dotfiles/systems/jeeves/runners/nix_builder.nix

{
  config,
  lib,
  outputs,
  utils,
  ...
}:

with lib;
let
  vars = import ../vars.nix;
  cfg = config.services.nix_builder;
  runnerUsername = "gitea-runner";
  runnerUserid = 601;
in
{
  options.services.nix_builder = {
    bridgeName = mkOption {
      type = types.str;
      default = "br-nix-builder";
      description = "Bridge name for the builder containers.";
    };

    containers = mkOption {
      type = types.attrsOf (
        types.submodule (
          { name, ... }:
          {
            options.enable = mkEnableOption "Gitea runner container";
          }
        )
      );
      default = { };
      description = "Gitea runner container configurations";
    };
  };

  config = {
    users = {
      users.${runnerUsername} = {
        isSystemUser = true;
        group = runnerUsername;
        uid = runnerUserid;
      };
      groups.${runnerUsername}.gid = runnerUserid;
    };

    containers = mapAttrs (
      name: containerCfg:
      mkIf containerCfg.enable {
        autoStart = true;
        privateNetwork = true;
        hostBridge = cfg.bridgeName;
        bindMounts = {
          host-nix = {
            mountPoint = "/host-nix/var/nix/daemon-socket";
            hostPath = "/nix/var/nix/daemon-socket";
            isReadOnly = false;
          };
          token = {
            hostPath = "${vars.secrets}/services/gitea-runners";
            mountPoint = "/run/secrets/gitea-runners";
            isReadOnly = true;
          };
        };
        config =
          {
            config,
            pkgs,
            lib,
            ...
          }:
          {
            networking = {
              useDHCP = lib.mkDefault true;
              interfaces.eth0.useDHCP = true;
              # Ensure containers don't inherit the host's stub resolver (127.0.0.53) which was causing issues
              useHostResolvConf = false;
            };
            nix.settings = {
              trusted-substituters = [
                "https://cache.nixos.org"
                "https://cache.tmmworkshop.com"
                "https://nix-community.cachix.org"
              ];
              substituters = [
                "https://cache.nixos.org/?priority=2&want-mass-query=true"
                "https://cache.tmmworkshop.com/?priority=2&want-mass-query=true"
                "https://nix-community.cachix.org/?priority=10&want-mass-query=true"
              ];
              trusted-public-keys = [
                "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
                "cache.tmmworkshop.com:jHffkpgbmEdstQPoihJPYW9TQe6jnQbWR2LqkNGV3iA="
                "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
              ];
              experimental-features = [
                "flakes"
                "nix-command"
              ];
              sandbox = true;
              allowed-users = [ "gitea-runner" ];
              trusted-users = [
                "root"
                "gitea-runner"
              ];
            };
            nixpkgs = {
              overlays = builtins.attrValues outputs.overlays;
              config.allowUnfree = true;
            };
            users = {
              users.${runnerUsername} = {
                isSystemUser = true;
                group = runnerUsername;
                uid = runnerUserid;
              };
              groups.${runnerUsername}.gid = runnerUserid;
            };
            services.gitea-actions-runner.instances.${name} = {
              enable = true;
              name = "jeeves-${name}";
              url = "http://192.168.99.14:6443/";
              labels = [
                "self-hosted:host"
                "nixos:host"
              ];
              tokenFile = "/run/secrets/gitea-runners/registration-token";
              hostPackages = with pkgs; [
                bash
                coreutils
                curl
                gawk
                gitMinimal
                gnused
                my_python
                nixos-rebuild
                nodejs
                treefmt
                wget
              ];
            };
            systemd.services."gitea-runner-${utils.escapeSystemdPath name}" = {
              serviceConfig = {
                DynamicUser = mkForce false;
                User = mkForce runnerUsername;
                Group = mkForce runnerUsername;
              };
            };
            system.stateVersion = "24.05";
          };
      }
    ) cfg.containers;

    systemd.services = builtins.listToAttrs (
      map (name: {
        name = "container@${name}";
        value = {
          requires = [ "gitea.service" ];
          after = [ "gitea.service" ];
        };
      }) (builtins.attrNames (filterAttrs (_: c: c.enable) cfg.containers))
    );
  };
}