nix
/
System
2
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Set backup gitlab runner

This commit is contained in:
Nathan McCarty 2022-05-27 23:22:12 -04:00
parent 27530c6f0f
commit 8302ab4c6d
Signed by: thatonelutenist
GPG Key ID: D70DA3DD4D1E9F96
3 changed files with 96 additions and 64 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
flake.nix
View File

@ -189,7 +189,7 @@
./applications/devel-rust.nix ./applications/devel-rust.nix
./modules/docker.nix ./modules/docker.nix
./system-specific/oracles/matrix.nix ./system-specific/oracles/matrix.nix
# ./system-specific/oracles/gitlab-runner.nix ./system-specific/oracles/gitlab-runner.nix
./system-specific/oracles/gitea.nix ./system-specific/oracles/gitea.nix
] ++ serverModules; ] ++ serverModules;
}; };

66
secrets/gitlab-runner.yaml Normal file
View File

@ -0,0 +1,66 @@
nix-asuran: ENC[AES256_GCM,data:g5rLx9e8+YRVSEGR/zz2cf3XQ79um7iQgK6/5CA/15Xx+KBaPFi0CRsTyXpbMiHAVGJEqruNxEa5AE8VfOtPCjFp0Qed4bkmN23mGHDFTeXZ,iv:sX7ZkCxU6CGCPF+dhdfaZSqk6ADfsNgeNINzfqhEblo=,tag:eTj5BGN86qPNuauI0C6+Bw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ud80054jwf6ff7xx65ta6g7qxx2flc24r5gyyfjz43kvppjutqyskr2qm2
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3eHpicnMreWNUbEVBNHdm
bVBKekVVdng4V1RpNGdKK2ZtQXJrOU12Vno4CldBZFlaREhnVVBaTERCQ3cyY1Y2
WjdLa2I4QnBvZGJpV25ZQXF2MHJtS28KLS0tIC9Oa0NydXFtR0diNGRxbXZHYmdK
Z2h4U0VlTmJPa1BCay9SRmhJSlhURXcK/s3wwTnokpnYJ2q5/NIX2BnJnKwpzBt6
C/8os7EZ3IYinL5Joz4BgN67yzvWNqrputVKmf+/WnL8utiosZBC/A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1tsq68swufcjq6qavqpzrtse4474p5gs58v6qp6w7gum49yz45cgsegxhuw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVUVyZkZOK2pId3BxeEFl
RW9RSllmWklpZEp6Y0ZObGZZMGFZZ3Z3SHlZCkNPZzNWdTVCNkxEVmFtRW5uRFFT
WmNTUGVXYzdxUVBRK0pNMHVjeDdINVEKLS0tIDJyOTQzLy8rckR1Ui80VTYrR3gz
VmkxTlJTRDZYZEVrYklkSU1EZHdWdUkKLwlC83gkZmtmUF6wXyleSDJ1FvfUlDjo
iwkFo+SSOUVsFWJw2FB4sSCFyZ1qmH+57nQsw5JDrk15MZ3xd4g3dw==
-----END AGE ENCRYPTED FILE-----
- recipient: age12ayrv88xjt4r276fzc9du70x8q0r7xutt85vj627ykf4k8kgms4sc6wywn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORXhDU1NDQ3Q4cHhmMVlD
K2hnSWRtTGkybnlBajlFaU1vTnRSNFVTclRFClV5Y2dzTHZwOGpyM3NOZnppYUpp
OXVTZjFSMnd6WVRGakloRHd6NldFK28KLS0tIHJNditiZWxUclZuUVpqTi9DL2JG
T3FQWUJEbm9IZ2tvamtlNjBnQXVrb0EKQ8Bpa/DcIH55KoJFozOCZzOmMwtChbpk
X5sSK23aQdljSY8oLHaq4GxQVGkCukNPWDwRvcYKcS7N7e5pdXctFQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1r0aszjkyp4zlcw2w2vrk8hmcyvntshr8rew4ehlu5zad4eh6mspsatuczd
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpUHI3dUNRYld6RlhJdlZN
RGV1L3h4a3dHQ0JoQmRnUDRraVNrYmV3a2w4Cm9LK2lFMHJhOURld0tKS0NFT0NQ
WUZyQkNaUWhseHJ2djFxcFhzNkVXQlUKLS0tIEFxWlVFMWdha2VjQUhndWoraU1J
eG5QdkdFY2lRalZhTEJ1OVVXYU9RczgKGRBHEE4buclWmFEjAiMWFk8lYwNJkDdz
ssmH09J95uqKkdfob+mjBU4LVZqLzDRhw3s5xo6dHSAmjhkQSyHZxg==
-----END AGE ENCRYPTED FILE-----
- recipient: age10zd0y2zpty2z39sh2qe66yuu9jd6hrcd3ag2wqtjp8tc579nmphsymhdla
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYL0lZclU3Y2RCQ0pXclVv
akVvZ29iSlZSQ1lKWHp6bmZVaTVoaDVKU1JJCitLVjZJMm5VZzhXeEZWdkFpcFJv
Vnp6STNpdWE0eUxyZUhZcFBra0xsQzAKLS0tIFNlRW5nejBNTzU2R0ZJV0hHaHFX
V2swZ3dTcHBMVXlGZGkrWWNZVWZlZFEKmwky7MF79rTZRrDTKp+ODICV5Ag18vfL
SAdgpt3fJgwOuNIZpE3zO1tA1K/amk4LS9pGN1jq9sch3Nkk7R6TvQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pm647k04hhwm2dmqh07hnzflkurfevefcyf8xlhmc83a07n77e3sltyt0d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0bTl4aWNzUWVCSEdwR0wx
OWhLVmRYbWlwenpWTzRicEd3ZkdSZjdCRWhRCkxvbEhIVlRNRUZTNHM2RjFtazd6
MHRNejFJUnViUTF1Y3dqUFh5RjNuVnMKLS0tIE9UQ1lwRGpUT3JCb05iUnZCMFZB
R1BiNnFyUzhWcDhJd0JOV2xQRURUaWsKDZ8fr8YHgecqzZuMEGdXCe1MZHe5UP3x
C3CfnrprJWJCKh1EfVvycwcjSU66MdcoU3G12zdU1EiqlJdtfOzyqg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-05-28T03:19:17Z"
mac: ENC[AES256_GCM,data:pe8D02Uv4ALFmyZb52QZbPFLCYPddd1U3vGHmiPl1ZC/hiJcRZl5riB2GWrq5Eq/E6uoTl70Mbuk6FTT84iNkCPAOr/U95aPj/gUhP4B/7UGJiA49TI86gHRHBzvd5TPjpht6kQhlyU26Z/Z6JqYyCa1itTO2PAnzuaDYkxfpJc=,iv:83krP9E0ZWneX3e5YUS2srzNraU/vdQxKaO2RwNt810=,tag:g165SgajOR1tZmDmnACYtA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

92
system-specific/oracles/gitlab-runner.nix
View File

@ -1,31 +1,19 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
{ {
# setup sops for secrets
sops.secrets."nix-asuran" = {
format = "yaml";
sopsFile = ../../secrets/gitlab-runner.yaml;
};
# Make sure docker containers can reach the network # Make sure docker containers can reach the network
boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1 boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
# Make sure docker is enabled # Make sure docker is enabled
virtualisation.docker.enable = true; virtualisation.docker.enable = true;
# Enable binfmt-misc so we can run aarch64 containers # Enable binfmt-misc so we can run aarch64 containers
boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ]; boot.binfmt.emulatedSystems = [ "wasm32-wasi" "aarch64-linux" ];
services.gitlab-runner = { services.gitlab-runner =
enable = true; let
concurrent = 4; nix-shared = with lib; {
checkInterval = 1;
services = {
default-asuran = {
registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
dockerImage = "debian:stable";
dockerVolumes = [
"/var/run/docker.sock:/var/run/docker.sock"
];
dockerPrivileged = true;
tagList = [ "linux-own" ];
};
nix = with lib;{
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/var/lib/secret/gitlab-runner/rcm-nix"; # 2
dockerImage = "alpine"; dockerImage = "alpine";
dockerVolumes = [ dockerVolumes = [
"/nix/store:/nix/store:ro" "/nix/store:/nix/store:ro"
@ -56,52 +44,30 @@
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
}; };
tagList = [ "nix" ];
requestConcurrency = 8;
limit = 4;
runUntagged = true;
}; };
in
{
enable = true;
concurrent = 4;
checkInterval = 1;
services = {
# default-asuran = {
# registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-default";
# dockerImage = "debian:stable";
# dockerVolumes = [
# "/var/run/docker.sock:/var/run/docker.sock"
# ];
# dockerPrivileged = true;
# tagList = [ "linux-own" ];
# };
nix-asuran = with lib;{ nix-asuran = nix-shared // {
# File should contain at least these two variables: registrationConfigFile = config.sops.secrets.nix-asuran.path;
# `CI_SERVER_URL` tagList = [ "nix" ];
# `REGISTRATION_TOKEN` requestConcurrency = 8;
registrationConfigFile = "/var/lib/secret/gitlab-runner/asuran-nix"; # 2 limit = 4;
dockerImage = "alpine"; runUntagged = true;
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
"/var/lib/secret/cache:/var/lib/secret/cache"
];
dockerDisableCache = true;
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
. ${pkgs.nix}/etc/profile.d/nix.sh
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-21.05 nixpkgs # 3
${pkgs.nix}/bin/nix-channel --update nixpkgs
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nixUnstable cacert git openssh ])}
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
}; };
tagList = [ "nix" ];
requestConcurrency = 8;
limit = 4;
runUntagged = true;
}; };
}; };
};
} }