forgejo runner for nixos rebuild

modules/system/homelab/git.nix

@@ -1,48 +1,65 @@
 { pkgs, homelab, ... }: {
-  services.forgejo = {
+  security.sudo.extraRules = [{ # for configuration activation on push to git
-    enable = true;
+    users = [ "gitea-runner" ]; 
-    lfs.enable = true;
+    commands = [{ 
-    stateDir = "/mnt/data/forgejo";
+      command = "/run/current-system/sw/bin/nixos-rebuild"; 
-    package = pkgs.forgejo;
+      options = [ "NOPASSWD" ]; 
-    #secrets = {
+    }];
-    #  oauth2.JWT_SECRET = "/mnt/data/forgejo/custom/conf/oauth2_jwt_secret";
+  }];
-    #  server.LFS_JWT_SECRET = "/mnt/data/forgejo/custom/conf/lfs_jwt_secret";
+  services = {
-    #  security = {
+    forgejo = {
-    #    INTERNAL_TOKEN = "/mnt/data/forgejo/custom/conf/internal_token";
+      enable = true;
-    #    SECRET_KEY = "/mnt/data/forgejo/custom/conf/secret_key";
+      lfs.enable = true;
-    #  };
+      stateDir = "/mnt/data/forgejo";
-    #};
+      package = pkgs.forgejo;
-    settings = {
+      #secrets = {
-      server = {
+      #  oauth2.JWT_SECRET = "/mnt/data/forgejo/custom/conf/oauth2_jwt_secret";
-        DISABLE_SSH = false;
+      #  server.LFS_JWT_SECRET = "/mnt/data/forgejo/custom/conf/lfs_jwt_secret";
-        START_SSH_SERVER = true;
+      #  security = {
-        SSH_DOMAIN = "main.dns.${homelab.domain}";
+      #    INTERNAL_TOKEN = "/mnt/data/forgejo/custom/conf/internal_token";
-        SSH_LISTEN_HOST = "0.0.0.0";
+      #    SECRET_KEY = "/mnt/data/forgejo/custom/conf/secret_key";
-        SSH_LISTEN_PORT = 5822;
+      #  };
-        SSH_PORT = 5822;
+      #};
-        DOMAIN = "git.${homelab.domain}";
+      settings = {
-        HTTP_ADDR = "127.0.0.1";
+        server = {
-        HTTP_PORT = 5080;
+          DISABLE_SSH = false;
-        PROTOCOL = "http";
+          START_SSH_SERVER = true;
-        ROOT_URL = "https://git.${homelab.domain}";
+          SSH_DOMAIN = "main.dns.${homelab.domain}";
-        LANDING_PAGE = "explore";
+          SSH_LISTEN_HOST = "0.0.0.0";
+          SSH_LISTEN_PORT = 5822;
+          SSH_PORT = 5822;
+          DOMAIN = "git.${homelab.domain}";
+          HTTP_ADDR = "127.0.0.1";
+          HTTP_PORT = 5080;
+          PROTOCOL = "http";
+          ROOT_URL = "https://git.${homelab.domain}";
+          LANDING_PAGE = "explore";
+        };
+        oauth2_client.ENABLE_AUTO_REGISTRATION=true;
+        service = {
+          DISABLE_REGISTRATION = true;
+          ENABLE_OPENID_SIGNIN = false;
+          ENABLE_OPENID_SIGNUP = false;
+          ENABLE_INTERNAL_SIGNIN = true; 
+          SHOW_REGISTRATION_BUTTON = false;
+          ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+          ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+          REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
+        };
+        user.ENABLE_FOLLOWING = false;
+        repository = {
+          DISABLE_STARS = true;
+          DISABLE_FORKS = true;
+          ENABLE_PUSH_CREATE_USER = true;
+        };
       };
-      oauth2_client.ENABLE_AUTO_REGISTRATION=true;
+      gitea-actions-runner.instances.nixos-deploy = {
-      service = {
+        enable = true;
-        DISABLE_REGISTRATION = true;
+        name = "nixos-server-runner";
-        ENABLE_OPENID_SIGNIN = false;
+        url = "https://git.proxy.${homelab.domain}";
-        ENABLE_OPENID_SIGNUP = false;
+        tokenFile = "/mnt/data/forgejo/runner/nixos_deploy_runner_token"; 
-        ENABLE_INTERNAL_SIGNIN = true; # TODO: set false after migration complete
+        labels = [ "nixos-server" ];
-        SHOW_REGISTRATION_BUTTON = false;
+        hostPackages = with pkgs; [ bash coreutils git nix ];
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
-        ALLOW_ONLY_INTERNAL_REGISTRATION = false;
-        REQUIRE_EXTERNAL_REGISTRATION_PASSWORD = true;
-      };
-      user.ENABLE_FOLLOWING = false;
-      repository = {
-        DISABLE_STARS = true;
-        DISABLE_FORKS = true;
-        ENABLE_PUSH_CREATE_USER = true;
       };
     };
   };