feat: add github-runners

.github/actionlint.yaml

@@ -0,0 +1,4 @@
+---
+self-hosted-runner:
+  labels:
+    - deedee

.github/workflows/nixcache.yaml

@@ -0,0 +1,38 @@
+# yamllint disable rule:comments
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: nix cache
+'on':
+  push:
+    branches:
+      - master
+  pull_request:
+jobs:
+  lint-build-and-push:
+    runs-on: deedee
+    steps:
+      - name: Generate Token
+        uses: actions/create-github-app-token@c1a285145b9d317df6ced56c09f525b5c2b6f755 # v1
+        id: app-token
+        with:
+          app-id: "${{ secrets.BOT_APP_ID }}"
+          private-key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          token: "${{ steps.app-token.outputs.token }}"
+          persist-credentials: false
+
+      - name: Flake Check
+        run: nix flake check
+
+      - name: Build and push to cache
+        run: |
+          for sub in $(nix eval --json '.#nixlab.nixConfig.substituters' | jq -r '.[]' | grep '^s3:'); do
+            for machine in $(nix flake show --json 2> /dev/null | jq -r '.nixosConfigurations | keys | .[]'); do
+              nix copy --to "$sub" ".#nixosConfigurations.$machine.config.system.build.toplevel"
+            done
+
+            nix copy --to "$sub" .#devShells.x86_64-linux.default
+          done

flake.nix

@@ -111,6 +111,8 @@ rec {
     }
     // {
       nixlab = {
+        inherit nixConfig;
+
         system = ./modules/system;
         hardware = {
           incus = ./modules/hardware/incus.nix;

machines/deedee/configuration.nix

@@ -158,6 +158,8 @@ rec {
       pruneAll = true;
     };
 
+    github-runners.enable = true;
+
     incus = {
       enable = true;
       enableUI = true;

machines/deedee/secrets.sops.yaml

@@ -66,6 +66,8 @@ system:
                 FORGEJO__security__SECRET_KEY: ENC[AES256_GCM,data:uvE7nZW/5p7WrrgMPoQb3wHSIJD2LQUAcb6J6J2ODBjpYGGsqZ/syKgt4UldMxbRZZbUhgtFpifiHlyIfXJrzw==,iv:07DDGF0CiAxeQ8qEtM5P+q50KmHIYOUdgUmCNIiE+So=,tag:5O+A8AbDPNyb8YepM3EM/Q==,type:str]
                 FORGEJO__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:mphYVMOM7lQ1qrc7fWghZF5dLJ4VqW30mDfJELH8dX1Q/O+z6t3tCw==,iv:iPdwFYPRvbR9/VmnHGajztDtA+VHhRMuaXmGYWdOBNw=,tag:pkGnUyn9AvQ10F8cmPjg7g==,type:str]
                 FORGEJO__session__PROVIDER_CONFIG: ENC[AES256_GCM,data:qaWz0iQzexcXRNeKVMlsVhidTeACRciCCsePxdtG34GhTRM+G/sl9CqhVhOFaUzsSxdCDgbBg6LOqF3vD7w2whiWKAY62GLumJOC,iv:dNbbOHkzYMHg+Dp93qr8kX7BDtX37owT21tveE5l75Q=,tag:NhgoC+C84dbkEObq0sBPOA==,type:str]
+        github-runners:
+            github_token: ENC[AES256_GCM,data:lyfnLwRBLA3vjEQw1wknORwyax0HomKvbKUNdNjDjY9SXe7WHeBw0S63SU+KCqGG0EeeAftLJHE9bQnoEZZseJ+1aGd3OkIPmkCALDg3tDhQZLRLWBqP2bbvPpsc,iv:2IwJ7YenjWDalR157yHB18jVsIyn55GvreHXiWkYcBM=,tag:VD4Eq1CidC9lfZluDkk1pA==,type:str]
         gluetun:
             env:
                 WIREGUARD_ADDRESSES: ENC[AES256_GCM,data:uucQ8ck/exE9Umjjk8Y2,iv:PlW7cvJFbPp2S9kdXcDRkONbBXt05CE5jpKlRfCdk8A=,tag:Oaya22wc2cBAI3XbCDJWJQ==,type:str]
@@ -217,8 +219,8 @@ sops:
             c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV
             bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-01-09T13:11:34Z"
-    mac: ENC[AES256_GCM,data:2l3FZ+ImkW1iGJikBCbinDZaNm90rCHyy+Ur/q/YfzRVopwftajtSyoAmjuD6XX9a4Y449qlhAyX21r1RmN8tmSRaVIbOG62bCGsI55rhrhzXC5GnAgJN1xWYeBnIIYAOgTIc0PzaV6aCZVI+WtFyiwIyiznooMEnKMuJagqrVs=,iv:GP0cQW8jL9meecBfP3SRSFG2WyO4wyLxvM6L/1u1TBI=,tag:NBnG9xxyfwIpUO/T/mOgtg==,type:str]
+    lastmodified: "2025-01-13T09:40:41Z"
+    mac: ENC[AES256_GCM,data:vU8sGb5SRIok83pYnJoZOJZMzAqv40D5wQXWuzTrVSQGwqKZAf5k6FbBkBSwYdDBFGiNm0+HG71e2DUZDVUNNbsqco9WiflNlmPhbSiRaYLahoTCKzLj3cpzUiFvWGBVLb7HomEKdOSMCgJuVvQPIooSF7tGyYJEZ1cm250cgkk=,iv:QZpsP/NppImZ8ONZe8SRUON2D+cm68yaXmmx7XcDF94=,tag:wq7jaNtNVqb3X4BBDBCtWQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.2

modules/system/apps/default.nix

@@ -5,6 +5,7 @@ _: {
     ./adguardhome
     ./ddclient
     ./docker
+    ./github-runners
     ./incus
     ./letsencrypt
     ./mosquitto

modules/system/apps/github-runners/default.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  cfg = config.mySystemApps.github-runners;
+in
+{
+  options.mySystemApps.github-runners = {
+    enable = lib.mkEnableOption "github runners";
+    runners = lib.mkOption {
+      type = lib.types.int;
+      description = "Number of runners";
+      default = 4;
+    };
+    githubTokenSopsSecret = lib.mkOption {
+      type = lib.types.str;
+      description = "Sops secret name containing cloudflare token.";
+      default = "system/apps/github-runners/github_token";
+    };
+  };
+
+  config =
+    let
+      paddedNum = n: if n < 10 then "0${builtins.toString n}" else builtins.toString n;
+
+      name = "deedee-ops";
+      host = config.networking.hostName;
+      user = "github-runner";
+      group = "github-runner";
+    in
+    lib.mkIf cfg.enable {
+      sops.secrets."${cfg.githubTokenSopsSecret}" = {
+        restartUnits = builtins.map (i: "github-runner-${host}-${name}-${paddedNum i}.service") (
+          lib.lists.range 1 cfg.runners
+        );
+      };
+
+      users = {
+        users."${user}" = {
+          inherit group;
+          isSystemUser = true;
+        };
+        groups."${group}" = { };
+      };
+      nix.settings.trusted-users = [ user ];
+
+      services.github-runners = builtins.listToAttrs (
+        builtins.map (i: {
+          name = "${host}-${name}-${paddedNum i}";
+          value = {
+            inherit user group;
+
+            enable = true;
+            ephemeral = true;
+            extraLabels = [ host ];
+            extraPackages = [
+              pkgs.nix
+              pkgs.coreutils
+              pkgs.gnutar
+              pkgs.jq
+              pkgs.which
+            ];
+            noDefaultLabels = true;
+            replace = true;
+            tokenFile = config.sops.secrets."${cfg.githubTokenSopsSecret}".path;
+            url = "https://github.com/${name}";
+          };
+        }) (lib.lists.range 1 cfg.runners)
+      );
+    };
+}