From 3a86148352806eb4bf887343c521854f5897c0d5 Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Sat, 2 May 2026 17:10:02 -0400
Subject: [PATCH] working nix builder

---
 systems/jeeves/runners/nix_builder.nix | 40 ++++++++++++++++++++------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/systems/jeeves/runners/nix_builder.nix b/systems/jeeves/runners/nix_builder.nix
index e38ee04..bcff4cd 100644
--- a/systems/jeeves/runners/nix_builder.nix
+++ b/systems/jeeves/runners/nix_builder.nix
@@ -2,6 +2,7 @@
 config,
 lib,
 outputs,
+ utils,
 ...
 }:
@@ -9,6 +10,8 @@ with lib;
 let
 vars = import ../vars.nix;
 cfg = config.services.nix_builder;
+ runnerUsername = "gitea-runner";
+ runnerUserid = 601;
 in
 {
 options.services.nix_builder = {
@@ -33,6 +36,15 @@ in
 };
 config = {
+ users = {
+ users.${runnerUsername} = {
+ isSystemUser = true;
+ group = runnerUsername;
+ uid = runnerUserid;
+ };
+ groups.${runnerUsername}.gid = runnerUserid;
+ };
+
 containers = mapAttrs (
 name: containerCfg:
 mkIf containerCfg.enable {
@@ -41,19 +53,14 @@ in
 hostBridge = cfg.bridgeName;
 ephemeral = true;
 bindMounts = {
- storage = {
- hostPath = "/zfs/media/github-runners/${name}";
- mountPoint = "/var/lib/gitea-runner/${name}";
- isReadOnly = false;
- };
 host-nix = {
 mountPoint = "/host-nix/var/nix/daemon-socket";
 hostPath = "/nix/var/nix/daemon-socket";
 isReadOnly = false;
 };
 token = {
- hostPath = "${vars.secrets}/services/gitea-runners/registration-token";
- mountPoint = "${vars.secrets}/services/gitea-runners/registration-token";
+ hostPath = "${vars.secrets}/services/gitea-runners";
+ mountPoint = "/run/secrets/gitea-runners";
 isReadOnly = true;
 };
 };
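Review bot: The `token` bind mount now exposes the whole `${vars.secrets}/services/gitea-runners` directory to every runner container, where before only the single `registration-token` file was visible; unless the containers need other files from that directory, keep the mount file-granular with `hostPath = "${vars.secrets}/services/gitea-runners/registration-token";` and `mountPoint = "/run/secrets/gitea-runners/registration-token";` so a secret added to that directory later is not silently shared with all runners. The mount is read-only, which is right, but the host-side file must be readable by uid 601 (the fixed runner user this patch introduces) for the container service to open it, so the host permissions on that path are part of this change. Separately, dropping the `storage` mount on an `ephemeral = true` container means nothing under `/var/lib/gitea-runner/${name}` survives a container restart; if act_runner keeps its registration state there, each restart would register a fresh runner and leave stale ones on the Gitea side, which is worth confirming is intended and noting in a comment. The enclosing container attrset starts and ends outside this hunk.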
@@ -102,21 +109,36 @@ in
 overlays = builtins.attrValues outputs.overlays;
 config.allowUnfree = true;
 };
+ users = {
+ users.${runnerUsername} = {
+ isSystemUser = true;
+ group = runnerUsername;
+ uid = runnerUserid;
+ };
+ groups.${runnerUsername}.gid = runnerUserid;
+ };
 services.gitea-actions-runner.instances.${name} = {
 enable = true;
 name = "jeeves-${name}";
- url = "https://gitea.tmmworkshop.com";
+ url = "http://192.168.99.14:6443/";
 labels = [
 "self-hosted:host"
 "nixos:host"
 ];
- tokenFile = "${vars.secrets}/services/gitea-runners/registration-token";
+ tokenFile = "/run/secrets/gitea-runners/registration-token";
 hostPackages = with pkgs; [
 nixos-rebuild
 treefmt
 my_python
 ];
 };
+ systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
+ serviceConfig = {
+ DynamicUser = mkForce false;
+ User = mkForce runnerUsername;
+ Group = mkForce runnerUsername;
+ };
+ };
 system.stateVersion = "24.05";
 };
 }
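Review bot: `url = "http://192.168.99.14:6443/";` moves the runner from HTTPS to plain HTTP, so the registration token read from `tokenFile`, the per-job tokens the runner receives and everything the jobs log cross the bridge network unencrypted; if pointing at the internal address is deliberate, terminate TLS there and keep an `https://` URL, or at least leave a comment next to the line stating why the hostname URL was replaced and that the path is trusted. The address and port are also hard-coded here while the rest of the file pulls deployment values from `../vars.nix` (`vars.secrets`), so they are better kept there alongside the other site-specific settings. The `users` block is a verbatim copy of the one added to the host `config = {` hunk; binding it once in the `let` next to `runnerUsername`/`runnerUserid` and referencing it in both places keeps the host and container uid/gid from drifting, which is what the `DynamicUser = mkForce false;` override depends on. The enclosing `mkIf containerCfg.enable {` attrset starts outside this hunk.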