feat: set forgejo runner and cachix

agenix.nix

@@ -10,4 +10,5 @@ in {
   "secrets/matrix-macaroon.age".publicKeys = [ server jet ];
   "secrets/ntfy-admin-hash.age".publicKeys = [ server jet ];
   "secrets/mymx-webhook.age".publicKeys = [ server jet ];
+  "secrets/forgejo-runner-token.age".publicKeys = [ server jet ];
 }

configuration.nix

@@ -12,6 +12,7 @@
     ./modules/ntfy.nix
     ./modules/uptime-kuma.nix
     ./modules/noisebell.nix
+    ./modules/harmonia.nix
     # mymx module is imported via flake input in flake.nix
   ];
 
@@ -25,6 +26,7 @@
     matrix-macaroon = { file = ./secrets/matrix-macaroon.age; owner = "matrix-synapse"; };
     ntfy-admin-hash.file = ./secrets/ntfy-admin-hash.age;
     mymx-webhook = { file = ./secrets/mymx-webhook.age; owner = "mymx"; };
+    forgejo-runner-token.file = ./secrets/forgejo-runner-token.age;
   };
 
   # Bootloader

modules/forgejo.nix

@@ -52,6 +52,11 @@ in
         ENABLE_SWAGGER = false;
       };
 
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+      };
+
       openid = {
         ENABLE_OPENID_SIGNIN = false;
         ENABLE_OPENID_SIGNUP = false;
@@ -63,6 +68,31 @@ in
 
   services.postgresql.enable = true;
 
+  # Forgejo Actions runner (native shell executor for Nix builds)
+  services.gitea-actions-runner.package = pkgs.forgejo-runner;
+  services.gitea-actions-runner.instances.nix-builder = {
+    enable = true;
+    name = "nix-builder";
+    url = "https://git.extremist.software";
+    tokenFile = config.age.secrets.forgejo-runner-token.path;
+    labels = [ "native:host" ];
+    hostPackages = with pkgs; [
+      bash
+      coreutils
+      curl
+      gawk
+      git
+      gnused
+      nix
+      nodejs
+      wget
+    ];
+    settings = {
+      runner.capacity = 1;
+      cache.enabled = true;
+    };
+  };
+
   # Deploy custom theme CSS to Forgejo's custom directory
   systemd.tmpfiles.rules = [
     "d ${customDir}/public 0755 forgejo forgejo -"

modules/harmonia.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, ... }:
+
+let
+  cacheKeyDir = "/var/lib/harmonia";
+  privKeyPath = "${cacheKeyDir}/cache-priv-key.pem";
+  pubKeyPath = "${cacheKeyDir}/cache-pub-key.pem";
+in
+{
+  # Generate signing key pair on first boot
+  systemd.services.harmonia-setup = {
+    description = "Generate Harmonia binary cache signing key";
+    wantedBy = [ "multi-user.target" ];
+    before = [ "harmonia.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      if [ ! -f ${privKeyPath} ]; then
+        mkdir -p ${cacheKeyDir}
+        ${pkgs.nix}/bin/nix-store --generate-binary-cache-key cache.extremist.software-1 ${privKeyPath} ${pubKeyPath}
+        chmod 600 ${privKeyPath}
+        chmod 644 ${pubKeyPath}
+        echo "Signing key generated. Public key:"
+        cat ${pubKeyPath}
+      fi
+    '';
+  };
+
+  # Harmonia binary cache server
+  services.harmonia = {
+    enable = true;
+    signKeyPath = privKeyPath;
+    settings.bind = "[::]:5000";
+  };
+
+  # Caddy reverse proxy for the cache
+  services.caddy.virtualHosts."cache.extremist.software" = {
+    extraConfig = ''
+      reverse_proxy localhost:5000
+    '';
+  };
+}

secrets/forgejo-runner-token.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 uKftJg fU0ZcssAn/hiRWz31kST0e0uZ0hJhWJn5YDs/5E0Zkg
+H+fZ4adFjLlJ0qvQXMio1rSZkDGBRSeJV/+C8MRvF5U
+-> ssh-ed25519 Ziw7aw IffhRiV6YqLS2RMwp/IeMr+WVcEM7oYK/miN9M6OeCM
+yx50F2Rl6G9AkfvZYdnW3BVVD1Mm5s/0io3nWZi81l4
+--- rM34wtM+TnYXOi1O56eRGchr1mwAl6NXgGpDhjctW/8
+þјaX7<EFBFBD>\<5C>bÇË-³‘îøä¥f)ºH+¤§(o¦éòrÖŒcýuM–ßf8G¼n¼æïæ"k©¢¤˜l¾Õ‘oLŒ`‹™P