9 changed files with 112 additions and 48 deletions
--- a/.forgejo/workflows/ci.yaml
+++ b/.forgejo/workflows/ci.yaml
@ -0,0 +1,24 @@
 on:
  push:
    branches:
    - main
  pull_request:
 env:
  NIX_CONFIG: 'extra-platforms = x86_64-linux'
 jobs:
  check:
    runs-on: ubuntu-latest-aarch64
    steps:
      - uses: https://github.com/docker/setup-qemu-action@v3
      - uses: actions/checkout@v4
      - uses: https://github.com/cachix/install-nix-action@v26
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          github_access_token: '${{ secrets.GH_TOKEN }}'
      - uses: https://github.com/cachix/cachix-action@v14
        with:
          name: kitchen
          authToken: '${{ secrets.CACHIX_TOKEN }}'
      - run: nix flake check --accept-flake-config
--- a/.forgejo/workflows/update-flake.yaml
+++ b/.forgejo/workflows/update-flake.yaml
@ -0,0 +1,37 @@
 on:
  schedule:
    - cron: '0 0 * * 1'
 jobs:
  update-flake:
    runs-on: ubuntu-latest-aarch64
    steps:
      - uses: actions/checkout@v4
      - uses: https://github.com/cachix/install-nix-action@v26
        with:
          nix_path: nixpkgs=channel:nixos-unstable
          github_access_token: '${{ secrets.GH_TOKEN }}'
      - name: Create branch
        run: git switch -c update/flake-lock
      - name: Update flake.lock
        run: nix flake update --commit-lock-file
        env:
          GIT_AUTHOR_NAME: kitchen-ci
          GIT_AUTHOR_EMAIL: do-not-reply@buffets.kitchen
          GIT_COMMITTER_NAME: kitchen-ci
          GIT_COMMITTER_EMAIL: do-not-reply@buffets.kitchen
      - name: Push to repo
        run: git push -f origin update/flake-lock
      - name: Create PR
        run: >
          curl -X POST "${{ env.GITHUB_API_URL }}/repos/${{ env.GITHUB_REPOSITORY }}/pulls"
          --fail
          -H "Content-Type: application/json"
          -H "Authorization: token ${{ secrets.BOT_TOKEN }}"
          -d '{
               "title": "build(flake): update inputs",
               "body": "",
               "base": "main",
               "head": "update/flake-lock",
               "assignee": "chef"
              }' || echo PR already open
--- a/hosts/ami/acme.nix
+++ b/hosts/ami/acme.nix
@ -11,7 +11,6 @@
      extraDomainNames = [
        "*.buffet.sh"
        "*.buffets.kitchen"
        "buffets.kitchen"
      ];
    };
--- a/hosts/ami/default.nix
+++ b/hosts/ami/default.nix
@ -19,7 +19,6 @@
    ./murmur.nix
    ./nginx.nix
    ./upgrade.nix
    ./woodpecker.nix
    ../../users/maintainer
  ];
--- a/hosts/ami/forgejo-action-runner.nix
+++ b/hosts/ami/forgejo-action-runner.nix
@ -0,0 +1,47 @@
 {
  config,
  lib,
  pkgs,
  ...
 }: let
  numRunners = 1;
 in {
  age.secrets.kitchen-runner-token = {
    file = ../../secrets/kitchen-runner-token.age;
    owner = "gitea-runner";
  };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances = lib.genAttrs (builtins.genList (n: "runner${builtins.toString n}") numRunners) (name: {
      enable = true;
      inherit name;
      url = config.services.forgejo.settings.server.ROOT_URL;
      tokenFile = config.age.secrets.kitchen-runner-token.path;
      labels = ["docker-aarch64" "ubuntu-latest-aarch64:docker://ghcr.io/catthehacker/ubuntu:act-latest"];
      settings = {
        log.level = "warn";
        container.network = "host";
      };
    });
  };
  systemd.services = lib.genAttrs (builtins.genList (n: "gitea-runner-runner${builtins.toString n}") numRunners) (_: {
    serviceConfig.Nice = 15;
  });
  virtualisation.podman = {
    enable = true;
    autoPrune.enable = true;
    dockerSocket.enable = true;
  };
  users.groups.gitea-runner = {};
  users.users.gitea-runner = {
    isSystemUser = true;
    group = "gitea-runner";
    extraGroups = ["podman"];
    home = "/var/lib/gitea-runner/";
  };
 }
--- a/hosts/ami/forgejo.nix
+++ b/hosts/ami/forgejo.nix
@ -1,6 +1,10 @@
 {pkgs, ...}: let
  port = 3000;
 in {
  imports = [
    ./forgejo-action-runner.nix
  ];
  services = {
    forgejo = {
      enable = true;
@ -10,10 +14,6 @@ in {
          APP_NAME = "buffet's kitchen";
        };
        actions = {
          ENABLED = false;
        };
        admin = {
          SEND_NOTIFICATION_EMAIL_ON_NEW_USER = true;
        };
@ -69,10 +69,6 @@ in {
          DISABLE_REGISTRATION = true;
          ENABLE_NOTIFY_MAIL = true;
        };
        webhook = {
          ALLOWED_HOST_LIST = "external,loopback";
        };
      };
    };
--- a/hosts/ami/woodpecker.nix
+++ b/hosts/ami/woodpecker.nix
@ -1,37 +0,0 @@
 {config, ...}: {
  age.secrets.woodpecker.file = ../../secrets/woodpecker.age;
  services = let
    port = 3007;
  in {
    woodpecker-server = {
      enable = true;
      environment = {
        WOODPECKER_OPEN = "true";
        WOODPECKER_ORGS = "kitchen";
        WOODPECKER_ADMIN = "chef";
        WOODPECKER_HOST = "https://ci.buffets.kitchen/";
        WOODPECKER_SERVER_ADDR = ":${toString port}";
        WOODPECKER_FORGEJO = "true";
        WOODPECKER_FORGEJO_URL = "https://buffets.kitchen/";
      };
      environmentFile = config.age.secrets.woodpecker.path;
    };
    nginx = {
      virtualHosts."build.buffets.kitchen" = {
        useACMEHost = "buffet.sh";
        forceSSL = true;
        locations = {
          "/" = {
            proxyPass = "http://localhost:${toString port}";
          };
        };
      };
    };
  };
 }
--- a/secrets.nix
+++ b/secrets.nix
@ -6,5 +6,4 @@ in {
  "secrets/hetzner-dns.age".publicKeys = [buffet];
  "secrets/kitchen-runner-token.age".publicKeys = [buffet];
  "secrets/msmtppassword.age".publicKeys = [buffet];
  "secrets/woodpecker.age".publicKeys = [buffet];
 }
--- a/secrets/woodpecker.age
+++ b/secrets/woodpecker.age