feat: basic forgejo setup

applications/git/forgejo.nix

@@ -35,22 +35,19 @@ in {
     };
 
     forgejo = {
-          port = mkOption {
-            type = types.port;
-            default = 3000;
-          };
-
-
+      port = mkOption {
+        type = types.port;
+        default = 3000;
+      };
     };
   };
 
   config = mkIf cfg.enable {
-
-#    age.secrets.forgejo-mailer-password = {
-#      file = ../../secrets/forgejo/mailer-password.age;
-#      mode = "400";
-#      owner = "forgejo";
-#    };
+    #    age.secrets.forgejo-mailer-password = {
+    #      file = ../../secrets/forgejo/mailer-password.age;
+    #      mode = "400";
+    #      owner = "forgejo";
+    #    };
 
     services.skynet.acme.domains = [
       "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}"
@@ -79,38 +76,38 @@ in {
       };
     };
 
-
     services.forgejo = {
-        enable = true;
-        database.type = "sqlite3";
-        # Enable support for Git Large File Storage
-        lfs.enable = true;
-        settings = {
-          server = {
-            DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-            # You need to specify this to remove the port from URLs in the web UI.
-            ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
-            HTTP_PORT = cfg.forgejo.port;
-          };
-
-          # You can temporarily allow registration to create an admin user.
-          service.DISABLE_REGISTRATION = true;
-          # Add support for actions, based on act: https://github.com/nektos/act
-#          actions = {
-#            ENABLED = true;
-#            DEFAULT_ACTIONS_URL = "github";
-#          };
-          # Sending emails is completely optional
-          # You can send a test email from the web UI at:
-          # Profile Picture > Site Administration > Configuration >  Mailer Configuration
-#          mailer = {
-#            ENABLED = true;
-#            SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
-#            FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-#            USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
-#          };
+      enable = true;
+      package = pkgs.forgejo;
+      database.type = "sqlite3";
+      # Enable support for Git Large File Storage
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = "${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+          # You need to specify this to remove the port from URLs in the web UI.
+          ROOT_URL = "https://${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}/";
+          HTTP_PORT = cfg.forgejo.port;
         };
-#        mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+
+        # You can temporarily allow registration to create an admin user.
+        service.DISABLE_REGISTRATION = true;
+        # Add support for actions, based on act: https://github.com/nektos/act
+        #          actions = {
+        #            ENABLED = true;
+        #            DEFAULT_ACTIONS_URL = "github";
+        #          };
+        # Sending emails is completely optional
+        # You can send a test email from the web UI at:
+        # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+        #          mailer = {
+        #            ENABLED = true;
+        #            SMTP_ADDR = "mail.${cfg.domain.base}.${cfg.domain.tld}";
+        #            FROM = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+        #            USER = "noreply@${cfg.domain.sub}.${cfg.domain.base}.${cfg.domain.tld}";
+        #          };
       };
+      #        mailerPasswordFile = config.age.secrets.forgejo-mailer-password.path;
+    };
   };
 }

applications/git/forgejo_runner.nix

@@ -0,0 +1,145 @@
+{
+  config,
+  pkgs,
+  lib,
+  inputs,
+  ...
+}:
+with lib; let
+  name = "forgejo_runner";
+  cfg = config.services.skynet."${name}";
+in {
+  imports = [
+  ];
+
+  options.services.skynet."${name}" = {
+    enable = mkEnableOption "Skynet ForgeJo Runner";
+
+    runner = {
+      name = mkOption {
+        type = types.str;
+        default = config.networking.hostName;
+      };
+
+      website = mkOption {
+        default = "https://forgejo.skynet.ie";
+        type = types.str;
+      };
+
+      user = mkOption {
+        default = "gitea-runner";
+        type = types.str;
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # https://search.nixos.org/options?from=0&size=50&sort=alpha_desc&type=packages&query=services.gitlab-runner.
+    environment.systemPackages = with pkgs; [
+      forgejo-actions-runner
+    ];
+
+    age.secrets.forgejo_runner_token = {
+      file = ../../secrets/forgejo/runners/token.age;
+      owner = cfg.runner.user;
+      group = cfg.runner.user;
+    };
+
+    # make sure the ssh config stuff is in teh right palce
+    systemd.tmpfiles.rules = [
+      #"d  /home/${cfg.runner.user}             0755 ${cfg.runner.user} ${cfg.runner.user}"
+      "L+ /home/${cfg.runner.user}/.ssh/config 0755 ${cfg.runner.user} ${cfg.runner.user}  -   ${./ssh_config}"
+    ];
+    age.secrets.forgejo_runner_ssh = {
+      file = ../../secrets/forgejo/runners/ssh.age;
+      mode = "600";
+      owner = "${cfg.runner.user}";
+      group = "${cfg.runner.user}";
+      symlink = false;
+      path = "/home/${cfg.runner.user}/.ssh/skynet/root";
+    };
+
+    nix = {
+      settings = {
+        trusted-users = [
+          # allow the runner to build nix stuff and to use the cache
+          "gitea-runner"
+        ];
+        trusted-public-keys = [
+          "skynet-cache:zMFLzcRZPhUpjXUy8SF8Cf7KGAZwo98SKrzeXvdWABo="
+          "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        ];
+        substituters = [
+          "https://nix-cache.skynet.ie/skynet-cache/"
+          "https://cache.nixos.org/"
+        ];
+        trusted-substituters = [
+          "https://nix-cache.skynet.ie/skynet-cache/"
+          "https://cache.nixos.org/"
+        ];
+      };
+    };
+
+    # very basic setup to always be watching for changes in teh cache
+    systemd.services.attic-uploader = {
+      enable = true;
+      serviceConfig = {
+        ExecStart = "${pkgs.attic-client}/bin/attic watch-store skynet-cache";
+        User = "root";
+        Restart = "always";
+        RestartSec = 1;
+      };
+    };
+
+    # give teh runner user a home to store teh ssh config stuff
+    systemd.services.gitea-runner-default.serviceConfig = {
+      DynamicUser = lib.mkForce false;
+      User = lib.mkForce cfg.runner.user;
+    };
+    users = {
+      groups."${cfg.runner.user}" = {};
+      users."${cfg.runner.user}" = {
+        #isSystemUser = true;
+        isNormalUser = true;
+        group = cfg.runner.user;
+        createHome = true;
+        shell = pkgs.bash;
+      };
+    };
+
+    # the actual runner
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = cfg.runner.name;
+        url = cfg.runner.website;
+        tokenFile = config.age.secrets.forgejo_runner_token.path;
+        labels = [
+          ## optionally provide native execution on the host:
+          "nix:host"
+          "docker:docker://node:16-bullseye"
+          "ubuntu-latest:docker://node:16-bullseye"
+        ];
+
+        hostPackages = with pkgs; [
+          # default ones
+          bash
+          coreutils
+          curl
+          gawk
+          gitMinimal
+          gnused
+          nodejs
+          wget
+
+          # used in deployments
+          inputs.colmena.defaultPackage."x86_64-linux"
+          attic-client
+          nix
+          openssh
+        ];
+      };
+    };
+  };
+}

applications/git/ssh_config

@@ -0,0 +1,5 @@
+Host *.skynet.ie 193.1.99.* 193.1.96.165
+   User root
+   IdentityFile ~/.ssh/skynet/root
+   IdentitiesOnly yes
+

machines/wheatly.nix

@@ -26,6 +26,7 @@ Notes:
 in {
   imports = [
     ../applications/git/gitlab_runner.nix
+    ../applications/git/forgejo_runner.nix
   ];
 
   deployment = {
@@ -44,5 +45,7 @@ in {
       enable = true;
       runner.name = "runner01";
     };
+
+    forgejo_runner.enable = true;
   };
 }

secrets/forgejo/runners/token.age

@@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> ssh-ed25519 V1pwNA bGirG6sUND19fSIwyvtjS3RDjyNUc+kXmzRoN4P1bC8
+kPJr2S9BlGWWnoggce6dx1OR0/r57AB5Rcgz+qY0qKE
+-> ssh-ed25519 4PzZog iciiKCHhfK38SwvSPrdoMK7C250qTV5eBgv657iyKwU
+dEiSS1FuxEpovNAl1HPZk+MRCcjLGiKgTfpi5Ssi38M
+-> ssh-ed25519 5Nd93w FFgxLg0NNK6Op64FHu24sjaerv3jgDaPz6uKPi/A8AE
+ZvHbJ2K3T7CUJSrrpF9fMmP6FWCQ3i6m/5Fi2UNtbew
+-> ssh-ed25519 q8eJgg nVm1H/mbEsGt2O87i7VKUL5do6Rc7n5nvSilUtQ4cBU
+WWtsNbIatU5ZostueLntGgKD/nxcavZPheU9afRvbH0
+-> ssh-ed25519 KVr8rw Nnroz2PgUoJsd/frf+N+b7xdJDAzj3NsmJaogsIkYGk
+xX73tnCCYGBNA3BRjjPMn/IV+qwjIwEUk+IZbhCCfHY
+-> ssh-ed25519 fia1eQ GLYqWGKYKwkBRwQ7SxSnErmz1MFw5gPCexfap8VM9Rk
+Z+dIKhk+JH7W07diX1Abr/Deezkw8xGkzXQuYn1HfJI
+-> ssh-ed25519 yvS9bw Lwo77pDciewUZemyFc1EUboIlXFCBx3CY6BGuizach4
+AkWzgV1zRJzLtfRxkfhmd80EU8fW1w+5sxMAfWgdEMI
+--- ac6h3StxSHr+HFsyPIBPENQRcfKzXX8fzJlZ0MER/8c
+å¯ñ„üzwyCÉ>þÖ¸Æ\k¡±êu/<2F>óí{z§©€<>¢Õ®¼<C2AE>º<EFBFBD>ø£jDÇÐÒßã4õ{^mÃDsÝ妞ÂÎ#kiné“xo

secrets/secrets.nix

@@ -134,6 +134,9 @@ in {
   "gitlab/runners/runner01.age".publicKeys = users ++ gitlab_runners;
   "gitlab/runners/runner02.age".publicKeys = users ++ gitlab_runners;
 
+  "forgejo/runners/token.age".publicKeys = users ++ gitlab_runners;
+  "forgejo/runners/ssh.age".publicKeys = users ++ gitlab_runners;
+
   # for ldap
   "ldap/pw.age".publicKeys = users ++ ldap ++ bitwarden;
   # for use connectring to teh ldap