monolith: add declarative bitbucket runners

flake.nix

@@ -146,6 +146,7 @@
           modules = [
             ./hosts/monolith
             ./system/monolith-gitlab-runner.nix
+            ./system/monolith-bitbucket-runner.nix
             ./system/monolith-forgejo-runner.nix
             ./system/nix-serve.nix
           ] ++ common_modules;

secrets/monolith/default.yaml

@@ -4,6 +4,11 @@ gitlab-runners:
     thoreb-telemetria-nix: ENC[AES256_GCM,data:zrZvG4be08ulpo7itbrprKK5csCMLvzZjrszfMw1XiJP0FyRTUd9nHgHpbAzbjj2KyT7kKngoZAyengvaTEhkT9sUi1pdGnvajAH8BDDOD0g4LJIHFl4,iv:3bSsTzU7gHx+MchuPg9kmb5xEDugmGPje8Jw74NpRJI=,tag:zffRr77lWbyLt7o/mywb5A==,type:str]
     thoreb-itinerario-nix: ENC[AES256_GCM,data:UdAAD0V895sFoEYR56sCG2LlpZugJ0K/nwkTygzWOnbTSmBRAcIQ8qVFPZGw+K+XMSLiCyio6Jp7k8AYP0K1VYm+6aEP3OkqR9FCLQTJgXo=,iv:UGUby50BYkn13OzItk6zZmxc5+SnbZZa4bebQHIow2A=,tag:LjDg3deWwdH2T71EtPo6jA==,type:str]
     docker-images-token: ENC[AES256_GCM,data:GGB/KSkjdAyhFKEspAh91ItbqEDf7K/LZSGSn+Jp7SxRfXpDzHIiMD8XJ9PTkGLeQGN4ug1i2nTYPS7d/P5OALWDU+1NPiV9nPdG0w7GERfu4g==,iv:6roabdOKX9xFMf0hWlECd73+943R+hFLos0e2dOpzns=,tag:LrASFc4DtN7aQ+3oOW/p/w==,type:str]
+bitbucket-runners:
+    wopus-runner-1: ENC[AES256_GCM,data:gtH0T5n8qMYpvSv5ciN8+ScGlFDf9xE0FTxNP97vT/qsOCcaItTE+5P+DFcWw46onLED+1c+u0sArFbEsT3f8lyco9b+0l99uOQAxLZQzAXYH8zGye1UnwUtytkci2PHu5c8kTpIWHXyZ1IOYNGWkermeab57ANzOkM1LbkHyAjS6VTh0I60LfAOdHOw5FDFL8d1d9oWxLloOe9USLPqHjC023EpCUT2YuyHoPCTpBu8Kb/2HfV0wkAKaB3dvVrKwXCj+bfP6+bjQ3uMzVO/7jxPmnSGBfvyZ+Hlg5goJ6bSAqQWmnPPnQ96FgQfe8su5ML9qNIp9/7eNiL6Rv6Vhxe0hHbE5wsZ/58grcg/LrugeWJvUJ9THhwcTwO8Pkvwlq0XM9seUY2NV+LCK3bLQ4IWDjWkU1IHg6+nihTcvl1iD6UIGMgqGoB/v05WVzHb+GcE2fFuSuhVHfa5RMyboELOJoFrqZiXGhY=,iv:ZakLafxYQCDd1Zw8T83Xfj+YwAQKna9LC6ognJqtifA=,tag:bwBObfdMIvJfRrOG04NtxA==,type:str]
+    wopus-runner-2: ENC[AES256_GCM,data:gg8merZMFbf396hdJY7zmKQndT3GzB7NeGZAs3C0au8Zd7OFAg9vcQcFcxNA3kZGJZqmFTR/ycWJwhYr9fhlfFuPhDynVvgJAqoYtvC2MUDiOMD/d3DlfwFjQ6cOGTrvFuY1kkgSFb4OFdrVC1eiTDrGygFmYnYcqTKn/t5Ttqi+cHZNzFzVzdVLvaLCYxltM5g45zn+fXYxYwCfqyb32/M1XTnnwIGiataGxEX5oWhVV4zqeLO4ZIYPSby5AVvIMJ/zqvqaeVVY52GLDcTKrj3thbZxMQLWN3/lOA0uYhi3L/WM8Gx+JMEIbSICcuT7QXu4w4PA+opcx9GnsMCK2/egzS+cNPJ4vGZCdVD/jh6A9zVEJAgXdsHXNXFHmMPt7DcgrCQiub62og4kBY4G/Rcg4UN7sb3v3qyBpGbCGHGRjCFc+wdHpom0yDOG2cwcqfN49pC2R7Ag2BisFQ/5A+DPmKnvGG3kt9s=,iv:5g5XiDecYqi4JNRkZubgPJECBQdZ6rBeojgFe6Etebk=,tag:HRy5bFSbfxKTb5e13lGtgg==,type:str]
+    wopus-runner-3: ENC[AES256_GCM,data:f9pLYR8t51HtPpLyXysIVaDAhxDrmktJH93E7rb7imtKwK7hRhR8usnvHTcknLfD7BMvStAIYefdGt19u7PrQu6vqc19bEcNbnK5OH4KBP6+X47oMgBYtbIGXH+t3dSDt22fSIoppTwdX7/Kf4vqesfN8K7EunETvFR86oyyKdy15mvXr0XUO4us4HZjnIOBEnOm1P/V8hk5JcCpRuo+8ZYmBe5gzq5pTnqnYlPE1EovM7eDMg72J7ev07h50qvySrAqmNiqDcXfTPQ2TzuHx3XxAYqFybf1L6P9OnLB6RDAlpoFJ0h8dSg2tzC2+amYsBP0UIBK/ZhWvvAjpX+MZrTASjenh/tefDcNdbsXDOr7A4i/261z4rC0r+97INglCN1N/SZg51iBHiRAVV1zibDLfioR5+eBIykWAtjILMoYU+zOcr0E8K0I9jQGMtpnYmvHJqV0DVcdfZpJptrPUUy+lQ/iZVcPpLs=,iv:grzvVsfpUzywjNE4jvTxXKG3TYajrvSsQgfOgtafvIo=,tag:K1B6crN0ckLk0EYBtGHDkw==,type:str]
+    wopus-runner-4: ENC[AES256_GCM,data:D1Zq0BtPuACnutAbUcj3gYSMLuIZcMuqc/1mEFmitEG0tBFMWhkabS+8lXcp8sb1DM0LTDMEwgMB9FVyFb670MKQNEncqQtaNJtY1BxS3SolovDAM/I+i6YGvd4X8jX99d+7ZNR6xGBWJ/dW8rz4QnIM8Eh3FDOqaFa/ltfyPKP9IZ2uZi67C/n8Q/OSdgMQkt+QxhgJfSghE1iruPwxyGlqv+E4SZNI/fQQMjX0Lh7z02ms58yyMtjO71YbukV/JXFRsdJrqY2wfH/6NlZbsKideoSxluBRVqmbW6KQd7dUT819KbOSu9CFdgThtVCU8qiv3jbAbn8D5xRy4AAOEfSqRLXJoj7otCqr47R/8+0BdS3aztFBjL3lDmprMWZ4+LD55fvczfpxUF9ox1mhcjIvCvZJJL06XsST1XRXa7i2fr4/a/XhCmQgIzar5IYxSC9OjuHp6jLsTaY3ZUgid5W1L1n8uWSmA98=,iv:O9caRG//brERiIhuMrsFdTz6TnPY0rdQnvHEu0P42yM=,tag:hrmwLX/CRhZfammJ2nfTPw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -38,8 +43,8 @@ sops:
             TGNwNUQxN0VQMHErMGVZbG5CZW9kSGMK9TRcgSJQT73dYoQxrrqFW/FkKExLGT4T
             Xagi6Eq4rhT7pvaL4h3vglwbqkLPsHrWRSyhh0sAEIJ1WpvD+cFEMA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-07T16:48:32Z"
-    mac: ENC[AES256_GCM,data:vyO1MMSRCoc8CK1wqXdgvvAiNP4NUXxpF1MPNsz2z9ioeu15ue2AYV+kWH3I94qUOZ93UM+Nbfx1sqN+JKpkbQ7iS8vY1NNwovEYtrp4FInr6esYOIJXSvvf/3wlWoquSaNACQnbjKJKgV05m24+hu/meIXMYs9sn2SxlnetTmg=,iv:W1jokO9Shhle0cWZpR5bonVdLPZAOo76h8sClMUYZbE=,tag:1Pg5f6q6TmBrAmYWuhKaKQ==,type:str]
+    lastmodified: "2025-03-07T21:28:04Z"
+    mac: ENC[AES256_GCM,data:4lOafZQ6PP38CByulzA/J86sw+TpQhj40s1lTRXqUtpt72yH8nQK8dXpw0dNYvDBtDpKRvNTHZubzalEua6n2lCQL7rsZ2+fo6FJ4ht2Kb70dddDcWEyrfyZQ2FaKC5L/QjqM0SbIfPszNvyQ8wIaOoMfNJBis5QOjRSGDAcJm8=,iv:LLT0oJW+3KNe1nKphCK0c5FPIuh8GfnDrvNDCFhP4NM=,tag:rPbVY7L1qxNc3aCfv77FAg==,type:str]
     pgp:
         - created_at: "2025-03-07T14:42:24Z"
           enc: |-

system/monolith-bitbucket-runner.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  mkRunner = secret: {
+    image = "docker-public.packages.atlassian.com/sox/atlassian/bitbucket-pipelines-runner:latest";
+    volumes = [
+      "/tmp:/tmp"
+      "/var/run/docker.sock:/var/run/docker.sock"
+      "/var/lib/docker/containers:/var/lib/docker/containers:ro"
+    ];
+    environmentFiles = [ secret ];
+  };
+
+  secretConf = {
+    sopsFile = ../secrets/monolith/default.yaml;
+  };
+in
+{
+  virtualisation.docker = {
+    enable = true;
+    daemon.settings = {
+      # needed by bitbucket runner ???
+      log-driver = "json-file";
+      log-opts = {
+        max-size = "10m";
+        max-file = "3";
+      };
+    };
+  };
+
+  virtualisation.oci-containers.backend = "docker";
+
+  virtualisation.oci-containers.containers = {
+    bitbucket-runner-1 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-1".path;
+    bitbucket-runner-2 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-2".path;
+    bitbucket-runner-3 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-3".path;
+    bitbucket-runner-4 = mkRunner config.sops.secrets."bitbucket-runners/wopus-runner-4".path;
+  };
+
+  sops.secrets = {
+    "bitbucket-runners/wopus-runner-1" = secretConf;
+    "bitbucket-runners/wopus-runner-2" = secretConf;
+    "bitbucket-runners/wopus-runner-3" = secretConf;
+    "bitbucket-runners/wopus-runner-4" = secretConf;
+  };
+}