diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml index 7471814..9923f63 100644 --- a/.gitea/workflows/check-flake.yaml +++ b/.gitea/workflows/check-flake.yaml @@ -19,6 +19,8 @@ jobs: run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace - name: Push to cache + env: + XDG_CONFIG_HOME: ${{ runner.temp }}/.config run: | attic login local "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}" nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \ diff --git a/common/server/gitea-actions-runner.nix b/common/server/gitea-actions-runner.nix index eb8cbd7..aa68cc1 100644 --- a/common/server/gitea-actions-runner.nix +++ b/common/server/gitea-actions-runner.nix @@ -1,4 +1,4 @@ -{ config, pkgs, lib, ... }: +{ config, lib, ... }: # Gitea Actions Runner inside a NixOS container. # The container shares the host's /nix/store (read-only) and nix-daemon socket, @@ -9,6 +9,8 @@ let thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner"; containerName = "gitea-runner"; + giteaRunnerUid = 991; + giteaRunnerGid = 989; in { config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) { @@ -16,9 +18,6 @@ in containers.${containerName} = { autoStart = true; ephemeral = true; - privateNetwork = true; - hostAddress = "172.16.101.1"; - localAddress = "172.16.101.2"; bindMounts = { "/run/agenix/gitea-actions-runner-token" = { @@ -33,7 +32,6 @@ in config = { config, lib, pkgs, ... }: { system.stateVersion = "25.11"; - networking.hostName = lib.mkForce containerName; services.gitea-actions-runner.instances.inst = { enable = true; 
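Review bot: `attic login local "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"` still splices both secrets directly into the shell script, so a secret value containing a quote or `$(` is executed rather than passed, and the token sits in the command's argv where any process on the host can read it for as long as attic runs. Since the step now has an `env:` block, move them there — `ATTIC_ENDPOINT: ${{ secrets.ATTIC_ENDPOINT }}` and `ATTIC_TOKEN: ${{ secrets.ATTIC_TOKEN }}` — and call `attic login local "$ATTIC_ENDPOINT" "$ATTIC_TOKEN"`. attic login presumably persists the token under `$XDG_CONFIG_HOME`, which this hunk points at `runner.temp`; confirm that directory is scrubbed between jobs, otherwise the token outlives the step. The `run:` script continues past the end of the hunk.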
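Review bot: `giteaRunnerUid = 991;` and `giteaRunnerGid = 989;` carry no explanation of why these exact numbers were chosen or what they must not collide with; 991 and 989 look like values from the range NixOS hands out dynamically to system users, so a host (or the container) that has already allocated one of them to another service will conflict at activation. Add `# Pinned so host and container resolve gitea-runner to the same numeric IDs (shared UID namespace); pick values unused in /var/lib/nixos/uid-map and gid-map on every runner host.` above the two bindings. Check the existing allocations on each runner host before deploying.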
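Review bot: Dropping `privateNetwork = true` together with `hostAddress`/`localAddress` moves the runner, and therefore every workflow step it executes, into the host's network namespace; jobs can then reach services bound to the host's loopback and bind ports on the host, which the previous veth plus NAT setup prevented. If host networking is needed (for example to reach a cache that only listens on localhost), record the trade-off in the container block, e.g. `# Host network namespace on purpose: jobs can reach host loopback services — run only trusted workflows here.`; otherwise keep `privateNetwork = true;` and the NAT rules that the later hunk deletes. The `containers.${containerName}` definition continues beyond this hunk.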
@@ -46,12 +44,15 @@ in # Disable dynamic user so runner state persists via bind mount systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false; users.users.gitea-runner = { + uid = giteaRunnerUid; home = "/var/lib/gitea-runner"; group = "gitea-runner"; isSystemUser = true; createHome = true; }; - users.groups.gitea-runner = { }; + users.groups.gitea-runner.gid = giteaRunnerGid; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; environment.systemPackages = with pkgs; [ git @@ -59,30 +60,19 @@ in jq attic-client ]; - - networking.firewall.enable = false; }; }; - # NAT for container outbound access - networking.nat.enable = true; - networking.nat.internalInterfaces = [ "ve-${containerName}" ]; - # Matching user on host — the container's gitea-runner UID must be # recognized by the host's nix-daemon as trusted (shared UID namespace) users.users.gitea-runner = { + uid = giteaRunnerUid; home = "/var/lib/gitea-runner"; group = "gitea-runner"; isSystemUser = true; createHome = true; }; - users.groups.gitea-runner = { }; - - nix.settings.trusted-users = [ "gitea-runner" ]; - - # Don't use remote builders for CI - # (set on host since container uses host's daemon) - nix.distributedBuilds = lib.mkForce false; + users.groups.gitea-runner.gid = giteaRunnerGid; age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age; }; diff --git a/secrets/gitea-actions-runner-token.age b/secrets/gitea-actions-runner-token.age index 8bdbd51..5ff450e 100644 Binary files a/secrets/gitea-actions-runner-token.age and b/secrets/gitea-actions-runner-token.age differ
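Review bot: The container's `users.users.gitea-runner = { uid = giteaRunnerUid; home = "/var/lib/gitea-runner"; group = "gitea-runner"; isSystemUser = true; createHome = true; }` is now the same attrset, field for field, as the host's definition later in the file, and the shared-UID design rests on the two staying identical; a future edit to one side silently breaks that assumption. Bind the attrset once in the file's `let` block next to the IDs and reference it from both places. The container `config` function this hunk sits in starts and ends outside the hunk.
```nix
  # … unchanged: thisMachineIsARunner, containerName, giteaRunnerUid, giteaRunnerGid …
  # One definition used by both host and container so the numeric IDs cannot drift apart.
  giteaRunnerUser = {
    uid = giteaRunnerUid;
    home = "/var/lib/gitea-runner";
    group = "gitea-runner";
    isSystemUser = true;
    createHome = true;
  };
in
# … unchanged: container definition …
        users.users.gitea-runner = giteaRunnerUser;
        users.groups.gitea-runner.gid = giteaRunnerGid;
```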
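Review bot: The retained comment `# recognized by the host's nix-daemon as trusted (shared UID namespace)` no longer matches the code beneath it, because this hunk deletes `nix.settings.trusted-users = [ "gitea-runner" ];` from the host. Not trusting the runner is the better posture — a trusted user can hand the daemon arbitrary substituters and sandbox settings, which is close to root on the host — so keep the deletion but rewrite the comment to `# Matching user on host — same numeric UID/GID as inside the container so files written through the shared nix-daemon socket and bind mounts have consistent ownership (shared UID namespace). Deliberately NOT in nix.settings.trusted-users.` The hunk also removes `nix.distributedBuilds = lib.mkForce false;` without a visible replacement; if remote builders are configured elsewhere for this host, CI builds will now be sent to them, so confirm that is intended.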