Add more runner slots

nixos/common/services/forgejo-runner.nix

@@ -1,70 +1,62 @@
-{ pkgs, hostname, ... }: {
-
-  # Set up the secret for the password:
+{ config, pkgs, hostname, ... }: 
+let
+  mkRunner = name: {
+    enable = true;
+    inherit name;
+    labels = [ 
+      "nix:host"
+      "${hostname}:host"
+      "self-hosted:host"
+      "docker:docker:*:*"
+      "forgejo:docker:git.sysctl.io/**/*:*"
+    ];
+    tokenFile = config.sops.secrets."services/forgejo_token".path;
+    hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
+    settings = {
+      container = {
+        force_pull = true;
+        clean_working_directory = true;
+        privileged = true;
+      };
+      valid_volumes = [
+        "/run/podman/podman.sock:/run/podman/podman.sock:rw"
+        "/run/podman/docker.sock:/run/podman/docker.sock:rw"
+        "/dev/net/tun:/dev/net/tun:rw"
+        "/nix/store:/nix/store:ro"
+      ];
+      container_security = {
+        allow-privileged = true;
+        allow-host-namespace = false;
+      };
+      docker-opts = [ "--cap-add=NET_ADMIN" ];
+    };
+  };
+in {
   sops.secrets."services/forgejo_token" = {
     owner = "root";
-    mode = "0444"; # gitea-actions-runner uses "DynamicUser"
+    mode = "0444";
     sopsFile = ../../../secrets/secrets.yaml;
-    restartUnits = [ "gitea-actions-runner-default.service" ];
+    restartUnits = [ "gitea-actions-runner-primary.service" ];
   };
 
   services.gitea-actions-runner = {
     package = pkgs.forgejo-actions-runner;
-    instances.default = {
-      enable = true;
-      name = "${hostname}";
-      labels = [ 
-        # Host runners (direct execution)
-        "nix:host"                   # Simplified host label
-        "${hostname}:host"           # Host identifier
-        "self-hosted:host"           # Standard host designation
-        # Docker wildcards 
-        "docker:docker:*:*"
-        "forgejo:docker:git.sysctl.io/**/*:*"
-      ];      
-      url = "https://git.sysctl.io";
-      tokenFile = /run/secrets/services/forgejo_token;
-      hostPackages = with pkgs; [ nix deploy-rs nodejs coreutils git gnutar gzip ];
-      settings = {
-        container = {
-          force_pull = true;
-          clean_working_directory = true;
-          privileged = true;
-        };
-        valid_volumes = [
-          "/run/podman/podman.sock:/run/podman/podman.sock:rw" # Poadman socket
-          "/run/podman/docker.sock:/run/podman/docker.sock:rw" # Docker socket
-          "/dev/net/tun:/dev/net/tun:rw"  # Tunnel device mapping
-          "/nix/store:/nix/store:ro"      # Standard Nix requirement
-        ];
-      container_security = {
-        allow-privileged = true;
-          allow-host-namespace = false;
-        };
-        docker-opts = [
-          # "--cap-drop=ALL"  # Drop all caps first
-          # "--security-opt=no-new-privileges"
-          "--cap-add=NET_ADMIN"            # Required for TUN device access
-        ];
-      };
+    instances = {
+      runner1 = mkRunner "${hostname}-1";
+      runner2 = mkRunner "${hostname}-2";
+      runner3 = mkRunner "${hostname}-3";
+      runner4 = mkRunner "${hostname}-4";
+      runner5 = mkRunner "${hostname}-5";
     };
   };
 
-  systemd.services.gitea-actions-runner-default = {
+  systemd.services = builtins.mapAttrs (name: cfg: {
     serviceConfig = {
-      ReadWritePaths = [
-        "/dev/net/tun"
-        "/var/lib/gitea-runner"
-      ];
-      BindReadOnlyPaths = [
-        "/nix/store"
-      ];
-      DeviceAllow = [
-        "char-10-200 rw"              # Allow TUN device access
-      ];
+      ReadWritePaths = [ "/dev/net/tun" "/var/lib/gitea-runner" ];
+      BindReadOnlyPaths = [ "/nix/store" ];
+      DeviceAllow = [ "char-10-200 rw" ];
     };
-    unitConfig = {
-      RequiresMountsFor = "/dev/net/tun";
-    };
-  }; 
+    unitConfig.RequiresMountsFor = "/dev/net/tun";
+  }) config.services.gitea-actions-runner.instances;
 }
+