add self-hosted github runners for nix, deskctl, betterNAS

New github-runners.nix module configures services.github-runners with shared caches, dedicated system user, and resource limits.
2026-04-15 05:02:10 +00:00 · 2026-04-05 11:24:28 -04:00 · 2026-04-05 11:24:28 -04:00 · 9e289a1b66
commit 9e289a1b66
parent b5abb31094
2 changed files with 118 additions and 0 deletions
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@ -19,6 +19,7 @@ in
    ./forgejo.nix
    ./betternas.nix
    ./openclaw-gateway.nix
+    ./github-runners.nix
    ../../modules/base.nix
    (modulesPath + "/profiles/minimal.nix")
    (modulesPath + "/profiles/headless.nix")
--- a/hosts/netty/github-runners.nix
+++ b/hosts/netty/github-runners.nix
@ -0,0 +1,117 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cacheRoot = "/var/cache/github-runner";
+
+  sanitize =
+    repo:
+    lib.toLower (
+      lib.replaceStrings
+        [ "." ]
+        [ "-" ]
+        repo
+    );
+
+  repos = [
+    "nix"
+    "deskctl"
+    "betterNAS"
+  ];
+
+  workDir = repo: "/var/lib/github-runner/work/${repo}";
+
+  cacheDirs = [
+    "${cacheRoot}/cargo"
+    "${cacheRoot}/npm"
+    "${cacheRoot}/pip"
+    "${cacheRoot}/pre-commit"
+    "${cacheRoot}/rustup"
+    "${cacheRoot}/uv"
+    "${cacheRoot}/xdg-cache"
+    "${cacheRoot}/xdg-data"
+  ];
+
+  mkRunner =
+    repo:
+    let
+      runnerId = sanitize repo;
+    in
+    lib.nameValuePair runnerId {
+      enable = true;
+      url = "https://github.com/harivansh-afk/${repo}";
+      tokenFile = "/etc/github-runner/token";
+      tokenType = "access";
+      name = "netty-${runnerId}";
+      replace = true;
+      user = "github-runner";
+      group = "github-runner";
+      workDir = workDir repo;
+      extraLabels = [
+        "netty"
+        "nix"
+        "cache"
+      ];
+      extraPackages = with pkgs; [
+        curl
+        fd
+        gh
+        gnumake
+        jq
+        nodejs_22
+        pkg-config
+        pnpm
+        python3
+        python3Packages.pip
+        ripgrep
+        stdenv.cc
+        unzip
+        uv
+        wget
+        xz
+        zip
+      ];
+      extraEnvironment = {
+        CARGO_HOME = "${cacheRoot}/cargo";
+        PIP_CACHE_DIR = "${cacheRoot}/pip";
+        PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
+        RUSTUP_HOME = "${cacheRoot}/rustup";
+        UV_CACHE_DIR = "${cacheRoot}/uv";
+        XDG_CACHE_HOME = "${cacheRoot}/xdg-cache";
+        XDG_DATA_HOME = "${cacheRoot}/xdg-data";
+        npm_config_cache = "${cacheRoot}/npm";
+      };
+      serviceOverrides = {
+        IOSchedulingClass = "best-effort";
+        IOSchedulingPriority = 7;
+        Nice = 10;
+        ReadWritePaths = [ cacheRoot ];
+      };
+    };
+in
+{
+  users.users.github-runner = {
+    isSystemUser = true;
+    group = "github-runner";
+    home = "/var/lib/github-runner";
+  };
+
+  users.groups.github-runner = { };
+
+  nix.settings.trusted-users = [ "github-runner" ];
+
+  systemd.tmpfiles.rules =
+    [
+      "d /etc/github-runner 0750 root root -"
+      "d /var/cache/github-runner 0750 github-runner github-runner -"
+      "d /var/lib/github-runner 0750 github-runner github-runner -"
+      "d /var/lib/github-runner/work 0750 github-runner github-runner -"
+    ]
+    ++ map (dir: "d ${dir} 0750 github-runner github-runner -") cacheDirs
+    ++ map (repo: "d ${workDir repo} 0750 github-runner github-runner -") repos;
+
+  services.github-runners = lib.listToAttrs (map mkRunner repos);
+}