feat: forgejo runner

Added a forgejo runner and extracted monolith file into folder/sub-folder

hosts/cl-00-00/secrets/default.yaml

@@ -9,6 +9,8 @@ forgejo:
             password: ENC[AES256_GCM,data:FBmMqD+zROFZ4A==,iv:uh1t3+fMylalXqIQGwzRQoZwoT6kP0xRmkrs3ygVqeA=,tag:tXMNEFcWbPW/kaADN1urow==,type:str]
     mailer:
         password: ENC[AES256_GCM,data:HoxA9HNIMf0rnltDJrOynvoKzQ==,iv:/9YlRJI2WMjtuyLJJFJInxDpngdiQ1g+L9cel+tISy0=,tag:R3nRPmu23G0zOPEZQkUSug==,type:str]
+    runners:
+        "00": ENC[AES256_GCM,data:E1OSfoo+KL+/QZdfiN4IPTk0BzHVoNbvjMu5isABZb5fYKLa80/lgGmM6NRYxw==,iv:xOtpHsGtwRoxMQCVgq+pWhHC1r4bgRLXbg5c+/uL2AM=,tag:wYlhjb/zac9KK8bzXEkECw==,type:str]
 sops:
     age:
         - recipient: age1pj86dmk8j5tne0r7zu09v3x40xjdae6mhvrzyw5squ9px96z9p0suj89f8
@@ -29,7 +31,7 @@ sops:
             MTJWN0R6VUR6c21iVE1tK0VPL2NoYzAKrGwbTolQpUWcFRyJ6M1KVQ3odS4leYvW
             KZZUx9n9O6j9LH2tHH6ut1maiDXfLkBTnEeXrogp+oK075QVKXfUBA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-10T19:58:26Z"
-    mac: ENC[AES256_GCM,data:N/eVKWgRdTCHxcTkeKpBUxiVF7OKRdUtpBj+dM2c5uclKxwSHB5jw/GuZjcrq8BQvTjgwZxnH6Q7D05c+tFOl+P1m/LrnZLtIxH/iynqMavFwXsBXFF+1ngY+CwLflsagtiNhKp/JxvIKRSaSlNTxGL7NqX6feeTNQirA0CFs0M=,iv:z0MpIYnONpEIfu90takM398GapmkuuGZGC0y3kFjZP0=,tag:/gz+ngidM0fJPCI7b7ABDw==,type:str]
+    lastmodified: "2026-01-11T20:35:41Z"
+    mac: ENC[AES256_GCM,data:R1m9zzLTpAjyQjO3Jw4tFr4lOpjHvCaKkZnnuIzppyMYAheS8JjEubNL4FzsVNHxbUgPIR1ZIYcyXuv9tZ5camx9r4008xan9Q9qAtkvxlpaZvuXhRMSMYnJAMiRBudUKg4XKSKtUK4SHCWQ0+a/rEuXSMTWxDgSpGlz9cb/RBo=,iv:CR1HDmZbLHtscUcjf1NsmMBAHUG1Dxr7FaZBS2osGGI=,tag:Ld66EFrVzrCB6BZ5cvxgeg==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

hosts/cl-00-00/system/configuration/container.nix

@@ -0,0 +1,14 @@
+{ ...
+}:
+
+{
+  virtualisation.podman = {
+    enable = true;
+
+    # Create a `docker` alias for podman
+    dockerCompat = true;
+    
+    # Required for containers to talk to each other
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}

hosts/cl-00-00/system/configuration/default.nix

@@ -9,10 +9,12 @@ in
   imports = [
     modules.shells
 
-    ./sops.nix
-    ./forgejo.nix
+    ./forgejo
+
+    ./container.nix
     ./gc.nix
     ./postgres.nix
+    ./sops.nix
     ./ssh.nix
     ./traefik.nix
     ./users.nix

hosts/cl-00-00/system/configuration/forgejo/default.nix

@@ -0,0 +1,11 @@
+{ ...
+}:
+
+{
+  imports = [
+    ./network.nix
+    ./runner.nix
+    ./secrets.nix
+    ./server.nix
+  ];
+}

hosts/cl-00-00/system/configuration/forgejo/network.nix

@@ -0,0 +1,22 @@
+{ ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  
+  services.traefik.dynamicConfigOptions.http = {
+    routers.forgejo = {
+      rule = "Host(`git.dokkae.com`)";
+      service = "forgejo";
+      entryPoints = [ "websecure" ];
+      tls = { certResolver = "letsencrypt"; };
+    };
+
+    services.forgejo = {
+      loadBalancer.servers = [
+        { url = "http://localhost:3000"; }
+      ];
+    };
+  };
+
+}

hosts/cl-00-00/system/configuration/forgejo/runner.nix

@@ -0,0 +1,34 @@
+{ pkgs
+, config
+, ...
+}:
+
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+
+    instances.default = {
+      enable = true;
+      name = "cl-00-00_forgejo-runner-00";
+      url = "https://git.dokkae.com";
+      tokenFile = config.sops.secrets."forgejo/runners/00".path;
+      labels = [
+        "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+        "debian-latest:docker://debian:bookworm"
+        "alpine-latest:docker://alpine:latest"
+      ];
+      settings = {
+        container = {
+          network = "bridge";
+        };
+        runner = {
+          capacity = 2;
+          timeout = "1h";
+        };
+        cache = {
+          enabled = true;
+        };
+      };
+    };
+  };
+}

hosts/cl-00-00/system/configuration/forgejo/secrets.nix

@@ -0,0 +1,25 @@
+{ config
+, ...
+}:
+
+{
+  config.sops.secrets = {
+    "forgejo/admin/dokkae.cat/password" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+
+    "forgejo/mailer/password" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+
+    "forgejo/runners/00" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+  };
+}

hosts/cl-00-00/system/configuration/forgejo/server.nix

@@ -5,23 +5,6 @@
 }:
 
 {
-  networking.firewall.allowedTCPPorts = [ 22 ];
-  
-  services.traefik.dynamicConfigOptions.http = {
-    routers.forgejo = {
-      rule = "Host(`git.dokkae.com`)";
-      service = "forgejo";
-      entryPoints = [ "websecure" ];
-      tls = { certResolver = "letsencrypt"; };
-    };
-
-    services.forgejo = {
-      loadBalancer.servers = [
-        { url = "http://localhost:3000"; }
-      ];
-    };
-  };
-
   services.forgejo = {
     enable = true;
     user = "forgejo";

hosts/cl-00-00/system/configuration/sops.nix

@@ -25,17 +25,6 @@
         owner = "kurisu";
         neededForUsers =  true;
       };
-
-      "forgejo/admin/dokkae.cat/password" = {
-        owner = "forgejo";
-        group = "forgejo";
-        mode = "400";
-      };
-      "forgejo/mailer/password" = {
-        owner = "forgejo";
-        group = "forgejo";
-        mode = "400";
-      };
     };
   };
 }