Add Gitea Actions Runner and update OpenCode config

- Add Gitea Actions Runner service on m3-atlas with nixos:host label
- Configure agenix secret for runner token
- Add Antigravity provider models to OpenCode config
- Switch m3ta-nixpkgs to local path for development
m3tm3re
2026-01-14 20:55:23 +01:00
parent e1de4805ce
commit f9415c05f9
10 changed files with 235 additions and 61 deletions

0
.beads/.sync.lock Normal file

2
.beads/sync_base.jsonl Normal file

@@ -0,0 +1,2 @@
{"id":"nixos-config-gx2","title":"form","status":"tombstone","priority":2,"issue_type":"task","created_at":"2026-01-11T11:49:21.688289476+01:00","created_by":"m3tam3re","updated_at":"2026-01-11T11:51:36.426124223+01:00","deleted_at":"2026-01-11T11:51:36.426124223+01:00","deleted_by":"daemon","delete_reason":"delete","original_type":"task"}
{"id":"nixos-config-n4l","title":"Create Gitea action for nix-update package updates","description":"Create a Gitea action to automatically update packages in this nixos-config repository using nix-update.\n\n**Context:**\n- Gitea instance is already running on m3-atlas at code.m3ta.dev (configured in hosts/m3-atlas/services/gitea.nix)\n- The repository is self-hosted on this Gitea instance\n- nix-update is already referenced in home/features/cli/default.nix\n- Currently no Gitea workflows exist (.gitea/ directory does not exist)\n\n**Goal:**\nAutomate package updates by creating a Gitea Actions workflow that:\n1. Runs nix-update periodically (e.g., weekly or on schedule)\n2. Updates package definitions in pkgs/ directory\n3. Creates pull requests with the updates\n4. Uses appropriate secrets/credentials for the Gitea instance\n\n**Requirements:**\n- Create .gitea/workflows/ directory structure\n- Define workflow file with nix-update command\n- Configure triggers (schedule, manual, or on repository events)\n- Set up proper permissions and secrets\n- Test the workflow execution\n\n**Current Repository State:**\n- pkgs/default.nix exists but is minimal (currently just a comment)\n- Multiple nixpkgs inputs are used (unstable, 25.11, locked, master)\n- Custom m3ta-nixpkgs overlay at code.m3ta.dev/m3tam3re/nixpkgs\n- Uses agenix for secrets management\n\n**Related Files:**\n- hosts/m3-atlas/services/gitea.nix (existing Gitea configuration)\n- hosts/common/ports.nix (port management)\n- home/features/cli/default.nix (nix-update reference)\n\n**Acceptance Criteria:**\n- [ ] Create .gitea/workflows directory\n- [ ] Implement nix-update workflow YAML\n- [ ] Configure appropriate triggers\n- [ ] Test workflow on the repository\n- [ ] Document setup and 
configuration","status":"closed","priority":2,"issue_type":"feature","owner":"p@m3ta.dev","created_at":"2026-01-13T20:39:49.838916335+01:00","created_by":"m3tm3re","updated_at":"2026-01-13T20:51:43.833041989+01:00","closed_at":"2026-01-13T20:51:43.833041989+01:00","close_reason":"Closed"}

18
flake.lock generated

@@ -24,11 +24,11 @@
"agents": {
"flake": false,
"locked": {
"lastModified": 1767965833,
"narHash": "sha256-8tKEfJU4bxlgPJwUTUDQkVJMbwWQMiYt+moLjMIFeVY=",
"lastModified": 1768312204,
"narHash": "sha256-wB1pEROaXzJzxCaJwOyXmD0gq8/hv7OeEw3jNXrPwAc=",
"ref": "refs/heads/master",
"rev": "3e20c82603a4ddedf04ff001adf943723a49dc37",
"revCount": 7,
"rev": "cfa0f8f942545434a825fedf0a49061d26fff73d",
"revCount": 9,
"type": "git",
"url": "https://code.m3ta.dev/m3tam3re/AGENTS"
},
@@ -243,8 +243,8 @@
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1768245745,
"narHash": "sha256-CHspl0D+ougqFToY6d0ZQk5KtNfCyB8AWnmeVWkuuRk=",
"lastModified": 1768419432,
"narHash": "sha256-EwJZcXCEF1ExSfZP4asi1ATOhj1xcvH3tIe5nDSk9Oc=",
"path": "/home/m3tam3re/p/NIX/nixpkgs",
"type": "path"
},
@@ -435,11 +435,11 @@
},
"nixpkgs_3": {
"locked": {
"lastModified": 1766309749,
"narHash": "sha256-3xY8CZ4rSnQ0NqGhMKAy5vgC+2IVK0NoVEzDoOh4DA4=",
"lastModified": 1768127708,
"narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a6531044f6d0bef691ea18d4d4ce44d0daa6e816",
"rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
"type": "github"
},
"original": {


@@ -22,12 +22,12 @@
nixpkgs-9e58ed7.url = "github:nixos/nixpkgs/9e58ed7ba759d81c98f033b7f5eba21ca68f53b0";
nixpkgs-master.url = "github:nixos/nixpkgs/master";
m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
# m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
# m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";
m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";
#
nur = {
url = "github:nix-community/NUR";
ist456nputs.nixpkgs.follows = "nixpkgs";
inputs.nixpkgs.follows = "nixpkgs";
};
agenix.url = "github:ryantm/agenix";
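Review bot: The now-active `m3ta-nixpkgs.url = "path:/home/m3tam3re/p/NIX/nixpkgs";` points the input at one workstation's home directory, so other hosts and the Gitea Actions runner added in this commit presumably cannot resolve it, and the matching flake.lock entry carries only a `narHash` with no `rev` to audit against. For a development-only switch, keep `m3ta-nixpkgs.url = "git+https://code.m3ta.dev/m3tam3re/nixpkgs";` committed and pass `--override-input m3ta-nixpkgs path:/home/m3tam3re/p/NIX/nixpkgs` on the command line instead. If the path input has to stay for a while, a comment on that line saying it must be reverted before deploying to other hosts would help. The `inputs` block continues outside this hunk.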


@@ -22,8 +22,10 @@
enable = true;
settings = {
theme = "opencode";
plugin = ["oh-my-opencode" "opencode-beads"];
agent = builtins.fromJSON (builtins.readFile "${inputs.agents}/agent/agents.json");
plugin = ["oh-my-opencode" "opencode-beads" "opencode-antigravity-auth@beta"];
agent =
builtins.fromJSON
(builtins.readFile "${inputs.agents}/agent/agents.json");
formatter = {
alejandra = {
command = ["alejandra" "-q" "-"];
@@ -72,6 +74,129 @@
enabled = true;
};
};
provider = {
google = {
models = {
antigravity-gemini-3-pro = {
name = "Gemini 3 Pro (Antigravity)";
limit = {
context = 1048576;
output = 65535;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
variants = {
low = {thinkingLevel = "low";};
high = {thinkingLevel = "high";};
};
};
antigravity-gemini-3-flash = {
name = "Gemini 3 Flash (Antigravity)";
limit = {
context = 1048576;
output = 65536;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
variants = {
minimal = {thinkingLevel = "minimal";};
low = {thinkingLevel = "low";};
medium = {thinkingLevel = "medium";};
high = {thinkingLevel = "high";};
};
};
antigravity-claude-sonnet-4-5 = {
name = "Claude Sonnet 4.5 (Antigravity)";
limit = {
context = 200000;
output = 64000;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
};
antigravity-claude-sonnet-4-5-thinking = {
name = "Claude Sonnet 4.5 Thinking (Antigravity)";
limit = {
context = 200000;
output = 64000;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
variants = {
low = {thinkingConfig = {thinkingBudget = 8192;};};
max = {thinkingConfig = {thinkingBudget = 32768;};};
};
};
antigravity-claude-opus-4-5-thinking = {
name = "Claude Opus 4.5 Thinking (Antigravity)";
limit = {
context = 200000;
output = 64000;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
variants = {
low = {thinkingConfig = {thinkingBudget = 8192;};};
max = {thinkingConfig = {thinkingBudget = 32768;};};
};
};
"gemini-2.5-flash" = {
name = "Gemini 2.5 Flash (Gemini CLI)";
limit = {
context = 1048576;
output = 65536;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
};
"gemini-2.5-pro" = {
name = "Gemini 2.5 Pro (Gemini CLI)";
limit = {
context = 1048576;
output = 65536;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
};
"gemini-3-flash-preview" = {
name = "Gemini 3 Flash Preview (Gemini CLI)";
limit = {
context = 1048576;
output = 65536;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
};
"gemini-3-pro-preview" = {
name = "Gemini 3 Pro Preview (Gemini CLI)";
limit = {
context = 1048576;
output = 65535;
};
modalities = {
input = ["text" "image" "pdf"];
output = ["text"];
};
};
};
};
};
};
};
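Review bot: The added plugin entry `"opencode-antigravity-auth@beta"` in the `plugin` list of the first hunk tracks a moving `beta` tag rather than a fixed release, and judging by its name the plugin handles provider authentication, so whatever is published under that tag later would run with access to those credentials. Pinning it as `"opencode-antigravity-auth@<exact-version>"` (placeholder, the page does not show a version) keeps the plugin set as reproducible as the rest of the flake. The plugins appear to be resolved by OpenCode at runtime rather than through a hashed Nix input, which is worth confirming. A short comment above the new `provider.google.models` block in the second hunk saying where the limits come from would also explain why `output` is `65535` for the two Gemini 3 Pro entries and `65536` elsewhere.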


@@ -1,51 +1,35 @@
{
age = {
secrets = {
baserow-env = {
file = ../../secrets/baserow-env.age;
};
ghost-env = {
file = ../../secrets/ghost-env.age;
};
baserow-env = { file = ../../secrets/baserow-env.age; };
ghost-env = { file = ../../secrets/ghost-env.age; };
kestra-config = {
file = ../../secrets/kestra-config.age;
mode = "644";
};
kestra-env = {
file = ../../secrets/kestra-env.age;
};
littlelink-m3tam3re = {
file = ../../secrets/littlelink-m3tam3re.age;
};
minio-root-cred = {
file = ../../secrets/minio-root-cred.age;
};
n8n-env = {
file = ../../secrets/n8n-env.age;
};
paperless-key = {
file = ../../secrets/paperless-key.age;
};
restreamer-env = {
file = ../../secrets/restreamer-env.age;
};
searx = {
file = ../../secrets/searx.age;
};
tailscale-key = {
file = ../../secrets/tailscale-key.age;
};
kestra-env = { file = ../../secrets/kestra-env.age; };
littlelink-m3tam3re = { file = ../../secrets/littlelink-m3tam3re.age; };
minio-root-cred = { file = ../../secrets/minio-root-cred.age; };
n8n-env = { file = ../../secrets/n8n-env.age; };
paperless-key = { file = ../../secrets/paperless-key.age; };
restreamer-env = { file = ../../secrets/restreamer-env.age; };
searx = { file = ../../secrets/searx.age; };
tailscale-key = { file = ../../secrets/tailscale-key.age; };
traefik = {
file = ../../secrets/traefik.age;
owner = "traefik";
};
vaultwarden-env = {
file = ../../secrets/vaultwarden-env.age;
};
vaultwarden-env = { file = ../../secrets/vaultwarden-env.age; };
m3tam3re-secrets = {
file = ../../secrets/m3tam3re-secrets.age;
owner = "m3tam3re";
};
gitea-runner-token = {
file = ../../secrets/gitea-runner-token.age;
mode = "600";
owner = "gitea-runner";
group = "gitea-runner";
};
};
};
}


@@ -2,6 +2,7 @@
imports = [
./containers
./gitea.nix
./gitea-actions-runner.nix
./headscale.nix
./minio.nix
./mysql.nix


@@ -0,0 +1,58 @@
{
config,
pkgs,
...
}: {
services.gitea-actions-runner = {
instances.default = {
enable = true;
name = "${config.networking.hostName}-runner";
url = "https://code.m3ta.dev";
tokenFile = config.age.secrets.gitea-runner-token.path;
# nixos:host is primary, ubuntu is fallback
labels = [
# Primary: Run directly on host (fastest, has Nix installed)
"nixos:host"
# Fallback: Docker-based execution for compatibility
"ubuntu-latest:docker://node:18-bullseye"
"ubuntu-22.04:docker://node:20-bullseye"
];
# Host execution packages
hostPackages = with pkgs; [
git
bash
coreutils
nix
# Add any other tools you need for nix-update workflows
];
# Advanced settings
settings = {
runner = {
capacity = 1; # One job at a time (increase if you have resources)
timeout = "4h"; # Nix builds can take a while
};
cache = {enabled = true;};
container = {
enable_ipv6 = true;
privileged = false;
};
};
};
};
# User management (auto-created by module, but ensuring proper setup)
users.users.gitea-runner = {
home = "/var/lib/gitea-runner";
group = "gitea-runner";
isSystemUser = true;
createHome = true;
};
users.groups.gitea-runner = {};
# Firewall: Allow Podman bridge networks for cache actions
networking.firewall.trustedInterfaces = ["br-+"];
}
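Review bot: `networking.firewall.trustedInterfaces = ["br-+"];` at the end of the file accepts all traffic from every interface whose name starts with `br-`, so job containers can reach any service on m3-atlas that listens on all addresses, not only the runner cache. Pinning the cache port and opening just that is narrower, e.g. `cache = { enabled = true; port = <cache-port>; };` with `networking.firewall.interfaces."br-+".allowedTCPPorts = [ <cache-port> ];` (placeholder port; check that the wildcard name works with the firewall backend in use). Separately, the `"nixos:host"` label runs jobs directly on the host with no container boundary, so a comment next to it stating which repositories may target this runner and that it must not be offered to untrusted pull requests would document the trust assumption. The comment on the firewall line mentions Podman while the labels use `docker://` images; the container backend is not visible in this file.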


@@ -1,22 +1,20 @@
let
# SYSTEMS
m3-ares = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s";
m3-kratos = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
m3-helios = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
m3-atlas = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H";
m3-ares =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG+M4CygEQ29eTmLqgyIAFCxy0rgfO23klNiARBEA+3s";
m3-kratos =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDl+LtFGsk/A7BvxwiUCyq5wjRzGtQSrBJzzLGxINF4O";
m3-helios =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIyHuLITpI+M45ZZem33wDusY2X988mBoWpD1HDeZNRJ";
m3-atlas =
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBYK1wsFkUPIb/lX1BH7+VyXmmGSbdEFHnvhAOcaC7H";
# USERS
m3tam3re = "ssh-rsa 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";
users = [
m3tam3re
];
m3tam3re =
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC3YEmpYbM+cpmyD10tzNRHEn526Z3LJOzYpWEKdJg8DaYyPbDn9iyVX30Nja2SrW4Wadws0Y8DW+Urs25/wVB6mKl7jgPJVkMi5hfobu3XAz8gwSdjDzRSWJrhjynuaXiTtRYED2INbvjLuxx3X8coNwMw58OuUuw5kNJp5aS2qFmHEYQErQsGT4MNqESe3jvTP27Z5pSneBj45LmGK+RcaSnJe7hG+KRtjuhjI7RdzMeDCX73SfUsal+rHeuEw/mmjYmiIItXhFTDn8ZvVwpBKv7xsJG90DkaX2vaTk0wgJdMnpVIuIRBa4EkmMWOQ3bMLGkLQeK/4FUkNcvQ/4+zcZsg4cY9Q7Fj55DD41hAUdF6SYODtn5qMPsTCnJz44glHt/oseKXMSd556NIw2HOvihbJW7Rwl4OEjGaO/dF4nUw4c9tHWmMn9dLslAVpUuZOb7ykgP0jk79ldT3Dv+2Hj0CdAWT2cJAdFX58KQ9jUPT3tBnObSF1lGMI7t77VU=";
users = [ m3tam3re ];
systems = [
m3-atlas
m3-ares
m3-helios
m3-kratos
];
systems = [ m3-atlas m3-ares m3-helios m3-kratos ];
in {
"secrets/anytype-key.age".publicKeys = systems ++ users;
"secrets/anytype-key-ares.age".publicKeys = systems ++ users;
@@ -31,6 +29,7 @@ in {
"secrets/paperless-key.age".publicKeys = systems ++ users;
"secrets/ref-key.age".publicKeys = systems ++ users;
"secrets/exa-key.age".publicKeys = systems ++ users;
"secrets/gitea-runner-token.age".publicKeys = systems ++ users;
"secrets/restreamer-env.age".publicKeys = systems ++ users;
"secrets/searx.age".publicKeys = systems ++ users;
"secrets/tailscale-key.age".publicKeys = systems ++ users;
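Review bot: The added `"secrets/gitea-runner-token.age".publicKeys = systems ++ users;` in the second hunk lets all four hosts decrypt the runner registration token, although the commit message places the runner on m3-atlas only. `"secrets/gitea-runner-token.age".publicKeys = [ m3-atlas ] ++ users;` limits exposure if one of the other machines is compromised. The new age file at the end of the page (presumably this secret) shows a single `ssh-ed25519` recipient stanza, which matches neither list, so it looks like the file still needs to be rekeyed once this rule is settled. The attribute set continues outside the hunk.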


@@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 4NLKrw yQsk1NS2ujPzm4WJLl/CYi0EZRCIFvgJP2aLG09KJQE
H2QT+huNTEpE2ndSeyL38e1JW1Z+UEHObqhZQ66E28M
--- 1lhPBj02CB6BsouveThOL4pyTKXQhrUro59YXz0+fRk
qœË=÷¼V<C2BC>×Ü®1A<31>½ß²uš!óI(ÏÄ?¤CC"ßÞ3.ëÎåŽãsŒô :"úÔº|¦ÑæÃ†çY2”þ\ï<>ýˆÍ¨ «