2026-01-11 20:54:54 +00:00
9 changed files with 114 additions and 32 deletions
--- a/hosts/cl-00-00/secrets/default.yaml
+++ b/hosts/cl-00-00/secrets/default.yaml
@ -9,6 +9,8 @@ forgejo:
            password: ENC[AES256_GCM,data:FBmMqD+zROFZ4A==,iv:uh1t3+fMylalXqIQGwzRQoZwoT6kP0xRmkrs3ygVqeA=,tag:tXMNEFcWbPW/kaADN1urow==,type:str]
    mailer:
        password: ENC[AES256_GCM,data:HoxA9HNIMf0rnltDJrOynvoKzQ==,iv:/9YlRJI2WMjtuyLJJFJInxDpngdiQ1g+L9cel+tISy0=,tag:R3nRPmu23G0zOPEZQkUSug==,type:str]
+    runners:
+        "00": ENC[AES256_GCM,data:E1OSfoo+KL+/QZdfiN4IPTk0BzHVoNbvjMu5isABZb5fYKLa80/lgGmM6NRYxw==,iv:xOtpHsGtwRoxMQCVgq+pWhHC1r4bgRLXbg5c+/uL2AM=,tag:wYlhjb/zac9KK8bzXEkECw==,type:str]
 sops:
    age:
        - recipient: age1pj86dmk8j5tne0r7zu09v3x40xjdae6mhvrzyw5squ9px96z9p0suj89f8
@ -29,7 +31,7 @@ sops:
            MTJWN0R6VUR6c21iVE1tK0VPL2NoYzAKrGwbTolQpUWcFRyJ6M1KVQ3odS4leYvW
            KZZUx9n9O6j9LH2tHH6ut1maiDXfLkBTnEeXrogp+oK075QVKXfUBA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-10T19:58:26Z"
-    mac: ENC[AES256_GCM,data:N/eVKWgRdTCHxcTkeKpBUxiVF7OKRdUtpBj+dM2c5uclKxwSHB5jw/GuZjcrq8BQvTjgwZxnH6Q7D05c+tFOl+P1m/LrnZLtIxH/iynqMavFwXsBXFF+1ngY+CwLflsagtiNhKp/JxvIKRSaSlNTxGL7NqX6feeTNQirA0CFs0M=,iv:z0MpIYnONpEIfu90takM398GapmkuuGZGC0y3kFjZP0=,tag:/gz+ngidM0fJPCI7b7ABDw==,type:str]
+    lastmodified: "2026-01-11T20:35:41Z"
+    mac: ENC[AES256_GCM,data:R1m9zzLTpAjyQjO3Jw4tFr4lOpjHvCaKkZnnuIzppyMYAheS8JjEubNL4FzsVNHxbUgPIR1ZIYcyXuv9tZ5camx9r4008xan9Q9qAtkvxlpaZvuXhRMSMYnJAMiRBudUKg4XKSKtUK4SHCWQ0+a/rEuXSMTWxDgSpGlz9cb/RBo=,iv:CR1HDmZbLHtscUcjf1NsmMBAHUG1Dxr7FaZBS2osGGI=,tag:Ld66EFrVzrCB6BZ5cvxgeg==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
--- a/hosts/cl-00-00/system/configuration/container.nix
+++ b/hosts/cl-00-00/system/configuration/container.nix
@ -0,0 +1,14 @@
+{ ...
+}:
+
+{
+  virtualisation.podman = {
+    enable = true;
+
+    # Create a `docker` alias for podman
+    dockerCompat = true;
+    
+    # Required for containers to talk to each other
+    defaultNetwork.settings.dns_enabled = true;
+  };
+}
--- a/hosts/cl-00-00/system/configuration/default.nix
+++ b/hosts/cl-00-00/system/configuration/default.nix
@ -9,10 +9,12 @@ in
  imports = [
    modules.shells

-    ./sops.nix
-    ./forgejo.nix
+    ./forgejo
+
+    ./container.nix
    ./gc.nix
    ./postgres.nix
+    ./sops.nix
    ./ssh.nix
    ./traefik.nix
    ./users.nix
--- a/hosts/cl-00-00/system/configuration/forgejo/default.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo/default.nix
@ -0,0 +1,11 @@
+{ ...
+}:
+
+{
+  imports = [
+    ./network.nix
+    ./runner.nix
+    ./secrets.nix
+    ./server.nix
+  ];
+}
--- a/hosts/cl-00-00/system/configuration/forgejo/network.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo/network.nix
@ -0,0 +1,22 @@
+{ ...
+}:
+
+{
+  networking.firewall.allowedTCPPorts = [ 22 ];
+  
+  services.traefik.dynamicConfigOptions.http = {
+    routers.forgejo = {
+      rule = "Host(`git.dokkae.com`)";
+      service = "forgejo";
+      entryPoints = [ "websecure" ];
+      tls = { certResolver = "letsencrypt"; };
+    };
+
+    services.forgejo = {
+      loadBalancer.servers = [
+        { url = "http://localhost:3000"; }
+      ];
+    };
+  };
+
+}
--- a/hosts/cl-00-00/system/configuration/forgejo/runner.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo/runner.nix
@ -0,0 +1,34 @@
+{ pkgs
+, config
+, ...
+}:
+
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+
+    instances.default = {
+      enable = true;
+      name = "cl-00-00_forgejo-runner-00";
+      url = "https://git.dokkae.com";
+      tokenFile = config.sops.secrets."forgejo/runners/00".path;
+      labels = [
+        "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+        "debian-latest:docker://debian:bookworm"
+        "alpine-latest:docker://alpine:latest"
+      ];
+      settings = {
+        container = {
+          network = "bridge";
+        };
+        runner = {
+          capacity = 2;
+          timeout = "1h";
+        };
+        cache = {
+          enabled = true;
+        };
+      };
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/forgejo/secrets.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo/secrets.nix
@ -0,0 +1,25 @@
+{ config
+, ...
+}:
+
+{
+  config.sops.secrets = {
+    "forgejo/admin/dokkae.cat/password" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+
+    "forgejo/mailer/password" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+
+    "forgejo/runners/00" = {
+      owner = "forgejo";
+      group = "forgejo";
+      mode = "400";
+    };
+  };
+}
--- a/hosts/cl-00-00/system/configuration/forgejo/server.nix
+++ b/hosts/cl-00-00/system/configuration/forgejo/server.nix
@ -5,23 +5,6 @@
 }:

 {
-  networking.firewall.allowedTCPPorts = [ 22 ];
-  
-  services.traefik.dynamicConfigOptions.http = {
-    routers.forgejo = {
-      rule = "Host(`git.dokkae.com`)";
-      service = "forgejo";
-      entryPoints = [ "websecure" ];
-      tls = { certResolver = "letsencrypt"; };
-    };
-
-    services.forgejo = {
-      loadBalancer.servers = [
-        { url = "http://localhost:3000"; }
-      ];
-    };
-  };
-
  services.forgejo = {
    enable = true;
    user = "forgejo";
--- a/hosts/cl-00-00/system/configuration/sops.nix
+++ b/hosts/cl-00-00/system/configuration/sops.nix
@ -25,17 +25,6 @@
        owner = "kurisu";
        neededForUsers =  true;
      };
-
-      "forgejo/admin/dokkae.cat/password" = {
-        owner = "forgejo";
-        group = "forgejo";
-        mode = "400";
-      };
-      "forgejo/mailer/password" = {
-        owner = "forgejo";
-        group = "forgejo";
-        mode = "400";
-      };
    };
  };
 }