Aner Zakobar
73 lines
2.7 KiB
Nix
73 lines
2.7 KiB
Nix
{ config, lib, pkgs, homeyConfig, ... }:
|
|
|
|
# Gitea Actions Runner — executes CI/CD jobs triggered by Gitea Actions.
|
|
#
|
|
# Uses the NixOS native services.gitea-actions-runner module (act runner).
|
|
# Jobs run directly on the host ("host" executor) — no container isolation.
|
|
# This is appropriate for a trusted home server and avoids the overhead of
|
|
# nested containers on a Pi 4.
|
|
#
|
|
# The service uses DynamicUser=true so there is no persistent system user.
|
|
# Job step PATH is controlled by hostPackages (not the service PATH).
|
|
# nix is not in the NixOS module's default hostPackages and must be added.
|
|
#
|
|
# Setup (one-time):
|
|
# 1. In Gitea: Site Administration → Actions → Runners → Create Runner Token
|
|
# 2. Store the token in sops with KEY=VALUE format:
|
|
# gitea/runner_token: "TOKEN=<your-token-here>"
|
|
# 3. Enable homey.giteaRunner in the host config and deploy.
|
|
#
|
|
# After first start the runner registers itself and stores credentials in
|
|
# /var/lib/gitea-runner/<name>/.runner — the token file is only needed for
|
|
# (re-)registration.
|
|
#
|
|
# Secrets consumed from sops:
|
|
# gitea/runner_token (must contain: TOKEN=<value>)
|
|
|
|
let
|
|
cfg = config.homey.giteaRunner;
|
|
domain = homeyConfig.domain;
|
|
in
|
|
{
|
|
options.homey.giteaRunner = {
|
|
enable = lib.mkEnableOption "Gitea Actions runner" // { default = true; };
|
|
|
|
name = lib.mkOption {
|
|
type = lib.types.str;
|
|
default = config.networking.hostName;
|
|
description = "Runner name as shown in Gitea's runner list.";
|
|
};
|
|
|
|
labels = lib.mkOption {
|
|
type = lib.types.listOf lib.types.str;
|
|
default = [ "native:host" "ubuntu-latest:host" "debian-latest:host" "nix:host" ];
|
|
description = ''
|
|
Labels advertised to Gitea. The "host" executor runs jobs directly on
|
|
this machine. Workflow files targeting any of these labels will be
|
|
picked up by this runner.
|
|
'';
|
|
};
|
|
};
|
|
|
|
config = lib.mkIf cfg.enable {
|
|
# The NixOS module reads tokenFile as a systemd EnvironmentFile (root reads
|
|
# it before DynamicUser privilege drop), so owner=root / mode=0400 is correct.
|
|
# The file must contain: TOKEN=<registration-token>
|
|
sops.secrets."gitea/runner_token" = { owner = "root"; mode = "0400"; };
|
|
|
|
services.gitea-actions-runner.instances.${cfg.name} = {
|
|
enable = true;
|
|
url = "https://git.${domain}";
|
|
tokenFile = config.sops.secrets."gitea/runner_token".path;
|
|
name = cfg.name;
|
|
labels = cfg.labels;
|
|
# hostPackages controls the PATH available to job steps (host executor).
|
|
# nix is not in the default list so must be added explicitly.
|
|
hostPackages = with pkgs; [
|
|
bash coreutils curl gawk gitMinimal gnused nodejs wget
|
|
nix
|
|
];
|
|
};
|
|
};
|
|
}
|