ready for runners

nixos/hosts/forgejo-runner/host.nix

@@ -0,0 +1,9 @@
+{
+  imports = [
+    ../../templates/base.nix
+    ../../secrets/shared-sops.nix
+    ./runner.nix
+    ./networking.nix
+    ./sops.nix
+  ];
+}

nixos/hosts/forgejo-runner/networking.nix

@@ -0,0 +1,4 @@
+{ config, lib, pkgs, runnerId, ... }:
+{
+  networking.hostName = "forgejo-runner-${runnerId}";
+}

nixos/hosts/forgejo-runner/runner.nix

@@ -0,0 +1,35 @@
+{ config, pkgs,... }:
+
+{
+  # users.users.forgejo-runner = {
+  #   isSystemUser = true;
+  #   extraGroups = [ "docker" ];  # Optional: if using docker jobs
+  # };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = config.networking.hostName;
+      url = "https://git.procopius.dk";
+      # Obtaining the path to the runner token file may differ
+      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+      tokenFile = config.sops.secrets."forgejo-runner-registration-token".path;
+      labels = [
+        "ubuntu-latest:docker://node:16-bullseye"
+        # "ubuntu-22.04:docker://node:16-bullseye"
+        # "ubuntu-20.04:docker://node:16-bullseye"
+        # "ubuntu-18.04:docker://node:16-buster"
+        ## optionally provide native execution on the host:
+        # "native:host"
+      ];
+    };
+  };
+
+  # systemd.services."forgejo-actions-runner-default".serviceConfig = {
+  #   User = "forgejo-runner";
+  #   Group = "forgejo-runner";
+  # };
+
+  virtualisation.docker.enable = true;  # Optional: if using docker
+}

nixos/hosts/forgejo-runner/sops.nix

@@ -0,0 +1,7 @@
+{ config, lib, ... }:
+{
+  sops.secrets."forgejo-runner-registration-token" = {
+    sopsFile = ../../secrets/forgejo/runner-secrets.yml;
+    mode = "0440";
+  };
+}