Add gitlab runner back to oracles

2022-09-05 20:52:22 -04:00 · 2022-09-05 20:52:22 -04:00 · 310008ca02
parent 607c186fc3
commit 310008ca02
4 changed files with 82 additions and 2 deletions
--- a/machines/oracles/configuration.nix
+++ b/machines/oracles/configuration.nix
@ -17,12 +17,17 @@
      owner = config.users.users.nathan.name;
      group = config.users.users.nathan.group;
    };
+    "nix-asuran" = {
+      format = "yaml";
+      sopsFile = ../../secrets/oracles/gitlab.yaml;
+    };
  };
  # Setup system configuration
  nathan = {
    programs = {
      utils = {
        devel = true;
+        binfmt = true;
      };
    };
    services = {
@ -55,6 +60,9 @@
      setupGrub = true;
      nix.autoUpdate = true;
      harden = false;
+      virtualization = {
+        docker = true;
+      };
    };
  };
  # Configure networking
@ -169,13 +177,16 @@
        }
      ];
    };
+
+  # Setup vhost for pack website
  services.nginx.virtualHosts."pack.forward-progress.net" = {
    enableACME = true;
    forceSSL = true;
    locations."/".root = "/var/www/pack.forward-progress.net";
    root = "/var/www/pack.forward-progress.net";
  };
-  # Backup postgres
+
+  # Backup postgres, as used by matrix
  services.postgresqlBackup = {
    #enable = true;
    compression = "none";
@ -183,4 +194,41 @@
    startAt = "OnCalendar=00/2:00";
  };

+  # Setup the gitlab runners
+  services.gitlab-runner =
+    let
+      nix-shared = with lib; {
+        dockerImage = "nixpkgs/nix-flakes";
+        dockerVolumes = [
+          "/var/sharedstore:/sharedstore"
+        ];
+        dockerDisableCache = true;
+        dockerPrivileged = true;
+      };
+    in
+    {
+      enable = true;
+      concurrent = 4;
+      checkInterval = 1;
+      services = {
+        # default-asuran = {
+        #   registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
+        #   dockerImage = "debian:stable";
+        #   dockerVolumes = [
+        #     "/var/run/docker.sock:/var/run/docker.sock"
+        #   ];
+        #   dockerPrivileged = true;
+        #   tagList = [ "linux-own" ];
+        # };
+
+        nix-asuran = nix-shared // {
+          registrationConfigFile = config.sops.secrets.nix-asuran.path;
+          tagList = [ "nix" ];
+          requestConcurrency = 8;
+          limit = 4;
+          runUntagged = true;
+        };
+      };
+    };
+
 }
--- a/modules/linux/linux/base.nix
+++ b/modules/linux/linux/base.nix
@ -44,7 +44,7 @@ with lib;
          enable = true;
          allowReboot = true;
          # Update from the flake
-          flake = "github:nathans-flakes/system";
+          flake = "github:nathans-flakes/system/rewrite";
          # Attempt to update daily at 2AM
          dates = "2:00";
        };
--- a/modules/linux/virtualization.nix
+++ b/modules/linux/virtualization.nix
@ -23,6 +23,8 @@ with lib;
        # Automatically prune to keep things lean
        autoPrune.enable = true;
      };
+      # Make sure our containers can reach the network
+      boot.kernel.sysctl."net.ipv4.ip_forward" = true;
    })
    (mkIf nc.virtualization.lxc {
      virtualisation.lxd = {
--- a/secrets/oracles/gitlab.yaml
+++ b/secrets/oracles/gitlab.yaml
@ -0,0 +1,30 @@
+nix-asuran: ENC[AES256_GCM,data:RXjgVChMgDP1YodyEZyUJejD8g/eXVvbBzZ7N1oUmkKEDgjjetHxZVt8h4BfCyymQaZA9wP2wtq4/jiWdOKrYuKsnCZ3SR4qJpxjkOe0W+hh,iv:pLmBWY6ZB4S4OrRJRiOhxBKGJvPsGQcJRarmZY6aFSw=,tag:uliGhjYATCn0qvpsG3Ux/A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkUkxDNzRaaXk5MjFSK3o2
+            aWhRamxEb3FFMGo3OUVDL25udVg5UDM3SHhFCnZEWmluYklvcjh2ZWk0K2kvSUZj
+            YzFMUHdaQlhhQi8ya3l5KzB4NzBDdlEKLS0tIHVLSlFkUEdoK3hzQ2V5VlZTSW9Q
+            MWw3OG9CN3BkanZsUEVPbjBRclVTLzAKYyjhfh/VZDx9RnlcS6palMaGDOSYPha0
+            i3bU8KvH0cc/FhSkv320Owwrwq4ocI3ZSWEWXVgmnwxLuXi2pNW3Qw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZSjFkRkpjcytHV1RCSEc1
+            TnlQR2c2cUtVT3dUZGQrb1JEWFFyNmNSekdBCjRYUHdDZGdQRWFkZHdISzgrNHdO
+            S2hlQThUckRDVE9RM1czcWFpVWMzczAKLS0tIGFrZFhVWk5SR3dtVUFwQjdCaEJ5
+            R3NHOS83TmIyaG1yYjdJODFuVmZ6aTAKF/PP60jU0JlN8TchHeTp0T5Fhg55kMHc
+            t9Dv+PBkscQxO3VxUD3Oqw9/c/C5Abm8KgcWmYrLa00+2zbMC0oZEA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-06T00:47:48Z"
+    mac: ENC[AES256_GCM,data:7LHqZlBtRw+dN5Ed2bSPl7onYbI6m3rpFSqJ2qJM7dLK0wLSrJoP9K0chfLKDthTtw21KRv9m0SyAOsjv1ek8uyD7PIE5hhmtWGWm/rrDMLtLt+NWxQWBdM2sMGughvzhRG0auLUF8WaWHaoRuQyG9qlmO8lXMspS7/dfDQUcdQ=,iv:ciThIEZv4nom9w6XQS2rtw+lAlPcpGMLeuUjfAkTiWg=,tag:G0C0d6+fRGZ0Bq/GeczIrg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3