From b49363f299dbca68d76d97589b3b5459f03ce360 Mon Sep 17 00:00:00 2001
From: Lzebulon
Date: Wed, 6 Aug 2025 20:12:52 +0200
Subject: [PATCH] add forgejo runner

---
 flake.lock | 98 +++++++++++++++++-
 flake.nix | 8 +-
 hosts/physique/hyponix/services/default.nix | 1 +
 .../hyponix/services/forgejo-runner.nix | 18 ++++
 secrets.nix | 16 +++
 .../forgejo/forgejo-runner-token-1.age | Bin 0 -> 363 bytes
 tools/devshell.nix | 3 +-
 7 files changed, 139 insertions(+), 5 deletions(-)
 create mode 100644 hosts/physique/hyponix/services/forgejo-runner.nix
 create mode 100644 secrets.nix
 create mode 100644 secrets/services/forgejo/forgejo-runner-token-1.age

diff --git a/flake.lock b/flake.lock
index 06c0920..5b34848 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,6 +1,86 @@ { "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": "nixpkgs", + "systems": "systems" + }, + "locked": { + "lastModified": 1754433428, + "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=", + "owner": "ryantm", + "repo": "agenix", + "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1744478979, + "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "43975d782b418ebf4969e9ccba82466728c2851b", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1745494811, + "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, "nixpkgs": { + "locked": { + "lastModified": 1754028485, + "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "59e69648d345d6e8fef86158c555730fa12af9de", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-25.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { "locked": { "lastModified": 1753345091, "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=", 
@@ -18,7 +98,23 @@ }, "root": { "inputs": { - "nixpkgs": "nixpkgs" + "agenix": "agenix", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } },
diff --git a/flake.nix b/flake.nix
index c969e8e..a1afa81 100644
--- a/flake.nix
+++ b/flake.nix
@@ -3,9 +3,11 @@
 inputs = {
 nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+
+ agenix.url = "github:ryantm/agenix";
 };
- outputs = { self, nixpkgs }@inputs:
+ outputs = { self, nixpkgs, agenix }@inputs:
 let
 system = "x86_64-linux";
 in
@@ -18,6 +20,7 @@
 modules = [
 ./hosts/physique/hyponix
 ./modules
+ agenix.nixosModules.default
 ];
 };
 };
@@ -25,7 +28,6 @@
 devShells.x86_64-linux.default =
 let
 pkgs = import nixpkgs { inherit system; };
- in pkgs.callPackage ./tools/devshell.nix { };
-
+ in pkgs.callPackage ./tools/devshell.nix { agenix = agenix; };
 };
}
diff --git a/hosts/physique/hyponix/services/default.nix b/hosts/physique/hyponix/services/default.nix
index 9cc87df..1fb2413 100644
--- a/hosts/physique/hyponix/services/default.nix
+++ b/hosts/physique/hyponix/services/default.nix
@@ -3,6 +3,7 @@
 imports = [
 ./fail2ban.nix
 ./forgejo.nix
+ ./forgejo-runner.nix
 ];
 services.caddy = {
diff --git a/hosts/physique/hyponix/services/forgejo-runner.nix b/hosts/physique/hyponix/services/forgejo-runner.nix
new file mode 100644
index 0000000..663a6a7
--- /dev/null
+++ b/hosts/physique/hyponix/services/forgejo-runner.nix
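Review bot: `agenix.url = "github:ryantm/agenix";` in the first flake.nix hunk does not make agenix follow the flake's own nixpkgs, which is why the lock hunk above now carries two complete nixpkgs entries (`nixpkgs` for agenix and `nixpkgs_2` for the root); adding `agenix.inputs.nixpkgs.follows = "nixpkgs";` beside it keeps a single nixpkgs in the closure and drops the duplicate lock entry. The `darwin` and `home-manager` lock entries are agenix's own inputs; if this x86_64-linux host does not use them they can be detached the same way (agenix's README documents an empty `follows` for that purpose), but whether they are needed I can't tell from here. In the third hunk `{ agenix = agenix; }` binds the same name to itself and reads more idiomatically as `{ inherit agenix; }`.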
@@ -0,0 +1,18 @@
+{pkgs, config,...}:
+{
+
+ age.secrets.forgejo-runner-token-1 = {
+ file = ../../../../secrets/services/forgejo/forgejo-runner-token-1.age;
+ };
+
+ services.gitea = {
+ package = pkgs.forgejo-runner;
+ instances.default = {
+ enable = true;
+ name = "runner-1";
+ url = "https://git.v2.${config.networking.domain}";
+
+ tokenFile = config.age.secrets.forgejo-runner-token-1.path;
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..5c7de35
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,16 @@
+let
+ # user
+ lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCR6uatrqbCViftPwQ17JNVN8KBC02sPAOu+uRKGhLR lzebulon@archframe";
+
+ # server
+ hyponix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEjC/mgb1mf/F1RPaUECNbW0cK4kPQaJ47eKVybZhqf root@hyponix";
+in
+let
+ admins = [ lzebulon ];
+ physiques = [ hyponix ];
+ servers = hyponix;
+in
+{
+ "secrets/services/forgejo/forgejo-runner-token-1.age".publicKeys = admins ++ [ hyponix ];
+}
+
diff --git a/secrets/services/forgejo/forgejo-runner-token-1.age b/secrets/services/forgejo/forgejo-runner-token-1.age
new file mode 100644
index 0000000000000000000000000000000000000000..6de9c65c2d52750f64f400c1e0ce4e6058fabac6
GIT binary patch
literal 363
zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTSaI%Ona#YB0GBk@U z3rLSNip+D@t}Mzbb_@=V%+$_K3NHx{@G^BXO{>f;_HfC}PUg}M&^L+-H}dn<4o(Uy zj!G=@)Xw$w4K*!J@yl~{DatG=(GK8QEBQe;gtkBud!#5+X(vvGWu*#>x-90lus=P?Q&@&*cIMpjF zyvW?gH#e}tvoOLpu-wzFB+50yFq=zPS69K`$D%01vM{MI+uJNRJUOtk*u5Y>u+Y`G zA|lPzA~QM1+dQ%~!@@Py-GZzAcXCAz!$QwrXIH&5TWN6fMUIlTbk9X^rU_jEdlMG3 w-7b2NQ=2(w=5(pK>zDIPJICku_F}7E@BiJdTb?r%KA*jUr=;
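Review bot: `services.gitea = { package = pkgs.forgejo-runner; instances.default = { ... }; };` in forgejo-runner.nix addresses the Gitea server module, which has no `instances` option in nixpkgs; the runner is configured through `services.gitea-actions-runner` (`services.gitea-actions-runner.package = pkgs.forgejo-runner;` and `services.gitea-actions-runner.instances.default = { ... };`), so unless `./modules` declares these names the host will fail to evaluate, and pointing `services.gitea.package` at the runner would otherwise replace the server binary with the runner. As I recall the runner module, `tokenFile` is loaded as a systemd environment file, so the decrypted secret is expected to contain `TOKEN=<registration token>` rather than the bare token — worth confirming against what was encrypted into forgejo-runner-token-1.age, since a bare token fails registration silently at service start. No `labels` are set, so the instance relies on whatever the module and runner default to; declaring them explicitly records whether jobs run in containers or directly on this host, which is the main isolation decision for a runner that executes repository-supplied workflows next to the Forgejo server itself.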
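Review bot: In secrets.nix, `physiques` and `servers` are bound but never used, and `servers = hyponix;` is a single key string while its sibling `physiques` is a list, so the two bindings disagree about their shape. Either drop them or make the recipient rule use them, e.g. `"secrets/services/forgejo/forgejo-runner-token-1.age".publicKeys = admins ++ physiques;` instead of `admins ++ [ hyponix ];`, so that future secrets take their host recipients from the `# server` list rather than naming the host key by hand and drifting from it.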