docs: note forgejo runner perms and token

forgejo: allow runner to read deploy token
forgejo: add deploy token secret
2026-05-30 08:37:01 +02:00 · 2026-01-24 17:57:41 +01:00 · 2026-01-24 17:43:08 +01:00 · 2026-01-24 17:41:00 +01:00 · 2026-01-24 17:39:38 +01:00 · 2026-01-24 17:26:20 +01:00
6 changed files with 89 additions and 1 deletions
--- a/AGENTS.md
+++ b/AGENTS.md
@ -155,6 +155,13 @@ lib: inputs: self: lib.mkSystem "<os>" ./configuration.nix
 2. Check file extension is `.nix`
 3. Ensure valid Nix syntax

+### Forgejo Actions Runner (NixOS)
+1. `DynamicUser` conflicts require `lib.mkForce` if overriding module defaults.
+2. Runner state dir should be `/var/lib/gitea-runner/<instance>`; set `StateDirectory = "gitea-runner"` and let the instance name append.
+3. If the register script fails with `permission denied`, ensure `/var/lib/gitea-runner` exists and is owned by `gitea-runner`.
+4. If workflows need to read a home symlink target, `/home/<user>` must be `0750` (group traverse) and the runner user must be in that group.
+5. A Forgejo deploy token for HTTPS pulls should be stored in agenix and owned by `gitea-runner`; use env-file format (`TOKEN=...`) and read it at runtime.
+
 ### Nushell Warnings
 1. Deprecated `get -i` warning from direnv integration is a short-term workaround in `modules/common/shell/direnv.nix` (custom Nushell hook with `get -o` and HM integration disabled) until upstream home-manager updates.

--- a/hosts/thegeneralist-central/forgejo/default.nix
+++ b/hosts/thegeneralist-central/forgejo/default.nix
@ -1,3 +1,5 @@
+{ config, lib, pkgs, ... }:
+
 let
  forgejo_root_dir = "/var/lib/forgejo";
  domain = "git.thegeneralist01.com";
@ -7,6 +9,12 @@ in
 {
  imports = [ ../../../modules/postgresql.nix ];

+  age.secrets.forgejoRunnerToken.file = ./forgejo-runner-token.age;
+  age.secrets.forgejoFamilySiteDeployToken.file = ./forgejo-family-site-deploy-token.age;
+  age.secrets.forgejoFamilySiteDeployToken.owner = "gitea-runner";
+  age.secrets.forgejoFamilySiteDeployToken.group = "gitea-runner";
+  age.secrets.forgejoFamilySiteDeployToken.mode = "0400";
+
  services.forgejo = {
    enable = true;
    stateDir = forgejo_folder "state";
@ -26,6 +34,9 @@ in
        };

        attachment.ALLOWED_TYPES = "*/*";
+        actions = {
+          ENABLED = true;
+        };
        cache.ENABLED = true;

        "cron.archive_cleanup" =
@ -90,5 +101,61 @@ in
      };
  };

+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.central = {
+      enable = true;
+      name = "thegeneralist-central";
+      url = "https://${domain}";
+      tokenFile = config.age.secrets.forgejoRunnerToken.path;
+      labels = [
+        "native:host"
+        # "node-22:docker://node:22-bookworm"
+        # "nixos-latest:docker://nixos/nix"
+      ];
+
+      # Host-executed jobs need nix + ssh in PATH.
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        gawk
+        gitMinimal
+        gnused
+        nodejs
+        nix
+        openssh
+        wget
+      ];
+    };
+  };
+
+  networking.firewall.trustedInterfaces = [ "br-+" ];
+
+  programs.ssh.knownHosts.central = {
+    hostNames = [ "central" ];
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOkFvw9+AispgqwaYg3ksAZTHJgkCDwFTbWzUh/pVcAS";
+  };
+
+  # Avoid /var/lib/private so the runner can write its state.
+  systemd.services.gitea-runner-central.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    StateDirectory = lib.mkForce "gitea-runner";
+    StateDirectoryMode = "0755";
+  };
+
+  users.groups.gitea-runner = { };
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+    home = "/var/lib/gitea-runner/central";
+    createHome = true;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /var/lib/gitea-runner 0755 gitea-runner gitea-runner -"
+    "d /var/lib/gitea-runner/central 0755 gitea-runner gitea-runner -"
+  ];
+
  networking.firewall.allowedTCPPorts = [ 2222 ];
 }
--- a/hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age
+++ b/hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ GJGHfvh/Uxw7ft0YGwY8Opel/kBdmN4SlblkTyEcKjU
+r/WBadLWHFf0U/G/777GeOO37a6wER6sje3xk2pv9Do
+--- 9y4nJZEmjdmJ1ZNOu/8nYadBPDdvXN0sEnNjkx3a9sU
+(h<QG?EEqáÚþ%<25>1ÝäôiËŠ
+\!Æ€ÛSÅ76`'—ŸX{fäæ“®Jpû0ëA¥æï88J Œ·ÏÞ7òô]s2·
--- a/hosts/thegeneralist-central/forgejo/forgejo-runner-token.age
+++ b/hosts/thegeneralist-central/forgejo/forgejo-runner-token.age
@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 pp9qdQ 3zI5p1EPKcJdRWK0ZikK7MEwLON9oX2qRy0Ll8+7rXE
+66HhKgUa3AsYO4gHQmlypR7CgkdaQI7goZCPTHGxEE
+--- R+2xHNQawIBenqYp5t4s7XGDeDLt9cFZXprJSNHe8dE
+74›îA<0X”oexõúVüåÂn²#AÁeàDSã}þb¡§I ¤´Ðh“ÔÇD!`¥QB¿œˆ[û:ˆÛÙúf§$æñÁ™¦—ÏC?2Û“›Möþ
Ô‰ƒNC÷ŸU2¡ÉNuèý
+¸é@&Ç s‚©«÷Ø½‹Ìs…ñ<E280A6>DÉãsdÚÐÞÓ–D¸Xˆ1nØJ
--- a/hosts/thegeneralist-central/site.nix
+++ b/hosts/thegeneralist-central/site.nix
@ -55,7 +55,7 @@ in
    };

    virtualHosts."${family_domain}" = {
-      root = "/var/www/${family_domain}";
+      root = "/var/www/${family_domain}/dist";
      locations."/".tryFiles = "$uri $uri.html $uri/ $uri/index.html =404";

      extraConfig = ''
--- a/secrets.nix
+++ b/secrets.nix
@ -10,6 +10,8 @@ in {
  "hosts/thegeneralist-central/credentials_personal.age".publicKeys = [ thegeneralist ];
  "hosts/thegeneralist-central/cache/key.age".publicKeys = [ thegeneralist ];
  "hosts/thegeneralist-central/password.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/forgejo/forgejo-runner-token.age".publicKeys = [ thegeneralist ];
+  "hosts/thegeneralist-central/forgejo/forgejo-family-site-deploy-token.age".publicKeys = [ thegeneralist ];

  "modules/linux/tailscale-marshall.age".publicKeys = [ thegeneralist ];
 }
Author	SHA1	Message	Date
TheGeneralist	4826f1fe64	docs: note forgejo runner perms and token	2026-01-24 17:57:41 +01:00
TheGeneralist	0a948d53f5	forgejo: allow runner to read deploy token	2026-01-24 17:43:08 +01:00
TheGeneralist	9124a64c8c	forgejo: add deploy token secret	2026-01-24 17:41:00 +01:00
TheGeneralist	1f3f12b59d	forgejo: add deploy token secret	2026-01-24 17:39:38 +01:00
TheGeneralist	5feb3ac81e	docs: add forgejo runner state dir notes	2026-01-24 17:26:20 +01:00
TheGeneralist	921b343c2e	forgejo: fix runner state dir + tmpfiles	2026-01-24 17:24:38 +01:00
TheGeneralist	a9cc7b19d8	forgejo: use static runner user + non-private state dir	2026-01-24 17:18:59 +01:00
TheGeneralist	8ccf9a1e1d	forgejo: fix runner state dir + mkForce	2026-01-24 17:13:59 +01:00
TheGeneralist	b4d3ee8789	forgejo: use non-private runner state dir	2026-01-24 17:13:25 +01:00
TheGeneralist	711973945a	forgejo: run runner state outside /var/lib/private	2026-01-24 17:09:47 +01:00
TheGeneralist	4f50ad500f	forgejo: please work	2026-01-24 17:07:42 +01:00
TheGeneralist	0a8ea8a332	forgejo(ssh): fix central's key	2026-01-24 16:10:26 +01:00
TheGeneralist	51ecf21e68	forgejo: fix token	2026-01-24 16:03:38 +01:00
TheGeneralist	50d2f3e9de	Merge branch 'master' of github.com:thegeneralist01/config	2026-01-24 15:57:07 +01:00
TheGeneralist	55c402c120	forgejo: add known host for central	2026-01-24 15:55:59 +01:00
TheGeneralist	faf0bd9b51	nginx: fix domain root	2026-01-24 15:42:02 +01:00
TheGeneralist	54f5856164	forgejo: configure actions runner	2026-01-24 15:13:19 +01:00
TheGeneralist	a2767fa829	forgejo: add runner token	2026-01-24 14:49:09 +01:00
TheGeneralist	a59d691c8a	forgejo: enable runners	2026-01-24 14:36:44 +01:00