Merge branch 'main' of https://git.thomasfmly.org/michael/nix-dots

machines/thinkcentre/configuration.nix

@@ -77,6 +77,7 @@
   age.secrets.keycloakDb.file = ../../secrets/keycloak-db.age;
   services.keycloak = {
     enable = true;
+    package = pkgs.unstable.keycloak;
     settings = {
       hostname-url = "https://auth.s.michaelt.xyz";
       hostname-admin-url = "https://auth.s.michaelt.xyz";
@@ -116,6 +117,7 @@
   my.services.forgejo = {
     enable = true;
     port = 3000;
+    actions.enable = true;
   };
 
   swapDevices = [

modules/services/forgejo/default.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  pkgs,
   ...
 }:
 with lib; let
@@ -12,6 +13,11 @@ in {
   options.my.services.forgejo = {
     enable = mkEnableOption "Forgejo";
     proxy = mkEnableOption "Forgejo reverse proxy entry";
+    actions = mkOption {
+      type = types.submodule (_: {
+        options.enable = mkEnableOption "Forgejo Actions";
+      });
+    };
     subdomain = mkOption {
       type = types.str;
       default = "git";
@@ -30,6 +36,7 @@ in {
     (mkIf cfg.enable {
       services.forgejo = {
         enable = true;
+        package = pkgs.unstable.forgejo;
         settings.server = {
           DOMAIN = forgejoDomain;
           ROOT_URL = forgejoUrl;
@@ -52,9 +59,43 @@ in {
       };
 
       networking.firewall.interfaces."${firewallInterface}".allowedTCPPorts = [cfg.port];
+
+      age.secrets.forgejoActions.file = ../../../secrets/forgejo-actions.age;
+      services.gitea-actions-runner = mkIf cfg.actions.enable {
+        package = pkgs.unstable.forgejo-runner;
+        instances.venus = {
+          enable = true;
+          name = "venus";
+          url = forgejoUrl;
+          settings = {
+            # log = {
+            #   level = "debug";
+            # };
+            options = "-v /var/run/podman/podman.sock:/var/run/podman/podman.sock";
+            runner = {
+              capacity = 5;
+              timeout = "45m";
+            };
+            container = {
+              privileged = true;
+              valid_volumes = ["*"];
+              force_pull = false;
+            };
+          };
+          labels = [];
+          tokenFile = config.age.secrets.forgejoActions.path;
+        };
+      };
     })
     (mkIf cfg.proxy {
       services.caddy.virtualHosts."${forgejoDomain}".extraConfig = ''
+        handle_errors {
+          status 502
+          respond "This server is currently unavailable."
+        }
+
+        redir /user/login /user/oauth2/Keycloak?{query}
+
         reverse_proxy http://${proxyIP}:${toString cfg.port}
       '';
 

pkgs/keywind/default.nix

@@ -7,10 +7,10 @@ stdenv.mkDerivation {
   version = "0.0.1-dev";
 
   src = fetchFromGitHub {
-    owner = "lukin";
+    owner = "michaelhthomas";
     repo = "keywind";
-    rev = "bdf966fdae0071ccd46dab4efdc38458a643b409";
-    hash = "sha256-8N+OQ6Yg9RKxqGd8kgsbvrYuVgol49bo/iJeIJXr3Sg=";
+    rev = "f3f016ab34ac9731ef8dadd6e79406a3c2433a34";
+    hash = "sha256-wronX44qyUIuoTSdKj01UlLrwH9U5qNkUuSouV+xSUU=";
   };
 
   installPhase = ''

secrets/forgejo-actions.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 jBnYqQ THVbnor+AP7CyleSBNaSbxQEkmHlrQ2u+auPOgFXexM
+ntnmIaGTpQEFo438GAU/UJZ7217I27TkkbLaqYq+uKM
+--- uYDKB1BuWSUCUsdNm4xA2ugOLq27Vz811FbjlK+qYes
+³dô
¬ªÍM±ÞhÑ*$j®Øj²*½jÃÅÉ>Ý›Å!œ®>v<>Ù@hj7q¾§¡>í+…ÄÄy<15>ã¢Cþ¨5¯W†ŸƒØ1NÙDâ—^и

secrets/secrets.nix

@@ -6,6 +6,7 @@ in {
   # Venus
   "wireguard-thinkcentre.age".publicKeys = [venus];
   "keycloak-db.age".publicKeys = [venus];
+  "forgejo-actions.age".publicKeys = [venus];
 
   # Oracle
   "wireguard-oracle.age".publicKeys = [oracle];