Add Gitea Actions Runner and update OpenCode config

- Add Gitea Actions Runner service on m3-atlas with nixos:host label - Configure agenix secret for runner token - Add Antigravity provider models to OpenCode config - Switch m3ta-nixpkgs to local path for development
2026-01-14 20:55:23 +01:00
parent e1de4805ce
commit f9415c05f9
10 changed files with 235 additions and 61 deletions
--- a/.beads/.sync.lock
+++ b/.beads/.sync.lock
--- a/.beads/sync_base.jsonl
+++ b/.beads/sync_base.jsonl
@@ -0,0 +1,2 @@
 {"id":"nixos-config-gx2","title":"form","status":"tombstone","priority":2,"issue_type":"task","created_at":"2026-01-11T11:49:21.688289476+01:00","created_by":"m3tam3re","updated_at":"2026-01-11T11:51:36.426124223+01:00","deleted_at":"2026-01-11T11:51:36.426124223+01:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"}
 {"id":"nixos-config-n4l","title":"Create Gitea action for nix-update package updates","description":"Create a Gitea action to automatically update packages in this nixos-config repository using nix-update.\n\n**Context:**\n- Gitea instance is already running on m3-atlas at code.m3ta.dev (configured in hosts/m3-atlas/services/gitea.nix)\n- The repository is self-hosted on this Gitea instance\n- nix-update is already referenced in home/features/cli/default.nix\n- Currently no Gitea workflows exist (.gitea/ directory does not exist)\n\n**Goal:**\nAutomate package updates by creating a Gitea Actions workflow that:\n1. Runs nix-update periodically (e.g., weekly or on schedule)\n2. Updates package definitions in pkgs/ directory\n3. Creates pull requests with the updates\n4. Uses appropriate secrets/credentials for the Gitea instance\n\n**Requirements:**\n- Create .gitea/workflows/ directory structure\n- Define workflow file with nix-update command\n- Configure triggers (schedule, manual, or on repository events)\n- Set up proper permissions and secrets\n- Test the workflow execution\n\n**Current Repository State:**\n- pkgs/default.nix exists but is minimal (currently just a comment)\n- Multiple nixpkgs inputs are used (unstable, 25.11, locked, master)\n- Custom m3ta-nixpkgs overlay at code.m3ta.dev/m3tam3re/nixpkgs\n- Uses agenix for secrets management\n\n**Related Files:**\n- hosts/m3-atlas/services/gitea.nix (existing Gitea configuration)\n- hosts/common/ports.nix (port management)\n- home/features/cli/default.nix (nix-update reference)\n\n**Acceptance Criteria:**\n- [ ] Create .gitea/workflows directory\n- [ ] Implement nix-update workflow YAML\n- [ ] Configure appropriate triggers\n- [ ] Test workflow on the repository\n- [ ] Document setup and configuration","status":"closed","priority":2,"issue_type":"feature","owner":"p@m3ta.dev","created_at":"2026-01-13T20:39:49.838916335+01:00","created_by":"m3tm3re","updated_at":"2026-01-13T20:51:43.833041989+01:00","closed_at":"2026-01-13T20:51:43.833041989+01:00","close_reason":"Closed"}
--- a/flake.lock
+++ b/flake.lock
@@ -24,11 +24,11 @@
    "agents": {
      "flake": false,
      "locked": {
-        "lastModified": 1767965833,
+        "lastModified": 1768312204,
-        "narHash": "sha256-8tKEfJU4bxlgPJwUTUDQkVJMbwWQMiYt+moLjMIFeVY=",
+        "narHash": "sha256-wB1pEROaXzJzxCaJwOyXmD0gq8/hv7OeEw3jNXrPwAc=",
        "ref": "refs/heads/master",
-        "rev": "3e20c82603a4ddedf04ff001adf943723a49dc37",
+        "rev": "cfa0f8f942545434a825fedf0a49061d26fff73d",
-        "revCount": 7,
+        "revCount": 9,
        "type": "git",
        "url": "https://code.m3ta.dev/m3tam3re/AGENTS"
      },
@@ -243,8 +243,8 @@
        "nixpkgs": "nixpkgs_3"
      },
      "locked": {
-        "lastModified": 1768245745,
+        "lastModified": 1768419432,
-        "narHash": "sha256-CHspl0D+ougqFToY6d0ZQk5KtNfCyB8AWnmeVWkuuRk=",
+        "narHash": "sha256-EwJZcXCEF1ExSfZP4asi1ATOhj1xcvH3tIe5nDSk9Oc=",
        "path": "/home/m3tam3re/p/NIX/nixpkgs",
        "type": "path"
      },
@@ -435,11 +435,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1766309749,
+        "lastModified": 1768127708,
-        "narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
+        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
+        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@@ -22,12 +22,12 @@
    nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
    nixpkgs-master.url = "github:nixos/nixpkgs/master";
-    m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
+    # m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
-    # m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
+    m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
    #
    nur = {
      url = "github:nix-community/NUR";
-      ist456nputs.nixpkgs.follows = "nixpkgs";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    agenix.url = "github:ryantm/agenix";
--- a/home/features/coding/opencode.nix
+++ b/home/features/coding/opencode.nix
@@ -22,8 +22,10 @@
    enable = true;
    settings = {
      theme = "opencode";
-      plugin = ["oh-my-opencode" "opencode-beads"];
+      plugin = ["oh-my-opencode" "opencode-beads" "opencode-antigravity-auth@beta"];
-      agent = builtins.fromJSON (builtins.readFile "${inputs.agents}/agent/agents.json");
+      agent =
        builtins.fromJSON
        (builtins.readFile "${inputs.agents}/agent/agents.json");
      formatter = {
        alejandra = {
          command = ["alejandra" "-q" "-"];
@@ -72,6 +74,129 @@
          enabled = true;
        };
      };
      provider = {
        google = {
          models = {
            antigravity-gemini-3-pro = {
              name = "Gemini 3 Pro (Antigravity)";
              limit = {
                context = 1048576;
                output = 65535;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
              variants = {
                low = {thinkingLevel = "low";};
                high = {thinkingLevel = "high";};
              };
            };
            antigravity-gemini-3-flash = {
              name = "Gemini 3 Flash (Antigravity)";
              limit = {
                context = 1048576;
                output = 65536;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
              variants = {
                minimal = {thinkingLevel = "minimal";};
                low = {thinkingLevel = "low";};
                medium = {thinkingLevel = "medium";};
                high = {thinkingLevel = "high";};
              };
            };
            antigravity-claude-sonnet-4-5 = {
              name = "Claude Sonnet 4.5 (Antigravity)";
              limit = {
                context = 200000;
                output = 64000;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
            };
            antigravity-claude-sonnet-4-5-thinking = {
              name = "Claude Sonnet 4.5 Thinking (Antigravity)";
              limit = {
                context = 200000;
                output = 64000;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
              variants = {
                low = {thinkingConfig = {thinkingBudget = 8192;};};
                max = {thinkingConfig = {thinkingBudget = 32768;};};
              };
            };
            antigravity-claude-opus-4-5-thinking = {
              name = "Claude Opus 4.5 Thinking (Antigravity)";
              limit = {
                context = 200000;
                output = 64000;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
              variants = {
                low = {thinkingConfig = {thinkingBudget = 8192;};};
                max = {thinkingConfig = {thinkingBudget = 32768;};};
              };
            };
            "gemini-2.5-flash" = {
              name = "Gemini 2.5 Flash (Gemini CLI)";
              limit = {
                context = 1048576;
                output = 65536;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
            };
            "gemini-2.5-pro" = {
              name = "Gemini 2.5 Pro (Gemini CLI)";
              limit = {
                context = 1048576;
                output = 65536;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
            };
            "gemini-3-flash-preview" = {
              name = "Gemini 3 Flash Preview (Gemini CLI)";
              limit = {
                context = 1048576;
                output = 65536;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
            };
            "gemini-3-pro-preview" = {
              name = "Gemini 3 Pro Preview (Gemini CLI)";
              limit = {
                context = 1048576;
                output = 65535;
              };
              modalities = {
                input = ["text" "image" "pdf"];
                output = ["text"];
              };
            };
          };
        };
      };
    };
  };
--- a/hosts/m3-atlas/secrets.nix
+++ b/hosts/m3-atlas/secrets.nix
@@ -1,51 +1,35 @@
 {
  age = {
    secrets = {
-      baserow-env = {
+      baserow-env = { file = ../../secrets/baserow-env.age; };
-        file = ../../secrets/baserow-env.age;
+      ghost-env = { file = ../../secrets/ghost-env.age; };
      };
      ghost-env = {
        file = ../../secrets/ghost-env.age;
      };
      kestra-config = {
        file = ../../secrets/kestra-config.age;
        mode = "644";
      };
-      kestra-env = {
+      kestra-env = { file = ../../secrets/kestra-env.age; };
-        file = ../../secrets/kestra-env.age;
+      littlelink-m3tam3re = { file = ../../secrets/littlelink-m3tam3re.age; };
-      };
+      minio-root-cred = { file = ../../secrets/minio-root-cred.age; };
-      littlelink-m3tam3re = {
+      n8n-env = { file = ../../secrets/n8n-env.age; };
-        file = ../../secrets/littlelink-m3tam3re.age;
+      paperless-key = { file = ../../secrets/paperless-key.age; };
-      };
+      restreamer-env = { file = ../../secrets/restreamer-env.age; };
-      minio-root-cred = {
+      searx = { file = ../../secrets/searx.age; };
-        file = ../../secrets/minio-root-cred.age;
+      tailscale-key = { file = ../../secrets/tailscale-key.age; };
      };
      n8n-env = {
        file = ../../secrets/n8n-env.age;
      };
      paperless-key = {
        file = ../../secrets/paperless-key.age;
      };
      restreamer-env = {
        file = ../../secrets/restreamer-env.age;
      };
      searx = {
        file = ../../secrets/searx.age;
      };
      tailscale-key = {
        file = ../../secrets/tailscale-key.age;
      };
      traefik = {
        file = ../../secrets/traefik.age;
        owner = "traefik";
      };
-      vaultwarden-env = {
+      vaultwarden-env = { file = ../../secrets/vaultwarden-env.age; };
        file = ../../secrets/vaultwarden-env.age;
      };
      m3tam3re-secrets = {
        file = ../../secrets/m3tam3re-secrets.age;
        owner = "m3tam3re";
      };
      gitea-runner-token = {
        file = ../../secrets/gitea-runner-token.age;
        mode = "600";
        owner = "gitea-runner";
        group = "gitea-runner";
      };
    };
  };
 }
--- a/hosts/m3-atlas/services/default.nix
+++ b/hosts/m3-atlas/services/default.nix
@@ -2,6 +2,7 @@
  imports = [
    ./containers
    ./gitea.nix
    ./gitea-actions-runner.nix
    ./headscale.nix
    ./minio.nix
    ./mysql.nix
--- a/hosts/m3-atlas/services/gitea-actions-runner.nix
+++ b/hosts/m3-atlas/services/gitea-actions-runner.nix
@@ -0,0 +1,58 @@
 {
  config,
  pkgs,
  ...
 }: {
  services.gitea-actions-runner = {
    instances.default = {
      enable = true;
      name = "${config.networking.hostName}-runner";
      url = "https://code.m3ta.dev";
      tokenFile = config.age.secrets.gitea-runner-token.path;
      # nixos:host is primary, ubuntu is fallback
      labels = [
        # Primary: Run directly on host (fastest, has Nix installed)
        "nixos:host"
        # Fallback: Docker-based execution for compatibility
        "ubuntu-latest:docker://node:18-bullseye"
        "ubuntu-22.04:docker://node:20-bullseye"
      ];
      # Host execution packages
      hostPackages = with pkgs; [
        git
        bash
        coreutils
        nix
        # Add any other tools you need for nix-update workflows
      ];
      # Advanced settings
      settings = {
        runner = {
          capacity = 1; # One job at a time (increase if you have resources)
          timeout = "4h"; # Nix builds can take a while
        };
        cache = {enabled = true;};
        container = {
          enable_ipv6 = true;
          privileged = false;
        };
      };
    };
  };
  # User management (auto-created by module, but ensuring proper setup)
  users.users.gitea-runner = {
    home = "/var/lib/gitea-runner";
    group = "gitea-runner";
    isSystemUser = true;
    createHome = true;
  };
  users.groups.gitea-runner = {};
  # Firewall: Allow Podman bridge networks for cache actions
  networking.firewall.trustedInterfaces = ["br-+"];
 }
--- a/secrets.nix
+++ b/secrets.nix
@@ -1,22 +1,20 @@
 let
  # SYSTEMS
-  m3-ares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s";
+  m3-ares =
-  m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s";
-  m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
+  m3-kratos =
-  m3-atlas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H";
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
  m3-helios =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
  m3-atlas =
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H";
  # USERS
-  m3tam3re = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
+  m3tam3re =
-  users = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
-    m3tam3re
+  users = [ m3tam3re ];
  ];
-  systems = [
+  systems = [ m3-atlas m3-ares m3-helios m3-kratos ];
    m3-atlas
    m3-ares
    m3-helios
    m3-kratos
  ];
 in {
  "secrets/anytype-key.age".publicKeys = systems ++ users;
  "secrets/anytype-key-ares.age".publicKeys = systems ++ users;
@@ -31,6 +29,7 @@ in {
  "secrets/paperless-key.age".publicKeys = systems ++ users;
  "secrets/ref-key.age".publicKeys = systems ++ users;
  "secrets/exa-key.age".publicKeys = systems ++ users;
  "secrets/gitea-runner-token.age".publicKeys = systems ++ users;
  "secrets/restreamer-env.age".publicKeys = systems ++ users;
  "secrets/searx.age".publicKeys = systems ++ users;
  "secrets/tailscale-key.age".publicKeys = systems ++ users;
--- a/secrets/gitea-runner-token.age
+++ b/secrets/gitea-runner-token.age
@@ -0,0 +1,5 @@
 age-encryption.org/v1
 -> ssh-ed25519 4NLKrw yQsk1NS2ujPzm4WJLl/CYi0EZRCIFvgJP2aLG09KJQE
 H2QT+huNTEpE2ndSeyL38e1JW1Z+UEHObqhZQ66E28M
 --- 1lhPBj02CB6BsouveThOL4pyTKXQhrUro59YXz0+fRk
 qœË=÷¼V<C2BC>wÃ×Ü®1A<31>½ß²uš!óI›(ÏÄ?¤CC"ßÞ‹’3.ëÎåŽãsŒô :"úÔº|¦ÑæÃ†çY2”þ\ï<>ýˆ›Í¨«
		`@@ -0,0 +1,2 @@`
							`{"id":"nixos-config-gx2","title":"form","status":"tombstone","priority":2,"issue_type":"task","created_at":"2026-01-11T11:49:21.688289476+01:00","created_by":"m3tam3re","updated_at":"2026-01-11T11:51:36.426124223+01:00","deleted_at":"2026-01-11T11:51:36.426124223+01:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"}`
							{"id":"nixos-config-n4l","title":"Create Gitea action for nix-update package updates","description":"Create a Gitea action to automatically update packages in this nixos-config repository using nix-update.\n\nContext:\n- Gitea instance is already running on m3-atlas at code.m3ta.dev (configured in hosts/m3-atlas/services/gitea.nix)\n- The repository is self-hosted on this Gitea instance\n- nix-update is already referenced in home/features/cli/default.nix\n- Currently no Gitea workflows exist (.gitea/ directory does not exist)\n\nGoal:\nAutomate package updates by creating a Gitea Actions workflow that:\n1. Runs nix-update periodically (e.g., weekly or on schedule)\n2. Updates package definitions in pkgs/ directory\n3. Creates pull requests with the updates\n4. Uses appropriate secrets/credentials for the Gitea instance\n\nRequirements:\n- Create .gitea/workflows/ directory structure\n- Define workflow file with nix-update command\n- Configure triggers (schedule, manual, or on repository events)\n- Set up proper permissions and secrets\n- Test the workflow execution\n\nCurrent Repository State:\n- pkgs/default.nix exists but is minimal (currently just a comment)\n- Multiple nixpkgs inputs are used (unstable, 25.11, locked, master)\n- Custom m3ta-nixpkgs overlay at code.m3ta.dev/m3tam3re/nixpkgs\n- Uses agenix for secrets management\n\nRelated Files:\n- hosts/m3-atlas/services/gitea.nix (existing Gitea configuration)\n- hosts/common/ports.nix (port management)\n- home/features/cli/default.nix (nix-update reference)\n\nAcceptance Criteria:\n- [ ] Create .gitea/workflows directory\n- [ ] Implement nix-update workflow YAML\n- [ ] Configure appropriate triggers\n- [ ] Test workflow on the repository\n- [ ] Document setup and configuration","status":"closed","priority":2,"issue_type":"feature","owner":"p@m3ta.dev","created_at":"2026-01-13T20:39:49.838916335+01:00","created_by":"m3tm3re","updated_at":"2026-01-13T20:51:43.833041989+01:00","closed_at":"2026-01-13T20:51:43.833041989+01:00","close_reason":"Closed"}