From e80b4d7c31a6bdd2f49928bbb3f6e83a75273af3 Mon Sep 17 00:00:00 2001
From: Rodrigo Arias Mallo
Date: Thu, 5 Jun 2025 11:11:13 +0200
Subject: [PATCH] Add GitLab shell runner in tent for PM
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Aleix Boné
Reviewed-by: Aleix Roca Nonell
---
 m/tent/configuration.nix | 1 +
 m/tent/gitlab-runner.nix | 41 +++++++++++++++++++
 secrets/secrets.nix | 4 ++
 secrets/tent-gitlab-runner-pm-shell-token.age | 13 ++++++
 4 files changed, 59 insertions(+)
 create mode 100644 m/tent/gitlab-runner.nix
 create mode 100644 secrets/tent-gitlab-runner-pm-shell-token.age

diff --git a/m/tent/configuration.nix b/m/tent/configuration.nix
index 8449b37..9a242ac 100644
--- a/m/tent/configuration.nix
+++ b/m/tent/configuration.nix
@@ -9,6 +9,7 @@
 ./monitoring.nix
 ./nginx.nix
 ./nix-serve.nix
+ ./gitlab-runner.nix
 ];
 
 # Select the this using the ID to avoid mismatches
diff --git a/m/tent/gitlab-runner.nix b/m/tent/gitlab-runner.nix
new file mode 100644
index 0000000..aa1dbd5
--- /dev/null
+++ b/m/tent/gitlab-runner.nix
@@ -0,0 +1,41 @@
+{ pkgs, lib, config, ... }:
+
+{
+ age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age;
+
+ services.gitlab-runner = let sec = config.age.secrets; in {
+ enable = true;
+ settings.concurrent = 5;
+ services = {
+ # For gitlab.pm.bsc.es
+ gitlab-pm-shell = {
+ executor = "shell";
+ environmentVariables = {
+ SHELL = "${pkgs.bash}/bin/bash";
+ };
+ authenticationTokenConfigFile = sec.tent-gitlab-runner-pm-shell.path;
+ preGetSourcesScript = pkgs.writeScript "setup" ''
+ echo "This is the preGetSources script running, brace for impact"
+ env
+ '';
+ };
+ };
+ };
+
+ systemd.services.gitlab-runner.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "gitlab-runner";
+ Group = "gitlab-runner";
+ ExecStart = lib.mkForce
+ ''${pkgs.gitlab-runner}/bin/gitlab-runner run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
+ };
+
+ users.users.gitlab-runner = {
+ uid = config.ids.uids.gitlab-runner;
+ home = "/var/lib/gitlab-runner";
+ description = "Gitlab Runner";
+ group = "gitlab-runner";
+ createHome = true;
+ };
+ users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner;
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 450c828..ad1a4d0 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,6 +3,7 @@ let
 adminsKeys = builtins.attrValues keys.admins;
 hut = [ keys.hosts.hut ] ++ adminsKeys;
 mon = [ keys.hosts.hut keys.hosts.tent ] ++ adminsKeys;
+ tent = [ keys.hosts.tent ] ++ adminsKeys;
 # Only expose ceph keys to safe nodes and admins
 safe = keys.hostGroup.safe ++ adminsKeys;
 in
@@ -15,6 +16,9 @@ in
 "jungle-robot-password.age".publicKeys = mon;
 "ipmi.yml.age".publicKeys = mon;
 
+ "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent;
+ "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent;
+
 "ceph-user.age".publicKeys = safe;
 "munge-key.age".publicKeys = safe;
 }
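Review bot: The `preGetSourcesScript` runs `env`, which dumps the complete job environment — CI_JOB_TOKEN plus every project or group variable that is not marked masked — into the job log of every job on this runner, where anyone who can read the pipeline on gitlab.pm.bsc.es sees it; together with the "brace for impact" message this reads as debugging output that should not ship. Replace the two lines with something that prints no secrets, e.g. `echo "preGetSources: running as $(id -un) in $PWD"`, or drop the hook entirely. Separately, with the shell executor every job runs as the same `gitlab-runner` user whose `${HOME}` holds both `.gitlab-runner/config.toml` (the runner authentication token, per the `--config` path in `ExecStart`) and the `--working-directory` for builds, so a job from any project allowed to use this runner can presumably read or rewrite the runner's own token and other projects' checkouts; a comment above `gitlab-pm-shell` stating which projects the runner is registered for, and that all of them must trust this host and each other, would document that boundary. If that shared trust is not intended, the docker executor or unit hardening (`ProtectSystem`, `PrivateTmp`, `NoNewPrivileges`) is the fix rather than a comment.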
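Review bot: `tent-gitlab-runner-pm-docker-token.age` is declared with `publicKeys = tent` but no such file is part of this commit (the diffstat lists only the shell token), so the entry is dead until a follow-up adds the file and a matching runner definition. Either drop the line here or add the encrypted file in the same commit, so `secrets.nix` stays an accurate inventory of what actually exists and is decryptable on tent. A one-line comment above the pair, `# GitLab runner authentication tokens for gitlab.pm.bsc.es, readable only by tent and admins`, would match the style of the `# Only expose ceph keys ...` comment in the first hunk and record the intended recipient set.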
diff --git a/secrets/tent-gitlab-runner-pm-shell-token.age b/secrets/tent-gitlab-runner-pm-shell-token.age new file mode 100644 index 0000000..1940789 --- /dev/null +++ b/secrets/tent-gitlab-runner-pm-shell-token.age @@ -0,0 +1,13 @@ +age-encryption.org/v1 +-> ssh-ed25519 G5LX5w V9bHLoGuY4stRwbzVS9Qa0L9yoY+UoCoXc+dJJQW/Ag +2ut9GfdJ3KBCqZRaloZCQsl8MLfaZAZxqj6JtPJzu2k +-> ssh-ed25519 CAWG4Q OAqnIfMECpKglZ7aF9tv/PQinG1Ou2+IEZ+nf4dtQjg +dANdMLe4iI0d6Xd/dIMpZK+mgw2+VmJFQScHaIxD7WI +-> ssh-ed25519 xA739A nVNF4Y6VSa5PP6FFBJpVmoFYYseoFx5F2wJU+Pwk+Xk +A5CiuTSNlX9Y76qhYgblBdJl3zPhtjWho2oL5/sIKu0 +-> ssh-ed25519 MSF3dg /WMsGnBGzquIMyw06gHKpSS4OUxheulT59kxi+/pxxU +ppwcv7RLzUbQUM7j0Tb9rRVT9XyPMhqYr2fr4S0nTJY +--- zOe0Ko0oxArbmxePMPDVAT0pDju7IeOAih7sNrDcoVs +ikA +hODVw! E݈+`C5LAtM^ E<HI_nno?j- +AnԔί>ZzdTb"(@{_ځC \ No newline at end of file