From 28cc9c48b2a2d064f83d97db84bce9f358d872d2 Mon Sep 17 00:00:00 2001
From: Michael Thomas
Date: Mon, 20 May 2024 19:32:35 -0400
Subject: [PATCH] feat(forgejo): add actions runner
---
 machines/thinkcentre/configuration.nix | 1 +
 modules/services/forgejo/default.nix | 34 ++++++++++++++++++++++++++
 secrets/forgejo-actions.age | 5 ++++
 secrets/secrets.nix | 1 +
 4 files changed, 41 insertions(+)
 create mode 100644 secrets/forgejo-actions.age
diff --git a/machines/thinkcentre/configuration.nix b/machines/thinkcentre/configuration.nix
index 78ad4be..9e4602e 100644
--- a/machines/thinkcentre/configuration.nix
+++ b/machines/thinkcentre/configuration.nix
@@ -117,6 +117,7 @@
 my.services.forgejo = {
 enable = true;
 port = 3000;
+ actions.enable = true;
 };
 
 swapDevices = [
diff --git a/modules/services/forgejo/default.nix b/modules/services/forgejo/default.nix
index 70483be..910f34c 100644
--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@@ -1,6 +1,7 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }:
 with lib; let
@@ -12,6 +13,11 @@ in {
 options.my.services.forgejo = {
 enable = mkEnableOption "Forgejo";
 proxy = mkEnableOption "Forgejo reverse proxy entry";
+ actions = mkOption {
+ type = types.submodule (_: {
+ options.enable = mkEnableOption "Forgejo Actions";
+ });
+ };
 subdomain = mkOption {
 type = types.str;
 default = "git";
@@ -30,6 +36,7 @@ in {
 (mkIf cfg.enable {
 services.forgejo = {
 enable = true;
+ package = pkgs.unstable.forgejo;
 settings.server = {
 DOMAIN = forgejoDomain;
 ROOT_URL = forgejoUrl;
@@ -52,6 +59,33 @@ in {
 };
 
 networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+
+ age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
+ services.gitea-actions-runner = mkIf cfg.actions.enable {
+ package = pkgs.unstable.forgejo-runner;
+ instances.venus = {
+ enable = true;
+ name = "venus";
+ url = forgejoUrl;
+ settings = {
+ # log = {
+ # level = "debug";
+ # };
+ options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+ runner = {
+ capacity = 5;
+ timeout = "45m";
+ };
+ container = {
+ privileged = true;
+ valid_volumes = ["*"];
+ force_pull = false;
+ };
+ };
+ labels = [];
+ tokenFile = config.age.secrets.forgejoActions.path;
+ };
+ };
 })
 (mkIf cfg.proxy {
 services.caddy.virtualHosts."${forgejoDomain}".extraConfig = ''
diff --git a/secrets/forgejo-actions.age b/secrets/forgejo-actions.age
new file mode 100644
index 0000000..40723ec
--- /dev/null
+++ b/secrets/forgejo-actions.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1 +-> ssh-ed25519 jBnYqQ THVbnor+AP7CyleSBNaSbxQEkmHlrQ2u+auPOgFXexM +ntnmIaGTpQEFo438GAU/UJZ7217I27TkkbLaqYq+uKM +--- uYDKB1BuWSUCUsdNm4xA2ugOLq27Vz811FbjlK+qYes +d Mh*$jj*j>ݛ!>v@hj7q>+yC 5W1ND^и \ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 90b4180..2f1fe02 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -6,6 +6,7 @@ in {
 # Venus
 "wireguard-thinkcentre.age".publicKeys = [venus];
 "keycloak-db.age".publicKeys = [venus];
+ "forgejo-actions.age".publicKeys = [venus];
 
 # Oracle
 "wireguard-oracle.age".publicKeys = [oracle];
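Review bot: In `modules/services/forgejo/default.nix` (hunk at -52,6 +59,33), the runner's `container` block pairs `privileged = true` with `valid_volumes = ["*"]`, so any workflow this runner accepts can run a privileged container with arbitrary host paths bind-mounted, which is effectively root on the host for whoever can get a workflow scheduled here. Unless a job demonstrably needs that, use `privileged = false;` and list only the required paths in `valid_volumes` (or `valid_volumes = [];`). The `options` string mounting the podman socket sits directly under `settings`, whereas the runner configuration appears to expect it under `container`, so it is probably ignored as written; if it is moved there it gives job containers control of the host's podman, so it is better dropped or kept with a comment explaining why it is needed. `age.secrets.forgejoActions.file` is also set outside the `mkIf cfg.actions.enable`, so every host enabling Forgejo declares a secret that `secrets/secrets.nix` encrypts only for `venus`; `age.secrets.forgejoActions = mkIf cfg.actions.enable { file = ../../../secrets/forgejo-actions.age; };` would keep it with the runner. The enclosing `(mkIf cfg.enable {` block starts outside this hunk.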