From a70aef9cf2e45088ba7f8008bcaf7dd1f5374599 Mon Sep 17 00:00:00 2001
From: Zuckerberg
Date: Thu, 19 Feb 2026 20:42:47 -0800
Subject: [PATCH] Improvements

---
 .gitea/workflows/check-flake.yaml | 2 ++
 common/server/gitea-actions-runner.nix | 28 ++++++++-----------------
 secrets/gitea-actions-runner-token.age | Bin 589 -> 589 bytes
 3 files changed, 11 insertions(+), 19 deletions(-)

diff --git a/.gitea/workflows/check-flake.yaml b/.gitea/workflows/check-flake.yaml
index 7471814..9923f63 100644
--- a/.gitea/workflows/check-flake.yaml
+++ b/.gitea/workflows/check-flake.yaml
@@ -19,6 +19,8 @@ jobs:
 run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
 
 - name: Push to cache
+ env:
+ XDG_CONFIG_HOME: ${{ runner.temp }}/.config
 run: |
 attic login local "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
 nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \
diff --git a/common/server/gitea-actions-runner.nix b/common/server/gitea-actions-runner.nix
index eb8cbd7..aa68cc1 100644
--- a/common/server/gitea-actions-runner.nix
+++ b/common/server/gitea-actions-runner.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 
 # Gitea Actions Runner inside a NixOS container.
 # The container shares the host's /nix/store (read-only) and nix-daemon socket,
@@ -9,6 +9,8 @@ let
 thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
 containerName = "gitea-runner";
+ giteaRunnerUid = 991;
+ giteaRunnerGid = 989;
 in
 {
 config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
@@ -16,9 +18,6 @@ in
 containers.${containerName} = {
 autoStart = true;
 ephemeral = true;
- privateNetwork = true;
- hostAddress = "172.16.101.1";
- localAddress = "172.16.101.2";
 bindMounts = {
 "/run/agenix/gitea-actions-runner-token" = {
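Review bot: The new `XDG_CONFIG_HOME` entry on the "Push to cache" step carries no comment saying why the config directory is redirected into `runner.temp`; as far as I know `attic login` persists the endpoint token in a config file under that directory, so this setting is what keeps the credential out of the runner's persistent home, and that reasoning should be visible to the next editor. Suggest `# attic login writes its token file under XDG_CONFIG_HOME; keep it in the job temp dir, not the persistent runner home` above `env:`. Whether `runner.temp` is wiped between jobs on this runner is not visible here, so a cleanup step may still be warranted. Separately, the token is still handed to `attic login` as a command-line argument, which is visible in the process list for the life of the command; that predates this change but is worth a note. The job definition continues outside the hunk.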
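Review bot: `giteaRunnerUid` and `giteaRunnerGid` are pinned to the literals 991 and 989 with no comment on why they are fixed or where the values came from; the later hunks apply the same constants to both the host's and the container's `gitea-runner` account, and a reader needs to know the pin exists so the two accounts stay the same UID across the shared UID namespace, and that the values must stay in sync with whatever the host already allocated. Suggest `# Fixed IDs so the container's gitea-runner maps to the same host account (shared UID namespace); change both definitions together.` above `giteaRunnerUid = 991;`. The `let` block begins outside the hunk.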
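Review bot: Removing `privateNetwork`, `hostAddress` and `localAddress` leaves the container, and therefore every workflow step it runs, in the host's network namespace, so any service the host binds to loopback becomes reachable from job code; the file's header comment still describes only the shared `/nix/store` and nix-daemon socket and should now also state that networking is shared. Suggest extending that comment with `# Networking is shared with the host (no privateNetwork): workflow steps can reach host-local services.` and, if this was intentional, a sentence on why the veth/NAT setup was dropped. The `containers.${containerName}` attrset continues outside the hunk, and the matching NAT and firewall removals are in the later hunk at `@@ -59,30 +60,19 @@`.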
@@ -33,7 +32,6 @@ in
 config = { config, lib, pkgs, ... }: {
 system.stateVersion = "25.11";
 
- networking.hostName = lib.mkForce containerName;
 
 services.gitea-actions-runner.instances.inst = {
 enable = true;
@@ -46,12 +44,15 @@ in
 # Disable dynamic user so runner state persists via bind mount
 systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
 users.users.gitea-runner = {
+ uid = giteaRunnerUid;
 home = "/var/lib/gitea-runner";
 group = "gitea-runner";
 isSystemUser = true;
 createHome = true;
 };
- users.groups.gitea-runner = { };
+ users.groups.gitea-runner.gid = giteaRunnerGid;
+
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
 environment.systemPackages = with pkgs; [
 git
@@ -59,30 +60,19 @@ in
 jq
 attic-client
 ];
-
- networking.firewall.enable = false;
 };
 };
 
- # NAT for container outbound access
- networking.nat.enable = true;
- networking.nat.internalInterfaces = [ "ve-${containerName}" ];
-
 # Matching user on host — the container's gitea-runner UID must be
 # recognized by the host's nix-daemon as trusted (shared UID namespace)
 users.users.gitea-runner = {
+ uid = giteaRunnerUid;
 home = "/var/lib/gitea-runner";
 group = "gitea-runner";
 isSystemUser = true;
 createHome = true;
 };
- users.groups.gitea-runner = { };
-
- nix.settings.trusted-users = [ "gitea-runner" ];
-
- # Don't use remote builders for CI
- # (set on host since container uses host's daemon)
- nix.distributedBuilds = lib.mkForce false;
+ users.groups.gitea-runner.gid = giteaRunnerGid;
 
 age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
 };
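Review bot: The host-side `nix.settings.trusted-users = [ "gitea-runner" ]` is removed, yet the context comment kept directly above `users.users.gitea-runner` still says the container's UID "must be recognized by the host's nix-daemon as trusted", so comment and configuration now contradict each other; either trust is granted elsewhere (not visible in this patch) and the comment should say where, or it was dropped on purpose and the comment should be rewritten, e.g. `# Matching user on host so the container's gitea-runner maps to the same UID on the shared nix-daemon socket; deliberately not in trusted-users.` Dropping the trusted-users entry is the tighter choice, since a trusted user can override daemon settings such as substituters and sandboxing, but the intent should be stated. The removal of `nix.distributedBuilds = lib.mkForce false` likewise takes its explanatory comment with it; if CI builds may now be dispatched to the host's remote builders, a one-line note saying so would help. The enclosing `config = lib.mkIf … {` attrset starts outside the hunk.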
diff --git a/secrets/gitea-actions-runner-token.age b/secrets/gitea-actions-runner-token.age index 8bdbd5103d2fe4dbb0bdc69af5ed4a73b88f521e..5ff450e3e1ccd08861c267d8f12589dd476bd844 100644 GIT binary patch delta 517 zcmX@ha+YO+PQAZTSb$MZS%9IJWnfBZkh7nAQBp=ovVKlgZe^yir$J&tSw^~NVu)E- zI+u59ibt7tk!NUtp=+d{g|l}~V1R3}TWMalms_|+VUTfto~cVwL|J)$GMBEMLUD11 zZfc5=si~o*LX=CTv5BLCwxdT_u3t$}WPpEFS$Mi{rdv*?XPH|@Ku~~RidmFTWPWK% za!!Vufr*nRSB|f5p=XY8#GRIzDPR8mxARl0#?dQMvQ z#E;_P76BF&E9wnLP*-jS8;Q`*ho{nJ!-lo205pEWf;~B;43&S&03j>S2 z9h3Z`Od>0M0?dpe({hu{E6gLgbaizVywWp+tDMb?v#b0A-3u&&_0to> zOH&iw-A%#@tFlvlit>vi@(caa6HSXlxyp|%RoKnq?vNt3^!LHW>5q=`h&a11Giedi z@3;JaJ4-Ai()#z$?l-zix5jB6ir4efns`QcxnIv~y;r|Z`UEoUJfwTF!%V4fn)B2t JyCb_#0stH?x8wi- delta 517 zcmX@ha+YO+PQ7z*kda4GQ9x)~Vyb_-W1?|ciAiN?pnp+eWvM}7o|{u{NQjZYNl;2& zGFM(?W@bQcp1w(7Zc(ynn7_BSer|3_mA8v!MM{~gn^|yfP-Z};exh4pF_*5LLUD11 zZfc5=si~o*LX=CTv5BKXa&As~c6z00U|D2jo>`tprCV;kL8-Zsaj=QGL19^_TZutv zQh`}|x_6cZmxZIVb5WtYb9Pu#shh7~zPqKFQ{ZPFaPCMt&9s`Gu+eDdnMD$(HVE z&e`6ci50%-#oplsIT44u)BUcru&;~B;4y-lLbT?zv- zbG*YXvt85Nd|ax$%#)4W%>v4@f-)*HoI_ko%MC)xEiyv60*k|3j559blad3>Ju1VT zBl0ZM1H#Kv%kzx9a`pWqeH;y4OU-;z4-sq Kv?aSHG6Mko+_??_