feat: set forgejo runner and cachix

2026-03-18 12:25:09 -07:00 · 2026-03-18 12:25:09 -07:00 · 231ff004e1
commit 231ff004e1
parent 5ff23b18ef
5 changed files with 83 additions and 0 deletions
--- a/modules/forgejo.nix
+++ b/modules/forgejo.nix
@ -52,6 +52,11 @@ in
        ENABLE_SWAGGER = false;
      };

+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+      };
+
      openid = {
        ENABLE_OPENID_SIGNIN = false;
        ENABLE_OPENID_SIGNUP = false;
@ -63,6 +68,31 @@ in

  services.postgresql.enable = true;

+  # Forgejo Actions runner (native shell executor for Nix builds)
+  services.gitea-actions-runner.package = pkgs.forgejo-runner;
+  services.gitea-actions-runner.instances.nix-builder = {
+    enable = true;
+    name = "nix-builder";
+    url = "https://git.extremist.software";
+    tokenFile = config.age.secrets.forgejo-runner-token.path;
+    labels = [ "native:host" ];
+    hostPackages = with pkgs; [
+      bash
+      coreutils
+      curl
+      gawk
+      git
+      gnused
+      nix
+      nodejs
+      wget
+    ];
+    settings = {
+      runner.capacity = 1;
+      cache.enabled = true;
+    };
+  };
+
  # Deploy custom theme CSS to Forgejo's custom directory
  systemd.tmpfiles.rules = [
    "d ${customDir}/public 0755 forgejo forgejo -"
--- a/modules/harmonia.nix
+++ b/modules/harmonia.nix
@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+let
+  cacheKeyDir = "/var/lib/harmonia";
+  privKeyPath = "${cacheKeyDir}/cache-priv-key.pem";
+  pubKeyPath = "${cacheKeyDir}/cache-pub-key.pem";
+in
+{
+  # Generate signing key pair on first boot
+  systemd.services.harmonia-setup = {
+    description = "Generate Harmonia binary cache signing key";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "harmonia.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ ! -f ${privKeyPath} ]; then
+        mkdir -p ${cacheKeyDir}
+        ${pkgs.nix}/bin/nix-store --generate-binary-cache-key cache.extremist.software-1 ${privKeyPath} ${pubKeyPath}
+        chmod 600 ${privKeyPath}
+        chmod 644 ${pubKeyPath}
+        echo "Signing key generated. Public key:"
+        cat ${pubKeyPath}
+      fi
+    '';
+  };
+
+  # Harmonia binary cache server
+  services.harmonia = {
+    enable = true;
+    signKeyPath = privKeyPath;
+    settings.bind = "[::]:5000";
+  };
+
+  # Caddy reverse proxy for the cache
+  services.caddy.virtualHosts."cache.extremist.software" = {
+    extraConfig = ''
+      reverse_proxy localhost:5000
+    '';
+  };
+}