From 8302ab4c6dca3da952661e7cb10e51d5ecba4270 Mon Sep 17 00:00:00 2001
From: Nathan McCarty <nathan@mccarty.io>
Date: Fri, 27 May 2022 23:22:12 -0400
Subject: [PATCH] Set backup gitlab runner

---
 flake.nix                                 |  2 +-
 secrets/gitlab-runner.yaml                | 66 ++++++++++++++++
 system-specific/oracles/gitlab-runner.nix | 92 +++++++----------------
 3 files changed, 96 insertions(+), 64 deletions(-)
 create mode 100644 secrets/gitlab-runner.yaml

diff --git a/flake.nix b/flake.nix
index 0de8e92..6e1990c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -189,7 +189,7 @@
             ./applications/devel-rust.nix
             ./modules/docker.nix
             ./system-specific/oracles/matrix.nix
-            # ./system-specific/oracles/gitlab-runner.nix
+            ./system-specific/oracles/gitlab-runner.nix
             ./system-specific/oracles/gitea.nix
           ] ++ serverModules;
         };
diff --git a/secrets/gitlab-runner.yaml b/secrets/gitlab-runner.yaml
new file mode 100644
index 0000000..de6dd44
--- /dev/null
+++ b/secrets/gitlab-runner.yaml
@@ -0,0 +1,66 @@
+nix-asuran: ENC[AES256_GCM,data:g5rLx9e8+YRVSEGR/zz2cf3XQ79um7iQgK6/5CA/15Xx+KBaPFi0CRsTyXpbMiHAVGJEqruNxEa5AE8VfOtPCjFp0Qed4bkmN23mGHDFTeXZ,iv:sX7ZkCxU6CGCPF+dhdfaZSqk6ADfsNgeNINzfqhEblo=,tag:eTj5BGN86qPNuauI0C6+Bw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHpicnMreWNUbEVBNHdm
+            bVBKekVVdng4V1RpNGdKK2ZtQXJrOU12Vno4CldBZFlaREhnVVBaTERCQ3cyY1Y2
+            WjdLa2I4QnBvZGJpV25ZQXF2MHJtS28KLS0tIC9Oa0NydXFtR0diNGRxbXZHYmdK
+            Z2h4U0VlTmJPa1BCay9SRmhJSlhURXcK/s3wwTnokpnYJ2q5/NIX2BnJnKwpzBt6
+            C/8os7EZ3IYinL5Joz4BgN67yzvWNqrputVKmf+/WnL8utiosZBC/A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUVyZkZOK2pId3BxeEFl
+            RW9RSllmWklpZEp6Y0ZObGZZMGFZZ3Z3SHlZCkNPZzNWdTVCNkxEVmFtRW5uRFFT
+            WmNTUGVXYzdxUVBRK0pNMHVjeDdINVEKLS0tIDJyOTQzLy8rckR1Ui80VTYrR3gz
+            VmkxTlJTRDZYZEVrYklkSU1EZHdWdUkKLwlC83gkZmtmUF6wXyleSDJ1FvfUlDjo
+            iwkFo+SSOUVsFWJw2FB4sSCFyZ1qmH+57nQsw5JDrk15MZ3xd4g3dw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORXhDU1NDQ3Q4cHhmMVlD
+            K2hnSWRtTGkybnlBajlFaU1vTnRSNFVTclRFClV5Y2dzTHZwOGpyM3NOZnppYUpp
+            OXVTZjFSMnd6WVRGakloRHd6NldFK28KLS0tIHJNditiZWxUclZuUVpqTi9DL2JG
+            T3FQWUJEbm9IZ2tvamtlNjBnQXVrb0EKQ8Bpa/DcIH55KoJFozOCZzOmMwtChbpk
+            X5sSK23aQdljSY8oLHaq4GxQVGkCukNPWDwRvcYKcS7N7e5pdXctFQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUHI3dUNRYld6RlhJdlZN
+            RGV1L3h4a3dHQ0JoQmRnUDRraVNrYmV3a2w4Cm9LK2lFMHJhOURld0tKS0NFT0NQ
+            WUZyQkNaUWhseHJ2djFxcFhzNkVXQlUKLS0tIEFxWlVFMWdha2VjQUhndWoraU1J
+            eG5QdkdFY2lRalZhTEJ1OVVXYU9RczgKGRBHEE4buclWmFEjAiMWFk8lYwNJkDdz
+            ssmH09J95uqKkdfob+mjBU4LVZqLzDRhw3s5xo6dHSAmjhkQSyHZxg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL0lZclU3Y2RCQ0pXclVv
+            akVvZ29iSlZSQ1lKWHp6bmZVaTVoaDVKU1JJCitLVjZJMm5VZzhXeEZWdkFpcFJv
+            Vnp6STNpdWE0eUxyZUhZcFBra0xsQzAKLS0tIFNlRW5nejBNTzU2R0ZJV0hHaHFX
+            V2swZ3dTcHBMVXlGZGkrWWNZVWZlZFEKmwky7MF79rTZRrDTKp+ODICV5Ag18vfL
+            SAdgpt3fJgwOuNIZpE3zO1tA1K/amk4LS9pGN1jq9sch3Nkk7R6TvQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTl4aWNzUWVCSEdwR0wx
+            OWhLVmRYbWlwenpWTzRicEd3ZkdSZjdCRWhRCkxvbEhIVlRNRUZTNHM2RjFtazd6
+            MHRNejFJUnViUTF1Y3dqUFh5RjNuVnMKLS0tIE9UQ1lwRGpUT3JCb05iUnZCMFZB
+            R1BiNnFyUzhWcDhJd0JOV2xQRURUaWsKDZ8fr8YHgecqzZuMEGdXCe1MZHe5UP3x
+            C3CfnrprJWJCKh1EfVvycwcjSU66MdcoU3G12zdU1EiqlJdtfOzyqg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-05-28T03:19:17Z"
+    mac: ENC[AES256_GCM,data:pe8D02Uv4ALFmyZb52QZbPFLCYPddd1U3vGHmiPl1ZC/hiJcRZl5riB2GWrq5Eq/E6uoTl70Mbuk6FTT84iNkCPAOr/U95aPj/gUhP4B/7UGJiA49TI86gHRHBzvd5TPjpht6kQhlyU26Z/Z6JqYyCa1itTO2PAnzuaDYkxfpJc=,iv:83krP9E0ZWneX3e5YUS2srzNraU/vdQxKaO2RwNt810=,tag:g165SgajOR1tZmDmnACYtA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
diff --git a/system-specific/oracles/gitlab-runner.nix b/system-specific/oracles/gitlab-runner.nix
index 6fb4007..0f7f971 100644
--- a/system-specific/oracles/gitlab-runner.nix
+++ b/system-specific/oracles/gitlab-runner.nix
@@ -1,31 +1,19 @@
 { config, pkgs, lib, ... }:
 {
+  # setup sops for secrets
+  sops.secrets."nix-asuran" = {
+    format = "yaml";
+    sopsFile = ../../secrets/gitlab-runner.yaml;
+  };
   # Make sure docker containers can reach the network
   boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
   # Make sure docker is enabled
   virtualisation.docker.enable = true;
   # Enable binfmt-misc so we can run aarch64 containers
   boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
-  services.gitlab-runner = {
-    enable = true;
-    concurrent = 4;
-    checkInterval = 1;
-    services = {
-      default-asuran = {
-        registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
-        dockerImage = "debian:stable";
-        dockerVolumes = [
-          "/var/run/docker.sock:/var/run/docker.sock"
-        ];
-        dockerPrivileged = true;
-        tagList = [ "linux-own" ];
-      };
-
-      nix = with lib;{
-        # File should contain at least these two variables:
-        # `CI_SERVER_URL`
-        # `REGISTRATION_TOKEN`
-        registrationConfigFile = "/var/lib/secret/gitlab-runner/rcm-nix"; # 2
+  services.gitlab-runner =
+    let
+      nix-shared = with lib; {
         dockerImage = "alpine";
         dockerVolumes = [
           "/nix/store:/nix/store:ro"
@@ -56,52 +44,30 @@
           PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
           NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
         };
-        tagList = [ "nix" ];
-        requestConcurrency = 8;
-        limit = 4;
-        runUntagged = true;
       };
+    in
+    {
+      enable = true;
+      concurrent = 4;
+      checkInterval = 1;
+      services = {
+        # default-asuran = {
+        #   registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
+        #   dockerImage = "debian:stable";
+        #   dockerVolumes = [
+        #     "/var/run/docker.sock:/var/run/docker.sock"
+        #   ];
+        #   dockerPrivileged = true;
+        #   tagList = [ "linux-own" ];
+        # };
 
-      nix-asuran = with lib;{
-        # File should contain at least these two variables:
-        # `CI_SERVER_URL`
-        # `REGISTRATION_TOKEN`
-        registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-nix"; # 2
-        dockerImage = "alpine";
-        dockerVolumes = [
-          "/nix/store:/nix/store:ro"
-          "/nix/var/nix/db:/nix/var/nix/db:ro"
-          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
-          "/var/lib/secret/cache:/var/lib/secret/cache"
-        ];
-        dockerDisableCache = true;
-        preBuildScript = pkgs.writeScript "setup-container" ''
-          mkdir -p -m 0755 /nix/var/log/nix/drvs
-          mkdir -p -m 0755 /nix/var/nix/gcroots
-          mkdir -p -m 0755 /nix/var/nix/profiles
-          mkdir -p -m 0755 /nix/var/nix/temproots
-          mkdir -p -m 0755 /nix/var/nix/userpool
-          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
-          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
-          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
-          mkdir -p -m 0700 "$HOME/.nix-defexpr"
-          . ${pkgs.nix}/etc/profile.d/nix.sh
-          ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
-          ${pkgs.nix}/bin/nix-channel --update nixpkgs
-          ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
-        '';
-        environmentVariables = {
-          ENV = "/etc/profile";
-          USER = "root";
-          NIX_REMOTE = "daemon";
-          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
-          NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        nix-asuran = nix-shared // {
+          registrationConfigFile = config.sops.secrets.nix-asuran.path;
+          tagList = [ "nix" ];
+          requestConcurrency = 8;
+          limit = 4;
+          runUntagged = true;
         };
-        tagList = [ "nix" ];
-        requestConcurrency = 8;
-        limit = 4;
-        runUntagged = true;
       };
     };
-  };
 }