ops: forgejo-runner-cacher

ops/nixos/lib/forgejo-runner-cacher.nix

@@ -0,0 +1,54 @@
+# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
+#
+# SPDX-License-Identifier: Apache-2.0
+
+{ depot, lib, pkgs, utils, config, ... }:
+
+let
+  cfg = config.my.forgejo-runner;
+in {
+  options.my.forgejo-runner = {
+    enable = lib.mkEnableOption "forgejo runner";
+
+    enablePodman = lib.mkEnableOption "forgejo runner with Podman labels";
+
+    selfHostedLabels = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [];
+    };
+  };
+
+  config = lib.mkMerge [
+    (lib.mkIf cfg.enable {
+      my.vault.secrets.forgejo-runner-environment = {
+        restartUnits = ["gitea-runner-${utils.escapeSystemdPath config.services.gitea-actions-runner.instances.depot.name}.service"];
+        group = "root";
+        template = ''
+          {{ with secret "kv/apps/forgejo-runner" }}
+          TOKEN={{ .Data.data.TOKEN }}
+          {{ end }}
+        '';
+      };
+      services.gitea-actions-runner = {
+        package = pkgs.forgejo-runner;
+        instances.depot = {
+          enable = true;
+          name = config.networking.hostName;
+          url = "https://git.lukegb.com";
+          tokenFile = config.my.vault.secrets.forgejo-runner-environment.path;
+          labels = map (label: "${label}:host://-self-hosted") cfg.selfHostedLabels;
+        };
+      };
+
+      nix.gc.automatic = false;
+    }) (lib.mkIf (cfg.enable && cfg.enablePodman) {
+      services.gitea-actions-runner.instances.depot.labels = lib.mkAfter [
+        "debian-latest:docker://node:22-bookworm"
+        "lix:docker://git.lix.systems/lix-project/lix:${pkgs.lix.version}"
+      ];
+      virtualisation.podman = {
+        enable = true;
+        dockerSocket.enable = true;
+      };
+    })];
+}

ops/nixos/lib/gitlab-runner-cacher.nix

@@ -1,42 +0,0 @@
-# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
-#
-# SPDX-License-Identifier: Apache-2.0
-
-{ depot, lib, pkgs, config, ... }:
-{
-  my.vault.secrets.gitlab-runner-environment = {
-    restartUnits = ["gitlab-runner.service"];
-    group = "root";
-    template = ''
-      {{ with secret "kv/apps/gitlab-runner" }}
-      {{ .Data.data.environment }}
-      {{ end }}
-    '';
-  };
-  services.gitlab-runner = {
-    enable = true;
-    settings.concurrent = 1;
-    services = {
-      deployer = {
-        registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;
-        executor = "shell";
-        tagList = [ "cacher" ];
-      };
-    };
-    gracefulTermination = true;
-    gracefulTimeout = "4min";
-    package = depot.nix.pkgs.heptapod-runner;
-    extraPackages = with pkgs; [
-      git
-      depot.nix.pkgs.heptapod-runner-mercurial
-    ];
-  };
-  users.users.gitlab-runner = {
-    isNormalUser = true;
-    group = "nogroup";
-    createHome = true;
-    home = "/srv/gitlab-runner";
-  };
-
-  nix.gc.automatic = false;
-}

ops/nixos/rexxar/default.nix

@@ -8,7 +8,7 @@
     ../lib/zfs.nix
     ./bgp.nix
     ../lib/bgp.nix
-    ../lib/gitlab-runner-cacher.nix
+    ../lib/forgejo-runner-cacher.nix
     #../lib/nixbuild-distributed.nix  # error: build of '/nix/store/3r7456yr8r9g4fl7w6xbgqlbsdjwfvr4-stdlib-pkgs.json.drv' on 'ssh://eu.nixbuild.net' failed: unexpected: Built outputs are invalid
     ../lib/hackyplayer.nix
     ../lib/emfminiserv.nix
@@ -299,6 +299,12 @@
   };
   my.ip.tailscale = "100.97.110.48";
   my.ip.tailscale6 = "fd7a:115c:a1e0::3a01:6e30";
+
+  my.forgejo-runner = {
+    enable = true;
+    enablePodman = false;  # NAT is hard.
+    selfHostedLabels = [ "cacher" ];
+  };
   #my.coredns.bind = [ "bond0" "tailscale0" "127.0.0.1" "::1" ];
 
   services.openssh.hostKeys = [

ops/vault/cfg/config.nix

@@ -66,7 +66,7 @@
     }
   '';
   my.apps.authentik = {};
-  my.apps.gitlab-runner = {};
+  my.apps.forgejo-runner = {};
   my.apps.plex-pass = {};
   my.apps.ads-b = {};
   my.apps.nixbuild = {};
@@ -78,19 +78,18 @@
   my.apps.bsky-pds = {};
 
   my.servers.etheroute-lon01.apps = [ "pomerium" ];
-  my.servers.bvm-forgejo.apps = [ "pomerium" ];
+  my.servers.bvm-forgejo.apps = [ "pomerium" "forgejo-runner" ];
   my.servers.howl.apps = [ "nixbuild" ];
   my.servers.porcorosso.apps = [ "quotesdb" "nixbuild" ];
   my.servers.nausicaa.apps = [ "quotesdb" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" ];
   my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" "ads-b" "nixbuild" "tumblrandom" ];
   my.servers.clouvider-fra01.apps = [ "deluge" ];
-  my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" "nixbuild" ];
+  my.servers.clouvider-lon01.apps = [ "quotesdb" "nixbuild" ];
-  my.servers.cofractal-ams01.apps = [ "deluge" "gitlab-runner" "nixbuild" ];
+  my.servers.cofractal-ams01.apps = [ "deluge" "nixbuild" ];
   my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
   my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
   my.servers.bvm-prosody.apps = [ "turn" ];
-  my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
   my.servers.bvm-nixosmgmt.apps = [ "plex-pass" ];
   my.servers.bvm-netbox.apps = [ "netbox" ];
-  my.servers.rexxar.apps = [ "deluge" "gitlab-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
+  my.servers.rexxar.apps = [ "deluge" "forgejo-runner" "nixbuild" "hacky-vouchproxy" "hackyplayer" "emfminiserv" "fup" "bsky-pds" ];
 }