Added Gitea runner

.gitea/workflows/ci.yml

@@ -0,0 +1,35 @@
+name: CI
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+
+jobs:
+  check:
+    runs-on: nix
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup age key
+        run: |
+          mkdir -p ~/.config/sops/age
+          echo "${{ secrets.AGE_KEY }}" > ~/.config/sops/age/keys.txt
+          chmod 600 ~/.config/sops/age/keys.txt
+
+      - name: Nix flake check
+        run: nix flake check --no-build
+
+      - name: Format check
+        run: nix fmt -- --check .
+
+      - name: Build NixOS configs (dry-run)
+        run: |
+          nix build .#nixosConfigurations.cyper-desktop.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-controller.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-proxy.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-1.config.system.build.toplevel --dry-run
+          nix build .#nixosConfigurations.cyper-node-2.config.system.build.toplevel --dry-run
+
+      - name: Eval darwin config (Linux-safe)
+        run: nix eval .#darwinConfigurations.cyper-mac.system

flake.lock

@@ -77,11 +77,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781242433,
+        "lastModified": 1781761792,
-        "narHash": "sha256-bchLZZ3sRn740zyvD2icZSnNoTaanN0nw7l6fjVXO+E=",
+        "narHash": "sha256-rCPytmKNjctLloB6UgK5CRrHSwV4b0ygxtJLPPp8R14=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "aabb2037edfc0f210723b72cd5f528aab5dd3f0b",
+        "rev": "a1fa429e945becaf60468600daf649be4ba0350c",
         "type": "github"
       },
       "original": {
@@ -209,11 +209,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781667738,
+        "lastModified": 1781788787,
-        "narHash": "sha256-OxrwHpsWf+QGbos1LMDGAcv7sjBGshcw/43th6waeYI=",
+        "narHash": "sha256-YqlTCRRhGvNjcJejPeMuHrYQ/TVhOO2MV/nEGMWb8nk=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "7664e05e2413d5e2b8c54a884eb8ea0f8a504fc2",
+        "rev": "d456f483f157d4b706416005da226234b9c116ff",
         "type": "github"
       },
       "original": {
@@ -320,11 +320,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1781627558,
+        "lastModified": 1781796010,
-        "narHash": "sha256-qqFd1ufiH/oBB2RCmt7dg5Kyca7grJguIJrNPsD91zk=",
+        "narHash": "sha256-bIqjZgUfp3vba/C1UJLVqTo8zdpfqMDvuwWrHmqDWm4=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "5b47c782c9f83539a6c642d83844cdc9130a2873",
+        "rev": "ae1690c2138313d988c81f5c25a9d0b6fadfd3b1",
         "type": "github"
       },
       "original": {
@@ -675,11 +675,11 @@
         "nixpkgs-nixcord": "nixpkgs-nixcord"
       },
       "locked": {
-        "lastModified": 1781659360,
+        "lastModified": 1781775854,
-        "narHash": "sha256-bwTlMeMALwHREYkYBd9swITfW270tt6GzyY1j+QAqIU=",
+        "narHash": "sha256-0eb1+zKSTwgD3qsBm7UiuRabahHQNkTP94Z/s3nMK60=",
         "owner": "kaylorben",
         "repo": "nixcord",
-        "rev": "9dd239d5f8d651ccd94efcf1e3bd384ad41084ca",
+        "rev": "b92ceb7923c87dfcfcf84415407b0ca63e17548b",
         "type": "github"
       },
       "original": {
@@ -796,11 +796,11 @@
         "systems": "systems_3"
       },
       "locked": {
-        "lastModified": 1781637822,
+        "lastModified": 1781713417,
-        "narHash": "sha256-6Fwwt8BBGF5rqwGPhj/9ZMyyjXeJQzeHHJQfPuqJP3I=",
+        "narHash": "sha256-Kaj44jTNmnaFhKrcADx8nXmUYPa7l2HYfb7m6lEPy7Q=",
         "owner": "nix-community",
         "repo": "nixvim",
-        "rev": "d43c763fd9fae0912bdb4103cd842f26fea5b0ed",
+        "rev": "caee4e5d4161778815f522d9ea1c9e3dc42462b7",
         "type": "github"
       },
       "original": {
@@ -817,11 +817,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1781694117,
+        "lastModified": 1781800183,
-        "narHash": "sha256-TobjUrIR9hSn3PdjooxvNYjuQuCbZ+HIQzExWatX6Bo=",
+        "narHash": "sha256-NcRZr/JQiAvqC2qCyMxcfx/98Hf1epwdtjcbwKHeMf8=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "fea207887cf1f76cb19452ffd6978b82311d9746",
+        "rev": "0559d992b12ee209570bb325d79e90007b13da52",
         "type": "github"
       },
       "original": {

flake.nix

@@ -227,5 +227,7 @@
           }
         ];
       };
+
+      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixfmt-rfc-style;
     };
 }

hosts/cyper-desktop/configuration.nix

@@ -33,11 +33,13 @@
     efi.canTouchEfiVariables = true;
   };
 
-  services.desktopManager.plasma6.enable = false;
+  services = {
-  services.displayManager.sddm = {
+    desktopManager.plasma6.enable = false;
+    displayManager.sddm = {
       enable = false;
       wayland.enable = true;
     };
+  };
 
   environment.pathsToLink = [
     "/share/applications"
@@ -45,4 +47,7 @@
   ];
 
   system.stateVersion = "26.11";
+
+  virtualisation.docker.enable = true;
+  users.users.phil.extraGroups = [ "docker" ];
 }

nixos/roles/gitea.nix

@@ -36,6 +36,10 @@ in
       owner = "gitea";
       group = "gitea";
     };
+    "gitea/runnerToken" = {
+      owner = "gitea";
+      group = "gitea";
+    };
     "kanidm_gitea_secret" = {
       owner = "gitea";
       group = "gitea";
@@ -43,24 +47,8 @@ in
     };
   };
 
-  services.postgresql = {
+  systemd.services = {
-    enable = true;
+    gitea-db-password = {
-    package = pkgs.postgresql_14;
-    ensureDatabases = [ "gitea" ];
-    ensureUsers = [
-      {
-        name = "gitea";
-        ensureDBOwnership = true;
-      }
-    ];
-    authentication = lib.mkOverride 10 ''
-      local all all trust
-      host  all all 127.0.0.1/32 md5
-      host  all all ::1/128      md5
-    '';
-  };
-
-  systemd.services.gitea-db-password = {
       description = "Set gitea postgres user password";
       requires = [ "postgresql.service" ];
       after = [ "postgresql.service" ];
@@ -78,7 +66,35 @@ in
       '';
     };
 
-  services.gitea = {
+    gitea.preStart = lib.mkAfter ''
+      themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
+      mkdir -p "$themeDir"
+      for f in ${giteaTheme}/*.css; do
+        name=$(basename "$f")
+        ln -sf "$f" "$themeDir/$name"
+      done
+    '';
+  };
+
+  services = {
+    postgresql = {
+      enable = true;
+      package = pkgs.postgresql_14;
+      ensureDatabases = [ "gitea" ];
+      ensureUsers = [
+        {
+          name = "gitea";
+          ensureDBOwnership = true;
+        }
+      ];
+      authentication = lib.mkOverride 10 ''
+        local all all trust
+        host  all all 127.0.0.1/32 md5
+        host  all all ::1/128      md5
+      '';
+    };
+
+    gitea = {
       enable = true;
       package = pkgs.gitea;
       user = "gitea";
@@ -188,24 +204,29 @@ in
       };
     };
 
-  # symlink catppuccin css files into gitea's custom dir on every service start
+    gitea-actions-runner.instances."cyper-nix" = {
-  systemd.services.gitea.preStart = lib.mkAfter ''
+      enable = true;
-    themeDir="${config.services.gitea.stateDir}/custom/public/assets/css"
+      url = "https://git.cyperpunk.de";
-    mkdir -p "$themeDir"
+      tokenFile = config.sops.secrets."gitea/runnerToken".path;
-    for f in ${giteaTheme}/*.css; do
+      name = "cyper-controller";
-      name=$(basename "$f")
+      labels = [
-      ln -sf "$f" "$themeDir/$name"
+        "nix:host"
-    done
+      ];
-  '';
+    };
+  };
 
-  users.users.gitea = {
+  users = {
+    users = {
+      gitea = {
         isSystemUser = true;
         group = "gitea";
         home = "/var/lib/gitea";
         createHome = true;
       };
-  users.groups.gitea = { };
+      postgres.extraGroups = [ "gitea" ];
-  users.users.postgres.extraGroups = [ "gitea" ];
+    };
+    groups.gitea = { };
+  };
 
   networking.firewall.allowedTCPPorts = [
     httpPort

secrets/secrets.yaml

@@ -30,6 +30,7 @@ gitea:
     internalToken: ENC[AES256_GCM,data:7N8TkPNb1YdCk2uAcCvVd2pKRVOf85//DYxAvz0UCg1E8ccEI5630xVyKafDFiSTM4ER7xiYelartzXL0jLWSf3QNOjSHUP8TIAz4bJRAZUJPxO917bURSLGGe7WEOfONzqy3Ts5QhrJ,iv:DiIs1ytlwLvqD/Ejep6m2fmpSqdFZkxBcgLNt6+29jY=,tag:8jsEcOkH0p+1mP9cnVjiDQ==,type:str]
     lfsJwtSecret: ENC[AES256_GCM,data:L20mFZ6zwsF3ZUoodarTJV+vhUdLlBrUbHz7FpEzJ2/C6AdFc1ZZcioN3g==,iv:E2C3gg1OYQ46Ae2bGnhF+3uw+q77l+yph3Kd2fxwW9M=,tag:VQkQ4R9S8Dr39rSLhL/X1w==,type:str]
     mailerPassword: ""
+    runnerToken: ENC[AES256_GCM,data:af4j9ZkTaiRCR6Tv87JAxGCDBWu1DoA1YN/AlasEyHeDTK4TZTXy6A==,iv:KiV8Ovc3z5q6Nb4muYTXkG6F9LgsfwC6KUxMmIJ5KGM=,tag:kQtMAWZeww8hOzVj+Ghl3Q==,type:str]
 ssh_private_key: ENC[AES256_GCM,data:R511mVFVk1ogAd5CKk/2P6rtT4NnHIFfKyqeCen545QgcvDqDFmW0rFBmPJyipaya2srJNoWvKJbnvxWtTYeJh2tPAybRMoUicStIFMUn3FPNfjx/WuQFLhKLoU3UOHHPJnkFqkQ9MBqLq2k5K7MVsNNFTxIDCKS1jPgkTmAWjRZ0EFiRXLa+Gvnz3GP5ltgfjDwdPeb5xp0/AqKPD8jea9w5ClR6ckrRHCLsfXhL2e9IaF4B96JlIv4rICLX3HmeIgM2PKl2MnSt8we5z39bBoLSA0yWG6BvpiMBaFqbo7jeHf1SxI6R404/emHhwW3pwSCDrq2ZE1ATG2UmA5NssFcVuaBPBoQer+n5haVYMNpNUp6rtKZeAIbf5JEOXJ6CJqiInfnnzOMNGhGFkGUYkhsy3p6Ti/lmNMPX/xtY+8ZqMwXf5drssm5KgnQ5nDbVqnTWAhoT/D3t+cJVAaXGTGw88fU0X95dZr8vaL/5nBCj1uUdv5cRBJ8PGhqbBX8PoiXrtGooBGhxf6nHbxIneSzG1++MZGo3e1G,iv:D1lgCnZKm3Gyv6cZpQ7zGW7JXN5RCwoaas+LroTkhPc=,tag:WI6Nr1cX8gm5pjFpu/Ok0w==,type:str]
 ssh_github_key: ENC[AES256_GCM,data:vZAH4cRDsgGXLAppQKOyUPOvmBJZ27bujMGz4hQ8tt0xhGFUP28llwGZz/VRuU02Yv4alLgVWBAIPuyhZT9f35KnjIR1Mmb7HXk/6oaNM59/lBiISLrnOpC10WmJ9O5krKdxwP8ZDvHA34B0s+oYNkTNXiU0S8AVg3icploax7ylKH5Dorj53kjdYSTjd8KN6ZsgCKmcz97+GnP0IgdmauyNL7e+kv9WIfE8Xx1kGvC8WVnidX2YhSxm6vt8l60eUj9etRigU88oFYTDZ+mIf4lucSpzaLZutz2fM/16D/o9SS7mmTrEllj2S+IXc9ZZTRKKDLbW+yv0XUi0XZi+OHAdZScjS54NZKyT9uWrc/IDJHammGsoHRQpHZtbGhkeFi/KdJsYBsWItslXjM0xJVtFIM2tMnd10kv9UGuXsSl9J4NC0rpz3aXnQqG4ZAhMjN9D/DTJpB4K0pcFyd2FDWdrbKq5iPfnU/V6ecnHPML6wCt6gua/LdK1MWoG3l2SqwMLYj1r7UW5fQZqSw1EK0BAtp9cQMLBL/2w8ykMfWpLekE=,iv:gcinU7xOoXQkFVkLNB3sQYHAcZy3pZN+bDRIq4sspys=,tag:yawgAHBKIkGpnKPHsRId4g==,type:str]
 sops:
@@ -43,7 +44,7 @@ sops:
             6fuez+zApathZfl14w41kAUojPWBznnxDqYtNvzVVLXwnpp3BMx+7w==
             -----END AGE ENCRYPTED FILE-----
           recipient: age10pyhca0jy75wtqv5hrn0gf0jcam5272zx9h73a8xwwaxyfq89c0qs5dr9t
-    lastmodified: "2026-05-27T20:55:18Z"
+    lastmodified: "2026-06-22T17:45:52Z"
-    mac: ENC[AES256_GCM,data:qHJwYNk4rR37KAKFKGpMfkY/Q3VJ+15yM3cUUaF6/MrHn5BtE6aoV9jjxoXbftTjNTmRRw37M4rVJJjaw+5baWwLrHpBGD5vNJC3HLwH9Mx/UmL9m90dpUWxQN9U5ah3jcg5uZzIZWhC32YNNYiuBz+qK7FwtxgEoXPbxVuh8zM=,iv:QTKO8cF5wIad/yIIs4a4/WC0lxIrCgYNZ9vfMiI28Ic=,tag:cKdCiu9w4pvpxAuMmZxDTA==,type:str]
+    mac: ENC[AES256_GCM,data:/5b3uUOiHP4UY0/9e+wBVvr1w0iF1+00444URUTgAOnzX8eZgtB3ZUmNJQ/dHuqB9cptR3EuoOdI/xmmlTlBZcMZr/sPuCmi3KQFvOJIoF7ws/NjavOPJPaqMoJAOJWb4LjYOVabvrkP0jSqWAELvest6bEuIXHzwSXr2eUQWbQ=,iv:t/actyMRvWMOZ4mEImMCKhRjALzKUo9fCk46FCauPac=,tag:r4zQ4inr77+b4zQQGVT5ig==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.13.1