Add Gitea act-runner and test actions for the repo

.gitea/workflows/ci.yml

@@ -0,0 +1,31 @@
+name: CI
+
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+jobs:
+  terraform-validate:
+    name: Terraform fmt + validate
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: hashicorp/setup-terraform@v3
+
+      - name: fmt check — 1-nixos-node
+        run: terraform fmt -check -recursive
+        working-directory: 1-nixos-node
+
+      - name: fmt check — 2-nomad-config
+        run: terraform fmt -check -recursive
+        working-directory: 2-nomad-config
+
+      - name: validate — 2-nomad-config (no backend)
+        run: |
+          terraform init -backend=false
+          terraform validate
+        working-directory: 2-nomad-config

1-nixos-node/configuration.nix

@@ -64,6 +64,7 @@
           cni_path = "$${pkgs.cni-plugins}/bin";
         };
         plugin.docker.config.allow_privileged = true;
+        plugin.docker.config.volumes.enabled = true;
       };
       extraPackages = with pkgs; [
         cni-plugins

2-nomad-config/act-runner.nomad.hcl

@@ -0,0 +1,66 @@
+job "act-runner" {
+  group "act-runner" {
+    network {
+      mode = "bridge"
+    }
+
+    # Consul Connect upstream to Gitea so the runner can register and receive jobs
+    service {
+      name = "act-runner"
+      connect {
+        sidecar_service {
+          proxy {
+            upstreams {
+              destination_name = "code-connect"
+              local_bind_port  = 3000
+            }
+          }
+        }
+      }
+    }
+
+    task "act-runner" {
+      driver = "docker"
+
+      config {
+        image   = "gitea/act_runner:latest"
+        volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
+      }
+
+      env = {
+        GITEA_INSTANCE_URL = "http://localhost:3000"
+        CONFIG_FILE        = "/secrets/runner-config.yml"
+      }
+
+      # Required SOPS key:
+      #   act-runner.registration_token — runner registration token from Gitea
+      #   Admin → Settings → Actions → Runners → Create new runner
+      template {
+        data        = <<EOF
+GITEA_RUNNER_REGISTRATION_TOKEN={{ with nomadVar "nomad/jobs/act-runner" }}{{ .registration_token }}{{ end }}
+EOF
+        destination = "secrets/runner.env"
+        env         = true
+      }
+
+      # Limit which images/labels the runner will accept so it doesn't pick up
+      # unrelated workloads if more runners are added later.
+      template {
+        data        = <<EOF
+runner:
+  labels:
+    - "ubuntu-latest:docker://node:20-bookworm"
+    - "ubuntu-22.04:docker://node:20-bookworm"
+    - "ubuntu-24.04:docker://node:20-bookworm"
+EOF
+        destination = "secrets/runner-config.yml"
+      }
+
+      resources {
+        cpu        = 200
+        memory     = 256
+        memory_max = 1024
+      }
+    }
+  }
+}

2-nomad-config/act-runner.tf

@@ -0,0 +1,10 @@
+resource "nomad_job" "act_runner" {
+  jobspec = file("act-runner.nomad.hcl")
+}
+
+resource "nomad_variable" "act_runner" {
+  path = "nomad/jobs/act-runner"
+  items = {
+    registration_token = data.sops_file.secrets.data["act-runner.registration_token"]
+  }
+}

2-nomad-config/secrets/secrets.enc.json

@@ -56,6 +56,9 @@
 		"gitea_token": "ENC[AES256_GCM,data:/J3CDMgWZLe20oQ+ENKBMi8fs/+jgsARV7xihMq0OLmRk8C8ae/IXg==,iv:e7WYOanSOCZ/LhN6SKrH0VrR3xLPTTppOKpGpSl+oAc=,tag:XBAilRdK3jL7WtM+92Fsmg==,type:str]",
 		"github_token": "ENC[AES256_GCM,data:omZpdsTV1aFgQ9PjIApITEyIRKk6Z8QyvD2Kp5tJnBWzFCm4v2lRAg==,iv:cKL7z+CSChzF9eZEcske2lbmx9KV6CrWw0tn7rmP/10=,tag:gon3Sc1d3ntNSbWwenHuOw==,type:str]"
 	},
+	"act-runner": {
+		"registration_token": "ENC[AES256_GCM,data:RnDvcNh69lLlL/ms+sMPKhhc+ECtc5hUHSkAQZv8e77iTD/QPd356Q==,iv:sl2Aua8rTe6cKYQAUC7O4UyHajGy1LgG/ZNLTVP4SyE=,tag:JjdaQqZ4PaWjfoiVmBl6lQ==,type:str]"
+	},
 	"sops": {
 		"age": [
 			{
@@ -63,8 +66,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2026-04-18T06:30:49Z",
-		"mac": "ENC[AES256_GCM,data:ZqT+lJxFOxbRaDkex8URHRRoNSoHVkB9tbMCDVWoln0otMUBFDnxa1Fqwzl77G+JxD/I7W5QX5qUx+oSoDxhyCvC97tjBfTZ+nlqTos25wLddSKwOfbvRNS7oZrzMt5AepgauApucNDjjUWtZB55mTV497PzESLBrZeI/4zpCU0=,iv:AVvlyJLyLJup2PtLt8NzZO+uCbuQKmUV0S2swwl6nME=,tag:HxywCeG6NQotrsN7ovDfrw==,type:str]",
+		"lastmodified": "2026-04-18T07:41:42Z",
+		"mac": "ENC[AES256_GCM,data:+HhhsiZXok4BZI05tG3p9veZaj51kELSQlWFYMSInv7bGfEadmOrJqCxaGrFcNkMmgVPx80jWQFrILfVLW5MUvEsHAhD4Vza2TSWeUq1HuL9DbMxsK2G9Y1fbthd12r/++dDcXxVnTUf/rCD70in/+g/zRObocAnUcFEcIqx1JE=,iv:pS+aj+47J4bYZYGlMVniQVTlLt4jtCLUT7oROJLUkZo=,tag:+lznxDhs2C3bcz5quxfHjA==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}