feat: add forgejo runners for cicd

modules/server/forgejo/runners.nix

@@ -0,0 +1,32 @@
+inp: {
+  flake.modules.nixos.server = {
+    pkgs,
+    config,
+    lib,
+    ...
+  }: {
+    sops.secrets."forgejo/token" = {};
+
+    services.gitea-actions-runner = lib.mkIf config.services.forgejo.enable {
+      package = pkgs.forgejo-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://git.${inp.config.flake.meta.web.domain.domain}";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = "/run/secrets/forgejo/token";
+        labels = [
+          "ubuntu-latest:docker://node:16-bullseye"
+          "ubuntu-22.04:docker://node:16-bullseye"
+          "ubuntu-20.04:docker://node:16-bullseye"
+          "ubuntu-18.04:docker://node:16-buster"
+          ## optionally provide native execution on the host:
+          # "native:host"
+        ];
+      };
+    };
+
+    virtualisation.docker.enable = true;
+  };
+}

secrets.yaml

@@ -7,6 +7,8 @@ copyparty:
 cloudflare:
     copyparty: ENC[AES256_GCM,data:SK8qhyjIiOsKzZsnh8W8/BRJmbHoLA6rCGGUzKb9ucbTiiCUhfnaR7A/0SSKKecrMwTmuCos0WnEUe0ixGWJcHncEoLpMyAQMfmL81wbyfDhkxrEjc77aSRomAqM9X/jWg3ocp4oxKKUkEfnnKUqkv4vse+J/lBZjlOoTtwiPoJ1V/GL2JKru/f/LoERQqCEaAqMnQeXJyi/5pf4wPCKLbRQxZ1LCmxeyMMRU0FgOQ==,iv:HqAmQR1SMd4D3uf0eSCfKBCO61mM/Zdfiv/RBlaiJkc=,tag:7ESjgrqkG9RWDAmV/2wGdA==,type:str]
     git: ENC[AES256_GCM,data:QxpLDjVsPiIxSKq6hWUOBS0wWxZ2ccLmSYQA64U3n+Y42Uuaf92pJHt3CQ2ZSaIXWbgpVotln/vBexRA1RH4ZpF5vwyYX1XUwCisv3qdkS/P4/kZIt8TtdvYV1pVwxZRqm58aA0L4ZuNk0q5a1tscrXtLVJ2+uvF9we6Oloz5uMA+XCBwzkqo6Ucbc/47gbUPTRSzMRpY1n8ma71NiensFn0lGtyWfB7TW26pLbSVg==,iv:mZmufTufxBuRkE0YNBwRNV4Shq1Uq2r+MzsNuzPkzQI=,tag:igtKa2VSLBjY9eKWONoKOg==,type:str]
+forgejo:
+    token: ENC[AES256_GCM,data:3bsyRuBeK7+Blph3YUFB92b1pWgLcSUjy5j+2KfigaFubHs6c26zAEuH0bKBZg==,iv:lAJWyZlaV1hP6W6Y2ZkMfFFACcGjnHW/pNuXgPSOLlU=,tag:POmNl8JIidEoHhnjaqqz4A==,type:str]
 sops:
     age:
         - recipient: age1fdrtfvf3ywarc4sq7jjc5d6elas3fr73cfenkkyyj0ck6z9x2d0qlpn92h
@@ -36,7 +38,7 @@ sops:
             MFp0UW1HSW9MbmppcHlNM25CaFhqOWcKppF0dE4YNh+mN1tyZju4zxM6ZFBSKx9U
             cGYtUemtt4s9ko3hPt8ZM/ysKOeZgnYoeG7QQnwSoF3F+/gurvb0Bg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-06T19:57:02Z"
+    lastmodified: "2026-02-10T14:02:32Z"
-    mac: ENC[AES256_GCM,data:SWd5spIxeazSCT6L28UpTzPbnOInunxUy1XahAnP8Z1PmWo1yib56cazi4EGjE4gT3c2kHDcyTTPxj8FEDGHVWfQ3TFtFGMFEBWetC0TUTx7iLcSBCYue3LKtcabIkhsbl01VG5DR/srGWNao0hqp6oMPhsm4dE4DnvKXdJMlWw=,iv:nS/FsHnQuowQLeW+oVnFoLFtY+ZpqfEDfrQugLdNu4g=,tag:S+ncbjxItjzp3ts96O0t3w==,type:str]
+    mac: ENC[AES256_GCM,data:k7Q1vKz+OApin8eUUf6t87JWeXrryG5eK2MMA7uOKVG303aoZ6Th/0LhVq/0uHADZFQDvY3if+CbTcKt1kydVLzHY60zFsRHb1pea7hT0/VQ7LU5PmaNxCkN6YvLfDfHanZ24CcH4dU6RM70VTgy1Dv20rl9EBjv8wIByPFlu9M=,iv:VAAD+AxEOn9akFJZfkwJ7ylbs2PaGspDxvSrXbIXHD0=,tag:xDHbYEgkClGnvsDexs82Yw==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0