From 7b192929127609920300bdcf900a475014f867aa Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Mallo Date: Thu, 12 Jun 2025 13:49:51 +0200 Subject: [PATCH] Add docker GitLab runner for BSC GitLab MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Reviewed-by: Aleix Boné Reviewed-by: Aleix Roca Nonell --- m/tent/gitlab-runner.nix | 44 ++++++++++++++++++ secrets/secrets.nix | 1 + .../tent-gitlab-runner-bsc-docker-token.age | Bin 0 -> 628 bytes 3 files changed, 45 insertions(+) create mode 100644 secrets/tent-gitlab-runner-bsc-docker-token.age diff --git a/m/tent/gitlab-runner.nix b/m/tent/gitlab-runner.nix index aa1dbd55..447c5837 100644 --- a/m/tent/gitlab-runner.nix +++ b/m/tent/gitlab-runner.nix @@ -2,6 +2,7 @@ { age.secrets.tent-gitlab-runner-pm-shell.file = ../../secrets/tent-gitlab-runner-pm-shell-token.age; + age.secrets.tent-gitlab-runner-bsc-docker.file = ../../secrets/tent-gitlab-runner-bsc-docker-token.age; services.gitlab-runner = let sec = config.age.secrets; in { enable = true; 
@@ -19,6 +20,48 @@ env ''; }; + gitlab-bsc-docker = { + # gitlab.bsc.es still uses the old token mechanism + registrationConfigFile = sec.tent-gitlab-runner-bsc-docker.path; + tagList = [ "docker" "tent" "nix" ]; + executor = "docker"; + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + dockerDisableCache = true; + registrationFlags = [ + # Increase build log length to 64 MiB + "--output-limit 65536" + ]; + preBuildScript = pkgs.writeScript "setup-container" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" + mkdir -p -m 0700 "$HOME/.ssh" + cat >> "$HOME/.ssh/known_hosts" << EOF + bscpm04.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPx4mC0etyyjYUT2Ztc/bs4ZXSbVMrogs1ZTP924PDgT + gitlab-internal.bsc.es ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF9arsAOSRB06hdy71oTvJHG2Mg8zfebADxpvc37lZo3 + EOF + . ${pkgs.nix}/etc/profile.d/nix-daemon.sh + # Required to load SSL certificate paths + . ${pkgs.cacert}/nix-support/setup-hook + ''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "${config.system.path}/bin:/bin:/sbin:/usr/bin:/usr/sbin"; + }; + }; }; }; @@ -35,6 +78,7 @@ home = "/var/lib/gitlab-runner"; description = "Gitlab Runner"; group = "gitlab-runner"; + extraGroups = [ "docker" ]; createHome = true; }; users.groups.gitlab-runner.gid = config.ids.gids.gitlab-runner; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ad1a4d0f..791a3aca 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
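Review bot: Mounting the host nix-daemon socket into every job container (the `dockerVolumes` entry for `/nix/var/nix/daemon-socket`, used through `NIX_REMOTE = "daemon"`) while the job runs as `USER = "root"` means the daemon will, as far as I can tell, see the job's peer credentials as uid 0 and treat it as a trusted user unless Docker user-namespace remapping is in place on the host, and trusted users can override build settings such as sandboxing and substituters. The `:ro` on that volume does not limit this, because connecting to a Unix socket is not a filesystem write. Depending on whether the registration token is project- or instance-scoped, that is a wide audience for host-level Nix access, so the boundary should be recorded and, where the executor permits, narrowed by running the job under an unprivileged uid; a comment on `dockerVolumes` such as `# Exposes the host nix-daemon to the job; root in the container is seen as uid 0 (a trusted user) by the daemon` would keep the trade-off visible. The enclosing `services.gitlab-runner` attribute set starts before this hunk.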
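Review bot: `extraGroups = [ "docker" ]` on the `gitlab-runner` user grants access to the Docker socket, which is root-equivalent on this host, and nothing in the hunk records that this is deliberate rather than incidental. A comment next to it, e.g. `# docker executor needs the socket; membership is root-equivalent on the host`, would keep that implication from being lost when the account is audited later. The `users.users.gitlab-runner` set starts before this hunk.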
@@ -18,6 +18,7 @@ in "tent-gitlab-runner-pm-docker-token.age".publicKeys = tent; "tent-gitlab-runner-pm-shell-token.age".publicKeys = tent; + "tent-gitlab-runner-bsc-docker-token.age".publicKeys = tent; "ceph-user.age".publicKeys = safe; "munge-key.age".publicKeys = safe; diff --git a/secrets/tent-gitlab-runner-bsc-docker-token.age b/secrets/tent-gitlab-runner-bsc-docker-token.age new file mode 100644 index 0000000000000000000000000000000000000000..8c69121a61468287707e6ec89d75db7b18a628c2 GIT binary patch literal 628 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCT4H}#1yEmugd%y5qg zDR(sXFVpr;F35~X%5e2@^-C_abk;Y~cTUsKaxTp-k2ET)@a0PN^v`lJ%P&v%3Np_O zH#V*EFbp?JweWFDaY=IuNDK2VH!~_NGLEV$EJwG^*)iPRBv2tcGOO65tlZ4VGAA;^ zB+4()J1eEqJkvSdB+c2!KR49GpfWwPEZEW9&6UeI#JMmr!bdy9Gt@uC(J?A2$IH0b z-6`L>+$Z1JB+9YO(=gdD%fmR-uo&I83P*EeOGky&#JsA+D0j2MWOwsQpTh8vqVOEA zl)ONbGK-?(EN%bt0@vig%F;p?Cs(e33LlRWPtR1#(x9-!yx=IusERV9{FKCU6SpWg zk1P|jaL1%Xau%{+1pDt*lZtK9wEEu71p43eS>D+<%ntAdRZ zEA!H_@(g^=!^^pJb#)ageGDCoirmYSGAq2RLQN{eB7?k)JQ7{Q&C)yrs*=s~Jq^r5wGGmP zK(4!|aX~7rd#{7@y_}lZGe2tV89w;x%W0_JHaKoORe!ol#JUXal)_k%t%X^i7GGx# zTUy`DC6M@Rg3+gCQrt|1oRz7Qn?G;b%k8ACxa