rarias/bscpkgs
rarias/bscpkgs
Archived
2
0
Fork 3
Code Issues 2 Pull Requests 4 Actions Packages Projects Releases Wiki Activity

Add new GitLab runner for gitlab.bsc.es

Browse Source 
It uses docker based on alpine and the host nix store, so we can perform
builds but isolate them from the system.

Reviewed-by: Aleix Boné <abonerib@bsc.es>
This commit is contained in:
Rodrigo Arias 2025-01-24 13:00:54 +01:00
parent 2c7211ffa3
commit 3f4b4fb810
3 changed files with 87 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

81
m/hut/gitlab-runner.nix
View File

@ -1,8 +1,9 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age; age.secrets.gitlab-pm-shell.file = ../../secrets/gitlab-runner-shell-token.age;
age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age; age.secrets.gitlab-pm-docker.file = ../../secrets/gitlab-runner-docker-token.age;
age.secrets.gitlab-bsc-docker.file = ../../secrets/gitlab-bsc-docker-token.age;
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
@ -21,20 +22,88 @@
"--docker-network-mode host" "--docker-network-mode host"
]; ];
environmentVariables = { environmentVariables = {
https_proxy = "http://localhost:23080"; https_proxy = "http://hut:23080";
http_proxy = "http://localhost:23080"; http_proxy = "http://hut:23080";
}; };
}; };
in { in {
# For pm.bsc.es/gitlab # For pm.bsc.es/gitlab
gitlab-pm-shell = common-shell // { gitlab-pm-shell = common-shell // {
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path; authenticationTokenConfigFile = config.age.secrets.gitlab-pm-shell.path;
}; };
gitlab-pm-docker = common-docker // { gitlab-pm-docker = common-docker // {
authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path; authenticationTokenConfigFile = config.age.secrets.gitlab-pm-docker.path;
};
gitlab-bsc-docker = {
# gitlab.bsc.es still uses the old token mechanism
registrationConfigFile = config.age.secrets.gitlab-bsc-docker.path;
tagList = [ "docker" "hut" ];
environmentVariables = {
# We cannot access the hut local interface from docker, so we connect
# to hut directly via the ethernet one.
https_proxy = "http://hut:23080";
http_proxy = "http://hut:23080";
};
executor = "docker";
dockerImage = "alpine";
dockerVolumes = [
"/nix/store:/nix/store:ro"
"/nix/var/nix/db:/nix/var/nix/db:ro"
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
];
dockerExtraHosts = [
# Required to pass the proxy via hut
"hut:10.0.40.7"
];
dockerDisableCache = true;
registrationFlags = [
# Increase build log length to 64 MiB
"--output-limit 65536"
];
preBuildScript = pkgs.writeScript "setup-container" ''
mkdir -p -m 0755 /nix/var/log/nix/drvs
mkdir -p -m 0755 /nix/var/nix/gcroots
mkdir -p -m 0755 /nix/var/nix/profiles
mkdir -p -m 0755 /nix/var/nix/temproots
mkdir -p -m 0755 /nix/var/nix/userpool
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
mkdir -p -m 0700 "$HOME/.nix-defexpr"
mkdir -p -m 0700 "$HOME/.ssh"
cat > "$HOME/.ssh/config" << EOF
Host bscpm04.bsc.es gitlab-internal.bsc.es
User git
ProxyCommand nc -X connect -x hut:23080 %h %p
Host amdlogin1.bsc.es armlogin1.bsc.es hualogin1.bsc.es glogin1.bsc.es glogin2.bsc.es fpgalogin1.bsc.es
ProxyCommand nc -X connect -x hut:23080 %h %p
EOF
cat >> "$HOME/.ssh/known_hosts" << EOF
bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT
gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3
EOF
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
# Required to load SSL certificate paths
. ${pkgs.cacert}/nix-support/setup-hook
'';
environmentVariables = {
ENV = "/etc/profile";
USER = "root";
NIX_REMOTE = "daemon";
PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin";
}; };
}; };
}; };
};
# DOCKER* chains are useless, override at FORWARD
networking.firewall.extraCommands = ''
# Allow docker to use our proxy
iptables -I FORWARD 1 -p tcp -i docker0 -d hut --dport 23080 -j nixos-fw-accept
# Block anything else coming from docker
iptables -I FORWARD 2 -p all -i docker0 -j nixos-fw-log-refuse
'';
#systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash"; #systemd.services.gitlab-runner.serviceConfig.Shell = "${pkgs.bash}/bin/bash";
systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false; systemd.services.gitlab-runner.serviceConfig.DynamicUser = lib.mkForce false;

11
secrets/gitlab-bsc-docker-token.age Normal file
View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 HY2yRg WSdjyQPzBJ4JbzQpGeq1AAYpWKoXmLI1ZtmNmM5QOzs
qGDlDT31DQF1DdHen0+5+52DdsQlabJdA2pOB5O1I6g
-> ssh-ed25519 CAWG4Q wioWMDxQjN+d4JdIbCwZg0DLQu1OH2mV6gukRprjuAs
670fE61hidOEh20hHiQAhP0+CjDF0WMBNzgwkGT8Yqg
-> ssh-ed25519 MSF3dg DN19uvAEtqq4708P6HpuX9i/o/qAvHX6dj69dCF2H1o
4Lu9GnjiFLMeXJ2C7aVPJsCHCQVlhylNWJi896Av92s
--- 7cKBwOYNOUZ2h3/kAY09aSMASZSxX7hZIT4kvlIiT6w
³6—çà•äfQF5=¦bX+‡v e`Ï7ªA~PÎÖѦ7<15>Ì
´ÖA÷)·h³ù=oZ¸ ^´V0ñ/Ü…µr
k¸uœbĶ:R<52>>^gŒõ¼ik_*% <0B>a7ùKGæ<47>ÐÖçâ&­PI¶£n

1
secrets/secrets.nix
View File

@ -9,6 +9,7 @@ in
"gitea-runner-token.age".publicKeys = hut; "gitea-runner-token.age".publicKeys = hut;
"gitlab-runner-docker-token.age".publicKeys = hut; "gitlab-runner-docker-token.age".publicKeys = hut;
"gitlab-runner-shell-token.age".publicKeys = hut; "gitlab-runner-shell-token.age".publicKeys = hut;
"gitlab-bsc-docker-token.age".publicKeys = hut;
"nix-serve.age".publicKeys = hut; "nix-serve.age".publicKeys = hut;
"jungle-robot-password.age".publicKeys = hut; "jungle-robot-password.age".publicKeys = hut;
"ipmi.yml.age".publicKeys = hut; "ipmi.yml.age".publicKeys = hut;