diff --git a/hosts/thegeneralist-central/forgejo/default.nix b/hosts/thegeneralist-central/forgejo/default.nix index 70c2589..182a54a 100644 --- a/hosts/thegeneralist-central/forgejo/default.nix +++ b/hosts/thegeneralist-central/forgejo/default.nix @@ -7,6 +7,8 @@ in { imports = [ ../../../modules/postgresql.nix ]; + age.secrets.forgejoRunnerToken.file = ./forgejo-runner-token.age; + services.forgejo = { enable = true; stateDir = forgejo_folder "state"; @@ -93,5 +95,30 @@ in }; }; + services.gitea-actions-runner = { + package = pkgs.forgejo-runner; + instances.central = { + enable = true; + name = "thegeneralist-central"; + url = "https://${domain}"; + tokenFile = config.age.secrets.forgejoRunnerToken.path; + labels = [ "central:host" ]; + + # Host-executed jobs need nix + ssh in PATH. + hostPackages = with pkgs; [ + bash + coreutils + curl + gawk + gitMinimal + gnused + nodejs + nix + openssh + wget + ]; + }; + }; + networking.firewall.allowedTCPPorts = [ 2222 ]; } diff --git a/hosts/thegeneralist-central/forgejo/forgejo-runner-token.age b/hosts/thegeneralist-central/forgejo/forgejo-runner-token.age new file mode 100644 index 0000000..876544f --- /dev/null +++ b/hosts/thegeneralist-central/forgejo/forgejo-runner-token.age @@ -0,0 +1,5 @@ +age-encryption.org/v1 +-> ssh-ed25519 pp9qdQ xQTY8i7SQWpBxxcrYAzkTuK6p5toOknfXef6JOreZHA +0WAy/WC6eGjW8yb+mVPwIn6BmTxYfgLlYmV0BKVn+8E +--- sfCrXmbA46pPodKC6m3SMmemx8eYMDvp7zqrL0iOfs8 +cj0MԤry~$8h/\~)[}AZ|,ҝ]1 \ No newline at end of file diff --git a/secrets.nix b/secrets.nix index 8ea2f3f..a54671f 100644 --- a/secrets.nix +++ b/secrets.nix 
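Review bot: The expected plaintext format of `forgejo-runner-token.age` is not documented at the `age.secrets.forgejoRunnerToken.file` declaration, and the decrypted path is passed to `tokenFile` in the second hunk of this file. As far as I know, the NixOS `gitea-actions-runner` module loads that path as an environment file, so the content should be `TOKEN=<registration token>` rather than the bare token. This cannot be checked from the ciphertext. A comment above the declaration would prevent a failed registration at the next rotation, e.g. `# plaintext is an env file: TOKEN=<runner registration token>`.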
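Review bot: The `central:host` label in `instances.central` makes every job that targets this runner execute its steps directly on thegeneralist-central, which also serves Forgejo, with `nix` and `openssh` on PATH and no container boundary. Nothing in the hunk limits which repositories or users can schedule onto the runner; that depends on the scope the token was registered with, which is not visible here. If host execution is required, state the trust assumption next to the label, e.g. `# host label: steps run unsandboxed on this machine; register for trusted repos only, not for untrusted pull requests`. The existing comment explains only nix and ssh, so a short note on why `curl` and `wget` are in `hostPackages`, or dropping them if unused, would keep the job environment minimal.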
@@ -10,6 +10,7 @@ in { "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ]; "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ]; + "hosts/thegeneralist-central/forgejo/forgejo-runner-token.age".publicKeys = [ thegeneralist ]; "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ]; }
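Review bot: The new entry lists only `thegeneralist` as recipient, so the host can decrypt the runner token only with that identity, presumably the same key used for the neighbouring `thegeneralist-central` secrets. This commit also makes the host run CI job steps directly on the machine, which raises the cost of that identity being readable there, because it is the recipient for every other entry visible in this hunk, including `modules/linux/tailscale-marshall.age`. Consider adding a dedicated host key as recipient for host-only secrets, e.g. `publicKeys = [ thegeneralist central ];` where `central` is a placeholder name for a host key bound in the `let` block, and pointing the host's decryption identity at it. The `let` bindings are outside this hunk, so it is not visible here whether such a key already exists.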