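# Runs two services on the host:
# - act_runner — polls Gitea, spawns one job container per workflow
#   run via the host docker socket. Job image built reproducibly from
#   runner/flake.nix (`nix run .#load-image`).
# - caddy — HTTPS-fronts the binary cache (./cache/store) so
#   consumers' substituter config can read it. Custom ports because
#   the router does PAT (port-forwarding 80→CADDY_HTTP_PORT,
#   443→CADDY_HTTPS_PORT). Set those in .env.
#
# Trust boundary (read before adding workflows): the runner container
# holds the host docker socket (= root on the host) and a read-only
# copy of the cache signing keys. Every workflow this runner executes
# therefore runs inside that boundary. `validate-pr.yml` runs on pull
# requests, so either restrict who may trigger it to trusted
# contributors, or keep the job containers from reaching the socket
# and the keys (see the notes on `docker.sock` and `cargoxx-cache-keys`
# below).

services:
  runner:
    # `nightly` is a floating tag: every `docker compose pull` may bring
    # a different binary onto a host-root-equivalent container. Pin to
    # a release tag *and* an `@sha256:` digest once one is chosen.
    image: docker.io/gitea/act_runner:nightly
    restart: unless-stopped
    # Blocks setuid/file-capability escalation inside the container.
    # The runner talks to the host daemon over the socket and job
    # containers are separate, so nothing here needs new privileges.
    security_opt:
      - no-new-privileges:true
    environment:
      CONFIG_FILE: /config.yaml
      # `:?` makes compose fail fast with a clear message instead of
      # registering against an empty URL when .env is missing.
      GITEA_INSTANCE_URL: "${GITEA_INSTANCE_URL:?set GITEA_INSTANCE_URL in .env}"
      # Only consumed on first start, when /data/.runner does not exist
      # yet. The token stays visible via `docker inspect` (and to anyone
      # holding the docker socket) for as long as it is set, so clear
      # it from .env after registration has succeeded.
      GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
      GITEA_RUNNER_NAME: "${GITEA_RUNNER_NAME:-cargoxx-pkgs-runner}"
      GITEA_RUNNER_LABELS: "${GITEA_RUNNER_LABELS:-self-hosted}"
    volumes:
      - ./config.yaml:/config.yaml:ro
      # Holds the registration state (/data/.runner), i.e. the runner's
      # long-lived credential. Keep ./data out of version control.
      - ./data:/data
      # Host-root equivalent. Whether job containers also get the
      # socket is governed by `container.docker_host` in config.yaml
      # (act_runner's default passes it through); set it to "-" there
      # unless the workflows genuinely need Docker-in-Docker.
      - /var/run/docker.sock:/var/run/docker.sock
      # Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
      # archives here. Named volumes (defined below) make the same
      # storage reachable from this runner container AND every job
      # container act_runner spawns AND the caddy frontend below.
      # Anything that can write here can publish to consumers, so the
      # cache's integrity rests entirely on the signatures below.
      - cargoxx-cache-store:/srv/cargoxx-cache/store
      # Presumably the Nix cache signing key(s); the matching public key
      # is what consumers pin in `trusted-public-keys`. Read-only here,
      # but being a host-global named volume it can be mounted by any
      # job container unless `container.valid_volumes` in config.yaml
      # excludes it — confirm that, otherwise a PR job can sign NARs.
      - cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro

  caddy:
    # `2` is a major-version tag and moves with every release; pin to a
    # minor/patch tag plus digest for a reproducible frontend.
    image: docker.io/caddy:2
    restart: unless-stopped
    # Caddy only needs to bind the (unprivileged) custom ports and
    # write /data and /config; no privilege escalation required.
    security_opt:
      - no-new-privileges:true
    ports:
      # host:container use the same number so the Caddyfile can listen
      # on the port the router forwards to (see header). Quoted so the
      # defaults are never parsed as a sexagesimal integer.
      - "${CADDY_HTTP_PORT:-8080}:${CADDY_HTTP_PORT:-8080}"
      - "${CADDY_HTTPS_PORT:-8443}:${CADDY_HTTPS_PORT:-8443}"
    environment:
      CADDY_HTTP_PORT: "${CADDY_HTTP_PORT:-8080}"
      CADDY_HTTPS_PORT: "${CADDY_HTTPS_PORT:-8443}"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      # Serve-only view of the store; the frontend must never be able
      # to modify what the runner published.
      - cargoxx-cache-store:/srv/cache:ro
      - caddy-data:/data
      - caddy-config:/config

# All volumes are bind mounts under the compose directory. Compose
# resolves `${PWD}` from the invoking shell (an .env value is only a
# fallback), so run `docker compose` from this directory — from a
# systemd unit or cron, set WorkingDirectory / PWD explicitly, or the
# `type: none` bind fails (or points at the wrong tree) at start-up.
volumes:
  cargoxx-cache-store:
    # Explicit name disables compose's project-prefix so spawned job
    # containers (which don't know about compose) can reference the
    # same volume by the same name.
    name: cargoxx-cache-store
    driver: local
    driver_opts:
      type: none
      o: bind
      device: "${PWD}/cache/store"
  cargoxx-cache-keys:
    # Same explicit-name trick as the store. Note the flip side: the
    # name is host-global, so it is also what a job container would
    # have to ask for to mount the keys — keep it out of
    # `container.valid_volumes` in config.yaml. Keep ./cache/keys
    # owner-only (0700) on the host.
    name: cargoxx-cache-keys
    driver: local
    driver_opts:
      type: none
      o: bind
      device: "${PWD}/cache/keys"
  caddy-data:
    # Caddy's own state: ACME account key, issued certificates and their
    # private keys, OCSP staples. Persist so we don't re-issue certs
    # every restart; treat ./caddy/data as secret material.
    name: caddy-data
    driver: local
    driver_opts:
      type: none
      o: bind
      device: "${PWD}/caddy/data"
  caddy-config:
    # Caddy's last-loaded JSON config (autosave). Not secret, but it
    # mirrors the Caddyfile, so regenerate rather than hand-edit.
    name: caddy-config
    driver: local
    driver_opts:
      type: none
      o: bind
      device: "${PWD}/caddy/config"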