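{ config, lib, outputs, utils, ... }:
# NixOS module: one Gitea Actions runner per declared container. Each runner
# lives in its own NixOS container on a shared host bridge, with the host's
# nix daemon socket and the runner secrets bind-mounted in.
#
# Security notes (review):
#  - Jobs carry the "host" label, i.e. they execute directly inside the
#    container as the runner user. That user is a trusted-user of the
#    container's nix daemon (it can override sandbox/substituter settings for
#    its own builds) and has the host daemon socket mounted read-write. What a
#    job can do on the HOST through that socket is bounded by the host's
#    nix.settings.trusted-users / allowed-users, which this file does not set;
#    treat these runners as suitable for trusted workflows only (not fork PRs).
#  - No user namespacing is requested (privateUsers is unset), so uid 601 in
#    the container is uid 601 on the host; files under the mounted secrets
#    directory must be readable by that uid for registration to work.
#  - The default Gitea URL is plain HTTP; the registration token is sent over
#    it when the runner first registers.
with lib;
let
  vars = import ../vars.nix;
  cfg = config.services.nix_builder;

  # Fixed uid/gid so ownership agrees between host and container on the bind
  # mounts (there is no uid remapping for these containers).
  runnerUsername = "gitea-runner";
  runnerUserid = 601;

  # Names of the containers whose `enable` flag is set.
  enabledContainers = attrNames (filterAttrs (_: c: c.enable) cfg.containers);

  # Per-container NixOS configuration (the `config` attribute of the container).
  mkContainerConfig = name: { config, pkgs, lib, ... }: {
    networking = {
      useDHCP = lib.mkDefault true;
      interfaces.eth0.useDHCP = true;
      # Ensure containers don't inherit the host's stub resolver (127.0.0.53),
      # which was causing issues.
      useHostResolvConf = false;
    };

    nix.settings = {
      trusted-substituters = [
        "https://cache.nixos.org"
        "https://cache.tmmworkshop.com"
        "https://nix-community.cachix.org"
      ];
      substituters = [
        "https://cache.nixos.org/?priority=2&want-mass-query=true"
        "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
        "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
      ];
      trusted-public-keys = [
        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
        "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
      ];
      experimental-features = [ "flakes" "nix-command" ];
      sandbox = true;
      allowed-users = [ "gitea-runner" ];
      # NOTE(review): listing the runner as a trusted user lets any job it runs
      # pass arbitrary daemon options (e.g. extra substituters, sandbox=false)
      # to the container's nix daemon. Acceptable only for trusted workflows.
      trusted-users = [ "root" "gitea-runner" ];
    };

    nixpkgs = {
      overlays = builtins.attrValues outputs.overlays;
      config.allowUnfree = true;
    };

    # Same uid/gid as on the host (see the let-bindings above).
    users = {
      users.${runnerUsername} = {
        isSystemUser = true;
        group = runnerUsername;
        uid = runnerUserid;
      };
      groups.${runnerUsername}.gid = runnerUserid;
    };

    services.gitea-actions-runner.instances.${name} = {
      enable = true;
      name = "jeeves-${name}";
      url = cfg.giteaUrl;
      labels = [ "self-hosted:host" "nixos:host" ];
      # Read-only bind mount of the host secrets directory (see bindMounts).
      tokenFile = "/run/secrets/gitea-runners/registration-token";
      hostPackages = with pkgs; [ nixos-rebuild treefmt my_python ];
    };

    # The upstream module defaults to DynamicUser; force the fixed runner user
    # so the bind-mounted paths have a stable, known owner.
    systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
      serviceConfig = {
        DynamicUser = mkForce false;
        User = mkForce runnerUsername;
        Group = mkForce runnerUsername;
      };
    };

    system.stateVersion = "24.05";
  };
in
{
  options.services.nix_builder = {
    bridgeName = mkOption {
      type = types.str;
      default = "br-nix-builder";
      description = "Bridge name for the builder containers.";
    };

    giteaUrl = mkOption {
      type = types.str;
      default = "http://192.168.99.14:6443/";
      description = ''
        URL of the Gitea instance the runners register with.
        With the default plain-HTTP URL the registration token is sent in clear text.
      '';
    };

    containers = mkOption {
      type = types.attrsOf (
        types.submodule (
          { name, ... }: {
            options.enable = mkEnableOption "Gitea runner container";
          }
        )
      );
      default = { };
      description = "Gitea runner container configurations";
    };
  };

  config = {
    # Host-side runner user; must match the container's uid/gid (no uid remapping).
    users = {
      users.${runnerUsername} = {
        isSystemUser = true;
        group = runnerUsername;
        uid = runnerUserid;
      };
      groups.${runnerUsername}.gid = runnerUserid;
    };

    containers = mapAttrs (
      name: containerCfg:
      mkIf containerCfg.enable {
        autoStart = true;
        privateNetwork = true;
        hostBridge = cfg.bridgeName;
        bindMounts = {
          # Host nix daemon socket, exposed at a non-default path. Nothing in
          # this file points NIX_REMOTE at it, so it is presumably consumed by
          # the runner jobs themselves — confirm. Mounted read-write; the
          # container gets whatever access the host daemon grants uid 601.
          host-nix = {
            mountPoint = "/host-nix/var/nix/daemon-socket";
            hostPath = "/nix/var/nix/daemon-socket";
            isReadOnly = false;
          };
          # Registration token directory; read-only in the container.
          token = {
            hostPath = "${vars.secrets}/services/gitea-runners";
            mountPoint = "/run/secrets/gitea-runners";
            isReadOnly = true;
          };
        };
        config = mkContainerConfig name;
      }
    ) cfg.containers;

    # Start each enabled runner container only after the local Gitea service.
    systemd.services = listToAttrs (
      map (name: {
        name = "container@${name}";
        value = {
          requires = [ "gitea.service" ];
          after = [ "gitea.service" ];
        };
      }) enabledContainers
    );
  };
}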