Added Gitea runner

2026-06-22 19:53:09 +02:00
parent a92ff8fe58
commit 15f6a5d7d3
6 changed files with 237 additions and 173 deletions
@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  check:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup age key
+        run: |
+          mkdir -p ~/.config/sops/age
+          echo "${{ secrets.AGE_KEY }}" > ~/.config/sops/age/keys.txt
+          chmod 600 ~/.config/sops/age/keys.txt
+
+      - name: Nix flake check
+        run: nix flake check --no-build
+
+      - name: Format check
+        run: nix fmt -- --check .
+
+      - name: Build NixOS configs (dry-run)
+        run: |
+          nix build .#nixosConfigurations.cyper-desktop.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-controller.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-proxy.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-1.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-2.config.system.build.toplevel --dry-run
+
+      - name: Eval darwin config (Linux-safe)
+        run: nix eval .#darwinConfigurations.cyper-mac.system
@@ -77,11 +77,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1781242433,
-        "narHash": "sha256-bchLZZ3sRn740zyvD2icZSnNoTaanN0nw7l6fjVXO+E=",
+        "lastModified": 1781761792,
+        "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
        "owner": "lnl7",
        "repo": "nix-darwin",
-        "rev": "aabb2037edfc0f210723b72cd5f528aab5dd3f0b",
+        "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
        "type": "github"
      },
      "original": {
@@ -209,11 +209,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1781667738,
-        "narHash": "sha256-OxrwHpsWf+QGbos1LMDGAcv7sjBGshcw/43th6waeYI=",
+        "lastModified": 1781788787,
+        "narHash": "sha256-YqlTCRRhGvNjcJejPeMuHrYQ/TVhOO2MV/nEGMWb8nk=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "7664e05e2413d5e2b8c54a884eb8ea0f8a504fc2",
+        "rev": "d456f483f157d4b706416005da226234b9c116ff",
        "type": "github"
      },
      "original": {
@@ -320,11 +320,11 @@
        "xdph": "xdph"
      },
      "locked": {
-        "lastModified": 1781627558,
-        "narHash": "sha256-qqFd1ufiH/oBB2RCmt7dg5Kyca7grJguIJrNPsD91zk=",
+        "lastModified": 1781796010,
+        "narHash": "sha256-bIqjZgUfp3vba/C1UJLVqTo8zdpfqMDvuwWrHmqDWm4=",
        "owner": "hyprwm",
        "repo": "Hyprland",
-        "rev": "5b47c782c9f83539a6c642d83844cdc9130a2873",
+        "rev": "ae1690c2138313d988c81f5c25a9d0b6fadfd3b1",
        "type": "github"
      },
      "original": {
@@ -675,11 +675,11 @@
        "nixpkgs-nixcord": "nixpkgs-nixcord"
      },
      "locked": {
-        "lastModified": 1781659360,
-        "narHash": "sha256-bwTlMeMALwHREYkYBd9swITfW270tt6GzyY1j+QAqIU=",
+        "lastModified": 1781775854,
+        "narHash": "sha256-0eb1+zKSTwgD3qsBm7UiuRabahHQNkTP94Z/s3nMK60=",
        "owner": "kaylorben",
        "repo": "nixcord",
-        "rev": "9dd239d5f8d651ccd94efcf1e3bd384ad41084ca",
+        "rev": "b92ceb7923c87dfcfcf84415407b0ca63e17548b",
        "type": "github"
      },
      "original": {
@@ -796,11 +796,11 @@
        "systems": "systems_3"
      },
      "locked": {
-        "lastModified": 1781637822,
-        "narHash": "sha256-6Fwwt8BBGF5rqwGPhj/9ZMyyjXeJQzeHHJQfPuqJP3I=",
+        "lastModified": 1781713417,
+        "narHash": "sha256-Kaj44jTNmnaFhKrcADx8nXmUYPa7l2HYfb7m6lEPy7Q=",
        "owner": "nix-community",
        "repo": "nixvim",
-        "rev": "d43c763fd9fae0912bdb4103cd842f26fea5b0ed",
+        "rev": "caee4e5d4161778815f522d9ea1c9e3dc42462b7",
        "type": "github"
      },
      "original": {
@@ -817,11 +817,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1781694117,
-        "narHash": "sha256-TobjUrIR9hSn3PdjooxvNYjuQuCbZ+HIQzExWatX6Bo=",
+        "lastModified": 1781800183,
+        "narHash": "sha256-NcRZr/JQiAvqC2qCyMxcfx/98Hf1epwdtjcbwKHeMf8=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "fea207887cf1f76cb19452ffd6978b82311d9746",
+        "rev": "0559d992b12ee209570bb325d79e90007b13da52",
        "type": "github"
      },
      "original": {
@@ -227,5 +227,7 @@
          }
        ];
      };
+
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
    };
 }
@@ -33,10 +33,12 @@
    efi.canTouchEfiVariables = true;
  };

-  services.desktopManager.plasma6.enable = false;
-  services.displayManager.sddm = {
-    enable = false;
-    wayland.enable = true;
+  services = {
+    desktopManager.plasma6.enable = false;
+    displayManager.sddm = {
+      enable = false;
+      wayland.enable = true;
+    };
  };

  environment.pathsToLink = [
@@ -45,4 +47,7 @@
  ];

  system.stateVersion = "26.11";
+
+  virtualisation.docker.enable = true;
+  users.users.phil.extraGroups = [ "docker" ];
 }
@@ -36,6 +36,10 @@ in
      owner = "gitea";
      group = "gitea";
    };
+    "gitea/runnerToken" = {
+      owner = "gitea";
+      group = "gitea";
+    };
    "kanidm_gitea_secret" = {
      owner = "gitea";
      group = "gitea";
@@ -43,169 +47,186 @@ in
    };
  };

-  services.postgresql = {
-    enable = true;
-    package = pkgs.postgresql_14;
-    ensureDatabases = [ "gitea" ];
-    ensureUsers = [
-      {
-        name = "gitea";
-        ensureDBOwnership = true;
-      }
-    ];
-    authentication = lib.mkOverride 10 ''
-      local all all trust
-      host  all all 127.0.0.1/32 md5
-      host  all all ::1/128      md5
-    '';
-  };
-
-  systemd.services.gitea-db-password = {
-    description = "Set gitea postgres user password";
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-    before = [ "gitea.service" ];
-    wantedBy = [ "gitea.service" ];
-    serviceConfig = {
-      Type = "oneshot";
-      User = "postgres";
-      RemainAfterExit = true;
+  systemd.services = {
+    gitea-db-password = {
+      description = "Set gitea postgres user password";
+      requires = [ "postgresql.service" ];
+      after = [ "postgresql.service" ];
+      before = [ "gitea.service" ];
+      wantedBy = [ "gitea.service" ];
+      serviceConfig = {
+        Type = "oneshot";
+        User = "postgres";
+        RemainAfterExit = true;
+      };
+      script = ''
+        pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
+        ${pkgs.postgresql_14}/bin/psql -c \
+          "ALTER USER gitea WITH PASSWORD '$pass';"
+      '';
    };
-    script = ''
-      pass=$(cat ${config.sops.secrets."gitea/dbPassword".path})
-      ${pkgs.postgresql_14}/bin/psql -c \
-        "ALTER USER gitea WITH PASSWORD '$pass';"
+
+    gitea.preStart = lib.mkAfter ''
+      themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
+      mkdir -p "$themeDir"
+      for f in ${giteaTheme}/*.css; do
+        name=$(basename "$f")
+        ln -sf "$f" "$themeDir/$name"
+      done
    '';
  };

-  services.gitea = {
-    enable = true;
-    package = pkgs.gitea;
-    user = "gitea";
-    group = "gitea";
-
-    lfs = {
+  services = {
+    postgresql = {
      enable = true;
-      contentDir = "/storage/fast/lfs";
+      package = pkgs.postgresql_14;
+      ensureDatabases = [ "gitea" ];
+      ensureUsers = [
+        {
+          name = "gitea";
+          ensureDBOwnership = true;
+        }
+      ];
+      authentication = lib.mkOverride 10 ''
+        local all all trust
+        host  all all 127.0.0.1/32 md5
+        host  all all ::1/128      md5
+      '';
    };

-    database = {
-      type = "postgres";
-      host = "127.0.0.1";
-      port = 5432;
-      name = "gitea";
+    gitea = {
+      enable = true;
+      package = pkgs.gitea;
      user = "gitea";
-      passwordFile = config.sops.secrets."gitea/dbPassword".path;
+      group = "gitea";
+
+      lfs = {
+        enable = true;
+        contentDir = "/storage/fast/lfs";
+      };
+
+      database = {
+        type = "postgres";
+        host = "127.0.0.1";
+        port = 5432;
+        name = "gitea";
+        user = "gitea";
+        passwordFile = config.sops.secrets."gitea/dbPassword".path;
+      };
+
+      settings = {
+        server = {
+          DOMAIN = domain;
+          HTTP_ADDR = "0.0.0.0";
+          HTTP_PORT = httpPort;
+          SSH_PORT = sshPort;
+          SSH_LISTEN_PORT = sshPort;
+          ROOT_URL = "https://${domain}/";
+          DISABLE_SSH = false;
+          START_SSH_SERVER = true;
+          LFS_START_SERVER = true;
+        };
+
+        metrics = {
+          ENABLED = true;
+          ENABLED_ISSUE_BY_LABEL = true;
+          ENABLED_ISSUE_BY_REPOSITORY = true;
+        };
+
+        ui = {
+          DEFAULT_THEME = "catppuccin-mocha-green";
+          THEMES = lib.concatStringsSep "," [
+            # built-in
+            "gitea"
+            "arc-green"
+            # latte
+            "catppuccin-latte-blue"
+            "catppuccin-latte-flamingo"
+            "catppuccin-latte-green"
+            "catppuccin-latte-lavender"
+            "catppuccin-latte-maroon"
+            "catppuccin-latte-mauve"
+            "catppuccin-latte-peach"
+            "catppuccin-latte-pink"
+            "catppuccin-latte-red"
+            "catppuccin-latte-rosewater"
+            "catppuccin-latte-sapphire"
+            "catppuccin-latte-sky"
+            "catppuccin-latte-teal"
+            "catppuccin-latte-yellow"
+            # frappe
+            "catppuccin-frappe-blue"
+            "catppuccin-frappe-flamingo"
+            "catppuccin-frappe-green"
+            "catppuccin-frappe-lavender"
+            "catppuccin-frappe-maroon"
+            "catppuccin-frappe-mauve"
+            "catppuccin-frappe-peach"
+            "catppuccin-frappe-pink"
+            "catppuccin-frappe-red"
+            "catppuccin-frappe-rosewater"
+            "catppuccin-frappe-sapphire"
+            "catppuccin-frappe-sky"
+            "catppuccin-frappe-teal"
+            "catppuccin-frappe-yellow"
+            # macchiato
+            "catppuccin-macchiato-blue"
+            "catppuccin-macchiato-flamingo"
+            "catppuccin-macchiato-green"
+            "catppuccin-macchiato-lavender"
+            "catppuccin-macchiato-maroon"
+            "catppuccin-macchiato-mauve"
+            "catppuccin-macchiato-peach"
+            "catppuccin-macchiato-pink"
+            "catppuccin-macchiato-red"
+            "catppuccin-macchiato-rosewater"
+            "catppuccin-macchiato-sapphire"
+            "catppuccin-macchiato-sky"
+            "catppuccin-macchiato-teal"
+            "catppuccin-macchiato-yellow"
+            # mocha
+            "catppuccin-mocha-blue"
+            "catppuccin-mocha-flamingo"
+            "catppuccin-mocha-green"
+            "catppuccin-mocha-lavender"
+            "catppuccin-mocha-maroon"
+            "catppuccin-mocha-mauve"
+            "catppuccin-mocha-peach"
+            "catppuccin-mocha-pink"
+            "catppuccin-mocha-red"
+            "catppuccin-mocha-rosewater"
+            "catppuccin-mocha-sapphire"
+            "catppuccin-mocha-sky"
+            "catppuccin-mocha-teal"
+            "catppuccin-mocha-yellow"
+          ];
+        };
+      };
    };

-    settings = {
-      server = {
-        DOMAIN = domain;
-        HTTP_ADDR = "0.0.0.0";
-        HTTP_PORT = httpPort;
-        SSH_PORT = sshPort;
-        SSH_LISTEN_PORT = sshPort;
-        ROOT_URL = "https://${domain}/";
-        DISABLE_SSH = false;
-        START_SSH_SERVER = true;
-        LFS_START_SERVER = true;
-      };
-
-      metrics = {
-        ENABLED = true;
-        ENABLED_ISSUE_BY_LABEL = true;
-        ENABLED_ISSUE_BY_REPOSITORY = true;
-      };
-
-      ui = {
-        DEFAULT_THEME = "catppuccin-mocha-green";
-        THEMES = lib.concatStringsSep "," [
-          # built-in
-          "gitea"
-          "arc-green"
-          # latte
-          "catppuccin-latte-blue"
-          "catppuccin-latte-flamingo"
-          "catppuccin-latte-green"
-          "catppuccin-latte-lavender"
-          "catppuccin-latte-maroon"
-          "catppuccin-latte-mauve"
-          "catppuccin-latte-peach"
-          "catppuccin-latte-pink"
-          "catppuccin-latte-red"
-          "catppuccin-latte-rosewater"
-          "catppuccin-latte-sapphire"
-          "catppuccin-latte-sky"
-          "catppuccin-latte-teal"
-          "catppuccin-latte-yellow"
-          # frappe
-          "catppuccin-frappe-blue"
-          "catppuccin-frappe-flamingo"
-          "catppuccin-frappe-green"
-          "catppuccin-frappe-lavender"
-          "catppuccin-frappe-maroon"
-          "catppuccin-frappe-mauve"
-          "catppuccin-frappe-peach"
-          "catppuccin-frappe-pink"
-          "catppuccin-frappe-red"
-          "catppuccin-frappe-rosewater"
-          "catppuccin-frappe-sapphire"
-          "catppuccin-frappe-sky"
-          "catppuccin-frappe-teal"
-          "catppuccin-frappe-yellow"
-          # macchiato
-          "catppuccin-macchiato-blue"
-          "catppuccin-macchiato-flamingo"
-          "catppuccin-macchiato-green"
-          "catppuccin-macchiato-lavender"
-          "catppuccin-macchiato-maroon"
-          "catppuccin-macchiato-mauve"
-          "catppuccin-macchiato-peach"
-          "catppuccin-macchiato-pink"
-          "catppuccin-macchiato-red"
-          "catppuccin-macchiato-rosewater"
-          "catppuccin-macchiato-sapphire"
-          "catppuccin-macchiato-sky"
-          "catppuccin-macchiato-teal"
-          "catppuccin-macchiato-yellow"
-          # mocha
-          "catppuccin-mocha-blue"
-          "catppuccin-mocha-flamingo"
-          "catppuccin-mocha-green"
-          "catppuccin-mocha-lavender"
-          "catppuccin-mocha-maroon"
-          "catppuccin-mocha-mauve"
-          "catppuccin-mocha-peach"
-          "catppuccin-mocha-pink"
-          "catppuccin-mocha-red"
-          "catppuccin-mocha-rosewater"
-          "catppuccin-mocha-sapphire"
-          "catppuccin-mocha-sky"
-          "catppuccin-mocha-teal"
-          "catppuccin-mocha-yellow"
-        ];
-      };
+    gitea-actions-runner.instances."cyper-nix" = {
+      enable = true;
+      url = "https://git.cyperpunk.de";
+      tokenFile = config.sops.secrets."gitea/runnerToken".path;
+      name = "cyper-controller";
+      labels = [
+        "nix:host"
+      ];
    };
  };

-  # symlink catppuccin css files into gitea's custom dir on every service start
-  systemd.services.gitea.preStart = lib.mkAfter ''
-    themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
-    mkdir -p "$themeDir"
-    for f in ${giteaTheme}/*.css; do
-      name=$(basename "$f")
-      ln -sf "$f" "$themeDir/$name"
-    done
-  '';
-
-  users.users.gitea = {
-    isSystemUser = true;
-    group = "gitea";
-    home = "/var/lib/gitea";
-    createHome = true;
+  users = {
+    users = {
+      gitea = {
+        isSystemUser = true;
+        group = "gitea";
+        home = "/var/lib/gitea";
+        createHome = true;
+      };
+      postgres.extraGroups = [ "gitea" ];
+    };
+    groups.gitea = { };
  };
-  users.groups.gitea = { };
-  users.users.postgres.extraGroups = [ "gitea" ];

  networking.firewall.allowedTCPPorts = [
    httpPort
@@ -30,6 +30,7 @@ gitea:
    internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
    lfsJwtSecret: ENC[AES256_GCM,data:L20mFZ6zwsF3ZUoodarTJV+vhUdLlBrUbHz7FpEzJ2/C6AdFc1ZZcioN3g==,iv:E2C3gg1OYQ46Ae2bGnhF+3uw+q77l+yph3Kd2fxwW9M=,tag:VQkQ4R9S8Dr39rSLhL/X1w==,type:str]
    mailerPassword: ""
+    runnerToken: ENC[AES256_GCM,data:af4j9ZkTaiRCR6Tv87JAxGCDBWu1DoA1YN/AlasEyHeDTK4TZTXy6A==,iv:KiV8Ovc3z5q6Nb4muYTXkG6F9LgsfwC6KUxMmIJ5KGM=,tag:kQtMAWZeww8hOzVj+Ghl3Q==,type:str]
 ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
 ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
 sops:
@@ -43,7 +44,7 @@ sops:
            6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
            -----END AGE ENCRYPTED FILE-----
          recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
-    lastmodified: "2026-05-27T20:55:18Z"
-    mac: ENC[AES256_GCM,data:qHJwYNk4rR37KAKFKGpMfkY/Q3VJ+15yM3cUUaF6/MrHn5BtE6aoV9jjxoXbftTjNTmRRw37M4rVJJjaw+5baWwLrHpBGD5vNJC3HLwH9Mx/UmL9m90dpUWxQN9U5ah3jcg5uZzIZWhC32YNNYiuBz+qK7FwtxgEoXPbxVuh8zM=,iv:QTKO8cF5wIad/yIIs4a4/WC0lxIrCgYNZ9vfMiI28Ic=,tag:cKdCiu9w4pvpxAuMmZxDTA==,type:str]
+    lastmodified: "2026-06-22T17:45:52Z"
+    mac: ENC[AES256_GCM,data:/5b3uUOiHP4UY0/9e+wBVvr1w0iF1+00444URUTgAOnzX8eZgtB3ZUmNJQ/dHuqB9cptR3EuoOdI/xmmlTlBZcMZr/sPuCmi3KQFvOJIoF7ws/NjavOPJPaqMoJAOJWb4LjYOVabvrkP0jSqWAELvest6bEuIXHzwSXr2eUQWbQ=,iv:t/actyMRvWMOZ4mEImMCKhRjALzKUo9fCk46FCauPac=,tag:r4zQ4inr77+b4zQQGVT5ig==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.13.1