Use authentication tokens for PM GitLab runner
Starting with GitLab 16, there is a new mechanism to authenticate the runners via authentication tokens, so use it instead. Older tokens and runners are also removed, as they are no longer used. With the new way of managing tokens, both the tags and the locked state are managed from the GitLab web page. See: https://docs.gitlab.com/ee/ci/runners/new_creation_workflow.html Reviewed-by: Aleix Boné <abonerib@bsc.es>
This commit is contained in:
		
							parent
							
								
									7ed74931cf
								
							
						
					
					
						commit
						b86798cd69
					
				| @ -1,9 +1,8 @@ | |||||||
| { pkgs, lib, config, ... }: | { pkgs, lib, config, ... }: | ||||||
| 
 | 
 | ||||||
| { | { | ||||||
|   age.secrets.ovniToken.file = ../../secrets/ovni-token.age; |   age.secrets.gitlabRunnerShellToken.file = ../../secrets/gitlab-runner-shell-token.age; | ||||||
|   age.secrets.gitlabToken.file = ../../secrets/gitlab-bsc-es-token.age; |   age.secrets.gitlabRunnerDockerToken.file = ../../secrets/gitlab-runner-docker-token.age; | ||||||
|   age.secrets.nosvToken.file = ../../secrets/nosv-token.age; |  | ||||||
| 
 | 
 | ||||||
|   services.gitlab-runner = { |   services.gitlab-runner = { | ||||||
|     enable = true; |     enable = true; | ||||||
| @ -11,20 +10,14 @@ | |||||||
|     services = let |     services = let | ||||||
|       common-shell = { |       common-shell = { | ||||||
|         executor = "shell"; |         executor = "shell"; | ||||||
|         tagList = [ "nix" "xeon" ]; |  | ||||||
|         registrationFlags = [ |  | ||||||
|           # Using space doesn't work, and causes it to misread the next flag |  | ||||||
|           "--locked='false'" |  | ||||||
|         ]; |  | ||||||
|         environmentVariables = { |         environmentVariables = { | ||||||
|           SHELL = "${pkgs.bash}/bin/bash"; |           SHELL = "${pkgs.bash}/bin/bash"; | ||||||
|         }; |         }; | ||||||
|       }; |       }; | ||||||
|       common-docker = { |       common-docker = { | ||||||
|  |         executor = "docker"; | ||||||
|         dockerImage = "debian:stable"; |         dockerImage = "debian:stable"; | ||||||
|         tagList = [ "docker" "xeon" ]; |  | ||||||
|         registrationFlags = [ |         registrationFlags = [ | ||||||
|           "--locked='false'" |  | ||||||
|           "--docker-network-mode host" |           "--docker-network-mode host" | ||||||
|         ]; |         ]; | ||||||
|         environmentVariables = { |         environmentVariables = { | ||||||
| @ -33,19 +26,12 @@ | |||||||
|         }; |         }; | ||||||
|       }; |       }; | ||||||
|     in { |     in { | ||||||
|       # For gitlab.bsc.es |  | ||||||
|       gitlab-bsc-es-shell = common-shell // { |  | ||||||
|         registrationConfigFile = config.age.secrets.gitlabToken.path; |  | ||||||
|       }; |  | ||||||
|       gitlab-bsc-es-docker = common-docker // { |  | ||||||
|         registrationConfigFile = config.age.secrets.gitlabToken.path; |  | ||||||
|       }; |  | ||||||
|       # For pm.bsc.es/gitlab |       # For pm.bsc.es/gitlab | ||||||
|       gitlab-pm-shell = common-shell // { |       gitlab-pm-shell = common-shell // { | ||||||
|         registrationConfigFile = config.age.secrets.ovniToken.path; |         authenticationTokenConfigFile = config.age.secrets.gitlabRunnerShellToken.path; | ||||||
|       }; |       }; | ||||||
|       gitlab-pm-docker = common-docker // { |       gitlab-pm-docker = common-docker // { | ||||||
|         registrationConfigFile = config.age.secrets.ovniToken.path; |         authenticationTokenConfigFile = config.age.secrets.gitlabRunnerDockerToken.path; | ||||||
|       }; |       }; | ||||||
|     }; |     }; | ||||||
|   }; |   }; | ||||||
|  | |||||||
| @ -1,11 +0,0 @@ | |||||||
| age-encryption.org/v1 |  | ||||||
| -> ssh-ed25519 HY2yRg caTbx0NBmsTSmZH4HtBaxhsauWqWUDTesJqT08UsoEQ |  | ||||||
| 8ND31xuco+H8d5SKg8xsCFRPVDhU4d8UKwV1BnmKVjQ |  | ||||||
| -> ssh-ed25519 CAWG4Q 4ETYuhCwHHECkut4DWDknMMgpAvFqtzLWVC2Wi2L8FM |  | ||||||
| BGMvRnAfd8qZG5hzLefmk32FkGvwzE9pqBUyx4JY0co |  | ||||||
| -> ssh-ed25519 MSF3dg hj5QL4ZfylN8/W/MXQHvVqtI7mRvlQOYr8HsaQEmPB0 |  | ||||||
| kvB7sljmmkswSGZDQnrwdTbTsN78EAwH3pz1pPe0Hu0 |  | ||||||
| -> )Q-grease vHF} [8p1> @7z;C"/ |  | ||||||
| tgSUKFyyrf2jLXZp+pakigwB2fRO/WFj2Qnt1aPjtVPEK92JbJ4 |  | ||||||
| --- xzM0AhV4gTQE0Q7inJNo9vFj+crJQxWeI7u9pl7bqAI |  | ||||||
| á6nGJÖ0Bˆ’7F° –bßÙ½2®L³äÇ]²2zl<7A>À&e†KÄx®àé9SWNàV"MfŽ€ëÙKHUC:1b;9St‰ëõ±Duѧç‹Ï¢žÌŸ¡<02>èÐéîÀ–<C380>ÔfÕ7¨î1§I(õdÓþô‡ïó |  | ||||||
							
								
								
									
										9
									
								
								secrets/gitlab-runner-docker-token.age
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										9
									
								
								secrets/gitlab-runner-docker-token.age
									
									
									
									
									
										Normal file
									
								
							| @ -0,0 +1,9 @@ | |||||||
|  | age-encryption.org/v1 | ||||||
|  | -> ssh-ed25519 HY2yRg WvKK6U1wQtx2pbUDfuaUIXTQiCulDkz7hgUCSwMfMzQ | ||||||
|  | jLktUMqKuVxukqzz++pHOKvmucUQqeKYy5IwBma7KxY | ||||||
|  | -> ssh-ed25519 CAWG4Q XKGuNNoYFl9bdZzsqYYTY7GsEt5sypLW4R+1uk78NmU | ||||||
|  | 8dIA2GzRAwTGM5CDHSM2BUBsbXzEAUssWUz2PY2PaTg | ||||||
|  | -> ssh-ed25519 MSF3dg T630RsKuZIF/bp+KITnIIWWHsg6M/VQGqbWQZxqT+AA | ||||||
|  | SraZcgZJVtmUzHF/XR9J7aK5t5EDNpkC/av/WJUT/G8 | ||||||
|  | --- /12G8pj9sbs591OM/ryhoLnSWWmzYcoqprk9uN/3g18 | ||||||
|  | ä·ù¼Â‡%å]yi"ô<>»LÓâùH`ªa$Æþ)¦9ve<76>.0úmÉK<EFBFBD>vƒÀïu"|1cÞ-%ÔÕ"åWFï¡ÞA«<41>hº$•ºj<eñ¶xÅLx«ç.?œÈâ:L…¬–ƒ,ëu»|³‹F|Õi²äÔ | ||||||
							
								
								
									
										
											BIN
										
									
								
								secrets/gitlab-runner-shell-token.age
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										
											BIN
										
									
								
								secrets/gitlab-runner-shell-token.age
									
									
									
									
									
										Normal file
									
								
							
										
											Binary file not shown.
										
									
								
							| @ -1,11 +0,0 @@ | |||||||
| age-encryption.org/v1 |  | ||||||
| -> ssh-ed25519 HY2yRg hrdS7Dl/j+u3XVfM79ZJpZSlre9TcD7DTQ+EEAT6kEE |  | ||||||
| avUO96P1h7w2BYWgrQ7GpUgdaCV9AZL7eOTTcF9gfro |  | ||||||
| -> ssh-ed25519 CAWG4Q A5raRY1CAgFYZgoQ92GMyNejYNdHx/7Y6uTS+EjLPWA |  | ||||||
| FRFqT2Jz7qRcybaxkQTKHGl797LVXoHpYG4RZSrX/70 |  | ||||||
| -> ssh-ed25519 MSF3dg D+R80Bg7W9AuiOMAqtGFZQl994dRBIegYRLmmTaeZ3o |  | ||||||
| BHvZsugRiuZ91b4jk91h30o3eF3hadSnVCwxXge95T8 |  | ||||||
| -> BT/El`a-grease W{nq|Vm )bld 2Nl}4 N$#JGB4t |  | ||||||
| oLG+0S1aGfO/ohCfgGmhDhwwLi4H |  | ||||||
| --- 2I5C+FvBG/K1ZHh7C5QD39feTSLoFGwcTeZAmeILNsI |  | ||||||
| ¹õW©o÷ ÙÄd;ËÐC¾.¹¡_(“u
G¡€‰#ìvâœgÉ<67>†õõy¹Y‰žl9ŒÈ¡Ïµ.Œé0x<30>Þ½úN. /ü<>tB×b‡ü¼K¼ì:Q×—È\¹ÀÍT_´»Átxïm’——_JñÞž-š |  | ||||||
										
											Binary file not shown.
										
									
								
							| @ -6,10 +6,9 @@ let | |||||||
|   safe = keys.hostGroup.safe ++ adminsKeys; |   safe = keys.hostGroup.safe ++ adminsKeys; | ||||||
| in | in | ||||||
| { | { | ||||||
|   "gitlab-bsc-es-token.age".publicKeys = hut; |  | ||||||
|   "gitea-runner-token.age".publicKeys = hut; |   "gitea-runner-token.age".publicKeys = hut; | ||||||
|   "ovni-token.age".publicKeys = hut; |   "gitlab-runner-docker-token.age".publicKeys = hut; | ||||||
|   "nosv-token.age".publicKeys = hut; |   "gitlab-runner-shell-token.age".publicKeys = hut; | ||||||
|   "nix-serve.age".publicKeys = hut; |   "nix-serve.age".publicKeys = hut; | ||||||
|   "jungle-robot-password.age".publicKeys = hut; |   "jungle-robot-password.age".publicKeys = hut; | ||||||
| 
 | 
 | ||||||
|  | |||||||
		Loading…
	
	
			
			x
			
			
		
	
		Reference in New Issue
	
	Block a user