From 29e1185694a3b89a7a8069d4128f8dcca7b1993d Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 15:58:24 +0100
Subject: [PATCH] runner: add Forgejo Actions runner on the mediaserver

Adds services/forgejo-runner.nix as a host-gated module on the mediaserver and switches the flake-update workflow from runs-on: ubuntu-latest to the self-hosted fred-nix label, mapped to catthehacker/ubuntu:act-latest for GitHub-action compatibility. Token lives at /var/secrets/forgejo-runner-token so it stays out of the Nix store. Also drops the stray result/ build symlink from the worktree.
Co-Authored-By: Claude Opus 4.7
---
 .forgejo/workflows/update.yml | 2 +-
 common.nix | 1 +
 services/forgejo-runner.nix | 31 +++++++++++++++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 services/forgejo-runner.nix
diff --git a/.forgejo/workflows/update.yml b/.forgejo/workflows/update.yml
index ba11d3e..156e0ca 100644
--- a/.forgejo/workflows/update.yml
+++ b/.forgejo/workflows/update.yml
@@ -7,7 +7,7 @@ on:
 jobs:
 update:
- runs-on: ubuntu-latest
+ runs-on: fred-nix
 permissions:
 contents: write
diff --git a/common.nix b/common.nix
index 8735c6d..a324269 100644
--- a/common.nix
+++ b/common.nix
@@ -35,6 +35,7 @@
 ./services/adguard.nix
 ./services/router.nix
 ./services/crowdsec.nix
+ ./services/forgejo-runner.nix
 ]; ### Make build time quicker
diff --git a/services/forgejo-runner.nix b/services/forgejo-runner.nix
new file mode 100644
index 0000000..dd14137
--- /dev/null
+++ b/services/forgejo-runner.nix
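Review bot: In .forgejo/workflows/update.yml the job keeps `permissions: contents: write` while `runs-on: fred-nix` moves it onto the self-hosted runner on the mediaserver, and nothing visible in the hunk limits which events or branches can start it. The triggers under `on:` sit outside the hunk, so this is inferred: if they allow runs from pull requests or from branches other contributors can push to, that code executes on the mediaserver with a write-capable token. I would add a comment above the changed line such as `# self-hosted: executes on the mediaserver (services/forgejo-runner.nix); keep triggers to schedule/manual only` and confirm the runner is registered for this repository rather than instance-wide. The `update` job body continues past the end of the hunk.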
@@ -0,0 +1,31 @@
+# services/forgejo-runner.nix — self-hosted Forgejo Actions runner.
+#
+# Registers with forg.gregersen.it and runs jobs in Docker containers.
+# Workflows in this repo target `runs-on: fred-nix`, which maps to the
+# catthehacker ubuntu image (the de-facto compatibility image for running
+# GitHub-style workflows on self-hosted runners).
+#
+# The runner registration token is one-time-use: it must exist at the path
+# below on first activation, after which the runner stores its own auth in
+# /var/lib/gitea-runner. To register:
+#
+# echo 'YOUR_REGISTRATION_TOKEN' | sudo tee /var/secrets/forgejo-runner-token
+# sudo chmod 600 /var/secrets/forgejo-runner-token
+{ config, lib, pkgs, ... }:
+{
+ config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "mediaserver";
+ url = "https://forg.gregersen.it";
+ tokenFile = "/var/secrets/forgejo-runner-token";
+ labels = [
+ "fred-nix:docker://catthehacker/ubuntu:act-latest"
+ ];
+ };
+ };
+ };
+}
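Review bot: The registration steps in the header comment create the token file before restricting it: `sudo tee` writes `/var/secrets/forgejo-runner-token` with the default umask and echoes the token to the terminal, and `chmod 600` only runs afterwards. Unless `/var/secrets` is already root-only, creating the file with its final mode first closes that window, e.g. `sudo install -m 600 /dev/null /var/secrets/forgejo-runner-token` followed by `sudo tee /var/secrets/forgejo-runner-token >/dev/null`. The nixpkgs `services.gitea-actions-runner` module describes `tokenFile` as an environment file containing a `TOKEN=` assignment, so the comment should probably show `TOKEN=YOUR_REGISTRATION_TOKEN` rather than the bare value; worth confirming against the module version in use. Separately, the label maps to `catthehacker/ubuntu:act-latest`, a mutable third-party tag, so a dated tag or digest would keep a changed upstream image from being pulled silently onto this host.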