From 265b9c549e2c30df2257bea1bdcc339d3ee37c33 Mon Sep 17 00:00:00 2001
From: Tigor Hutasuhut
Date: Thu, 13 Jun 2024 20:12:46 +0700
Subject: [PATCH] forgejo: added runner
---
 profiles/homeserver.nix | 6 ------
 secrets/forgejo.yaml | 21 +++++++++++++++++++++
 system/services/forgejo.nix | 29 ++++++++++++++++++++++++++++-
 3 files changed, 49 insertions(+), 7 deletions(-)
 create mode 100644 secrets/forgejo.yaml
diff --git a/profiles/homeserver.nix b/profiles/homeserver.nix
index 565513c..b5c184e 100644
--- a/profiles/homeserver.nix
+++ b/profiles/homeserver.nix
@@ -21,12 +21,6 @@
 go.enable = true;
 networking.firewall.enable = true;
 networking.firewall.allowedTCPPorts = [ 80 443 ];
- cockpit.enable = true;
- docker = {
- enable = false;
- caddy.enable = false;
- kavita.enable = false;
- };
 podman = {
 enable = true;
 caddy.enable = false;
diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml
new file mode 100644
index 0000000..1979b84
--- /dev/null
+++ b/secrets/forgejo.yaml
@@ -0,0 +1,21 @@
+runner_token: ENC[AES256_GCM,data:OA1qGIY46bNcjHDms3XZhpa40J9WRexNXsnK0Lm1WWIUbvKOCp6GG2v2599ysQ==,iv:ftNbVJYJR+2UozxMLcYZh5HH+O1KRMvUAKQc9/UAunI=,tag:F++kseVO3yD3jt6+vVTJ5Q==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1kruum2varzua7w5n6n52vhwyek2arc685rhcwt0u7k2jf5mecsjslkl9ll
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKWHBRWTdZT0d4a0FIZlMx
+ R080ZWdzNzM3YWdaVTdvUGcxUlhBVllKSUdJCmdFRjMvYnphVE9PQjQ5V1Zlc0h6
+ TmF0YTN6QjZtay9Hbjc3QVUwcHRQdGcKLS0tIG9kTEZqTkpDQ2Z2Ni9taU03ekVs
+ NGg4aFJsSHNPdTcwQ2ZMdmJscm5iNzgKRLrTAenr9q3r1dGPEyuxNhsQp8+20rCk
+ IKbsjenq/QTMQc+pMz/0oypVFUYNljmOfTWvvnjdJNsYHektNMkmNA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-06-13T12:44:00Z"
+ mac: ENC[AES256_GCM,data:x8MHb/bcXqQHOUfLIOjnk1ivCs+ubLKm6L0gzrI3ZbLaQRieKvY2THSDjmyF2OAe5x9stjCY5ZOb7t3Y7EXG5sgiwvSwqcZKUY3k4SEkJtO6MJmLE39UGphHPZXQD4Jez+PWfrbZXf4lk9hsnW20wHZgePq+w6mW003uN88ZPzw=,iv:gOZJIXcT2GGTcxonKPtjxZewjFDHU0FW0xT8Sfzz10o=,tag:keHB371hNXD90rqgZjfeaw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
diff --git a/system/services/forgejo.nix b/system/services/forgejo.nix
index 335e666..e9eb540 100644
--- a/system/services/forgejo.nix
+++ b/system/services/forgejo.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, pkgs, ... }:
 let
 cfg = config.profile.services.forgejo;
 inherit (lib) mkIf;
@@ -25,5 +25,32 @@ in
 session.COOKIE_SECURE = true;
 };
 };
+
+ sops.secrets."runner_token" = {
+ sopsFile = ../../secrets/forgejo.yaml;
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances = {
+ ${config.networking.hostName} = {
+ enable = true;
+ name = config.networking.hostName;
+ url = config.services.forgejo.settings.server.ROOT_URL;
+ tokenFile = config.sops.secrets."runner_token".path;
+ settings = {
+ container = {
+ privileged = true;
+ # docker_host = "unix:///var/run/docker.sock";
+ valid_volumes = [ "**" ];
+ };
+ };
+ labels = [
+ "docker:docker://ghcr.io/catthehacker/ubuntu:act-22.04"
+ "native:host"
+ ];
+ };
+ };
+ };
 };
 }
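Review bot: The `container` settings of the new runner instance combine `privileged = true` with `valid_volumes = [ "**" ]`, and the `"native:host"` label additionally lets jobs run directly on the host, so any workflow this Forgejo instance accepts (including ones from other users or pull requests, if those are enabled) runs with what amounts to root on the home server. Unless a job really needs nested containers, I would drop `privileged = true`, replace the wildcard with an explicit list such as `valid_volumes = [ ];`, and remove `"native:host"`; if they have to stay, a comment above `settings` saying why and who may trigger workflows would help the next reader. Separately, the NixOS module documents `tokenFile` as an environment file carrying a `TOKEN=` entry; the sops value is encrypted, so I cannot tell whether `runner_token` is stored in that form, and it is worth confirming. The enclosing attribute set opens above this hunk.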