update runners

2026-04-15 03:00:47 +00:00 · 2026-04-06 02:04:57 +00:00 · 2026-04-06 02:04:57 +00:00 · ab03b04e8e
commit ab03b04e8e
parent 84137476bd
4 changed files with 103 additions and 123 deletions
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@ -19,7 +19,7 @@ in
    ./forgejo.nix
    ./betternas.nix
    ./openclaw-gateway.nix
-    ./github-runners.nix
+    ./forgejo-runner.nix
    ../../modules/base.nix
    (modulesPath + "/profiles/minimal.nix")
    (modulesPath + "/profiles/headless.nix")
--- a/hosts/netty/forgejo-runner.nix
+++ b/hosts/netty/forgejo-runner.nix
@ -0,0 +1,83 @@
+{
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  cacheRoot = "/var/cache/forgejo-runner";
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${cacheRoot} 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/cargo 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/npm 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/pip 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/pre-commit 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/rustup 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/uv 0750 forgejo-runner forgejo-runner -"
+    "d ${cacheRoot}/actcache 0750 forgejo-runner forgejo-runner -"
+  ];
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+
+    instances.netty = {
+      enable = true;
+      name = "netty";
+      url = "https://git.harivan.sh";
+      tokenFile = "/etc/forgejo-runner/token";
+
+      labels = [
+        "native:host"
+        "ubuntu-latest:docker://node:20-bookworm"
+      ];
+
+      hostPackages = with pkgs; [
+        bash
+        coreutils
+        curl
+        fd
+        gh
+        git
+        gnumake
+        gnused
+        gawk
+        jq
+        nodejs_22
+        pkg-config
+        pnpm
+        python3
+        python3Packages.pip
+        ripgrep
+        rustup
+        stdenv.cc
+        unzip
+        uv
+        wget
+        xz
+        zip
+      ];
+
+      settings = {
+        log.level = "info";
+        runner = {
+          capacity = 2;
+          timeout = "3h";
+          envs = {
+            CARGO_HOME = "${cacheRoot}/cargo";
+            PIP_CACHE_DIR = "${cacheRoot}/pip";
+            PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
+            RUSTUP_HOME = "${cacheRoot}/rustup";
+            UV_CACHE_DIR = "${cacheRoot}/uv";
+            npm_config_cache = "${cacheRoot}/npm";
+          };
+        };
+        cache = {
+          enabled = true;
+          dir = "${cacheRoot}/actcache";
+        };
+      };
+    };
+  };
+}
--- a/hosts/netty/forgejo.nix
+++ b/hosts/netty/forgejo.nix
@ -1,11 +1,14 @@
 {
  pkgs,
+  lib,
  username,
  ...
 }:
 let
  forgejoDomain = "git.harivan.sh";
  forgejoApiUrl = "http://127.0.0.1:19300";
+  gitCredentialFile = "/var/lib/forgejo/.git-credentials";
+  mirrorEnvFile = "/etc/forgejo-mirror.env";
 in
 {
  users.users.git = {
@ -16,11 +19,23 @@ in
  };
  users.groups.git = { };

+  # Generate git credential store for GitHub mirror fetches.
+  # Appended after the module's own preStart (which handles app.ini and migrations).
+  # preStart runs as the forgejo user (git), and the env file is world-readable.
+  systemd.services.forgejo.preStart = lib.mkAfter ''
+    . ${mirrorEnvFile}
+    printf 'https://oauth2:%s@github.com\n' "$GITHUB_TOKEN" > ${gitCredentialFile}
+    chmod 600 ${gitCredentialFile}
+  '';
+
  services.forgejo = {
    enable = true;
    user = "git";
    group = "git";
    settings = {
+      "git.config" = {
+        "credential.helper" = "store --file ${gitCredentialFile}";
+      };
      repository = {
        FORCE_PRIVATE = true;
        DEFAULT_PRIVATE = "private";
@ -41,6 +56,10 @@ in
        DEFAULT_INTERVAL = "1h";
        MIN_INTERVAL = "10m";
      };
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://github.com";
+      };
    };
  };

--- a/hosts/netty/github-runners.nix
+++ b/hosts/netty/github-runners.nix
@ -1,122 +0,0 @@
-{
-  pkgs,
-  lib,
-  ...
-}:
-
-let
-  cacheRoot = "/var/cache/github-runner";
-
-  sanitize =
-    repo:
-    lib.toLower (
-      lib.replaceStrings
-        [ "." ]
-        [ "-" ]
-        repo
-    );
-
-  repos = [
-    "nix"
-    "deskctl"
-    "betterNAS"
-  ];
-
-  workDir = repo: "/var/lib/github-runner/work/${repo}";
-
-  cacheDirs = [
-    "${cacheRoot}/cargo"
-    "${cacheRoot}/npm"
-    "${cacheRoot}/pip"
-    "${cacheRoot}/pre-commit"
-    "${cacheRoot}/rustup"
-    "${cacheRoot}/uv"
-    "${cacheRoot}/xdg-cache"
-    "${cacheRoot}/xdg-data"
-  ];
-
-  mkRunner =
-    repo:
-    let
-      runnerId = sanitize repo;
-    in
-    lib.nameValuePair runnerId {
-      enable = true;
-      url = "https://github.com/harivansh-afk/${repo}";
-      tokenFile = "/etc/github-runner/token";
-      tokenType = "access";
-      name = "netty-${runnerId}";
-      replace = true;
-      user = "github-runner";
-      group = "github-runner";
-      workDir = workDir repo;
-      extraLabels = [
-        "netty"
-        "nix"
-        "cache"
-      ];
-      extraPackages = with pkgs; [
-        curl
-        fd
-        gh
-        gnumake
-        jq
-        nodejs_22
-        pkg-config
-        pnpm
-        python3
-        python3Packages.pip
-        ripgrep
-        rustup
-        stdenv.cc
-        unzip
-        uv
-        wget
-        libx11
-        libx11.dev
-        libxtst
-        xvfb-run
-        xz
-        zip
-      ];
-      extraEnvironment = {
-        CARGO_HOME = "${cacheRoot}/cargo";
-        PIP_CACHE_DIR = "${cacheRoot}/pip";
-        PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
-        RUSTUP_HOME = "${cacheRoot}/rustup";
-        UV_CACHE_DIR = "${cacheRoot}/uv";
-        XDG_CACHE_HOME = "${cacheRoot}/xdg-cache";
-        XDG_DATA_HOME = "${cacheRoot}/xdg-data";
-        npm_config_cache = "${cacheRoot}/npm";
-      };
-      serviceOverrides = {
-        IOSchedulingClass = "best-effort";
-        IOSchedulingPriority = 7;
-        Nice = 10;
-        ReadWritePaths = [ cacheRoot ];
-      };
-    };
-in
-{
-  users.users.github-runner = {
-    isSystemUser = true;
-    group = "github-runner";
-    home = "/var/lib/github-runner";
-  };
-
-  users.groups.github-runner = { };
-
-  nix.settings.trusted-users = [ "github-runner" ];
-
-  systemd.tmpfiles.rules =
-    [
-      "d /etc/github-runner 0750 root root -"
-      "d /var/cache/github-runner 0750 github-runner github-runner -"
-      "d /var/lib/github-runner 0750 github-runner github-runner -"
-      "d /var/lib/github-runner/work 0750 github-runner github-runner -"
-    ]
-    ++ map (dir: "d ${dir} 0750 github-runner github-runner -") cacheDirs
-    ++ map (repo: "d ${workDir repo} 0750 github-runner github-runner -") repos;
-
-  services.github-runners = lib.listToAttrs (map mkRunner repos);
-}