forgejo: add runner token

hosts/thegeneralist-central/forgejo/default.nix

@@ -7,6 +7,8 @@ in
 {
   imports = [ ../../../modules/postgresql.nix ];
 
+  age.secrets.forgejoRunnerToken.file = ./forgejo-runner-token.age;
+
   services.forgejo = {
     enable = true;
     stateDir = forgejo_folder "state";
@@ -93,5 +95,30 @@ in
       };
   };
 
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.central = {
+      enable = true;
+      name = "thegeneralist-central";
+      url = "https://${domain}";
+      tokenFile = config.age.secrets.forgejoRunnerToken.path;
+      labels = [ "central:host" ];
+
+    # Host-executed jobs need nix + ssh in PATH.
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        nix
+        openssh
+        wget
+      ];
+    };
+  };
+
   networking.firewall.allowedTCPPorts = [ 2222 ];
 }

hosts/thegeneralist-central/forgejo/forgejo-runner-token.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ xQTY8i7SQWpBxxcrYAzkTuK6p5toOknfXef6JOreZHA
+0WAy/WC6eGjW8yb+mVPwIn6BmTxYfgLlYmV0BKVn+8E
+--- sfCrXmbA46pPodKC6m3SMmemx8eYMDvp7zqrL0iOfs8
+cüj°0êÏMÔ¤á“ryêÜ~$8£’ºhÅ/\~©)¿«¸[}<7D>ëÅA÷ô»ZÇ|,­èÒÊíÒ<C3AD>ôú¦]1

secrets.nix

@@ -10,6 +10,7 @@ in {
   "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
   "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/forgejo/forgejo-runner-token.age".publicKeys = [ thegeneralist ];
 
   "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ];
 }