infra/nix/oracle-gitea-runner/configuration.nix
2023-09-05 21:44:01 +01:00


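# NixOS module for a Forgejo/Gitea Actions runner host.
#
# Enables one runner instance ("oracle-arm") registered against
# https://git.gmem.ca, together with Docker, Tailscale, OpenSSH and an
# nftables-backed firewall.
{ config, pkgs, ... }:
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  nix.settings.experimental-features = [ "nix-command" "flakes" ];
  boot.tmp.cleanOnBoot = true;
  zramSwap.enable = true;

  # Tools available to interactive users on the host.
  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
  ];

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances = {
      oracle-arm = {
        name = "oracle-arm";
        enable = true;
        labels = [
          # Jobs selecting this label run inside a node:18-bullseye container.
          "debian-latest-arm:docker://node:18-bullseye"
          # Jobs selecting this label run directly on the host, with no
          # container boundary, and see the hostPackages below (including the
          # docker client). Route only trusted repositories and workflows here.
          # NOTE(review): the runner service needs Docker access for the
          # docker:// label, so host jobs can probably reach the Docker daemon
          # as well, which is root-equivalent on this machine. Confirm.
          "arm:host"
        ];
        # Packages put on PATH for jobs that use a host execution label.
        hostPackages = with pkgs; [
          bash
          coreutils
          curl
          gawk
          gitMinimal
          gnused
          nodejs
          wget
          docker
          nix
          zstd
        ];
        url = "https://git.gmem.ca";
        # The registration token is read from a file at service start instead
        # of being written inline with `token = "..."`. An inline token ends
        # up in version control and in the world-readable /nix/store, where
        # any local user or CI job on this host can read it.
        #
        # The file is an environment file with a single line, TOKEN=<value>.
        # The path below is a PLACEHOLDER: provision the file out of band
        # (for example with a secrets manager) and restrict it to root.
        # Keep it a string, not a Nix path literal, so it is never copied
        # into the store.
        #
        # Any token that was previously committed inline should be treated as
        # exposed: revoke it on the forge and register the runner with a new
        # one.
        tokenFile = "/run/secrets/PLACEHOLDER-forgejo-runner-token.env";
        settings = {
          # Port of the runner's built-in actions cache server. It is also
          # opened in the firewall below.
          cache.port = 4328;
        };
      };
    };
  };

  programs.zsh.enable = true;
  programs.fish.enable = true;
  environment.shells = with pkgs; [ zsh fish ];

  networking = {
    hostName = "forgejo-action-runner";
    domain = "gmem.ca";
    nameservers = [ "1.1.1.1" "1.0.0.1" ];
    firewall = {
      # All traffic arriving over the tailnet interface is accepted.
      trustedInterfaces = [ "tailscale0" ];
      checkReversePath = "loose";
      enable = true;
      # These ports are open on every interface, including the public one.
      # NOTE(review): nothing in this file listens on 80 or 443, and 4328 is
      # the actions cache port. If the cache only has to be reachable from
      # job containers, and SSH only over Tailscale, scope these with
      # networking.firewall.interfaces.<name>.allowedTCPPorts instead.
      # Confirm what must be reachable from the internet before changing.
      allowedTCPPorts = [ 22 80 443 4328 ];
      allowedUDPPorts = [ ];
    };
    nftables.enable = true;
  };

  users.users = {
    # This public key logs in directly as root over SSH.
    # NOTE(review): consider an unprivileged admin account, and set
    # services.openssh.settings.PasswordAuthentication = false so that only
    # key authentication is accepted.
    root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILIztwQxt+jqroFONSgq+xzPMuE2I5Dq/zWPQ8RcTYJr"
    ];
  };

  virtualisation = {
    docker = {
      enable = true;
    };
  };

  services.openssh.enable = true;
  services.tailscale.enable = true;
  system.stateVersion = "23.11";
}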