Add gitlab runner back to oracles

machines/oracles/configuration.nix

@@ -17,12 +17,17 @@
       owner = config.users.users.nathan.name;
       group = config.users.users.nathan.group;
     };
+    "nix-asuran" = {
+      format = "yaml";
+      sopsFile = ../../secrets/oracles/gitlab.yaml;
+    };
   };
   # Setup system configuration
   nathan = {
     programs = {
       utils = {
         devel = true;
+        binfmt = true;
       };
     };
     services = {
@@ -55,6 +60,9 @@
       setupGrub = true;
       nix.autoUpdate = true;
       harden = false;
+      virtualization = {
+        docker = true;
+      };
     };
   };
   # Configure networking
@@ -169,13 +177,16 @@
         }
       ];
     };
+
+  # Setup vhost for pack website
   services.nginx.virtualHosts."pack.forward-progress.net" = {
     enableACME = true;
     forceSSL = true;
     locations."/".root = "/var/www/pack.forward-progress.net";
     root = "/var/www/pack.forward-progress.net";
   };
-  # Backup postgres
+
+  # Backup postgres, as used by matrix
   services.postgresqlBackup = {
     #enable = true;
     compression = "none";
@@ -183,4 +194,41 @@
     startAt = "OnCalendar=00/2:00";
   };
 
+  # Setup the gitlab runners
+  services.gitlab-runner =
+    let
+      nix-shared = with lib; {
+        dockerImage = "nixpkgs/nix-flakes";
+        dockerVolumes = [
+          "/var/sharedstore:/sharedstore"
+        ];
+        dockerDisableCache = true;
+        dockerPrivileged = true;
+      };
+    in
+    {
+      enable = true;
+      concurrent = 4;
+      checkInterval = 1;
+      services = {
+        # default-asuran = {
+        #   registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
+        #   dockerImage = "debian:stable";
+        #   dockerVolumes = [
+        #     "/var/run/docker.sock:/var/run/docker.sock"
+        #   ];
+        #   dockerPrivileged = true;
+        #   tagList = [ "linux-own" ];
+        # };
+
+        nix-asuran = nix-shared // {
+          registrationConfigFile = config.sops.secrets.nix-asuran.path;
+          tagList = [ "nix" ];
+          requestConcurrency = 8;
+          limit = 4;
+          runUntagged = true;
+        };
+      };
+    };
+
 }

modules/linux/linux/base.nix

@@ -44,7 +44,7 @@ with lib;
           enable = true;
           allowReboot = true;
           # Update from the flake
-          flake = "github:nathans-flakes/system";
+          flake = "github:nathans-flakes/system/rewrite";
           # Attempt to update daily at 2AM
           dates = "2:00";
         };

modules/linux/virtualization.nix

@@ -23,6 +23,8 @@ with lib;
         # Automatically prune to keep things lean
         autoPrune.enable = true;
       };
+      # Make sure our containers can reach the network
+      boot.kernel.sysctl."net.ipv4.ip_forward" = true;
     })
     (mkIf nc.virtualization.lxc {
       virtualisation.lxd = {

secrets/oracles/gitlab.yaml

@@ -0,0 +1,30 @@
+nix-asuran: ENC[AES256_GCM,data:RXjgVChMgDP1YodyEZyUJejD8g/eXVvbBzZ7N1oUmkKEDgjjetHxZVt8h4BfCyymQaZA9wP2wtq4/jiWdOKrYuKsnCZ3SR4qJpxjkOe0W+hh,iv:pLmBWY6ZB4S4OrRJRiOhxBKGJvPsGQcJRarmZY6aFSw=,tag:uliGhjYATCn0qvpsG3Ux/A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUkxDNzRaaXk5MjFSK3o2
+            aWhRamxEb3FFMGo3OUVDL25udVg5UDM3SHhFCnZEWmluYklvcjh2ZWk0K2kvSUZj
+            YzFMUHdaQlhhQi8ya3l5KzB4NzBDdlEKLS0tIHVLSlFkUEdoK3hzQ2V5VlZTSW9Q
+            MWw3OG9CN3BkanZsUEVPbjBRclVTLzAKYyjhfh/VZDx9RnlcS6palMaGDOSYPha0
+            i3bU8KvH0cc/FhSkv320Owwrwq4ocI3ZSWEWXVgmnwxLuXi2pNW3Qw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjFkRkpjcytHV1RCSEc1
+            TnlQR2c2cUtVT3dUZGQrb1JEWFFyNmNSekdBCjRYUHdDZGdQRWFkZHdISzgrNHdO
+            S2hlQThUckRDVE9RM1czcWFpVWMzczAKLS0tIGFrZFhVWk5SR3dtVUFwQjdCaEJ5
+            R3NHOS83TmIyaG1yYjdJODFuVmZ6aTAKF/PP60jU0JlN8TchHeTp0T5Fhg55kMHc
+            t9Dv+PBkscQxO3VxUD3Oqw9/c/C5Abm8KgcWmYrLa00+2zbMC0oZEA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-06T00:47:48Z"
+    mac: ENC[AES256_GCM,data:7LHqZlBtRw+dN5Ed2bSPl7onYbI6m3rpFSqJ2qJM7dLK0wLSrJoP9K0chfLKDthTtw21KRv9m0SyAOsjv1ek8uyD7PIE5hhmtWGWm/rrDMLtLt+NWxQWBdM2sMGughvzhRG0auLUF8WaWHaoRuQyG9qlmO8lXMspS7/dfDQUcdQ=,iv:ciThIEZv4nom9w6XQS2rtw+lAlPcpGMLeuUjfAkTiWg=,tag:G0C0d6+fRGZ0Bq/GeczIrg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3