgejo-runner/forgejo-runner.nix
+++ b/nixos/servers/forgejo-runner/forgejo-runner.nix
@ -1,48 +1,73 @@
 {
  pkgs,
  config,
+  options,
+  lib,
  ...
 }: {
-  sops.secrets.forgejo-runner-token = {
-    format = "yaml";
-    sopsFile = ./forgejo-runner.yaml;
-  };
-  virtualisation.podman.enable = true;
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
-    instances.default = {
-      enable = true;
-      name = config.networking.hostName;
-      url = "https://git.kittywit.ch";
-      # Obtaining the path to the runner token file may differ
-      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
-      tokenFile = config.sops.secrets.forgejo-runner-token.path;
-      labels = let
-        arches = {
-          x86_64-linux = [
-            "ubuntu-latest:docker://node:16-bullseye"
-            "ubuntu-22.04:docker://node:16-bullseye"
-            "ubuntu-20.04:docker://node:16-bullseye"
-            "ubuntu-18.04:docker://node:16-buster"
-            "nixos-latest:docker://nixos/nix"
-            "ubuntu-latest-x86_64:docker://node:16-bullseye"
-            "ubuntu-22.04-x86_64:docker://node:16-bullseye"
-            "ubuntu-20.04_x86_64:docker://node:16-bullseye"
-            "ubuntu-18.04-x86_64:docker://node:16-buster"
-            "nixos-latest-x86_64:docker://nixos/nix"
-            ## optionally provide native execution on the host:
-            # "native:host"
-          ];
-          aarch64-linux = [
-            "ubuntu-latest-aarch64:docker://node:16-bullseye"
-            "ubuntu-22.04-aarch64:docker://node:16-bullseye"
-            "ubuntu-20.04_aarch64:docker://node:16-bullseye"
-            "ubuntu-18.04-aarch64:docker://node:16-buster"
-            "nixos-latest-aarch64:docker://nixos/nix"
-          ];
-        };
-      in
-        arches.${pkgs.system};
+  config = let
+    inherit (lib.attrsets) optionalAttrs;
+    colmenaTag = {
+      deployment.tags = ["forgejo-runner"];
+    };
+  in
+    (optionalAttrs (options ? deployment) colmenaTag)
+    // {
+      sops.secrets = {
+        forgejo-runner-token = {
+          format = "yaml";
+          sopsFile = ./forgejo-runner.yaml;
+        };
+      };
+      virtualisation.podman = {
+        enable = true;
+        defaultNetwork.settings = {
+          dns_enabled = true;
+          ipv6_enabled = true;
+        };
+      };
+      users.groups.gitea-runner = {};
+      users.users.gitea-runner = {
+        isSystemUser = true;
+        group = "gitea-runner";
+      };
+      networking.firewall.interfaces."podman*".allowedUDPPorts = [53];
+      services.gitea-actions-runner = {
+        package = pkgs.forgejo-actions-runner;
+        instances.default = {
+          enable = true;
+          name = config.networking.hostName;
+          url = "https://git.kittywit.ch";
+          # Obtaining the path to the runner token file may differ
+          # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+          tokenFile = config.sops.secrets.forgejo-runner-token.path;
+          labels = let
+            arches = {
+              x86_64-linux = [
+                "ubuntu-latest:docker://node:16-bullseye"
+                "ubuntu-22.04:docker://node:16-bullseye"
+                "ubuntu-20.04:docker://node:16-bullseye"
+                "ubuntu-18.04:docker://node:16-buster"
+                "nixos-latest:docker://nixos/nix"
+                "ubuntu-latest-x86_64:docker://node:16-bullseye"
+                "ubuntu-22.04-x86_64:docker://node:16-bullseye"
+                "ubuntu-20.04_x86_64:docker://node:16-bullseye"
+                "ubuntu-18.04-x86_64:docker://node:16-buster"
+                "nixos-latest-x86_64:docker://nixos/nix"
+                ## optionally provide native execution on the host:
+                # "native:host"
+              ];
+              aarch64-linux = [
+                "ubuntu-latest-aarch64:docker://node:16-bullseye"
+                "ubuntu-22.04-aarch64:docker://node:16-bullseye"
+                "ubuntu-20.04_aarch64:docker://node:16-bullseye"
+                "ubuntu-18.04-aarch64:docker://node:16-buster"
+                "nixos-latest-aarch64:docker://nixos/nix"
+              ];
+            };
+          in
+            arches.${pkgs.system};
+        };
+      };
    };
-  };
 }
--- a/nixos/servers/forgejo-runner/forgejo-runner.yaml
+++ b/nixos/servers/forgejo-runner/forgejo-runner.yaml
@ -92,8 +92,8 @@ sops:
            RDdsVDNUci8xWmxGaXpwMlgyTGtSM1EKeMoFN8+WUpo6VZwQjVeUx4xTQEaEMxh+
            zXGQOrMh2ZUpU0WbTHrivMxPd0nzFqJt15eUcuO41vggknR7GN0vJQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-10-13T14:27:51Z"
-    mac: ENC[AES256_GCM,data:cBGozOli5n7p0/jGKXcSda6T2h70aUnkJ19L9ZJjs+ah1GYE9gShUpsnLW+sFRPHxySy+HULGL2436iV0/m1lR+PszXMczUM+plm9s5n1uFsyjnFn2iLZjMTdjuQqi3UjzuKh+oUaYMuPWx9cvbYFu6e+T6QQG87RD/WwMcOpDU=,iv:woZFeBwzrPOoJaS/CvoZlXIYbip/Co+cqvSBn0dnkeg=,tag:WZPlqCiNVJXiopeLKXcNmA==,type:str]
+    lastmodified: "2025-10-13T16:08:32Z"
+    mac: ENC[AES256_GCM,data:9jtHZulwS2UtIQcploYwshLcdCUitTeeh2ct3SbdF1I+yVwvAQ/h4XTccVIVSEwgTo23FKp3LV8lfUiyymG5VA3HAuX5RBIEVvvh5vWJpLWkYGFQZKmfJZmAySgxmCtfVv6Uv8tJm6reOts3J2WIcxnhkA48AFykhKDO3zZpk0k=,iv:WndNMmz1AU8Zmq9MRggLa88MJh3Ux6CGEvTtFSge6CA=,tag:w8QWFPZRK3Ho3rxSkoj+Iw==,type:str]
    pgp:
        - created_at: "2025-10-13T14:17:40Z"
          enc: |-