monolith: cleanup host-specific modules

hosts/monolith/monolith-gitlab-runner.nix

@@ -0,0 +1,51 @@
+{
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+let
+  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { inherit inputs; })
+    mkNixRunner
+    mkNixRunnerFull
+    ;
+in
+{
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+  virtualisation.docker.enable = true;
+  services.gitlab-runner = {
+    enable = true;
+    settings.concurrent = 3;
+    services = {
+      # runner for building in docker via host's nix-daemon
+      # nix store will be readable in runner, might be insecure
+      thoreb-telemetria-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-telemetria-nix".path;
+      thoreb-itinerario-nix = mkNixRunner config.sops.secrets."gitlab-runners/thoreb-itinerario-nix".path;
+
+      wopus-gitlab-nix = mkNixRunnerFull {
+        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
+        # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
+        # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
+      };
+
+      default = {
+        # File should contain at least these two variables:
+        # `CI_SERVER_URL`
+        # `CI_SERVER_TOKEN`
+        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/docker-images-token".path;
+        dockerImage = "debian:stable";
+        dockerPullPolicy = "if-not-present";
+      };
+    };
+  };
+  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
+
+  sops.secrets = {
+    "gitlab-runners/thoreb-telemetria-nix" = { };
+    "gitlab-runners/thoreb-itinerario-nix" = { };
+    "gitlab-runners/docker-images-token" = { };
+    "gitlab-runners/wopus-gitlab-nix" = { };
+    "gitlab-runners/wopus-ssh-nix-cache-pk" = { };
+    "gitlab-runners/wopus-ssh-nix-cache-pub" = { };
+  };
+}