gh: works

2025-12-27 07:44:58 +08:00 · 2024-03-26 14:28:26 -04:00 · 2024-03-26 14:28:26 -04:00 · 4cb3d3f1ed
commit 4cb3d3f1ed
parent fbfe594def
2 changed files with 26 additions and 2 deletions
--- a/flake.nix
+++ b/flake.nix
@ -77,6 +77,7 @@
            targetHost = "github-runner";
            targetUser = "srid";
            keys."github-runner-token.secret" = {
+              user = "github-runner";
              keyCommand = read1Password "github-runner-token";
            };
          };
--- a/systems/github-runner.nix
+++ b/systems/github-runner.nix
@ -3,7 +3,7 @@
 # - [ ] Colmena deploy, with keys from 1Password.
 # - [ ] Github Runners
 # - [ ] Distributed builder to host (macOS)
-{ flake, pkgs, lib, ... }:
+{ flake, pkgs, ... }:

 let
  inherit (flake) inputs;
@ -14,6 +14,7 @@ in
    inputs.disko.nixosModules.disko
    "${self}/nixos/disko/trivial.nix"
    "${self}/nixos/parallels-vm.nix"
+    "${self}/nixos/nix.nix"
    "${self}/nixos/self/primary-as-admin.nix"
    "${self}/nixos/server/harden/basics.nix"
  ];
@ -28,6 +29,28 @@ in
      efi.canTouchEfiVariables = true;
    };
  };
-  nix.settings.trusted-users = [ "root" "@wheel" ];
  services.openssh.enable = true;
+
+  # Runners
+  users.users.github-runner = {
+    isSystemUser = true;
+    group = "github-runner";
+  };
+  users.groups.github-runner = { };
+  nix.settings.trusted-users = [ "github-runner" ];
+  services.github-runners = {
+    perpetuum = {
+      enable = true;
+      replace = true;
+      tokenFile = "/run/keys/github-runner-token.secret";
+      extraPackages = with pkgs; [
+        coreutils
+        nixci
+      ];
+      user = "github-runner";
+      group = "github-runner";
+      url = "https://github.com/srid/perpetuum";
+      name = "perpetuum-1";
+    };
+  };
 }