add forgejo runner

2025-08-06 20:12:52 +02:00 · 2025-08-06 20:12:52 +02:00 · b49363f299
commit b49363f299
parent 5db6606ef8
7 changed files with 139 additions and 5 deletions
--- a/flake.lock
+++ b/flake.lock
@ -1,6 +1,86 @@
 {
  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
+      "locked": {
+        "lastModified": 1754028485,
+        "narHash": "sha256-IiiXB3BDTi6UqzAZcf2S797hWEPCRZOwyNThJIYhUfk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "59e69648d345d6e8fef86158c555730fa12af9de",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-25.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
      "locked": {
        "lastModified": 1753345091,
        "narHash": "sha256-CdX2Rtvp5I8HGu9swBmYuq+ILwRxpXdJwlpg8jvN4tU=",
@ -18,7 +98,23 @@
    },
    "root": {
      "inputs": {
-        "nixpkgs": "nixpkgs"
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs_2"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -3,9 +3,11 @@

  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+
+    agenix.url = "github:ryantm/agenix";
  };

-  outputs = { self, nixpkgs }@inputs:
+  outputs = { self, nixpkgs, agenix }@inputs:
    let
      system = "x86_64-linux";
    in
@ -18,6 +20,7 @@
          modules = [
            ./hosts/physique/hyponix
            ./modules
+            agenix.nixosModules.default
          ];
        };
      };
@ -25,7 +28,6 @@

      devShells.x86_64-linux.default =
        let pkgs = import nixpkgs { inherit system; };
-        in pkgs.callPackage ./tools/devshell.nix { };
-
+        in pkgs.callPackage ./tools/devshell.nix { agenix = agenix; };
    };
 }
--- a/hosts/physique/hyponix/services/default.nix
+++ b/hosts/physique/hyponix/services/default.nix
@ -3,6 +3,7 @@
  imports = [
    ./fail2ban.nix
    ./forgejo.nix
+    ./forgejo-runner.nix
  ];

  services.caddy = {
--- a/hosts/physique/hyponix/services/forgejo-runner.nix
+++ b/hosts/physique/hyponix/services/forgejo-runner.nix
@ -0,0 +1,18 @@
+{pkgs, config,...}:
+{
+
+  age.secrets.forgejo-runner-token-1 = {
+    file = ../../../../secrets/services/forgejo/forgejo-runner-token-1.age;
+  };
+  
+  services.gitea = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = "runner-1";
+      url = "https://git.v2.${config.networking.domain}";
+
+      tokenFile = config.age.secrets.forgejo-runner-token-1.path;      
+    };
+  };
+}
--- a/secrets.nix
+++ b/secrets.nix
@ -0,0 +1,16 @@
+let
+  # user
+  lzebulon = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCR6uatrqbCViftPwQ17JNVN8KBC02sPAOu+uRKGhLR lzebulon@archframe";
+
+  # server
+  hyponix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOEjC/mgb1mf/F1RPaUECNbW0cK4kPQaJ47eKVybZhqf root@hyponix";
+in
+let
+  admins = [ lzebulon ];
+  physiques = [ hyponix ];
+  servers = hyponix;
+in
+{
+  "secrets/services/forgejo/forgejo-runner-token-1.age".publicKeys = admins ++ [ hyponix ];
+}
+  
--- a/secrets/services/forgejo/forgejo-runner-token-1.age
+++ b/secrets/services/forgejo/forgejo-runner-token-1.age
--- a/tools/devshell.nix
+++ b/tools/devshell.nix
@ -1,5 +1,5 @@
 { pkgs
-,
+, agenix
 }:

 pkgs.mkShell {
@ -8,6 +8,7 @@ pkgs.mkShell {
  packages = with pkgs; [
    nil
    nixpkgs-fmt
+    agenix.packages.${system}.default
  ];

  shellHook = ''