Use authentication tokens for PM GitLab runner

Starting with GitLab 16, there is a new mechanism to authenticate the
runners via authentication tokens, so use it instead.  Older tokens and
runners are also removed, as they are no longer used.

With the new way of managing tokens, both the tags and the locked state
are managed from the GitLab web page.

See: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html
Reviewed-by: Aleix Boné <abonerib@bsc.es>

m/hut/gitlab-runner.nix

@@ -1,9 +1,8 @@
 { pkgs, lib, config, ... }:
 
 {
-  age.secrets.ovniToken.file = ../../secrets/ovni-token.age;
+  age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age;
-  age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age;
+  age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age;
-  age.secrets.nosvToken.file = ../../secrets/nosv-token.age;
 
   services.gitlab-runner = {
     enable = true;
@@ -11,20 +10,14 @@
     services = let
       common-shell = {
         executor = "shell";
-        tagList = [ "nix" "xeon" ];
-        registrationFlags = [
-          # Using space doesn't work, and causes it to misread the next flag
-          "--locked='false'"
-        ];
         environmentVariables = {
           SHELL = "${pkgs.bash}/bin/bash";
         };
       };
       common-docker = {
+        executor = "docker";
         dockerImage = "debian:stable";
-        tagList = [ "docker" "xeon" ];
         registrationFlags = [
-          "--locked='false'"
           "--docker-network-mode host"
         ];
         environmentVariables = {
@@ -33,19 +26,12 @@
         };
       };
     in {
-      # For gitlab.bsc.es
-      gitlab-bsc-es-shell = common-shell // {
-        registrationConfigFile = config.age.secrets.gitlabToken.path;
-      };
-      gitlab-bsc-es-docker = common-docker // {
-        registrationConfigFile = config.age.secrets.gitlabToken.path;
-      };
       # For pm.bsc.es/gitlab
       gitlab-pm-shell = common-shell // {
-        registrationConfigFile = config.age.secrets.ovniToken.path;
+        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path;
       };
       gitlab-pm-docker = common-docker // {
-        registrationConfigFile = config.age.secrets.ovniToken.path;
+        authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path;
       };
     };
   };

secrets/gitlab-bsc-es-token.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ
-8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ
--> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM
-BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co
--> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0
-kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0
--> )Q-grease vHF} [8p1> @7z;C"/
-tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4
---- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI
-á6nGJÖ0Bˆ’7F° –bßÙ½2®L³äÇ]²2zl<7A>À&e†KÄx®àé9SWNàV"MfŽ€ëÙKHUC:1b;9St‰ëõ±Duѧç‹Ï¢žÌŸ¡<02>èÐéîÀ–<C380>ÔfÕ7¨î1§I(õdÓþô‡ïó

secrets/gitlab-runner-docker-token.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ
+jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY
+-> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU
+8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg
+-> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA
+SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8
+--- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18
+ä·ù
¼Â‡%å]yi"ô<>»LÓâùH`ªa$Æþ)¦9ve<76>.0úmÉK<EFBFBD>vƒÀïu"|1cÞ-%ÔÕ"åWFï¡ÞA«<41>hº$•ºj<eñ¶xÅLx«ç.?œÈâ:L…¬–ƒ,ëu»|³‹F|Õi²äÔ

secrets/nosv-token.age

@@ -1,11 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE
-avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro
--> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA
-FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70
--> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o
-BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8
--> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t
-oLG+0S1aGfO/ohCfgGmhDhwwLi4H
---- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI
-¹õW©o÷ ÙÄd;ËÐC¾.¹¡_(“u
G¡€‰#ìvâœgÉ<67>†õõy¹Y‰žl9ŒÈ
¡Ïµ.Œé0x<30>Þ½úN. /ü<>tB×b‡ü¼K¼ì:Q×—È\¹ÀÍT_´»Átxïm’——_JñÞž-š

secrets/secrets.nix

@@ -6,10 +6,9 @@ let
   safe = keys.hostGroup.safe ++ adminsKeys;
 in
 {
-  "gitlab-bsc-es-token.age".publicKeys = hut;
   "gitea-runner-token.age".publicKeys = hut;
-  "ovni-token.age".publicKeys = hut;
+  "gitlab-runner-docker-token.age".publicKeys = hut;
-  "nosv-token.age".publicKeys = hut;
+  "gitlab-runner-shell-token.age".publicKeys = hut;
   "nix-serve.age".publicKeys = hut;
   "jungle-robot-password.age".publicKeys = hut;