actions-runner: add Forgejo runner to nix-cache02 with Vault token

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-10 00:41:24 +01:00
parent ff5f166855
commit 117e54a849
5 changed files with 34 additions and 3 deletions
--- a/hosts/nix-cache02/actions-runner.nix
+++ b/hosts/nix-cache02/actions-runner.nix
@@ -0,0 +1,16 @@
+{ ... }:
+{
+  # Fetch runner token from Vault
+  vault.secrets.forgejo-runner-token = {
+    secretPath = "hosts/nix-cache02/forgejo-runner-token";
+    extractKey = "token";
+    mode = "0444";
+    services = [ "gitea-runner-actions1" ];
+  };
+
+  # Override token source and runner capacity
+  services.gitea-actions-runner.instances.actions1 = {
+    tokenFile = "/run/secrets/forgejo-runner-token";
+    settings.runner.capacity = 4;
+  };
+}
--- a/hosts/nix-cache02/default.nix
+++ b/hosts/nix-cache02/default.nix
@@ -3,6 +3,8 @@
    ./configuration.nix
    ./builder.nix
    ./scheduler.nix
+    ./actions-runner.nix
    ../../services/nix-cache
+    ../../services/actions-runner
  ];
 }
--- a/services/actions-runner/default.nix
+++ b/services/actions-runner/default.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  # Trust podman interfaces so containers can reach the runner's cache service.
  # "podman+" is a wildcard matching any interface starting with "podman".
@@ -17,7 +17,7 @@
      enable = true;
      name = config.networking.hostName;
      url = "https://code.t-juice.club";
-      tokenFile = "/var/lib/forgejo-runner/token";
+      tokenFile = lib.mkDefault "/var/lib/forgejo-runner/token";
      labels = [
        "nix:docker://code.t-juice.club/torjus/runner-images/nix:latest"
        "node-bookworm:docker://node:lts-bookworm-slim"
@@ -25,7 +25,7 @@
        "golang:docker://code.t-juice.club/torjus/runner-images/golang:latest"
      ];
      settings = {
-        runner.capacity = 2;
+        runner.capacity = lib.mkDefault 2;
        cache = {
          enabled = true;
          dir = "/var/lib/gitea-runner/actions1/cache";
--- a/terraform/vault/secrets.tf
+++ b/terraform/vault/secrets.tf
@@ -145,6 +145,12 @@ locals {
      password_length = 64
    }

+    # Forgejo runner token for nix-cache02
+    "hosts/nix-cache02/forgejo-runner-token" = {
+      auto_generate = false
+      data          = { token = var.forgejo_runner_token }
+    }
+
    # Loki push authentication (used by Promtail on all hosts)
    "shared/loki/push-auth" = {
      auto_generate   = true
--- a/terraform/vault/variables.tf
+++ b/terraform/vault/variables.tf
@@ -109,3 +109,10 @@ variable "sonarr_api_key" {
  sensitive   = true
 }

+variable "forgejo_runner_token" {
+  description = "Forgejo Actions runner token for nix-cache02"
+  type        = string
+  default     = "PLACEHOLDER"
+  sensitive   = true
+}
+