monolith: cleanup host-specific modules

2026-02-24 14:22:16 -03:00 · 2026-02-24 14:22:16 -03:00 · 5adec3b1d3
commit 5adec3b1d3
parent 52f5d725ea
5 changed files with 12 additions and 36 deletions
--- a/hosts/monolith/default.nix
+++ b/hosts/monolith/default.nix
@ -27,6 +27,8 @@ in
    ./factorio-server.nix
    ./nebula-vpn.nix
    ./minio.nix
+    ./monolith-forgejo-runner.nix
+    ./monolith-gitlab-runner.nix
  ];
  boot.initrd.availableKernelModules = [
    "nvme"
--- a/hosts/monolith/monolith-forgejo-runner.nix
+++ b/hosts/monolith/monolith-forgejo-runner.nix
@ -0,0 +1,22 @@
+{ pkgs, config, ... }:
+{
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.lelgenio.com";
+      tokenFile = config.sops.secrets."forgejo-runners/git.lelgenio.com-default".path;
+      labels = [
+        # provide a debian base with nodejs for actions
+        "debian-latest:docker://node:18-bullseye"
+        # fake the ubuntu name, because node provides no ubuntu builds
+        "ubuntu-latest:docker://node:18-bullseye"
+        # provide native execution on the host
+        #"native:host"
+      ];
+    };
+  };
+
+  sops.secrets."forgejo-runners/git.lelgenio.com-default" = { };
+}
--- a/hosts/monolith/monolith-gitlab-runner.nix
+++ b/hosts/monolith/monolith-gitlab-runner.nix
@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { inherit inputs; })
+    mkNixRunner
+    mkNixRunnerFull
+    ;
+in
+{
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+  virtualisation.docker.enable = true;
+  services.gitlab-runner = {
+    enable = true;
+    settings.concurrent = 3;
+    services = {
+      # runner for building in docker via host's nix-daemon
+      # nix store will be readable in runner, might be insecure
+      thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
+      thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
+
+      wopus-gitlab-nix = mkNixRunnerFull {
+        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
+        # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
+        # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
+      };
+
+      default = {
+        # File should contain at least these two variables:
+        # `CI_SERVER_URL`
+        # `CI_SERVER_TOKEN`
+        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
+        dockerImage = "debian:stable";
+        dockerPullPolicy = "if-not-present";
+      };
+    };
+  };
+  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
+
+  sops.secrets = {
+    "gitlab-runners/thoreb-telemetria-nix" = { };
+    "gitlab-runners/thoreb-itinerario-nix" = { };
+    "gitlab-runners/docker-images-token" = { };
+    "gitlab-runners/wopus-gitlab-nix" = { };
+    "gitlab-runners/wopus-ssh-nix-cache-pk" = { };
+    "gitlab-runners/wopus-ssh-nix-cache-pub" = { };
+  };
+}