{ config, pkgs, lib, allModules, ... }:
# Gitea Actions Runner.
#
# Starts a 'host' runner inside a NixOS (systemd-nspawn) container on this
# machine, so gitea gets a real Nix/NixOS builder.
#
# WARNING: NixOS containers are not a security boundary. Among other things the
# container shares the host's /nix/store, so jobs executing under the
# "nixos:host" label run with access to that shared store. Do not point this
# runner at a gitea instance that executes workflows from untrusted code.
#
# To enable, assign a machine the 'gitea-actions-runner' system role.
let
  runnerRole = "gitea-actions-runner";
  runnerHosts = config.machines.roles.${runnerRole};
  hostName = config.networking.hostName;

  # Registration token: decrypted by agenix on the host, exposed read-only to
  # the container at the same path.
  tokenPath = "/run/agenix/gitea-actions-runner-token";

  # Runner state lives on the host so it outlives the ephemeral container rootfs.
  runnerStateDir = "/var/lib/private/gitea-runner";

  # The container imports allModules (and therefore this module); the
  # boot.isContainer guard keeps it from trying to nest another container.
  enabled = lib.elem hostName runnerHosts && !config.boot.isContainer;
in
{
  config = lib.mkIf enabled {
    containers.gitea-runner = {
      ephemeral = true;
      autoStart = true;

      bindMounts = {
        ${tokenPath} = {
          hostPath = tokenPath;
          isReadOnly = true;
        };
        ${runnerStateDir} = {
          hostPath = runnerStateDir;
          isReadOnly = false;
        };
      };

      extraFlags = [
        # Allow podman: add the @keyring syscall group to nspawn's syscall filter.
        "--system-call-filter=@keyring"
      ];

      config = {
        imports = allModules;
        # Reuse the host's evaluated package set; speeds up evaluation.
        nixpkgs.pkgs = pkgs;

        environment.systemPackages = with pkgs; [
          git
          # Gitea Actions rely heavily on node. Include it because it would be installed anyway.
          nodejs
        ];

        services.gitea-actions-runner.instances.inst = {
          enable = true;
          # This attrset is not a module function, so `config` above is the
          # host's config: the runner is named after the host machine.
          name = hostName;
          url = "https://git.neet.dev/";
          tokenFile = tokenPath;
          labels = [
            # NOTE(review): a mutable tag, not a digest -- the image behind
            # "ubuntu-latest" can change underneath us between pulls.
            "ubuntu-latest:docker://node:18-bullseye"
            "nixos:host"
          ];
        };

        virtualisation.podman.enable = true;
        # NOTE(review): binfmt registration from inside an nspawn container --
        # confirm this actually takes effect rather than relying on the host's.
        boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
      };
    };

    age.secrets.gitea-actions-runner-token.file = ../../secrets/gitea-actions-runner-token.age;
  };
}