diff --git a/.forgejo/workflows/deploy-rs.yml b/.forgejo/workflows/deploy-rs.yml
index 9f47ff60..9389bd5e 100644
--- a/.forgejo/workflows/deploy-rs.yml
+++ b/.forgejo/workflows/deploy-rs.yml
@@ -10,7 +10,7 @@ on:
jobs:
deploy-rs:
- runs-on: headscale-runner
+ runs-on: forgejo
container:
image: git.sysctl.io/albert/actions-container-images/headscale-runner:latest
options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --privileged
diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index d70ce195..254c45d5 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -1,26 +1,25 @@
----
-iname: Deploy Systems
-on:
- workflow_dispatch:
+name: Deploy Systems
+on: [workflow_dispatch]
jobs:
deploy:
runs-on: nix
steps:
- - name: Checkout repository
- uses: https://code.forgejo.org/actions/checkout@v4
+ - uses: https://git.madhouse-project.org/actions/nix/setup@v2
+ with:
+ nix_path: nixpkgs=flake:nixpkgs
- - name: Validate Flake
- run: nix flake check
+ - uses: https://git.madhouse-project.org/actions/nix/build@v2
+ with:
+ flake: .
+ targets: |
+ nixosConfigurations
- - name: Build Systems
- run: nix build .#nixosConfigurations --show-trace
-
- - name: Deploy with deploy-rs
- run: nix run .#deploy -- -- --confirm
- env:
- DEPLOY_SSH_USER: ${{ secrets.SSH_USER }}
- DEPLOY_SSH_KEY: ${{ secrets.SSH_PRIVATE_KEY }}
+ - uses: https://git.madhouse-project.org/actions/nix/deploy-rs@v2
+ with:
+ ssh_user: ${{ secrets.SSH_USER }}
+ ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
+ confirm: true
- uses: https://git.sysctl.io/actions/gotify-action@master
if: always()
@@ -32,3 +31,4 @@ jobs:
notification_message: |
Status: ${{ job.status }}
Commit: ${{ github.sha }}
+
diff --git a/nixos/common/services/forgejo-runner.nix b/nixos/common/services/forgejo-runner.nix
index dfd5f396..51f932e5 100644
--- a/nixos/common/services/forgejo-runner.nix
+++ b/nixos/common/services/forgejo-runner.nix
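Review bot: The `options:` line keeps `--privileged` for the headscale-runner container while the runner configuration added in this same commit (`forgejo-runner.nix`) declares `allow-privileged = false` and `--cap-drop=ALL`; the two cannot both hold, so either this job will be refused or the runner-side restriction is not actually enforced, and the commit should settle which. With the runner now granting `NET_ADMIN` and exposing `/dev/net/tun` through `valid_volumes`, the privileged flag looks unnecessary: `options: --mount type=bind,src=/dev/net/tun,dst=/dev/net/tun --cap-add=NET_ADMIN` is the narrower form, provided the runner honors `--cap-add` in job-level options. The `forgejo` label this job now targets resolves to `docker:git.sysctl.io/**/*:*`, whose image argument is overridden by `container.image` here, so the label switch itself is fine. The job definition continues past the hunk.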
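Review bot: The three new `uses:` steps fetch actions from an external forge pinned to the moving tag `@v2`, and the `deploy-rs@v2` step receives `secrets.SSH_PRIVATE_KEY` as an input, so whoever can move that tag on git.madhouse-project.org controls the deploy key and every host it reaches. Pinning each to a full commit hash with the tag kept in a trailing comment, e.g. `- uses: https://git.madhouse-project.org/actions/nix/deploy-rs@<commit-sha>  # v2`, keeps the dependency reviewable; the same applies to the pre-existing `gotify-action@master`. Minor: `targets: |` keeps a trailing newline in the value, so `targets: |-` (or simply `targets: nixosConfigurations`) is the cleaner form unless the action relies on it. Whether `nix/build@v2` replaces the dropped `nix flake check` step depends on that action; if it only builds the listed target, evaluation of the rest of the flake is no longer checked before deploying.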
@@ -5,7 +5,7 @@
owner = "root";
mode = "0444"; # gitea-actions-runner uses "DynamicUser"
sopsFile = ../../../secrets/secrets.yaml;
- restartUnits = [ "gitea-actions-runner-${hostname}.service" ];
+ restartUnits = [ "gitea-actions-runner-default.service" ];
};
services.gitea-actions-runner = {
@@ -14,34 +14,51 @@
enable = true;
name = "${hostname}";
labels = [
- "nix:host://self-hsoted"
- "${hostname}:host://self-hosted"
- "self-hosted:host://self-hosted"
- "alpine:docker://alpine:edge"
- "ubuntu:docker://ubuntu:latest"
- "headscale-runner:docker://git.sysctl.io/albert/actions-container-images/headscale-runner:latest"
- ];
+ # Host runners (direct execution)
+ "nix:host" # Simplified host label
+ "${hostname}:host" # Host identifier
+ "self-hosted:host" # Standard host designation
+ # Docker wildcards
+ "docker:docker:*:*"
+ "forgejo:docker:git.sysctl.io/**/*:*"
+ ];
url = "https://git.sysctl.io";
tokenFile = /run/secrets/services/forgejo_token;
- hostPackages = with pkgs; [
- nodejs_20 # Explicitly use Node.js 20.x
- deploy-rs
- coreutils
- git
- gnutar
- gzip
- ];
+ hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
+ settings = {
+ valid_volumes = [
+ "/run/podman/podman.sock:/run/podman/podman.sock:rw" # Docker socket
+ "/dev/net/tun:/dev/net/tun:rw" # Tunnel device mapping
+ "/nix/store:/nix/store:ro" # Standard Nix requirement
+ ];
+ container_security = {
+ allow-privileged = false;
+ allow-host-namespace = false;
+ };
+ docker-opts = [
+ "--cap-drop=ALL" # Drop all caps first
+ "--security-opt=no-new-privileges"
+ "--cap-add=NET_ADMIN" # Required for TUN device access
+ ];
+ };
};
};
-
+
systemd.services.gitea-actions-runner-default = {
serviceConfig = {
- CacheDirectory = "gitea-actions-runner-default"; # Add this line
- StateDirectory = "gitea-actions-runner-default";
- RuntimeDirectory = "gitea-actions-runner-default";
+ ReadWritePaths = [
+ "/dev/net/tun"
+ "/var/lib/gitea-runner"
+ ];
+ BindReadOnlyPaths = [
+ "/nix/store"
+ ];
+ DeviceAllow = [
+ "char-10-200 rw" # Allow TUN device access
+ ];
};
- preStop = ''
- rm -rf /var/lib/gitea-runner/default/.cache/act/*
- ''; # Cache cleanup
- };
+ unitConfig = {
+ RequiresMountsFor = "/dev/net/tun";
+ };
+ };
}
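Review bot: The new `settings` block is unlikely to produce the hardening its comments describe: in act_runner's config.yaml `valid_volumes` sits under `container`, next to `privileged` (a bool) and `options` (a string of extra container flags), and I know of no `container_security` or `docker-opts` keys, so — since the loader does not, to my knowledge, reject unknown keys — `allow-privileged = false` and `--cap-drop=ALL` would be silently ignored while `deploy-rs.yml` in this same commit still requests `--privileged`. Separately, listing `/run/podman/podman.sock` in `valid_volumes` lets any workflow that asks for the mount drive the host container runtime, which is root-equivalent and undoes the capability dropping, so it does not belong on a general-purpose runner. The `docker:docker:*:*` and `forgejo:docker:git.sysctl.io/**/*:*` labels rely on glob matching that I do not believe act_runner label arguments have; a job with `container.image` set overrides the argument anyway, but `runs-on: docker` without `container:` would try to pull the literal image `*:*`. In the systemd part, `RequiresMountsFor = "/dev/net/tun"` does not make the TUN node exist (it appears when the `tun` kernel module is loaded, e.g. via `boot.kernelModules`), and `DeviceAllow`/`ReadWritePaths` on the runner unit constrain the runner process itself, presumably not containers created through the podman socket. The `instances` block these settings belong to starts above the hunk; a restructured `settings` with the socket removed follows.
```nix
settings = {
  container = {
    privileged = false;
    # Extra flags for every job container; --cap-add comes after --cap-drop so only NET_ADMIN remains
    options = "--cap-drop=ALL --security-opt=no-new-privileges --cap-add=NET_ADMIN";
    # NOTE(review): confirm the src:dst:mode form is what act_runner's valid_volumes expects
    valid_volumes = [
      "/dev/net/tun:/dev/net/tun:rw"
      "/nix/store:/nix/store:ro"
    ];
  };
};
```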