From 9e289a1b664253432161cbc001e99461b521e9a3 Mon Sep 17 00:00:00 2001
From: Harivansh Rathi
Date: Sun, 5 Apr 2026 11:24:28 -0400
Subject: [PATCH] add self-hosted github runners for nix, deskctl, betterNAS

New github-runners.nix module configures services.github-runners with shared caches, dedicated system user, and resource limits.
---
 hosts/netty/configuration.nix | 1 +
 hosts/netty/github-runners.nix | 117 +++++++++++++++++++++++++++++++++
 2 files changed, 118 insertions(+)
 create mode 100644 hosts/netty/github-runners.nix
diff --git a/hosts/netty/configuration.nix b/hosts/netty/configuration.nix
index d3560f9..ec3db7d 100644
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@@ -19,6 +19,7 @@ in
 ./forgejo.nix
 ./betternas.nix
 ./openclaw-gateway.nix
+ ./github-runners.nix
 ../../modules/base.nix
 (modulesPath + "/profiles/minimal.nix")
 (modulesPath + "/profiles/headless.nix")
diff --git a/hosts/netty/github-runners.nix b/hosts/netty/github-runners.nix
new file mode 100644
index 0000000..c72cb5b
--- /dev/null
+++ b/hosts/netty/github-runners.nix
@@ -0,0 +1,117 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ cacheRoot = "/var/cache/github-runner";
+
+ sanitize =
+ repo:
+ lib.toLower (
+ lib.replaceStrings
+ [ "." ]
+ [ "-" ]
+ repo
+ );
+
+ repos = [
+ "nix"
+ "deskctl"
+ "betterNAS"
+ ];
+
+ workDir = repo: "/var/lib/github-runner/work/${repo}";
+
+ cacheDirs = [
+ "${cacheRoot}/cargo"
+ "${cacheRoot}/npm"
+ "${cacheRoot}/pip"
+ "${cacheRoot}/pre-commit"
+ "${cacheRoot}/rustup"
+ "${cacheRoot}/uv"
+ "${cacheRoot}/xdg-cache"
+ "${cacheRoot}/xdg-data"
+ ];
+
+ mkRunner =
+ repo:
+ let
+ runnerId = sanitize repo;
+ in
+ lib.nameValuePair runnerId {
+ enable = true;
+ url = "https://github.com/harivansh-afk/${repo}";
+ tokenFile = "/etc/github-runner/token";
+ tokenType = "access";
+ name = "netty-${runnerId}";
+ replace = true;
+ user = "github-runner";
+ group = "github-runner";
+ workDir = workDir repo;
+ extraLabels = [
+ "netty"
+ "nix"
+ "cache"
+ ];
+ extraPackages = with pkgs; [
+ curl
+ fd
+ gh
+ gnumake
+ jq
+ nodejs_22
+ pkg-config
+ pnpm
+ python3
+ python3Packages.pip
+ ripgrep
+ stdenv.cc
+ unzip
+ uv
+ wget
+ xz
+ zip
+ ];
+ extraEnvironment = {
+ CARGO_HOME = "${cacheRoot}/cargo";
+ PIP_CACHE_DIR = "${cacheRoot}/pip";
+ PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
+ RUSTUP_HOME = "${cacheRoot}/rustup";
+ UV_CACHE_DIR = "${cacheRoot}/uv";
+ XDG_CACHE_HOME = "${cacheRoot}/xdg-cache";
+ XDG_DATA_HOME = "${cacheRoot}/xdg-data";
+ npm_config_cache = "${cacheRoot}/npm";
+ };
+ serviceOverrides = {
+ IOSchedulingClass = "best-effort";
+ IOSchedulingPriority = 7;
+ Nice = 10;
+ ReadWritePaths = [ cacheRoot ];
+ };
+ };
+in
+{
+ users.users.github-runner = {
+ isSystemUser = true;
+ group = "github-runner";
+ home = "/var/lib/github-runner";
+ };
+
+ users.groups.github-runner = { };
+
+ nix.settings.trusted-users = [ "github-runner" ];
+
+ systemd.tmpfiles.rules =
+ [
+ "d /etc/github-runner 0750 root root -"
+ "d /var/cache/github-runner 0750 github-runner github-runner -"
+ "d /var/lib/github-runner 0750 github-runner github-runner -"
+ "d /var/lib/github-runner/work 0750 github-runner github-runner -"
+ ]
+ ++ map (dir: "d ${dir} 0750 github-runner github-runner -") cacheDirs
+ ++ map (repo: "d ${workDir repo} 0750 github-runner github-runner -") repos;
+
+ services.github-runners = lib.listToAttrs (map mkRunner repos);
+}
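Review bot: `nix.settings.trusted-users = [ "github-runner" ];` makes every job that lands on these runners a Nix trusted user, which lets a workflow override daemon settings such as `sandbox` or `substituters` and is commonly treated as root-equivalent on the host, so whatever code a workflow runs (including a fork pull request, if the repositories accept them — not visible from the patch) inherits that; unless a job genuinely needs to change daemon settings, drop the line, since an ordinary `allowed-users` user can still build through the daemon. All three runners also share the single static `github-runner` user and the same `CARGO_HOME`, `PRE_COMMIT_HOME`, `npm_config_cache` and other cache directories, so a job in one repo can read the other repos' `workDir` and write into caches those repos later consume (I believe the NixOS module isolates runners with a dynamic user when `user` is left unset — worth confirming). If the shared caches are intentional, a comment above `cacheDirs` such as `# shared by every runner (single user): a job in one repo can modify caches consumed by the others` would record that trade-off. `tokenType = "access"` with one `/etc/github-runner/token` means a single long-lived PAT registers all three runners; a fine-grained token limited to these repositories' runner administration keeps the impact of a leaked file small.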