flake.lock

@@ -82,16 +82,16 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1689638193,
-        "narHash": "sha256-7SCl/TEswRCtVSFD9p2SXKH4iWbXDmly2O1oYsxidDc=",
-        "owner": "DavHau",
+        "lastModified": 1689838306,
+        "narHash": "sha256-rKQERGxsbP+Mkkwgepmy/a3KgYYdbFR7vTgEZ6GMoIA=",
+        "owner": "Mic92",
         "repo": "nixpkgs",
-        "rev": "2ab9f837047affd23ebf27b0175aff34d6b9e7e3",
+        "rev": "4bfb50dc6d66a86e61c6b38f567f7770d54db53e",
         "type": "github"
       },
       "original": {
-        "owner": "DavHau",
-        "ref": "gitea",
+        "owner": "Mic92",
+        "ref": "daemon",
         "repo": "nixpkgs",
         "type": "github"
       }

flake.nix

@@ -8,7 +8,7 @@
 
   inputs = {
     # https://github.com/NixOS/nixpkgs/pull/243252
-    nixpkgs.url = "github:DavHau/nixpkgs/gitea";
+    nixpkgs.url = "github:Mic92/nixpkgs/daemon";
     flake-parts.url = "github:hercules-ci/flake-parts";
     flake-parts.inputs.nixpkgs-lib.follows = "nixpkgs";
     treefmt-nix.url = "github:numtide/treefmt-nix";
@@ -43,8 +43,9 @@
         inputs.treefmt-nix.flakeModule
         ./targets/flake-module.nix
         ./modules/flake-module.nix
+        ./pkgs/flake-module.nix
       ];
-      perSystem = { config, pkgs, inputs', ... }: {
+      perSystem = { pkgs, inputs', ... }: {
         treefmt = {
           projectRootFile = "flake.nix";
           programs.terraform.enable = true;
@@ -70,9 +71,6 @@
               ]))
             ];
           };
-          inherit (pkgs.callPackage ./pkgs/renovate { }) renovate;
-        } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
-          gitea = pkgs.callPackage ./pkgs/gitea { };
         };
       };
     });

modules/web01/gitea/actions-runner.nix

@@ -1,6 +1,19 @@
 { config, self, pkgs, lib, ... }:
-
+let
+  inherit (self.packages.${pkgs.hostPlatform.system}) actions-runner;
+in
 {
+  systemd.services.gitea-runner-nix-image = {
+    wantedBy = [ "multi-user.target" ];
+    script = ''
+      ${lib.getExe pkgs.podman} load --input=${actions-runner}
+    '';
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+  };
+
   systemd.services.gitea-runner-nix-token = {
     wantedBy = [ "multi-user.target" ];
     after = [ "gitea.service" ];
@@ -11,21 +24,30 @@
     script = ''
       set -euo pipefail
       token=$(${lib.getExe self.packages.${pkgs.hostPlatform.system}.gitea} actions generate-runner-token)
-      echo "TOKEN=$token" > /var/lib/gitea-actions-runner/token
+      echo "TOKEN=$token" > /var/lib/gitea-runner/token
     '';
-    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-actions-runner/token" ];
+    unitConfig.ConditionPathExists = [ "!/var/lib/gitea-runner/token" ];
     serviceConfig = {
       User = "gitea";
       Group = "gitea";
-      StateDirectory = "gitea-actions-runner";
+      StateDirectory = "gitea-runner";
       Type = "oneshot";
       RemainAfterExit = true;
     };
   };
 
+  # Format of the token file:
+  virtualisation.podman.enable = true;
+
   systemd.services.gitea-runner-nix = {
-    after = [ "gitea-runner-nix-token.service" ];
-    requires = [ "gitea-runner-nix-token.service" ];
+    after = [
+      "gitea-runner-nix-token.service"
+      "gitea-runner-nix-image.service"
+    ];
+    requires = [
+      "gitea-runner-nix-token.service"
+      "gitea-runner-nix-image.service"
+    ];
 
     # TODO: systemd confinment
     serviceConfig = {
@@ -109,8 +131,8 @@
     # otherwise you need to set it manually
     url = config.services.gitea.settings.server.ROOT_URL;
     # use your favourite nix secret manager to get a path for this
-    tokenFile = "/var/lib/gitea-actions-runner/token";
-    labels = [ "nix:host" ];
+    tokenFile = "/var/lib/gitea-runner/token";
+    labels = [ "nix:docker://${actions-runner.imageName}" ];
     hostPackages = with pkgs; [
       bash
       coreutils

pkgs/actions-runner.nix

@@ -0,0 +1,43 @@
+{ pkgs, inputs }:
+let
+  # FIXME get rid of nix input?
+  base = import (inputs.nix + "/docker.nix") {
+    inherit pkgs;
+    name = "nix-ci-base";
+    maxLayers = 10;
+    extraPkgs = with pkgs; [
+      nodejs_20 # nodejs is needed for running most 3rdparty actions
+      # add any other pre-installed packages here
+    ];
+    # do we want this at all?
+    channelURL = "https://nixos.org/channels/nixpkgs-unstable";
+    nixConf = {
+      substituters = [
+        "https://cache.nixos.org/"
+        "https://nix-community.cachix.org"
+        # insert any other binary caches here
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        # insert the public keys for those binary caches here
+      ];
+      # allow using the new flake commands in our workflows
+      experimental-features = [ "nix-command" "flakes" ];
+    };
+  };
+in
+pkgs.dockerTools.buildImage {
+  name = "nix-runner";
+  tag = "latest";
+
+  fromImage = base;
+  fromImageName = null;
+  fromImageTag = "latest";
+
+  copyToRoot = pkgs.buildEnv {
+    name = "image-root";
+    paths = [ pkgs.coreutils-full ];
+    pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
+  };
+}

pkgs/flake-module.nix

@@ -0,0 +1,12 @@
+{ lib, inputs, ... }: {
+  perSystem = { pkgs, inputs', ... }: {
+    packages = {
+      inherit (pkgs.callPackage ./renovate { }) renovate;
+    } // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
+      gitea = pkgs.callPackage ./gitea { };
+      actions-runner = pkgs.callPackage ./actions-runner.nix {
+        inherit inputs;
+      };
+    };
+  };
+}