add gitea runner

2023-12-05 23:34:41 +01:00
parent fdd00af834
commit 528c030588
2 changed files with 58 additions and 2 deletions
--- a/hosts/fw.cloonar.com/modules/gitea.nix
+++ b/hosts/fw.cloonar.com/modules/gitea.nix
@@ -14,6 +14,18 @@ let
  group = {
    gid = cids.gids.gitea;
  };
+
+
+  runner-user = {
+    isSystemUser = true;
+    uid = cids.uids.gitea-runner;
+    group = "gitea-runner";
+    home = "/var/lib/gitea";
+    createHome = true;
+  };
+  runner-group = {
+    gid = cids.gids.gitea-runner;
+  };
 in
 {
  nixpkgs.config.permittedInsecurePackages = [
@@ -104,4 +116,47 @@ in
      system.stateVersion = "23.05";
    };
  };
+
+  users.users.gitea-runner = runner-user;
+  users.groups.gitea-runner = runner-group;
+
+  sops.secrets.gitea-runner-token = {
+    owner = "git-runner";
+  };
+
+  containers.git-runner = {
+    autoStart = true;
+    ephemeral = true; # because of ssh key
+    macvlans = [ "vserver" ];
+    bindMounts = {
+      "/run/secrets/gitea-runner-token" = {
+        hostPath = config.sops.secrets.gitea-runner-token.path;
+        isReadOnly = true;
+      };
+    };
+    config = { lib, config, pkgs, ... }: {
+      networking = {
+        hostName = "git-runner";
+        nameservers = [ "10.42.97.10" ];
+        interfaces.mv-vserver = {
+          useDHCP = true;
+        };
+        firewall = {
+          enable = true;
+        };
+      };
+
+      services.gitea-actions-runner.instances.main = {
+        enable = true;
+        url = "https://git.cloonar.com";
+        name = "main";
+        tokenfile = "/run/secrets/gitea-runner-token";
+      };
+
+      users.users.gitea-runner = runner-user;
+      users.groups.gitea-runner = runner-group;
+
+      system.stateVersion = "23.05";
+    };
+  };
 }