monolith: add docker-images gitlab runner

This commit is contained in:
Leonardo Eugênio 2025-03-07 13:11:42 -03:00
parent 553ea251fa
commit 0bc125c944
5 changed files with 121 additions and 15 deletions

View file

@ -12,7 +12,17 @@ creation_rules:
age:
- *lelgenio-ssh
- *monolith-ssh
- path_regex: secrets/monolith/[^/]+\.(yaml|json|env|ini)$
key_groups:
- pgp:
- *lelgenio-gpg
age:
- *lelgenio-ssh
- *monolith-ssh
- path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- pgp:
- *lelgenio-gpg
age:
- *lelgenio-ssh
- *phantom-ssh

View file

@ -0,0 +1,56 @@
gitlab-runners:
docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCldST3lPZXBV
cTVNK3R3RjlFcDQ4UldRT0tsSVJ2N2FkN0hiOVllT2Rrc2NjVWtMbnMrWHVMN1k5
dExsVHFhMHMKRVVzR1pzeG01Y2FidWNrQ0xjK1FUZktnWTZaWWlWalM5cWhZWE9U
TFU3ZXV3aGp6QkRIZkl4MDFJN2RRQVkrdwpqQlE5ajFTVW15MVVyTkNaS3JiOFph
cGthWWZ4R3Rldjh0a2lnd1dSbUcvSVpDdHJKVk5GVy8vR05WbmhUWFhuCkZsaWk5
L2dnNE4rNTV6VWpIZlNIMENzZVlKS2NEOFdmSFhsYkFNSHRlTENYeGNtekpDaUN4
V3l2VWtta3hSVFIKblVDZ1hOdzZQbWswTDB5MXd3dXpXQW44MFhFR0hGZkxjbzlU
WkR5dFhhbVpTUGZwQVR3WXNCUjJWYlAyTU1VeQpkWEdXQjVUemlRdXVxZVE4SGVU
TFlPS0FEV1dRRWU0K1d1ZTRrZGU1MHVKQ0lCemJmcUhOaWtON3ZDbUtad2lXCklt
aFREN3BmdEo1TUw2V2NtQ0QvbE1EQ25OeW5ZaldOY04zQjFQbWRnWjhJaWZKWXJn
UlBTTjV0VkpEY0FhZjQKTURjT004dHEvS24rNGVBSE1KK0ZabTBKb0Z4QTJvS2Fi
czdnWEpUTXJsRVMvdWFzVlJLT281a3JwQi9PMGVDcQoKLS0tIFgvSE14blgvVkxQ
b3N5WWlzdG5hajZaVFVkWVlhOXNZKytmZEZrZVprRHMKXqPgDpKG42KsfKfIAflT
1meea416Af+WeFhWnw8fBBhApKrMMmYMMjDi1lIOGDz57ydNqtlFqdFtkiQsUC0f
wA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTWVYNXNQcHhHSzVBQmhU
ejlOQzJMZ0xEVFVkbzNPQ0hMVHBQWEgzQTFJCkF6ZDNaZ29UM29vWGZqVW10dmlQ
YjNFNXJVMlcxT1ZsMU55cE8vc3VjaXMKLS0tIDZYQTRjMWp5a3hKc2N4alZKZHFt
TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T
Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-07T14:47:44Z"
mac: ENC[AES256_GCM,data:k0yhfVhDmtU8wOZIylaxmmd+8TIXCzCbGhlaQnyeLplH2BDHVnpzAxBJVizS/VtVpAkjMAESndXqW7N6pnGnRWdZPtCxE8KNtz/nUxCZA44cn+mjC+ghKgsgaLuxe4smu0f4u4TK2uFsJqw5J0VGFgMtyKe4AaHujoXWL80zTR0=,iv:xiDrOtto246oPjMw5+ny0qB8HjdMpkzZyPNi3csgMVE=,tag:2xioMXxERDSePdIwPpP7hg==,type:str]
pgp:
- created_at: "2025-03-07T14:42:24Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAzy6JxafzLr5AQf/Y0QIIBN0uY3RUj88u5L0tJqypnKOAlfLOMYPkZ0oomAd
ZowogLWJgWyFC6NTdZRj84GoF2EAMDZqDAwh7shrZSpuhr0rwT7bGMQ4/VSx/Sxs
uCgkzXGMT0DsGjDOw6h17dDLNAnnvViamL1Br3ZXG7gZJXmUhPavL1YXeQciPqjh
FyJLAKeb9sQAFUp0Aexo4fKZSJh//O8jTiz7vl5klpQnDHWzpkcuxqIajIoYFdcL
ioP1GnrsUDfyXh2zfLcggxs/WHU24/C8DZqWai9WqRA08kJpw+aj1835vmUIWM0W
E5TF9h/tOEGw+PGhvwNiEvONhv/tpyLpjoXylbisjtJeAY6Fntxcrssw2cKMimFV
UjBuf2vSmQlNBqU+LE0JOICmRsmnLZTEPXnPqpqBTRV4gj4kTLCJYcaEIFP7uSEd
WlCyyX28ACGThorQEoQ/W2bFfNT/Mi7CNQ8EOckmKg==
=6Qin
-----END PGP MESSAGE-----
fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
unencrypted_suffix: _unencrypted
version: 3.9.4-unstable

View file

@ -14,17 +14,51 @@ sops:
azure_kv: []
hc_vault: []
age:
- recipient: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCxR/w+38b2lX90yNBqhq3mUmkn1WGu6GAPhN1tVp2ZjYRJNV/+5gWCnTtOWYtDx35HmK/spQ2Qy8X9ttkzORa24fysNx1Iqn/TiXhD7eIJjbGPnrOpIKTkW5/uB3SD/P5NBSa06//BaqJU4sBlG79hoXRpod052hQtdpTVDiMCIV+iboWPKqopmJJfWdBtVnHXs9rep0htPRExxGslImFk7Z6xjcaHyCpIQZPlOGf+sGsmUU7jRqzvZFV8ucIdbnAlMHrU4pepNFhuraESyZVTa/bi9sw0iozXp5Q5+5thMebEslmT1Z771kI4sieDy+O4r8c0Sx2/VY1UAzcpq1faggc3YB01MTh+tiEC6xdMvZLrQGL1NBWjHleMyL53GU5ERluC0vXJF3Hv3BGGBDfXWbrEm5n06DHr2apRVJGC0LwiQ7Woud1X4V4X1pKSusxCVMjT2lmcOwV6YhKhB2sowJc1OdMx4+tL0UWE+YKSZgBHfolwk6ml0F4EO9nnUHc= lelgenio@i15
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1yc2EgQnd3eEhnCm9xWXdTQjZU
Znpiak1xdE1kTm56NWI3bUNlQXBFcjhNNFlwbDVUcGhrS2J4Y1M3aXFydjVGYmVI
UmNKVmkrb3cKWHNsa2FZaE4zbnJWYVo1SDhTOEZxM0JMRWJ0ckpySk11V09LMkd5
bjhQRkpSZG0xYko3aTFqQmVFU3JhSWo1Ugo2Nk0rNzJBNzJvbVJkU0VhSmRRWE5B
RUt4S3h1cFZkZHkxOU5VUTcxN1JBNFlaYTkyZTNSM3JVUjhCUStNODRMCjdJRWlv
d0g4bnlQMzhWSGUxY04vRnUvbTlyWVQ0eWsvbnk4UmxxOHVZblM3bVFETXJiVjRE
b2s1ZFVHaEFNc3EKSDJTYUVSNWtKQS81bUdOcDA0SnZGeE4vQkt6bFZWY1dxNm9S
YVhRdjVCb3RGaC94djZZeFhXaTZSVVYzaUJ6KwoxQXNKcU9Dbk8xYWRvaGJwSXdu
Zzk4Y09zbW54elJHdjJ6OTNyeURwZ3JJL0gvaFVRUmgyRnNBbXFJU1l5U2FwCm56
bzc0TkVWdnNoWnBMMjlKbnZicmRxdXIwd2hCZGp5dEQ2TnBtdTZCdnJRbzIyZFhV
L1ZpVW9nZmNqQW45c0cKYnIxQTc2aEowTUprZ1pYVCt3L2NsVHJ5SWF1aHZUR1E5
eGVrcUphWk1vVURBL2J4UlZLQXluNC82YnNhQUFOQgoKLS0tICtOTXVyUzZldUJO
QkN0eUVRSDlDWmthU0VrRUZDb0VBTVFhL24raHJDcGsKcspICwz+f6y21yogiXO3
Qp7evIuOzfWe6pMtge5BjxWTlzIdi2btFTzuTjgZaOiQd8FIB3iTqBkepUVD49jN
RQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxQkRWWmYweUNpcDRNbzRW
NnQ4R3JPK0oydm9iL0owS0d6Nm92eTFJZldFCnZpUVUvWi9FYTBDSGNvUUJRZHNz
QStPT0hCc08xUmh4dEdJdmVPRm01V2cKLS0tIEZPMmNKdGUvNnVWYXZNTHA3SkE3
ZTNJbW9EWktPb2M5TVBNekUrZXVoUFkKLEsQVYVp7fTBRDA7RO8Kjpc5MUPb5U7I
WKZtNhsMZsP+SLgZWBF1PpvcjlDlNA2Z+Hqsrw6vsq6DYpnxToxfZQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TklEaUl2QkVtVVN5UXlC
cW9RaHNoSnRkV0lKTmtYS0VZQnhyM0o0cUFNCmZWemJuOFVyK1ZFbkR1RUZOTEVB
WmJFemRrd0xIUW43cElkdVJOM052N2cKLS0tIFJpRTNtQ1hjWGJwSFJLRDNRSm4z
WW9MbmZoTllLalpWcFdOa3JpaThPMjQKa5vVGp+L1V2/ScyUe0EaOVw4TB8paS2w
79VgplKN6HL+f6bL/0rIUOwJ6PDW944bOioKDYvbUCpBnSRYIHnYoQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-03-05T22:27:18Z"
mac: ENC[AES256_GCM,data:WSopSnWZ+uOllywd7difaZtJcfxkL7eIf9Kr3GajZKO0+rP6pEHIS+5AbXZy6oKRlCLUPecY/WXFvk3//akpvvXHbf6Jp4fQ/YSuTcYKRQupbDBpOXSlc33QyRl6oEyiMOjxMxa2N2tmq8dmA0NbF9wSDMa5a4eNDoiL5T/sUZ8=,iv:QqbVRApzFF6q24rk8KfKuthj656nEczD9Si4INj+N9A=,tag:tMRNYo+u/jIQ6iX3KqKJdA==,type:str]
pgp: []
pgp:
- created_at: "2025-03-07T16:05:59Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAzy6JxafzLr5AQf/djnT5hse11QoFPbmuu5rmc/0vpOQ79G6MYZtHlXL/HbP
hx0r25yTI6ICayFiO7luovz58saN0BY5K1dCbGB7+nZ8lrKoGE4GhX4k5Cc/KJIO
BTEbTqMJLezkb34FsuXgD9o2udNysC3Bpi/3NbPCYsJkVeCmx1wyEWzWhz51RO4M
WEyKkE0DyJfOpTuY2fofGhaA866firFDrS2SeiU4Dox4au3iR4VYqt6IITmgZdDE
M9LRp3AzOPOUZzpeRcer4ksh8WVDIWPEEL+w+OGo8QpUL3kqHIMVPgXY0kBOR+5s
tVTCLVe7yoimK/oSYkEx9Z3TYRwKV6ggJWahX7VHaNJeAVxIon8Qs8W2L+f1gclK
tPbaE+jCg6AH3apD3ICisxCj0Vvm+NsWMo2skeN2YGyWBCOoeGcG5OhgJtD0cQiw
QxCzywMXujxYYAXJEvhk4YRhaCOMkTTMGNoloWMugg==
=CHH0
-----END PGP MESSAGE-----
fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
unencrypted_suffix: _unencrypted
version: 3.9.4-unstable

View file

@ -29,14 +29,6 @@
zramSwap.enable = true;
sops = {
secrets.hello = { };
};
environment.etc."teste-sops" = {
text = config.sops.secrets.hello.path;
};
# Enable touchpad support (enabled default in most desktopManager).
services.libinput.enable = true;

View file

@ -18,7 +18,21 @@ in
# nix store will be readable in runner, might be insecure
thoreb-telemetria-nix = mkNixRunner config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path;
thoreb-itinerario-nix = mkNixRunner config.age.secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.path;
default = {
# File should contain at least these two variables:
# `CI_SERVER_URL`
# `CI_SERVER_TOKEN`
authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
dockerImage = "debian:stable";
};
};
};
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
sops.secrets = {
"gitlab-runners/docker-images-token" = {
sopsFile = ../secrets/monolith/default.yaml;
};
};
}