fix(etna): set network to host for forgejo runner

Flake lock file updates:

• Updated input 'ghostty':
    'git+ssh://git@github.com/ghostty-org/ghostty?ref=refs/heads/main&rev=23c924140a2a5054239cd9e4ce773cb5dc613cff' (2024-08-27)
  → 'git+ssh://git@github.com/ghostty-org/ghostty?ref=refs/heads/main&rev=fcb8b04049ba9a4d12d16a18bcc6be4311c9e76e' (2024-08-29)
• Updated input 'mystia':
    'github:soopyc/mystia/affe0b9db4cf176f319fe7f827f99300cede02f3' (2024-08-23)
  → 'github:soopyc/mystia/82be480f3319695151e21ccf4f0a0a648cae4f38' (2024-08-28)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/d0e1602ddde669d5beb01aec49d71a51937ed7be' (2024-08-24)
  → 'github:NixOS/nixpkgs/71e91c409d1e654808b2621f28a327acfdad8dc2' (2024-08-28)
• Updated input 'vscode-extensions':
    'github:nix-community/nix-vscode-extensions/ad07ef4512e976b9537d05b7d2e4a5d7a2965ff7' (2024-08-27)
  → 'github:nix-community/nix-vscode-extensions/7d36ec13978b27d91958a39579a52d28ef015897' (2024-08-29)

configs/common.nix

@@ -3,7 +3,7 @@
   pkgs,
   config,
   _utils,
-  self,
+  camasca,
   nixpkgs,
   agenix,
   home-manager,
@@ -98,12 +98,10 @@ in {
       options = "-d";
     };
 
-    registry = let
+    registry = {
       n.flake = nixpkgs;
-    in {
+      nixpkgs.flake = nixpkgs;
-      inherit n;
+      u.flake = camasca;
-      nixpkgs = n;
-      u.flake = self;
     };
 
     settings = {

configs/desktop.nix

@@ -13,7 +13,7 @@
     ./client.nix
 
     ../programs/ghostty.nix
-    ../programs/gnome.nix
+    ../programs/kde.nix
     ../programs/games.nix
     # ../programs/vscode.nix
 

exprs/default.nix

@@ -1,17 +0,0 @@
-{self, ...}: {
-  flake.nixosModules = {
-    reposilite = import ./reposilite/module.nix self;
-  };
-
-  perSystem = {pkgs, ...}: {
-    packages = {
-      reposilite = pkgs.callPackage ./reposilite/derivation.nix {};
-      enigma = pkgs.callPackage ./pkgs/enigma.nix {};
-      vineflower = pkgs.callPackage ./pkgs/vineflower.nix {};
-
-      wine-discord-ipc-bridge = pkgs.callPackage ./pkgs/wine-discord-ipc-bridge.nix {
-        inherit (pkgs.pkgsCross.mingw32) stdenv;
-      };
-    };
-  };
-}

exprs/pkgs/enigma.nix

@@ -1,42 +0,0 @@
-{
-  stdenv,
-  fetchurl,
-  temurin-bin,
-  makeWrapper,
-  makeDesktopItem,
-  copyDesktopItems,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  name = "enigma";
-  version = "2.5.0";
-
-  src = fetchurl {
-    url = with finalAttrs; "https://maven.fabricmc.net/cuchaz/enigma-swing/${version}/enigma-swing-${version}-all.jar";
-    hash = "sha256-yOPPTKt96aRSbziYDBLBKqfLS2R9GeXgz5m2t1fgFHo=";
-  };
-
-  dontUnpack = true;
-
-  nativeBuildInputs = [makeWrapper copyDesktopItems];
-
-  installPhase = with finalAttrs; ''
-    runHook preInstall
-
-    mkdir -p $out/bin $out/share/${name}
-    cp ${src} $out/share/${name}/${name}.jar
-    makeWrapper ${temurin-bin}/bin/java $out/bin/${name} --add-flags "-jar $out/share/${name}/${name}.jar"
-
-    runHook postInstall
-  '';
-
-  desktopItems = [
-    (makeDesktopItem {
-      name = "enigma";
-      desktopName = "Enigma";
-      exec = "enigma";
-      terminal = false;
-    })
-  ];
-
-  meta.mainProgram = "enigma";
-})

exprs/pkgs/vineflower.nix

@@ -1,31 +0,0 @@
-{
-  stdenv,
-  fetchurl,
-  makeWrapper,
-  jre_headless,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  name = "vineflower";
-  version = "1.10.1";
-
-  src = fetchurl {
-    url = with finalAttrs; "https://github.com/Vineflower/vineflower/releases/download/${version}/vineflower-${version}.jar";
-    hash = "sha256-ubII5QeTtkZXprYpIGdSZhP1Sd50BfkkNiSwL0J25Ak=";
-  };
-
-  nativeBuildInputs = [makeWrapper];
-
-  dontUnpack = true;
-
-  installPhase = with finalAttrs; ''
-    runHook preInstall
-
-    mkdir -p $out/bin $out/share/${name}
-    cp ${src} $out/share/${name}/${name}.jar
-    makeWrapper ${jre_headless}/bin/java $out/bin/${name} --add-flags "-jar $out/share/${name}/${name}.jar"
-
-    runHook postInstall
-  '';
-
-  meta.mainProgram = "vineflower";
-})

exprs/pkgs/wine-discord-ipc-bridge.nix

@@ -1,26 +0,0 @@
-{
-  stdenv,
-  fetchFromGitHub,
-}:
-stdenv.mkDerivation {
-  name = "wine-discord-ipc-bridge";
-
-  src = fetchFromGitHub {
-    owner = "0e4ef622";
-    repo = "wine-discord-ipc-bridge";
-    rev = "f8198c9d52e708143301017a296f7557c4387127";
-    hash = "sha256-tAknITFlG63+gI5cN9SfUIUZkbIq/MgOPoGIcvoNo4Q=";
-  };
-
-  postPatch = ''
-    patchShebangs winediscordipcbridge-steam.sh
-  '';
-
-  installPhase = ''
-    mkdir -p $out/bin
-    cp winediscordipcbridge.exe $out/bin
-    cp winediscordipcbridge-steam.sh $out/bin
-  '';
-
-  meta.platforms = ["i686-windows" "x86_64-linux"];
-}

exprs/reposilite/derivation.nix

@@ -1,38 +0,0 @@
-{
-  lib,
-  stdenv,
-  fetchurl,
-  makeWrapper,
-  jre_headless,
-}:
-stdenv.mkDerivation (finalAttrs: {
-  name = "reposilite";
-  version = "3.5.14";
-
-  src = fetchurl {
-    url = with finalAttrs; "https://maven.reposilite.com/releases/com/reposilite/reposilite/${version}/reposilite-${version}-all.jar";
-    hash = "sha256-qZXYpz6SBXDBj8c0IZkfVgxEFe/+DxMpdhLJsjks8cM=";
-  };
-
-  nativeBuildInputs = [makeWrapper];
-
-  dontUnpack = true;
-
-  installPhase = with finalAttrs; ''
-    runHook preInstall
-
-    mkdir -p $out/bin $out/share/${name}
-    cp ${src} $out/share/${name}/${name}.jar
-    makeWrapper ${jre_headless}/bin/java $out/bin/${name} --add-flags "-jar $out/share/${name}/${name}.jar"
-
-    runHook postInstall
-  '';
-
-  meta = with lib; {
-    description = "Lightweight and easy-to-use repository management software dedicated for the Maven based artifacts in the JVM ecosystem";
-    homepage = "https://reposilite.com/";
-    license = licenses.asl20;
-    platforms = platforms.unix;
-    mainProgram = "reposilite";
-  };
-})

exprs/reposilite/module.nix

@@ -1,79 +0,0 @@
-self: {
-  lib,
-  config,
-  pkgs,
-  ...
-}: let
-  cfg = config.services.reposilite;
-
-  inherit (pkgs.stdenv.hostPlatform) system;
-
-  inherit
-    (lib)
-    getExe
-    literalExpression
-    mdDoc
-    mkDefault
-    mkEnableOption
-    mkIf
-    mkOption
-    mkPackageOption
-    types
-    ;
-in {
-  options.services.reposilite = {
-    enable = mkEnableOption "reposilite";
-    package = mkPackageOption self.packages.${system} "reposilite" {};
-    environmentFile = mkOption {
-      description = mdDoc ''
-        Environment file as defined in {manpage}`systemd.exec(5)`
-      '';
-      type = types.nullOr types.path;
-      default = null;
-      example = literalExpression ''
-        "/run/agenix.d/1/reposilite"
-      '';
-    };
-  };
-
-  config = mkIf cfg.enable {
-    users = {
-      users.reposilite = {
-        isSystemUser = true;
-        group = "reposilite";
-      };
-
-      groups.reposilite = {};
-    };
-
-    systemd.services."reposilite" = {
-      enable = true;
-      wantedBy = mkDefault ["multi-user.target"];
-      after = mkDefault ["network.target"];
-      script = ''
-        ${getExe cfg.package}
-      '';
-
-      serviceConfig = {
-        Type = "simple";
-        Restart = "always";
-
-        EnvironmentFile = mkIf (cfg.environmentFile != null) cfg.environmentFile;
-
-        StateDirectory = "reposilite";
-        StateDirectoryMode = "0700";
-        WorkingDirectory = "/var/lib/reposilite";
-
-        User = "reposilite";
-        Group = "reposilite";
-
-        LimitNOFILE = "1048576";
-        PrivateTmp = true;
-        PrivateDevices = true;
-        ProtectHome = true;
-        ProtectSystem = "strict";
-        AmbientCapabilities = "CAP_NET_BIND_SERVICE";
-      };
-    };
-  };
-}

flake.lock

@@ -50,6 +50,29 @@
         "type": "github"
       }
     },
+    "camasca": {
+      "inputs": {
+        "flake-parts": [
+          "flake-parts"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1724885464,
+        "narHash": "sha256-PQp5tDi+vRp5CEoUTI5NPbdhlDlp109KLDgpwsGH4J8=",
+        "owner": "uku3lig",
+        "repo": "camasca",
+        "rev": "f9ab5b1b70eeb6f5bc0e47375ef11b8f3eb81d25",
+        "type": "github"
+      },
+      "original": {
+        "owner": "uku3lig",
+        "repo": "camasca",
+        "type": "github"
+      }
+    },
     "catppuccin": {
       "locked": {
         "lastModified": 1724469296,
@@ -207,11 +230,11 @@
         "zls": "zls"
       },
       "locked": {
-        "lastModified": 1724730981,
+        "lastModified": 1724906556,
-        "narHash": "sha256-zDUQEJfcKKup13qgVo200kbU/M/ejjLKQF9AkrFI7mY=",
+        "narHash": "sha256-nOU3KyEmLpdIuh1HXLDqKJCYRqtXlelL55doP2rYm24=",
         "ref": "refs/heads/main",
-        "rev": "23c924140a2a5054239cd9e4ce773cb5dc613cff",
+        "rev": "fcb8b04049ba9a4d12d16a18bcc6be4311c9e76e",
-        "revCount": 7080,
+        "revCount": 7101,
         "type": "git",
         "url": "ssh://git@github.com/ghostty-org/ghostty"
       },
@@ -312,11 +335,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724400737,
+        "lastModified": 1724832687,
-        "narHash": "sha256-XDYQF8N7mbQowiqXvPXxK4iQbv0wzakeuKv/m/qbHL0=",
+        "narHash": "sha256-NqhyGfmRbL65TUSItGo5SxNlrMNIqk82RxNU8pbjOwo=",
         "owner": "soopyc",
         "repo": "mystia",
-        "rev": "affe0b9db4cf176f319fe7f827f99300cede02f3",
+        "rev": "82be480f3319695151e21ccf4f0a0a648cae4f38",
         "type": "github"
       },
       "original": {
@@ -371,11 +394,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1724479785,
+        "lastModified": 1724819573,
-        "narHash": "sha256-pP3Azj5d6M5nmG68Fu4JqZmdGt4S4vqI5f8te+E/FTw=",
+        "narHash": "sha256-GnR7/ibgIH1vhoy8cYdmXE6iyZqKqFxQSVkFgosBh6w=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "d0e1602ddde669d5beb01aec49d71a51937ed7be",
+        "rev": "71e91c409d1e654808b2621f28a327acfdad8dc2",
         "type": "github"
       },
       "original": {
@@ -388,6 +411,7 @@
       "inputs": {
         "agenix": "agenix",
         "api-rs": "api-rs",
+        "camasca": "camasca",
         "catppuccin": "catppuccin",
         "crane": "crane",
         "flake-parts": "flake-parts",
@@ -519,11 +543,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1724722238,
+        "lastModified": 1724895129,
-        "narHash": "sha256-DLtiPBpKBIL4+lxu7H8e6gPZvZ3Rb7D8mMh8OieBURM=",
+        "narHash": "sha256-dPFrppp6f2SbgLo2T8+95acFicBhiSLTF/C3iuUrrcw=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "ad07ef4512e976b9537d05b7d2e4a5d7a2965ff7",
+        "rev": "7d36ec13978b27d91958a39579a52d28ef015897",
         "type": "github"
       },
       "original": {

flake.nix

@@ -12,7 +12,6 @@
 
       imports = [
         ./systems
-        ./exprs
       ];
 
       perSystem = {
@@ -22,11 +21,9 @@
       }: {
         apps = (nixinate.nixinate.${system} self).nixinate;
 
-        devShells.default = pkgs.mkShellNoCC {
+        devShells.default = with pkgs;
-          packages = with pkgs; [
+          mkShellNoCC {
-            just
+            packages = [just statix];
-            statix
-          ];
           };
 
         formatter = pkgs.alejandra;
@@ -36,6 +33,12 @@
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-unstable";
 
+    camasca = {
+      url = "github:uku3lig/camasca";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-parts.follows = "flake-parts";
+    };
+
     agenix = {
       url = "github:uku3lig/agenix";
       inputs.nixpkgs.follows = "nixpkgs";

justfile

@@ -8,6 +8,10 @@ switch *args:
     @sudo -v
     sudo nixos-rebuild switch --flake . --keep-going {{args}}
 
+boot *args:
+    @sudo -v
+    sudo nixos-rebuild boot --flake . --keep-going {{args}}
+
 deploy system:
     nix run .#{{system}}
 

programs/fish.nix

@@ -11,6 +11,8 @@
     enable = true;
 
     interactiveShellInit = with pkgs; ''
+      set -gx SSH_AUTH_SOCK /run/user/1000/ssh-agent
+
       if test -f ~/.ssh/id_ed25519
         ssh-add -l | grep -q (ssh-keygen -lf ~/.ssh/id_ed25519) || ssh-add ~/.ssh/id_ed25519
       end

programs/kde.nix

@@ -0,0 +1,22 @@
+{
+  camasca,
+  pkgs,
+  ...
+}: {
+  services.desktopManager.plasma6.enable = true;
+
+  environment = {
+    systemPackages = with pkgs; [
+      flameshot
+      camasca.packages.${pkgs.system}.koi
+    ];
+
+    plasma6.excludePackages = with pkgs.kdePackages; [
+      plasma-browser-integration
+      elisa
+      okular
+      kate
+      khelpcenter
+    ];
+  };
+}

secrets/etna/forgejoRunnerSecret.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1WnZ4dWtjU2JBQ3JDRktR
+K2RDMktEcDdyOGIyOVZ0VGppVm9iRW5kaGlzCno3eXFlc2U2Z3J4TzNIblFiMGlR
+N1FCQnRTcDkxdzhGZkg0WFdqQ2ZpUmMKLT4gWDI1NTE5IC9WbG5iYjdiUFMwNnJK
+QnMwUVordXNGRmlsWXRUNEk4Y1ZSVEV1VzNuVzQKUVZZdStyRGhIdE5oUk5sMTVO
+blVuV2MrejBNNmVhSzdqRmlJYmVlNTlEZwotPiBYMjU1MTkgVTAxKzhxU1JNSWRn
+KzVocEY2ODV2YmxMVk5TRGZyanJjZUFiNjFVMDUyRQpMY0JUU29CeWN1OUM5T2tS
+MVlJYm9MQ3ZvT2VyQXRJanRpMVFWTlJNVENBCi0tLSAyTVplNGFzMm93b1pFVTEr
+MlhKelpvT3dQTWxNNXpqNTdIdHBCbEUrRTZBChSSgqcbi9is6ISM4n0UeA/tsXgM
+6mFlP8XO7o3FWHMvv84gK2861kG8hlITXjAFdsSIkUoA31O45hlr9b6+A/b8M7lu
+PZYdP9leVeh/Dxk=
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -26,4 +26,5 @@ in {
   "etna/nextcloudAdminPass.age".publicKeys = main ++ [etna];
   "etna/turnstileSecret.age".publicKeys = main ++ [etna];
   "etna/navidromeEnv.age".publicKeys = main ++ [etna];
+  "etna/forgejoRunnerSecret.age".publicKeys = main ++ [etna];
 }

systems/etna/default.nix

@@ -76,4 +76,9 @@ in {
     "cloudflared-tunnel-${tunnelId}".serviceConfig.RestartSec = "10s";
     frp.serviceConfig.EnvironmentFile = secrets.get "frpToken";
   };
+
+  virtualisation = {
+    docker.enable = true;
+    oci-containers.backend = "docker";
+  };
 }

systems/etna/forgejo.nix

@@ -1,20 +1,25 @@
 {
+  pkgs,
   config,
   _utils,
   ...
 }: let
-  turnstileSecret = _utils.setupSingleSecret config "turnstileSecret" {
+  secrets = _utils.setupSecrets config {
+    secrets = ["turnstileSecret" "forgejoRunnerSecret"];
+    extra = {
       owner = "forgejo";
       group = "forgejo";
     };
+  };
 in {
-  imports = [turnstileSecret.generate];
+  imports = [secrets.generate];
 
   cfTunnels."git.uku3lig.net" = "http://localhost:3000";
 
   services = {
     forgejo = {
       enable = true;
+      package = pkgs.forgejo; # forgejo-lts by default
 
       database = {
         type = "postgres";
@@ -22,7 +27,7 @@ in {
       };
 
       secrets = {
-        service.CF_TURNSTILE_SECRET = turnstileSecret.path;
+        service.CF_TURNSTILE_SECRET = secrets.get "turnstileSecret";
       };
 
       settings = {
@@ -48,7 +53,10 @@ in {
           ENABLED = true;
         };
 
-        actions.ENABLED = false;
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "https://github.com";
+        };
 
         "ui.meta" = {
           AUTHOR = "uku's forge";
@@ -61,6 +69,29 @@ in {
       };
     };
 
+    gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.etna = {
+        enable = true;
+        name = "etna";
+        url = "https://git.uku3lig.net";
+        tokenFile = secrets.get "forgejoRunnerSecret";
+        labels = [
+          "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
+        ];
+
+        settings = {
+          log.level = "info";
+          container.network = "host";
+          runner = {
+            capacity = 4;
+            timeout = "2h";
+            insecure = false;
+          };
+        };
+      };
+    };
+
     frp.settings.proxies = [
       {
         name = "forgejo-ssh";

systems/etna/minecraft.nix

@@ -44,8 +44,6 @@ in {
     lynn
   ];
 
-  virtualisation.oci-containers.backend = "docker";
-
   systemd.services.restart-minecraft-servers = {
     wantedBy = ["multi-user.target"];
     script = ''

systems/etna/reposilite.nix

@@ -1,5 +1,5 @@
-{self, ...}: {
+{camasca, ...}: {
-  imports = [self.nixosModules.reposilite];
+  imports = [camasca.nixosModules.reposilite];
 
   cfTunnels."maven.uku3lig.net" = "http://localhost:8080";