actions-runner: switch back to containers

modules/web01/gitea/actions-runner.nix

@@ -1,6 +1,19 @@
 { config, self, pkgs, lib, ... }:
-
+let
+  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
+in
 {
+  systemd.services.gitea-runner-nix-image = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      ${lib.getExe pkgs.podman} load --input=${actions-runner}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
   systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
     after = [ "gitea.service" ];
@@ -23,9 +36,18 @@
     };
   };
 
+  # Format of the token file:
+  virtualisation.podman.enable = true;
+
   systemd.services.gitea-runner-nix = {
-    after = [ "gitea-runner-nix-token.service" ];
-    requires = [ "gitea-runner-nix-token.service" ];
+    after = [
+      "gitea-runner-nix-token.service"
+      "gitea-runner-nix-image.service"
+    ];
+    requires = [
+      "gitea-runner-nix-token.service"
+      "gitea-runner-nix-image.service"
+    ];
 
     # TODO: systemd confinment
     serviceConfig = {
@@ -110,7 +132,7 @@
     url = config.services.gitea.settings.server.ROOT_URL;
     # use your favourite nix secret manager to get a path for this
     tokenFile = "/var/lib/gitea-actions-runner/token";
-    labels = [ "nix:host" ];
+    labels = [ "nix:docker://${actions-runner.imageName}" ];
     hostPackages = with pkgs; [
       bash
       coreutils