Add GitLab shell runner in tent for PM

Reviewed-by: Aleix Boné <abonerib@bsc.es>
Reviewed-by: Aleix Roca Nonell <aleix.rocanonell@bsc.es>

m/tent/configuration.nix

@@ -9,6 +9,7 @@
     ./monitoring.nix
     ./nginx.nix
     ./nix-serve.nix
+    ./gitlab-runner.nix
   ];
 
   # Select the this using the ID to avoid mismatches

m/tent/gitlab-runner.nix

@@ -0,0 +1,41 @@
+{ pkgs, lib, config, ... }:
+
+{
+  age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age;
+
+  services.gitlab-runner = let sec = config.age.secrets; in {
+    enable = true;
+    settings.concurrent = 5;
+    services = {
+      # For gitlab.pm.bsc.es
+      gitlab-pm-shell = {
+        executor = "shell";
+        environmentVariables = {
+          SHELL = "${pkgs.bash}/bin/bash";
+        };
+        authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path;
+        preGetSourcesScript = pkgs.writeScript "setup" ''
+          echo "This is the preGetSources script running, brace for impact"
+          env
+        '';
+      };
+    };
+  };
+
+  systemd.services.gitlab-runner.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "gitlab-runner";
+    Group = "gitlab-runner";
+    ExecStart = lib.mkForce
+      ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
+  };
+
+  users.users.gitlab-runner = {
+    uid = config.ids.uids.gitlab-runner;
+    home = "/var/lib/gitlab-runner";
+    description = "Gitlab Runner";
+    group = "gitlab-runner";
+    createHome = true;
+  };
+  users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}

secrets/secrets.nix

@@ -3,6 +3,7 @@ let
   adminsKeys = builtins.attrValues keys.admins;
   hut = [ keys.hosts.hut ] ++ adminsKeys;
   mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
+  tent = [ keys.hosts.tent ] ++ adminsKeys;
   # Only expose ceph keys to safe nodes and admins
   safe = keys.hostGroup.safe ++ adminsKeys;
 in
@@ -15,6 +16,9 @@ in
   "jungle-robot-password.age".publicKeys = mon;
   "ipmi.yml.age".publicKeys = mon;
 
+  "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
+  "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
+
   "ceph-user.age".publicKeys = safe;
   "munge-key.age".publicKeys = safe;
 }

secrets/tent-gitlab-runner-pm-shell-token.age

@@ -0,0 +1,13 @@
+age-encryption.org/v1
+-> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag
+2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k
+-> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg
+dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI
+-> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk
+A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0
+-> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU
+ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY
+--- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs
+iÜkªA
+hODV‹w!ËÕØE݈ƒÔ+±§`í¬<C3AD>ÅCî©5<C2A9>L<EFBFBD>A‹t<1A>M^
˜E<ÏHI–_ÍnnàÃÕoÁ?ój-ö
+A³nԔίË>ZÕòzšë…dT½Ìb"‘(@‹§{_Ú<5F>C