From 9310a7b0b9dba45c9b1eb36ff2fea44afc38b625 Mon Sep 17 00:00:00 2001 From: Rodrigo Arias Date: Tue, 11 Apr 2023 12:47:52 +0200 Subject: [PATCH] Add gitlab-runner secrets using agenix --- gitlab-runner.nix | 27 ++++++--------------------- secrets.nix | 8 ++++++++ secrets/ovni-token.age | 11 +++++++++++ 3 files changed, 25 insertions(+), 21 deletions(-) create mode 100644 secrets.nix create mode 100644 secrets/ovni-token.age diff --git a/gitlab-runner.nix b/gitlab-runner.nix index a0f45a1..0f9c3ba 100644 --- a/gitlab-runner.nix +++ b/gitlab-runner.nix @@ -1,30 +1,21 @@ { pkgs, lib, config, ... }: { + age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age; + services.gitlab-runner = { enable = true; services = { - # runner for executing stuff on host system (very insecure!) - # make sure to add required packages (including git!) - # to `environment.systemPackages` - shell = { - # File should contain at least these two variables: - # `CI_SERVER_URL` - # `REGISTRATION_TOKEN` - registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + ovni-shell = { + registrationConfigFile = config.age.secrets."secrets/ovni-token".path; executor = "shell"; tagList = [ "nix" "xeon" ]; environmentVariables = { SHELL = "${pkgs.bash}/bin/bash"; }; }; - - # runner for everything else - default = { - # File should contain at least these two variables: - # `CI_SERVER_URL` - # `REGISTRATION_TOKEN` - registrationConfigFile = "/run/secrets/gitlab-runner-registration"; + ovni-docker = { + registrationConfigFile = config.age.secrets."secrets/ovni-token".path; dockerImage = "debian:stable"; tagList = [ "docker" "xeon" ]; registrationFlags = [ "--docker-network-mode host" ]; 
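Review bot: The new `age.secrets."secrets/ovni-token"` entry sets only `file`, so the decrypted token is installed with agenix's defaults (owned by root, mode 0400); the `users.users.gitlab-runner` block in the next hunk suggests the runner is not run as root, and if the registration step that reads `registrationConfigFile` runs as that user rather than with full privileges it will fail to open the secret. Declaring the owner with the file, `age.secrets."secrets/ovni-token" = { file = ./secrets/ovni-token.age; owner = "gitlab-runner"; };`, covers that case while keeping the token unreadable to every other account. The hunk also drops the comments that told operators what the registration file must contain, which the encrypted file can no longer show; a one-line note above the `age.secrets` line, such as `# decrypted file must define CI_SERVER_URL and REGISTRATION_TOKEN (used by both runners below)`, should be restored.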
@@ -43,12 +34,6 @@ systemd.services.gitlab-runner.serviceConfig.ExecStart = lib.mkForce ''${pkgs.gitlab-runner}/bin/gitlab-runner --debug run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}''; - # TODO https://docs.gitlab.com/runner/configuration/proxy.html - #systemd.services.docker.environment = { - # HTTP_PROXY="http://localhost:23080/"; - # HTTPS_PROXY="http://localhost:23080/"; - #}; - users.users.gitlab-runner = { uid = config.ids.uids.gitlab-runner; #isNormalUser = true; diff --git a/secrets.nix b/secrets.nix new file mode 100644 index 0000000..425f8c8 --- /dev/null +++ b/secrets.nix @@ -0,0 +1,8 @@ +let + root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb"; + system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1"; + systems = [ root system ]; +in +{ + "secrets/ovni-token.age".publicKeys = systems; +} diff --git a/secrets/ovni-token.age b/secrets/ovni-token.age new file mode 100644 index 0000000..8241b6d --- /dev/null +++ b/secrets/ovni-token.age @@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 MSF3dg Ivlduky3TjzCthY9RB/Jb0+MouX2FYW06hoNdQ+f818 +NKnuQrTQBXjTArXG6/5KV5cdg/9JUk/l3vVdYq0fXOE +-> ssh-ed25519 HY2yRg 1ZCKpZ7sXNPgllHoozCgyW8NqK2TCoyCYZdug6YeJkM +BEeThDkjfaK9S5a81HcyaZv9zobKANVMEimduc/IO54 +-> &eB%}y-grease o;.XY Yirz }Xh\DG +CkLRClqWRkCr7n8o5UV9+kdCik2iTG/dI1s666CKcgxbAPohmryJzOKdgRLyzCf0 +CSPMUfrixmuQtuShigtmY6Pm2A +--- GEuNMnWZ3+B6QNXv7s7bfJdJ2bJAAW+jbfHQZ0UQB+k +3.-ӮƿD{\%R0߷|PFxs_Px`4,z35Ldrj2^ +]h4~AP‹e3fTEl*8z.x207 \ No newline at end of file
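Review bot: The two recipient keys in secrets.nix carry no comment saying whose they are, so a later reader cannot tell which one must stay in the list for the host to decrypt `secrets/ovni-token.age` at activation and which one is an editor's key; agenix decrypts with the identities in `age.identityPaths` (the host's SSH host keys by default), so one of these is presumably that host key. A comment on each, e.g. `# operator key used to edit secrets` and `# host key of the runner machine (/etc/ssh/ssh_host_ed25519_key.pub) — confirm`, plus a note that `agenix -r` must be run after this list changes so the .age file is re-encrypted for the new recipients, would make the file self-explaining. It is also worth recording here that the committed .age file holds a GitLab runner registration token, so this key list is the access-control boundary for it and should be kept to the keys that genuinely need it.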