enable gitea actions

nixos/boxes/bolty/default.nix

@@ -2,6 +2,7 @@
   imports = [
     ../cli.nix
     ./bolty-boot.nix
+    ./gitea-runner.nix
     ./grafana.nix
     ./home-assistant.nix
     ./home-security.nix

nixos/boxes/bolty/gitea-runner-token.sops

@@ -0,0 +1,56 @@
+{
+	"data": "ENC[AES256_GCM,data:FxM+PrQKjDJWrIXJlflAItiZDBtUdmETo54H1slOIMQ1bMP+KamjMwOXOwIDjohq,iv:QllifcjA3Hy6RsJqjMO4EeyuR1DjOjZmr4bIOSVdpsQ=,tag:SqScsAAIddlxBKE8tCLm3g==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age1qpxvqf2254vynw7aah2pyd8tm0lqtfqr9maguewdj3uqjp8smqvssjp43n",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyeEpheDNYa0hCaHBUZDkr\nVGtrMmdzdllTeno2dDU2Sko5RldKWE9kYlFVCkx5L0hVdDhEaFZCWkpidUtpa045\ncldvYmtFNjlRK3VDQ1M0SGJQQzNVVG8KLS0tIFRSaGovTEZhWnFJbGxtQVIwbHdY\nWk1IZFBxZVl1cVkrTnFpd0tmUGxCZDgKTjrh/HhZeuCJX3a4TBUU/GS75nv5GsqJ\niDejCu5wvjuUCfpN79Ubh0SXqgTjBwe8F9/sQAy2l3dFfr0pKQuO8g==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1s3z2rfske90kt93a3z7twp6kew6mqd08sgunupym0gpmuh8ezqqscdrv7m",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4c3RDQmJVUnVVTmxCNXNY\ndXRVbGVzc2QxelBJVHhmVTNYWjY0aHBDZVNBCmRXeW1WdVcrbGpGcUZqQmVoMGtO\nY2g0RzAwSUVUR2wzN0NJY01OaGtjM2sKLS0tIERsUHhnZS9YRkJSUHNDNkpiaEFJ\nWGtYcG03SzFQazZPbXNPcDhZWHV6QlEKiM7qX/n2jpLhu89saXd3+L6ri7mwqSxN\ncwkn0aHOq+c98vXFp2i6dSyepWgZynke3rZyFbgxPx74m+RAqm77wg==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1p76577kkfttxxj8ckwwkhyhhz7qq2d7qf2lenyaa0g3v2gd3eecqhhf9jn",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQVnJkRHJJamltek9EckNJ\nRVowSHJXQWMxUENBeE84WWwzKzZybVFkL3pzCkRuNFFVRXl6TFl0Q0krVEc3cXEx\nSjRCWnFOSWJleWcvRE9NNUx1d0RZNWMKLS0tIHRkRFhySEVTM3hkUGc5SUo0dklV\neWcrc3RaeWZETEhONC9CNUtudldiOGcKGRNR6h5po4jHtBkDFjFPcQlDwsUaYJZq\naBnFfu/kdcwuvvCzxVVBJ1y9RfgqVxOVnAZXUXCyA97orHxa22Hk+A==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1mpgtj57e256q9nqz8jt0jt9ntxrldu0p7aunxx3y5vnerfz04vqqdst2gt",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTCs2ZWtQVEdCcmlkY1dP\nMjRVV3FKM2Ezek1Tak5ZTUtxMU43NVJSam4wCkxSeS9sRkFhNUw3aHcvL1gxV2lM\nNTdYbExZUzhrRlorVzU5MU8zZEREUVkKLS0tIC9hbTVkcFQwcWdTQlJ0V3BteDBD\nQlg4eUpwei9ncW95MjBJdDhiUmhEWEkKEvqPQx1AjKsntfeH0cL7bP4kSqFO7JKB\n0sm+Z6Q8/TI4XasYICj2M2ZOtEMjEpJaIr0dMPwfWOBaWjfgKpkm6w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1msgz4lzqj3wd4yu3mfgxyl5gz0y94al59njv8fqu7s0dvwt9yuvsctlhvu",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTFNOQk9qVmE4UnQwaDFK\ndktmRy84dnZ6b0NIU1FaajI5UXFSWUNZcmhJCmZ3SVY3NjFFOGY3bjQvNDZUcEcv\nM3kwNGR4L25IQVU2MEtNWDJ0WWhIVjQKLS0tIEtjTnl2THZNZjd4aXNJR0ozRWtX\nNFkvVlJaQUNuRlQzalRYWGNCUERxY2sKAXmtyVhvN95s6xrFwEVsw5yyL3yE2bMD\nspOSyP3lungAqVpMJyK5p+iLCOwlk/WtxpgoHUZjn+zdREmj+t9FAA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MDN6UExVTWtzYkJhb0FQ\nZjdWaFIzaE5KcnlzdGpyZk1GZEhMQ2djUVRBCm9xc0xqSVkxUHVXV0UvaytBWE5l\nRFRnMVd1YzBjenJUV3RseWZLTUhva1UKLS0tIEo4R0ZRV1VNSTIrdU5JZmZIMjVi\nT1AxUGplUWJ3VldxOTU1K3BUKzJ6TDgK6NA2ppe4LO5QBnBD3Mj+k0CzGi4s3coT\nHq2SBqy5JDyZOmkJ9uXdKg3LyJtXtR/LMVG9FdVErHCqoWgIhBSnzQ==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age10f7djsyu5fwew2l2x89a4st4qw4xdkyr3z7qd8frs54yqz7cayvqruttla",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0NE4yT0xmUWo0QTZqS2FQ\nQXJaT1lkbWhHdkhvNDEyblVNS0Q3NE5aNlNRCnlWY0pudXdiSzlpYWZEQnFlYTE0\ncGlqblA0ZUxqUFFEZ0dqRk9Bdkpvb1EKLS0tIFBPeUw5K3ZLam4zRTh6b3dERVhm\nV3lEakQrcFVCc0F3Vkd6cWswRStLY1EK4Yg6cDOoknpPB4pzkRjAmf095IHTOAxJ\n4pqsQdc6xFy9SKACtfVWh9cNLFyDCEtsvu072tfMrqLJ0lWc2Kw8Hw==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age18vg9wvmj2jc8tdcyc202v46lvfndqfe3dse2hewx0snalpvk43fqc22n6y",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5a0ZDVko1N3cxUlVhWUV0\nc0lXTGNIMXBzOTdTR25qaCs1YklaQ3dqazJRCmY1UGkvczRmZWZ2ckhudld1SjIv\nVk1wQ3g5dHl3c3E2ZWI0RG9sZXJnWUEKLS0tIDBBVjZZTUpLWHVqWlFqVXJWTlFr\nb3dWWU9SRER0VjVWRTlhTWhZS0h1a3MKUCM6eGPPd+Pjz3sLjYyBvkqMTZhDZbXl\nVdKhvbL2vcJBgBKe4uFIBXDpcIytVhx72qu4z1WgWZKsHqyQx8OETA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1n09swn3qekcuw23vksp7hv4hpg0krlag3c5qcjjaf08m99c3ysqs6sxeyk",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmOEpXU3ZrQmZHZFdtNDJE\neVVBa2pDR3l4NURuYm1tSkVTMTVmbVF4YVZJClZCdEx6ZUNxRlhCb0s2ZnVaYVJB\nTVcxNnlIN1NGMTVpOURTc0s2UXRRcWMKLS0tIDlyWlZCNmFsUEF0WjlHSW9MUndV\nd3RRM2pOMXNMTmZhSEh5aE1ONkErUTgKBCQvdhHADUvvRdN0HeUvwaZY/XrXv5u3\nSxQAOt3wb+OT0WZZVkSiQ9nUbavcaC7aBk7LmDYbcG2hDZJbiLY17w==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age1tt4c8t72fha2fj7xlm0dew5avmkdxujmgplte4qm7sxlcucggedq0eyk7t",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRTXVwRzVSd2NSSi90SVVu\na05jeitPNnE5TVJ1NXk5WGd6UnhObUwveHg0CjU0dTNxUUdtb253ZHdTMFkycWdI\nbjZsanUwSGdHcFZkckIrRDRTWldha3cKLS0tIE8wM09WMnhNeklnYytUWkVTc01E\neldXYlJXRm1OMWo0T1U3UlY4SFBndVEKs56uk3j02g1g7Ae16UGfwRQJghPvS8iG\nDcIrJp6tb5ToYKeAGcTDpDvaQeNWKBX6fSLVIiJbgDWIbbZp1HRYpw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2023-06-01T21:09:15Z",
+		"mac": "ENC[AES256_GCM,data:i5yS9G0BiQppdmQSIZ0e1iPt3HmpiSogIZQ4f4sOjvDh/cGII8KzcYhjjQkzVpDqYjXiFag3YnrzoCgOTH19D2H2ud+iTULqDIM+T4DSmAfc2cxzhrfqC1qp1EEuLY7dLr3QKUhd5NNv1PhQX4jbBzzz6CRo/nGKp65uMDBIFTw=,iv:ExFa9n/vZJESH+UhOpQy4SROwUN1Q8SbNEGOcmGJNtw=,tag:OqQnV4DCjSqc8t7WdT0uBQ==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.7.3"
+	}
+}

nixos/boxes/bolty/gitea-runner.nix

@@ -0,0 +1,17 @@
+{ config, pkgs, inputs, lib, ... }: {
+  sops.secrets."gitea-runner-token" = {
+    sopsFile = ./gitea-runner-token.sops;
+    format = "binary";
+  };
+  virtualisation.podman = {
+    enable = true;
+    autoPrune.enable = true;
+  };
+  services.gitea-actions-runner.instances.bolty1 = {
+    enable = true;
+    url = "https://git.cyplo.dev";
+    tokenFile = config.sops.secrets."gitea-runner-token".path;
+    name = "bolty1";
+    labels = [ ];
+  };
+}

nixos/boxes/bolty/woodpecker-agent.nix

@@ -1,111 +0,0 @@
-{ config, pkgs, inputs, lib, ... }:
-let
-  agentPort = 9000;
-  domain = "ci.cyplo.dev";
-  uid = 2061;
-  gid = 3061;
-  systemUserName = "woodpecker";
-  systemGroupName = "woodpecker";
-  podmanGid = 994;
-  secretSettings = {
-    owner = systemUserName;
-    group = systemGroupName;
-  };
-  woodpeckerEnvSecretName = "woodpecker-env";
-  woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
-  woodpeckerNixStorePath = "/var/lib/woodpecker/nix-store";
-  woodpeckerAgentContainer = {
-    autoStart = true;
-    forwardPorts = [ ];
-    bindMounts = {
-      "${woodpeckerEnvSecretPath}" = {
-        hostPath = "${woodpeckerEnvSecretPath}";
-        isReadOnly = true;
-      };
-      "${woodpeckerNixStorePath}" = {
-        hostPath = woodpeckerNixStorePath;
-        isReadOnly = false;
-      };
-      "/var/run/docker.sock" = {
-        hostPath = "/var/run/podman/podman.sock";
-        isReadOnly = false;
-      };
-    };
-    config = { config, pkgs, lib, ... }: {
-      system.stateVersion = "22.11";
-      users = {
-        mutableUsers = false;
-        allowNoPasswordLogin = true;
-        users."${systemUserName}" = {
-          inherit uid;
-          isSystemUser = true;
-          isNormalUser = false;
-          group = systemGroupName;
-        };
-        groups."${systemGroupName}" = {
-          inherit gid;
-          members = [ "${systemUserName}" ];
-        };
-        groups."podman" = {
-          gid = podmanGid;
-          members = [ "${systemUserName}" ];
-        };
-      };
-
-      systemd.services.woodpecker-agent = {
-        enable = true;
-        wantedBy = [ "multi-user.target" ];
-
-        environment = {
-          WOODPECKER_SERVER = "${domain}:${toString agentPort}";
-          WOODPECKER_MAX_PROCS = "1";
-          WOODPECKER_DEBUG_PRETTY = "true";
-          WOODPECKER_LOG_LEVEL = "debug";
-        };
-        serviceConfig = {
-          EnvironmentFile = [ woodpeckerEnvSecretPath ];
-          ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
-          User = systemUserName;
-          Group = systemGroupName;
-        };
-      };
-    };
-  };
-in {
-  users = {
-    users."${systemUserName}" = {
-      inherit uid;
-      isSystemUser = true;
-      isNormalUser = false;
-      group = systemGroupName;
-      extraGroups = [ "podman" ];
-    };
-    groups."${systemGroupName}" = {
-      inherit gid;
-      members = [ "${systemUserName}" ];
-    };
-    groups."podman" = {
-      gid = podmanGid;
-      members = [ "${systemUserName}" ];
-    };
-  };
-
-  sops.secrets."woodpecker-env" = {
-    sopsFile = ../vpsfree1/gitea.sops;
-    format = "binary";
-    path = woodpeckerEnvSecretPath;
-  } // secretSettings;
-
-  virtualisation.podman = { enable = true; };
-  systemd.services.woodpecker-make-path = {
-    script = ''
-      mkdir -p ${woodpeckerNixStorePath}
-      chown -R ${systemUserName}:${systemGroupName} ${woodpeckerNixStorePath}
-    '';
-    serviceConfig = { Type = "oneshot"; };
-  };
-
-  containers.woodpecker-agent1 = woodpeckerAgentContainer;
-  systemd.services."container@woodpecker-agent1".requires =
-    [ "woodpecker-make-path.service" ];
-}

nixos/boxes/vpsfree1/gitea.nix

@@ -94,6 +94,7 @@ in {
           security.INSTALL_LOCK = true;
           oauth2.ENABLE = false;
           log.LEVEL = "Info";
+          actions.ENABLED = true;
           "markup.mermaid" = {
             ENABLED = true;
             FILE_EXTENSIONS = ".md";