Improvements

.gitea/workflows/check-flake.yaml

@@ -19,6 +19,8 @@ jobs:
         run: nix flake check --all-systems --print-build-logs --log-format raw --show-trace
 
       - name: Push to cache
+        env:
+          XDG_CONFIG_HOME: ${{ runner.temp }}/.config
         run: |
           attic login local "${{ secrets.ATTIC_ENDPOINT }}" "${{ secrets.ATTIC_TOKEN }}"
           nix eval .#nixosConfigurations --apply 'cs: map (n: "${cs.${n}.config.system.build.toplevel}") (builtins.attrNames cs)' --json \

common/server/gitea-actions-runner.nix

@@ -1,4 +1,4 @@
-{ config, pkgs, lib, ... }:
+{ config, lib, ... }:
 
 # Gitea Actions Runner inside a NixOS container.
 # The container shares the host's /nix/store (read-only) and nix-daemon socket,
@@ -9,6 +9,8 @@
 let
   thisMachineIsARunner = config.thisMachine.hasRole."gitea-actions-runner";
   containerName = "gitea-runner";
+  giteaRunnerUid = 991;
+  giteaRunnerGid = 989;
 in
 {
   config = lib.mkIf (thisMachineIsARunner && !config.boot.isContainer) {
@@ -16,9 +18,6 @@ in
     containers.${containerName} = {
       autoStart = true;
       ephemeral = true;
-      privateNetwork = true;
-      hostAddress = "172.16.101.1";
-      localAddress = "172.16.101.2";
 
       bindMounts = {
         "/run/agenix/gitea-actions-runner-token" = {
@@ -33,7 +32,6 @@ in
 
       config = { config, lib, pkgs, ... }: {
         system.stateVersion = "25.11";
-        networking.hostName = lib.mkForce containerName;
 
         services.gitea-actions-runner.instances.inst = {
           enable = true;
@@ -46,12 +44,15 @@ in
         # Disable dynamic user so runner state persists via bind mount
         systemd.services.gitea-runner-inst.serviceConfig.DynamicUser = lib.mkForce false;
         users.users.gitea-runner = {
+          uid = giteaRunnerUid;
           home = "/var/lib/gitea-runner";
           group = "gitea-runner";
           isSystemUser = true;
           createHome = true;
         };
-        users.groups.gitea-runner = { };
+        users.groups.gitea-runner.gid = giteaRunnerGid;
+
+        nix.settings.experimental-features = [ "nix-command" "flakes" ];
 
         environment.systemPackages = with pkgs; [
           git
@@ -59,30 +60,19 @@ in
           jq
           attic-client
         ];
-
-        networking.firewall.enable = false;
       };
     };
 
-    # NAT for container outbound access
-    networking.nat.enable = true;
-    networking.nat.internalInterfaces = [ "ve-${containerName}" ];
-
     # Matching user on host — the container's gitea-runner UID must be
     # recognized by the host's nix-daemon as trusted (shared UID namespace)
     users.users.gitea-runner = {
+      uid = giteaRunnerUid;
       home = "/var/lib/gitea-runner";
       group = "gitea-runner";
       isSystemUser = true;
       createHome = true;
     };
-    users.groups.gitea-runner = { };
+    users.groups.gitea-runner.gid = giteaRunnerGid;
-
-    nix.settings.trusted-users = [ "gitea-runner" ];
-
-    # Don't use remote builders for CI
-    # (set on host since container uses host's daemon)
-    nix.distributedBuilds = lib.mkForce false;
 
     age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
   };