fw/nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Added runner token

Browse source
This commit is contained in:
fwastring 2025-09-23 15:31:53 +02:00
parent bc496c8204
commit ebcdc49ea1
2 changed files with 42 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

41
moduler/services/forgejo/default.nix
View file

@ -16,12 +16,17 @@ with lib;
port = lib.mkOption {
type = lib.types.int;
default = 8003;
description = "The port that Actual is served on.";
description = "The port that Forgejo is served on.";
};
sshPort = lib.mkOption {
type = lib.types.int;
default = 3022;
description = "The ssh port that Forgejo is served on.";
};
domain = lib.mkOption {
type = lib.types.str;
default = "git.wastring.com";
description = "The hostname that Actual is served on.";
description = "The hostname that Forgejo is served on.";
};
};
};
@ -52,6 +57,37 @@ with lib;
# ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true
'';
systemd.sockets.forgejo = {
requiredBy = [ "forgejo.service" ];
wantedBy = [ "sockets.target" ];
listenStreams = [
(toString config.services.forgejo.settings.server.SSH_PORT)
];
};
sops.secrets.forgejo-runner-token = {};
services.gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances.default = {
enable = true;
name = "monolith";
url = "https://git.wastring.com";
# Obtaining the path to the runner token file may differ
# tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
tokenFile = config.sops.secrets.forgejo-runner-token.path;
labels = [
"ubuntu-latest:docker://node:20-bullseye"
# "ubuntu-22.04:docker://node:16-bullseye"
# "ubuntu-20.04:docker://node:16-bullseye"
# "ubuntu-18.04:docker://node:16-buster"
## optionally provide native execution on the host:
# "native:host"
];
};
};
services.forgejo = {
enable = true;
database.type = "postgres";
@ -63,6 +99,7 @@ with lib;
# You need to specify this to remove the port from URLs in the web UI.
ROOT_URL = "https://${config.forgejo.domain}/";
HTTP_PORT = config.forgejo.port;
SSH_PORT = config.forgejo.sshPort;
};
# You can temporarily allow registration to create an admin user.
service.DISABLE_REGISTRATION = true;

5
secrets/sops.yaml
View file

@ -4,6 +4,7 @@ wireguard_public_key: ENC[AES256_GCM,data:4ETVdAeLrqwPh7LZGN6wounajnh8bD9zdq4GWM
github_password: ENC[AES256_GCM,data:2Q27cc0cqsWFt/lBNUApWPVRQaXi7uZ3UEn051G/Ar8lZs9zTYYWrg==,iv:s81MlK8u7QzP1azsNw2CtKouJqe/pAHZ7wy5aCWEEuI=,tag:Lf9o6RbLdsQ7ZYCMdVXglQ==,type:str]
smtp_password: ENC[AES256_GCM,data:h1K973qeehIIATdoqFhrLiY7XiU=,iv:ltrsG9KZ8rQuSJXNXswMnbIW/N8+CGbRmiTiENzcGTM=,tag:mD/VpM1FqZaiwksWQpAAog==,type:str]
forgejo-admin-password: ENC[AES256_GCM,data:FuDfqjeQ2T5KcOO1BQ==,iv:ueX7XjbiChuwfYm1B/MJvJaYdWbCmoIs91lj9h9uFYE=,tag:qUszDTRZklwSKrS0PpJhTA==,type:str]
forgejo-runner-token: ENC[AES256_GCM,data:1AUeTy5Sqoa4u5L/TGjt/v69p2xF/mp0oXVv08TA+squzRVW9/t40xfY2yD8HQ==,iv:uWf9jKIIsajh362vY2NBw8od+iOFGfIQ7NJVFgjWlBw=,tag:hCOzvSKoDbKCGceqNkRx7g==,type:str]
sops:
age:
- recipient: age1jeyw96795qu52swmtkjqgr2w3g4vxc43ckc5r4hlwpje23ptnfwsheah0s
@ -33,7 +34,7 @@ sops:
OU8yT0cvcnZMMXphMFVHSXpHNjc4dEkKyXiwholsJthB9O7onb0buF6qHNVNZA3s
A2+HSl5P0HCyaZhDIDBFdaUL2r0CHKOPCN3Lrd5+Rirnx48RnDxwBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-23T11:21:30Z"
mac: ENC[AES256_GCM,data:/bLDPC0lRZhs/KY3wQ+nEapiIaMjjWCFUVQLgojiGfKvp7Cp7XmyGaHx1GbcxVSbh67TxjlbojEtno6QVtbfT64gFFq6X5Y96S1UCLBgTzsbn7c8NKzXvf3viUPgf8zZJDnKT2nzq6p3FVt+ZNcheZfpBUO1WmXadEbmCNGMR6A=,iv:BAh9rLxGcfNt0xrwgJDe9edLaAHoRFFSb0nnlbH6FMQ=,tag:2f3L7mQ+on/3wy64nhCC/Q==,type:str]
lastmodified: "2025-09-23T11:59:25Z"
mac: ENC[AES256_GCM,data:AND2KnSFn0pgZZ4rT6Vt8sF8IFoysn77JKkiA0c829op3LKZe9NjT0O+PkZegOTlJbqKGyScSNqPidEoVpACAbODd3jtos80AO/LbWHgKo7DUuuPsnB7MgDqFF/khvdQQrvOIVoS0JmDScMnPfzZYYn79dilWuSdUcy0AvCdxPk=,iv:tUG1vtt4hHgHByH8IF9snth34MqesgHQmX6J8QH7vns=,tag:QcUXbmS+8+INuGONOzXL4A==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2