From 107ac22292ac76db5bea03b72f1922df9e5bc014 Mon Sep 17 00:00:00 2001
From: Superredstone
Date: Thu, 28 May 2026 11:39:34 +0200
Subject: [PATCH] feat(gitea): add ci runner
---
 machines/bomba/secrets.nix | 10 +++++++++-
 machines/bomba/services/gitea.nix | 14 ++++++++++++--
 secrets/bomba.sops.yaml | 5 +++--
 3 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/machines/bomba/secrets.nix b/machines/bomba/secrets.nix
index 8dd11ab..5b06807 100644
--- a/machines/bomba/secrets.nix
+++ b/machines/bomba/secrets.nix
@@ -1,4 +1,4 @@
-{ ... }:
+{ config, ... }:
 {
 sops =
 let
@@ -20,6 +20,14 @@
 prowlarr_api_key = default;
 seerr_api_key = default;
 indexers_ilcorsaroblu_password = default;
+ gitea_registration_token = default;
+ };
+ templates = {
+ "gitea_runner.env".content = ''
+ GITEA_INSTANCE_URL=${config.services.gitea.settings.server.ROOT_URL}
+ GITEA_RUNNER_NAME="Runner"
+ GITEA_RUNNER_REGISTRATION_TOKEN=${config.sops.placeholder.gitea_registration_token}
+ '';
 };
 };
 }
diff --git a/machines/bomba/services/gitea.nix b/machines/bomba/services/gitea.nix
index e0b2174..4b74309 100644
--- a/machines/bomba/services/gitea.nix
+++ b/machines/bomba/services/gitea.nix
@@ -1,6 +1,6 @@
-{ ... }:
+{ config, ... }:
 {
- services.gitea = {
+ config.services.gitea = {
 enable = true;
 settings = {
 server = {
@@ -11,4 +11,14 @@
 service.DISABLE_REGISTRATION = true;
 };
 };
+
+ config.virtualisation.oci-containers.containers.gitea-act-runner = {
+ image = "docker.io/gitea/act_runner:latest";
+ environmentFiles = [
+ config.sops.templates."gitea_runner.env".path
+ ];
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ };
 }
diff --git a/secrets/bomba.sops.yaml b/secrets/bomba.sops.yaml
index fae4222..cacc528 100644
--- a/secrets/bomba.sops.yaml
+++ b/secrets/bomba.sops.yaml
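Review bot: In the `gitea_runner.env` template added in machines/bomba/secrets.nix, `GITEA_RUNNER_NAME="Runner"` most likely reaches the container with its double quotes intact, because an env file handed to the container runtime is not shell-parsed as far as I know; write `GITEA_RUNNER_NAME=Runner` if the name is meant to be plain. The same template places the decrypted registration token in the container's environment, where it can be read by anything able to inspect the container through the runtime socket, so treat the token as exposed to whoever can reach that socket and consider resetting it in Gitea once the runner has registered. A short comment above the template, such as `# rendered by sops-nix; holds the runner registration token, keep it out of the Nix store`, would tell the next reader why this is a template rather than a plain `environment` attribute. The enclosing `sops` attribute set starts outside this hunk.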
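Review bot: The `volumes` entry of the new `gitea-act-runner` container in machines/bomba/services/gitea.nix bind-mounts the host's `/var/run/docker.sock`, so the runner and every workflow job it starts can drive the host Docker daemon, which is equivalent to root on this machine. If the runner can pick up jobs from repositories or pull requests you do not fully control, point it at a separate daemon instead (a rootless socket or a dedicated docker-in-docker container), or restrict which repositories may use it. The image is also referenced by the mutable `:latest` tag; pinning it, for example `image = "docker.io/gitea/act_runner:<version>@sha256:<digest>";` (placeholders), keeps a changed upstream tag from silently replacing a container that holds that socket. No volume is mounted for the runner's own state, so it presumably re-registers with the token each time the container is re-created; a persistent data volume would avoid that, assuming the image keeps its registration file under `/data` (confirm against the image documentation).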
@@ -8,6 +8,7 @@ sonarr_api_key: ENC[AES256_GCM,data:nm9lcY9/3aMce7MIEK9E+su9o0f7RdOafx52a8vgG8hx prowlarr_api_key: ENC[AES256_GCM,data:UDpnqIP64k8Qt9k/sjbESNostFiGHfLo3CEYfyWppHEwfkjVu1oirdtzDgAO056rxWaLwwcqJs0jDFau5VZi8Q==,iv:N9d9Sdbo/akFecQRYfbrkigq2Za3CXzsRJvNljm1MQM=,tag:Et1kIBHPX4bLlCgqpZf4CA==,type:str] seerr_api_key: ENC[AES256_GCM,data:KDQxxo2W4tz9UokscAUSz7pf7wY2AfsEQpZh2aXGjsQOBgSLt1DEe5LUxealBZju8gabhp4sNGFvp0+ioZpfkg==,iv:V/rbR6bZtVnDhLLVmygGyTf5Ujm8sb2xHy4JuvLiiV8=,tag:MxGzXHbZWgu3H+ICS2tSNQ==,type:str] indexers_ilcorsaroblu_password: ENC[AES256_GCM,data:w3CIGQqLxHEkUHvscZc=,iv:fjsB3zt4Z43MKRECjpa7+gNDzM8D+JK0sbKt2P+Hdiw=,tag:KvLawon+KfrhGmi1TWRHLw==,type:str] +gitea_registration_token: ENC[AES256_GCM,data:aHoUBwPXtlme9RgGObwWt1V90JU5qeVBUtpINrb1hY6XjKi4+kLxAg==,iv:zkgDdx82Lku7/oNIoSoKUIrxvZuyPaGUI411V/rkW9c=,tag:0eBC0Kd71UwokH9scs/AKA==,type:str] sops: age: - enc: | @@ -19,7 +20,7 @@ sops: ZQ17gIIOjhKHlGx8Lo5t/PekzFyQKCKdijS7caq74dVib1vO3tk+uQ== -----END AGE ENCRYPTED FILE----- recipient: age1ynu6zhhy84rr5xqce0flp25x5tnfgskesxfe39u7ewsk900fvagq9sq0lx - lastmodified: "2026-05-24T10:44:51Z" - mac: ENC[AES256_GCM,data:vKUOBMV/FHyWdfJhsGpFmyhyFIM9RjhucfHRCE+jT2orlWDyu215qSfiWlhHLtLSqdh7IIrv2QFDUDhz0JNa0nHe5aoePyg6dsuLeDLvBTlmidSpDITsCcp+yYWtUx1TegmOXXs4GV2mvOboIFo+Ks7mCVy7WOVzoVubhZmHTzo=,iv:FoQbhWk+JZTohbd2CaYLVVcIp792GCH/TtQE7jGQ9+o=,tag:jJrC5nFZODIr856rb+CEiQ==,type:str] + lastmodified: "2026-05-28T09:37:32Z" + mac: ENC[AES256_GCM,data:NNYUj3P5mdw+zS7DLmMVwUOAP1Vz/GTYFLAZWP6pR1Y9+g9/R4mTo2Cb/piMb0Wqopifo4a2VeMPSwkgz2+yGKajqU+LsgCFQRCeWurJxo1NTZTW3jabWYY4aw20piIQAWaOwfpy4pC2uukwS48Wat0vbL+l4hgBRNUUymfukDU=,iv:If1h3b0WVEPwh7mrU/VKqnXG7Yz0wXnXxdiBwiNaYIs=,tag:LojwaxKBLUu40TrDROapnQ==,type:str] unencrypted_suffix: _unencrypted version: 3.13.1