feat(forgejo): add actions runner

machines/thinkcentre/configuration.nix

@@ -117,6 +117,7 @@
   my.services.forgejo = {
     enable = true;
     port = 3000;
+    actions.enable = true;
   };
 
   swapDevices = [

modules/services/forgejo/default.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 with lib; let
@@ -12,6 +13,11 @@ in {
   options.my.services.forgejo = {
     enable = mkEnableOption "Forgejo";
     proxy = mkEnableOption "Forgejo reverse proxy entry";
+    actions = mkOption {
+      type = types.submodule (_: {
+        options.enable = mkEnableOption "Forgejo Actions";
+      });
+    };
     subdomain = mkOption {
       type = types.str;
       default = "git";
@@ -30,6 +36,7 @@ in {
     (mkIf cfg.enable {
       services.forgejo = {
         enable = true;
+        package = pkgs.unstable.forgejo;
         settings.server = {
           DOMAIN = forgejoDomain;
           ROOT_URL = forgejoUrl;
@@ -52,6 +59,33 @@ in {
       };
 
       networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+
+      age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
+      services.gitea-actions-runner = mkIf cfg.actions.enable {
+        package = pkgs.unstable.forgejo-runner;
+        instances.venus = {
+          enable = true;
+          name = "venus";
+          url = forgejoUrl;
+          settings = {
+            # log = {
+            #   level = "debug";
+            # };
+            options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+            runner = {
+              capacity = 5;
+              timeout = "45m";
+            };
+            container = {
+              privileged = true;
+              valid_volumes = ["*"];
+              force_pull = false;
+            };
+          };
+          labels = [];
+          tokenFile = config.age.secrets.forgejoActions.path;
+        };
+      };
     })
     (mkIf cfg.proxy {
       services.caddy.virtualHosts."${forgejoDomain}".extraConfig = ''

secrets/forgejo-actions.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 jBnYqQ THVbnor+AP7CyleSBNaSbxQEkmHlrQ2u+auPOgFXexM
+ntnmIaGTpQEFo438GAU/UJZ7217I27TkkbLaqYq+uKM
+--- uYDKB1BuWSUCUsdNm4xA2ugOLq27Vz811FbjlK+qYes
+³dô
¬ªÍM±ÞhÑ*$j®Øj²*½jÃÅÉ>Ý›Å!œ®>v<>Ù@hj7q¾§¡>í+…ÄÄy<15>ã¢Cþ¨5¯W†ŸƒØ1NÙDâ—^и

secrets/secrets.nix

@@ -6,6 +6,7 @@ in {
   # Venus
   "wireguard-thinkcentre.age".publicKeys = [venus];
   "keycloak-db.age".publicKeys = [venus];
+  "forgejo-actions.age".publicKeys = [venus];
 
   # Oracle
   "wireguard-oracle.age".publicKeys = [oracle];