{ config, lib, outputs, ... }: with lib; let vars = import ../vars.nix; cfg = config.services.nix_builder; in { options.services.nix_builder = { bridgeName = mkOption { type = types.str; default = "br-nix-builder"; description = "Bridge name for the builder containers."; }; containers = mkOption { type = types.attrsOf ( types.submodule ( { name, ... }: { options.enable = mkEnableOption "GitHub runner container"; } ) ); default = { }; description = "GitHub runner container configurations"; }; }; config = { containers = mapAttrs ( name: containerCfg: mkIf containerCfg.enable { autoStart = true; privateNetwork = true; hostBridge = cfg.bridgeName; ephemeral = true; bindMounts = { storage = { hostPath = "/zfs/media/github-runners/${name}"; mountPoint = "/zfs/media/github-runners/${name}"; isReadOnly = false; }; host-nix = { mountPoint = "/host-nix/var/nix/daemon-socket"; hostPath = "/nix/var/nix/daemon-socket"; isReadOnly = false; }; pat = { hostPath = "${vars.secrets}/services/github-runners/runner_pat"; mountPoint = "${vars.secrets}/services/github-runners/runner_pat"; isReadOnly = true; }; }; config = { config, pkgs, lib, ... }: { networking = { useDHCP = lib.mkDefault true; interfaces.eth0.useDHCP = true; # Ensure containers don't inherit the host's stub resolver (127.0.0.53) which was causing issues useHostResolvConf = false; }; nix.settings = { trusted-substituters = [ "https://cache.nixos.org" "https://cache.tmmworkshop.com" "https://nix-community.cachix.org" ]; substituters = [ "https://cache.nixos.org/?priority=2&want-mass-query=true" "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true" "https://nix-community.cachix.org/?priority=10&want-mass-query=true" ]; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ]; experimental-features = [ "flakes" "nix-command" ]; sandbox = true; allowed-users = [ "github-runners" ]; trusted-users = [ "root" "github-runners" ]; }; nixpkgs = { overlays = builtins.attrValues outputs.overlays; config.allowUnfree = true; }; services.github-runners.${name} = { enable = true; replace = true; workDir = "/zfs/media/github-runners/${name}"; url = "https://github.com/RichieCahill/dotfiles"; extraLabels = [ "nixos" ]; tokenFile = "${vars.secrets}/services/github-runners/runner_pat"; user = "github-runners"; group = "github-runners"; extraPackages = with pkgs; [ nixfmt nixos-rebuild treefmt my_python ]; }; users = { users.github-runners = { shell = pkgs.bash; isSystemUser = true; group = "github-runners"; uid = 601; }; groups.github-runners.gid = 601; }; system.stateVersion = "24.05"; }; } ) cfg.containers; }; }