From ab03b04e8e41d719bde9a1fa8711b6afc5a8d1a8 Mon Sep 17 00:00:00 2001
From: Harivansh Rathi
Date: Mon, 6 Apr 2026 02:04:57 +0000
Subject: [PATCH] update runners
---
 hosts/netty/configuration.nix | 2 +-
 hosts/netty/forgejo-runner.nix | 83 ++++++++++++++++++++++
 hosts/netty/forgejo.nix | 19 +++++
 hosts/netty/github-runners.nix | 122 ---------------------------------
 4 files changed, 103 insertions(+), 123 deletions(-)
 create mode 100644 hosts/netty/forgejo-runner.nix
 delete mode 100644 hosts/netty/github-runners.nix
diff --git a/hosts/netty/configuration.nix b/hosts/netty/configuration.nix
index ec3db7d..dd18a40 100644
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@@ -19,7 +19,7 @@ in
 ./forgejo.nix
 ./betternas.nix
 ./openclaw-gateway.nix
- ./github-runners.nix
+ ./forgejo-runner.nix
 ../../modules/base.nix
 (modulesPath + "/profiles/minimal.nix")
 (modulesPath + "/profiles/headless.nix")
diff --git a/hosts/netty/forgejo-runner.nix b/hosts/netty/forgejo-runner.nix
new file mode 100644
index 0000000..1dc6f68
--- /dev/null
+++ b/hosts/netty/forgejo-runner.nix
@@ -0,0 +1,83 @@
+{
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ cacheRoot = "/var/cache/forgejo-runner";
+in
+{
+ systemd.tmpfiles.rules = [
+ "d ${cacheRoot} 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/cargo 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/npm 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/pip 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/pre-commit 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/rustup 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/uv 0750 forgejo-runner forgejo-runner -"
+ "d ${cacheRoot}/actcache 0750 forgejo-runner forgejo-runner -"
+ ];
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+
+ instances.netty = {
+ enable = true;
+ name = "netty";
+ url = "https://git.harivan.sh";
+ tokenFile = "/etc/forgejo-runner/token";
+
+ labels = [
+ "native:host"
+ "ubuntu-latest:docker://node:20-bookworm"
+ ];
+
+ hostPackages = with pkgs; [
+ bash
+ coreutils
+ curl
+ fd
+ gh
+ git
+ gnumake
+ gnused
+ gawk
+ jq
+ nodejs_22
+ pkg-config
+ pnpm
+ python3
+ python3Packages.pip
+ ripgrep
+ rustup
+ stdenv.cc
+ unzip
+ uv
+ wget
+ xz
+ zip
+ ];
+
+ settings = {
+ log.level = "info";
+ runner = {
+ capacity = 2;
+ timeout = "3h";
+ envs = {
+ CARGO_HOME = "${cacheRoot}/cargo";
+ PIP_CACHE_DIR = "${cacheRoot}/pip";
+ PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
+ RUSTUP_HOME = "${cacheRoot}/rustup";
+ UV_CACHE_DIR = "${cacheRoot}/uv";
+ npm_config_cache = "${cacheRoot}/npm";
+ };
+ };
+ cache = {
+ enabled = true;
+ dir = "${cacheRoot}/actcache";
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/netty/forgejo.nix b/hosts/netty/forgejo.nix
index 55af7ef..1ffa1a3 100644
--- a/hosts/netty/forgejo.nix
+++ b/hosts/netty/forgejo.nix
@@ -1,11 +1,14 @@
 {
 pkgs,
+ lib,
 username,
 ...
 }:
 let
 forgejoDomain = "git.harivan.sh";
 forgejoApiUrl = "http://127.0.0.1:19300";
+ gitCredentialFile = "/var/lib/forgejo/.git-credentials";
+ mirrorEnvFile = "/etc/forgejo-mirror.env";
 in
 {
 users.users.git = {
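Review bot: The `native:host` label runs jobs directly on this host as the runner user, and every job shares the same `CARGO_HOME`, `npm_config_cache`, `PIP_CACHE_DIR` and actcache tree under `cacheRoot`, so a workflow from any repository on the instance can leave artifacts that later jobs from other repositories consume; nothing in the file records whether that cross-repository trust is intended. A comment above `labels` such as `# native:host executes jobs unsandboxed as forgejo-runner with caches shared across all repos; only point trusted repositories at it` would make the assumption explicit. The deleted github-runners.nix created its token directory with `d /etc/github-runner 0750 root root -`, whereas nothing here creates `/etc/forgejo-runner`, so `tokenFile` relies on provisioning outside this file and a comment naming that source would help the next reader. The `ubuntu-latest:docker://…` label presumably needs a docker daemon enabled elsewhere in the host configuration, which is not visible here. `lib` is bound in the argument set but never used.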
@@ -16,11 +19,23 @@ in
 };
 users.groups.git = { };
 
+ # Generate git credential store for GitHub mirror fetches.
+ # Appended after the module's own preStart (which handles app.ini and migrations).
+ # preStart runs as the forgejo user (git), and the env file is world-readable.
+ systemd.services.forgejo.preStart = lib.mkAfter ''
+ . ${mirrorEnvFile}
+ printf 'https://oauth2:%s@github.com\n' "$GITHUB_TOKEN" > ${gitCredentialFile}
+ chmod 600 ${gitCredentialFile}
+ '';
+
 services.forgejo = {
 enable = true;
 user = "git";
 group = "git";
 settings = {
+ "git.config" = {
+ "credential.helper" = "store --file ${gitCredentialFile}";
+ };
 repository = {
 FORCE_PRIVATE = true;
 DEFAULT_PRIVATE = "private";
@@ -41,6 +56,10 @@ in
 DEFAULT_INTERVAL = "1h";
 MIN_INTERVAL = "10m";
 };
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://github.com";
+ };
 };
 };
 
diff --git a/hosts/netty/github-runners.nix b/hosts/netty/github-runners.nix
deleted file mode 100644
index 33ff2f5..0000000
--- a/hosts/netty/github-runners.nix
+++ /dev/null
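Review bot: The credential file is created by the `printf … > ${gitCredentialFile}` redirect before the `chmod 600` on the following line, so for a moment it exists with the umask-derived default mode while already holding the token; adding `umask 077` as the first line of the preStart block closes that window. The comment above states that the env file is world-readable, which means `GITHUB_TOKEN` is readable by every local account — including the `forgejo-runner` user that executes `native:host` jobs on this same host per forgejo-runner.nix — so the file should be narrowed to the `git` user or group (e.g. mode 0640 owned by root:git) instead of relying on world read; how that file is provisioned is not visible in this patch. Note also that `credential.helper = store --file …` in `git.config` applies to every git operation Forgejo performs against github.com, not only the scheduled mirror fetch, so any migration or mirror a Forgejo user creates from a GitHub URL will authenticate with this token. The preStart script also writes `https://oauth2:@github.com` if `GITHUB_TOKEN` is unset, since nothing checks the variable after sourcing the env file.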
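Review bot: With `ENABLED = true` and `DEFAULT_ACTIONS_URL = "https://github.com"`, every unqualified `uses:` step is fetched from GitHub at run time and, given the `native:host` runner defined in forgejo-runner.nix, executes unsandboxed on this host, so the actions supply chain is now part of the host's trust boundary. A comment next to `DEFAULT_ACTIONS_URL` along the lines of `# unqualified uses: references resolve to github.com; pin third-party actions to commit SHAs in workflows` would record that expectation. The enclosing `settings` attrset starts outside this hunk.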
@@ -1,122 +0,0 @@
-{
- pkgs,
- lib,
- ...
-}:
-
-let
- cacheRoot = "/var/cache/github-runner";
-
- sanitize =
- repo:
- lib.toLower (
- lib.replaceStrings
- [ "." ]
- [ "-" ]
- repo
- );
-
- repos = [
- "nix"
- "deskctl"
- "betterNAS"
- ];
-
- workDir = repo: "/var/lib/github-runner/work/${repo}";
-
- cacheDirs = [
- "${cacheRoot}/cargo"
- "${cacheRoot}/npm"
- "${cacheRoot}/pip"
- "${cacheRoot}/pre-commit"
- "${cacheRoot}/rustup"
- "${cacheRoot}/uv"
- "${cacheRoot}/xdg-cache"
- "${cacheRoot}/xdg-data"
- ];
-
- mkRunner =
- repo:
- let
- runnerId = sanitize repo;
- in
- lib.nameValuePair runnerId {
- enable = true;
- url = "https://github.com/harivansh-afk/${repo}";
- tokenFile = "/etc/github-runner/token";
- tokenType = "access";
- name = "netty-${runnerId}";
- replace = true;
- user = "github-runner";
- group = "github-runner";
- workDir = workDir repo;
- extraLabels = [
- "netty"
- "nix"
- "cache"
- ];
- extraPackages = with pkgs; [
- curl
- fd
- gh
- gnumake
- jq
- nodejs_22
- pkg-config
- pnpm
- python3
- python3Packages.pip
- ripgrep
- rustup
- stdenv.cc
- unzip
- uv
- wget
- libx11
- libx11.dev
- libxtst
- xvfb-run
- xz
- zip
- ];
- extraEnvironment = {
- CARGO_HOME = "${cacheRoot}/cargo";
- PIP_CACHE_DIR = "${cacheRoot}/pip";
- PRE_COMMIT_HOME = "${cacheRoot}/pre-commit";
- RUSTUP_HOME = "${cacheRoot}/rustup";
- UV_CACHE_DIR = "${cacheRoot}/uv";
- XDG_CACHE_HOME = "${cacheRoot}/xdg-cache";
- XDG_DATA_HOME = "${cacheRoot}/xdg-data";
- npm_config_cache = "${cacheRoot}/npm";
- };
- serviceOverrides = {
- IOSchedulingClass = "best-effort";
- IOSchedulingPriority = 7;
- Nice = 10;
- ReadWritePaths = [ cacheRoot ];
- };
- };
-in
-{
- users.users.github-runner = {
- isSystemUser = true;
- group = "github-runner";
- home = "/var/lib/github-runner";
- };
-
- users.groups.github-runner = { };
-
- nix.settings.trusted-users = [ "github-runner" ];
-
- systemd.tmpfiles.rules =
- [
- "d /etc/github-runner 0750 root root -"
- "d /var/cache/github-runner 0750 github-runner github-runner -"
- "d /var/lib/github-runner 0750 github-runner github-runner -"
- "d /var/lib/github-runner/work 0750 github-runner github-runner -"
- ]
- ++ map (dir: "d ${dir} 0750 github-runner github-runner -") cacheDirs
- ++ map (repo: "d ${workDir repo} 0750 github-runner github-runner -") repos;
-
- services.github-runners = lib.listToAttrs (map mkRunner repos);
-}