url

nix/home-server.nix

@@ -287,6 +287,73 @@
     };
   };
 
+  services.gitea-actions-runner = {
+    instances.infrastructure = {
+      enable = true;
+      name = "infrastructure-runner";
+      url = "https://git.alexmickelson.guru";
+      tokenFile = "/data/runner/gitea-infrastructure-token.txt";
+      labels = [
+        "home-server"
+        "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+      ];
+      hostPackages = with pkgs; [
+        docker
+        git
+        git-secret
+        zfs
+        sanoid
+        mbuffer
+        lzop
+        kubectl
+        kubernetes-helm
+      ];
+    };
+  };
+
+  systemd.services.gitea-runner-infrastructure.serviceConfig = {
+ 
+    ReadWritePaths = [
+      "/data/cloudflare/"
+      "/data/runner/infrastructure"
+      "/data/runner"
+      "/home/github/infrastructure"
+    ];
+
+    PrivateDevices = false;
+    DeviceAllow = [ "/dev/zfs rw" ];
+
+    ProtectProc = "default";
+    ProtectSystem = false;
+    PrivateMounts = false;
+    PrivateUsers = false;
+    ProtectHome = false;
+
+    Restart = lib.mkForce "always";
+  };
+  users.users.gitea-runner = {
+    isNormalUser = true;
+    description = "Gitea Actions Runner";
+    home = "/home/gitea-runner";
+    createHome = true;
+    extraGroups = [ "docker" ];
+    packages = with pkgs; [
+      kubernetes-helm
+    ];
+    shell = pkgs.bashInteractive;
+  };
+  # users.users.github = {
+  #   isNormalUser = true;
+  #   description = "github";
+  #   extraGroups = [ "docker" ];
+  #   shell = pkgs.fish;
+  #   packages = with pkgs; [
+  #     kubernetes-helm
+  #   ];
+  # };
+
+
+  
   networking.firewall.enable = false;
 
   # This value determines the NixOS release from which the default