rarias/jungle
rarias/jungle
1
0
Fork 0
Code Issues 27 Pull Requests Packages Projects Releases Wiki Activity

Add gitlab-runner secrets using agenix

Browse Source
This commit is contained in:
Rodrigo Arias 2023-04-11 12:47:52 +02:00
parent 40b9beb86b
commit 9310a7b0b9
3 changed files with 25 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
gitlab-runner.nix
View File

@ -1,30 +1,21 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
{ {
age.secrets."secrets/ovni-token".file = ./secrets/ovni-token.age;
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
services = { services = {
# runner for executing stuff on host system (very insecure!) ovni-shell = {
# make sure to add required packages (including git!) registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
# to `environment.systemPackages`
shell = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
executor = "shell"; executor = "shell";
tagList = [ "nix" "xeon" ]; tagList = [ "nix" "xeon" ];
environmentVariables = { environmentVariables = {
SHELL = "${pkgs.bash}/bin/bash"; SHELL = "${pkgs.bash}/bin/bash";
}; };
}; };
ovni-docker = {
# runner for everything else registrationConfigFile = config.age.secrets."secrets/ovni-token".path;
default = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `REGISTRATION_TOKEN`
registrationConfigFile = "/run/secrets/gitlab-runner-registration";
dockerImage = "debian:stable"; dockerImage = "debian:stable";
tagList = [ "docker" "xeon" ]; tagList = [ "docker" "xeon" ];
registrationFlags = [ "--docker-network-mode host" ]; registrationFlags = [ "--docker-network-mode host" ];
@ -43,12 +34,6 @@
systemd.services.gitlab-runner.serviceConfig.ExecStart = lib.mkForce systemd.services.gitlab-runner.serviceConfig.ExecStart = lib.mkForce
''${pkgs.gitlab-runner}/bin/gitlab-runner --debug run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}''; ''${pkgs.gitlab-runner}/bin/gitlab-runner --debug run --config ''${HOME}/.gitlab-runner/config.toml --listen-address "127.0.0.1:9252" --working-directory ''${HOME}'';
# TODO https://docs.gitlab.com/runner/configuration/proxy.html
#systemd.services.docker.environment = {
# HTTP_PROXY="http://localhost:23080/";
# HTTPS_PROXY="http://localhost:23080/";
#};
users.users.gitlab-runner = { users.users.gitlab-runner = {
uid = config.ids.uids.gitlab-runner; uid = config.ids.uids.gitlab-runner;
#isNormalUser = true; #isNormalUser = true;

8
secrets.nix Normal file
View File

@ -0,0 +1,8 @@
let
root = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIII/1TNArcwA6D47mgW4TArwlxQRpwmIGiZDysah40Gb";
system = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICO7jIp6JRnRWTMDsTB/aiaICJCl4x8qmKMPSs4lCqP1";
systems = [ root system ];
in
{
"secrets/ovni-token.age".publicKeys = systems;
}

11
secrets/ovni-token.age Normal file
View File

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 MSF3dg Ivlduky3TjzCthY9RB/Jb0+MouX2FYW06hoNdQ+f818
NKnuQrTQBXjTArXG6/5KV5cdg/9JUk/l3vVdYq0fXOE
-> ssh-ed25519 HY2yRg 1ZCKpZ7sXNPgllHoozCgyW8NqK2TCoyCYZdug6YeJkM
BEeThDkjfaK9S5a81HcyaZv9zobKANVMEimduc/IO54
-> &eB%}y-grease o;.XY Yirz }Xh\DG
CkLRClqWRkCr7n8o5UV9+kdCik2iTG/dI1s666CKcgxbAPohmryJzOKdgRLyzCf0
CSPMUfrixmuQtuShigtmY6Pm2A
--- GEuNMnWZ3+B6QNXv7s7bfJdJ2bJAAW+jbfHQZ0UQB+k
¦²3‡Ã.¦-ãÓ®ÒÆ¿D£€{\¹ìÔ%ªÜR0¤ß·°þ¶±æ°|ÖP¿Fñxžs_P°¯x`4Ä,<2C>z35üL˜Ëdrj½2¬ï^Õ
ëÿ]Àhç4~APÍÂäe3fTàEÃl*ù8z.û÷Õx2<78>0ª7