Add Forgejo Actions Runner with sops secrets

configuration.nix

@@ -146,6 +146,18 @@
     enable = true;
     domain = "git.ashisgreat.xyz";
     disableRegistration = true; # Admin only
+    runner = {
+      enable = true;
+      tokenFile = config.sops.templates."forgejo-runner.env".path;
+    };
+  };
+
+  # Forgejo runner secrets
+  sops.secrets.forgejo_runner_token = { };
+  sops.templates."forgejo-runner.env" = {
+    content = ''
+      TOKEN=${config.sops.placeholder.forgejo_runner_token}
+    '';
   };
 
   # === CrowdSec ===

modules/forgejo.nix

@@ -38,6 +38,28 @@ in
       default = true;
       description = "Disable public user registration";
     };
+
+    runner = {
+      enable = lib.mkEnableOption "Forgejo Actions Runner";
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = config.networking.hostName;
+        description = "Name of the runner";
+      };
+      tokenFile = lib.mkOption {
+        type = lib.types.path;
+        description = "Path to the token file (containing TOKEN=...)";
+      };
+      labels = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [
+          "native:host"
+          "ubuntu-latest:docker://node:20-bullseye"
+          "debian-latest:docker://node:20-bullseye"
+        ];
+        description = "Labels for the runner";
+      };
+    };
   };
 
   config = lib.mkIf cfg.enable {
@@ -87,5 +109,22 @@ in
     myModules.backup.paths = [
       config.services.forgejo.stateDir
     ];
+
+    # Actions Runner
+    services.gitea-actions-runner = lib.mkIf cfg.runner.enable {
+      package = pkgs.forgejo-runner;
+      instances.default = {
+        enable = true;
+        name = cfg.runner.name;
+        url = "https://${cfg.domain}";
+        tokenFile = cfg.runner.tokenFile;
+        labels = cfg.runner.labels;
+        settings = {
+          container = {
+            network = "bridge";
+          };
+        };
+      };
+    };
   };
 }