feat(forgejo): add actions runner

2024-05-20 19:32:35 -04:00 · 2024-05-20 19:32:35 -04:00 · 28cc9c48b2
commit 28cc9c48b2
parent ac6c8ef84d
4 changed files with 41 additions and 0 deletions
--- a/machines/thinkcentre/configuration.nix
+++ b/machines/thinkcentre/configuration.nix
@ -117,6 +117,7 @@
  my.services.forgejo = {
    enable = true;
    port = 3000;
+    actions.enable = true;
  };

  swapDevices = [
--- a/modules/services/forgejo/default.nix
+++ b/modules/services/forgejo/default.nix
@ -1,6 +1,7 @@
 {
  config,
  lib,
+  pkgs,
  ...
 }:
 with lib; let
@ -12,6 +13,11 @@ in {
  options.my.services.forgejo = {
    enable = mkEnableOption "Forgejo";
    proxy = mkEnableOption "Forgejo reverse proxy entry";
+    actions = mkOption {
+      type = types.submodule (_: {
+        options.enable = mkEnableOption "Forgejo Actions";
+      });
+    };
    subdomain = mkOption {
      type = types.str;
      default = "git";
@ -30,6 +36,7 @@ in {
    (mkIf cfg.enable {
      services.forgejo = {
        enable = true;
+        package = pkgs.unstable.forgejo;
        settings.server = {
          DOMAIN = forgejoDomain;
          ROOT_URL = forgejoUrl;
@ -52,6 +59,33 @@ in {
      };

      networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+
+      age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
+      services.gitea-actions-runner = mkIf cfg.actions.enable {
+        package = pkgs.unstable.forgejo-runner;
+        instances.venus = {
+          enable = true;
+          name = "venus";
+          url = forgejoUrl;
+          settings = {
+            # log = {
+            #   level = "debug";
+            # };
+            options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+            runner = {
+              capacity = 5;
+              timeout = "45m";
+            };
+            container = {
+              privileged = true;
+              valid_volumes = ["*"];
+              force_pull = false;
+            };
+          };
+          labels = [];
+          tokenFile = config.age.secrets.forgejoActions.path;
+        };
+      };
    })
    (mkIf cfg.proxy {
      services.caddy.virtualHosts."${forgejoDomain}".extraConfig = ''
--- a/secrets/forgejo-actions.age
+++ b/secrets/forgejo-actions.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 jBnYqQ THVbnor+AP7CyleSBNaSbxQEkmHlrQ2u+auPOgFXexM
+ntnmIaGTpQEFo438GAU/UJZ7217I27TkkbLaqYq+uKM
+--- uYDKB1BuWSUCUsdNm4xA2ugOLq27Vz811FbjlK+qYes
+³dô
¬ªÍM±ÞhÑ*$j®Øj²*½jÃÅÉ>Ý›Å!œ®>v<>Ù@hj7q¾§¡>í+…ÄÄy<15>ã¢Cþ¨5¯W†ŸƒØ1NÙDâ—^Ð¸
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -6,6 +6,7 @@ in {
  # Venus
  "wireguard-thinkcentre.age".publicKeys = [venus];
  "keycloak-db.age".publicKeys = [venus];
+  "forgejo-actions.age".publicKeys = [venus];

  # Oracle
  "wireguard-oracle.age".publicKeys = [oracle];