# services/forgejo-runner.nix — self-hosted Forgejo Actions runner.
#
# Registers this host with forg.gregersen.it and executes jobs in Docker
# containers. Workflows in this repo use `runs-on: fred-nix`; that label is
# mapped below to the catthehacker ubuntu image (the de-facto compatibility
# image for running GitHub-style workflows on self-hosted runners).
#
# Registration token
# ------------------
# The runner registration token is one-time-use. It must exist at the token
# path below on first activation; after that the runner stores its own auth
# in /var/lib/gitea-runner, so that directory holds a credential too and
# should stay out of backups or shares that are more widely readable.
#
# The module loads the token file as a systemd EnvironmentFile, so it must be
# in KEY=value format (not the raw token).
#
# Create the file with mode 600 *before* the token is written. Writing it
# with `tee` and running chmod afterwards leaves the token readable under the
# default umask until the chmod runs:
#
#   sudo install -m 600 /dev/null /var/secrets/forgejo-runner-token
#   echo 'TOKEN=YOUR_REGISTRATION_TOKEN' | sudo tee /var/secrets/forgejo-runner-token >/dev/null
#
# NOTE(review): the echo line puts the token in shell history; it is
# one-time-use, but prefer pasting it from an editor or a prompt if the
# history file is shared or backed up.
{ config, lib, pkgs, ... }:

let
  # This module is imported everywhere but only takes effect on one host.
  onMediaserver = config.networking.hostName == "FredOS-Mediaserver";

  # Deliberately a string, not a Nix path literal: a path literal can be
  # copied into the world-readable /nix/store when it is interpolated, which
  # would expose the token to every local user.
  tokenPath = "/var/secrets/forgejo-runner-token";
in
{
  config = lib.mkIf onMediaserver {
    services.gitea-actions-runner.package = pkgs.forgejo-runner;

    services.gitea-actions-runner.instances.default = {
      enable = true;
      name = "mediaserver";
      url = "https://forg.gregersen.it";
      tokenFile = tokenPath;

      # `fred-nix` jobs run inside this Docker image.
      # NOTE(review): `act-latest` is a moving tag, so the job environment
      # can change on the next pull without any change in this repo. Pinning
      # to an immutable reference (an image digest, or a copy in a registry
      # you control) would make that explicit — confirm the label syntax
      # accepts a digest before switching.
      labels = [ "fred-nix:docker://catthehacker/ubuntu:act-latest" ];

      # Resolve `uses: org/repo@v1` against github.com — without this the
      # runner falls back to the Forgejo instance's mirror (data.forgejo.org)
      # which doesn't host most GitHub-marketplace actions.
      #
      # Consequence: every unqualified `uses:` pulls third-party code from
      # github.com and runs it in a job that can see that job's secrets.
      # Workflows should reference actions by full commit SHA rather than a
      # movable tag such as `@v1`.
      settings = {
        runner = {
          default_actions_url = "https://github.com";
        };
      };
    };
  };
}