Add nix gitlab runner
This commit is contained in:
parent
e81357e233
commit
ab8b3d4a87
|
@ -0,0 +1,16 @@
|
|||
age-encryption.org/v1
|
||||
-> ssh-rsa BwwxHg
|
||||
KuJIQzvERsM1zAF4iikbaIMsi4e/vnyx1yq6h9Mzxf6FnXyFRcUgLPVe05krQhJX
|
||||
0wjv18bI0jxRb8742Ww9i2nU5Tlrok9ol458iye5CPl63fAlVih4/Rkl3IkUIiIz
|
||||
q/VayGVaIHmpRD2xiEa4L+NXS9N69vVXoubX0oZrB0nPdYJ83gFU9u+CBqqG2EWr
|
||||
PBjyIvT5i5MDBnPZGOudadIoyeWGfjXEPsQWhQhL9ssi5QOzLXBnTDlxT53bNvHX
|
||||
2yOFprLDZ+ZONedkxy8OXZpPDYNcgPAIHiqx1E87ftqPIucdeU49AqlPh46wrPC3
|
||||
79E2hgSoPvn4poTlJtAD0tIADRGkcEV6wLCylN2lTOUJenUfhLNQ7ok4ITx8MOv3
|
||||
IkbWiD9yTMExVBlhc+us+XfBHM8mlWs/zu+18YTy21RM03gzY6lHVZCQPxay2Rof
|
||||
A505SeZ4Tyhoy0+oLaYv9b+7DJdlhUo/XMaKSibtgJ/2MCtRqmV5ZsnuUIWn1Qsc
|
||||
|
||||
-> Vg-grease `tLg-(2z
|
||||
4EPuRnZmXpoB32r/0GCtskU3HU3h5ic
|
||||
--- QmKr+zAXnMpWBBBqNm2u954fOu2Zt8Y/kPPdq4UHgZc
|
||||
¤ì{çu|õæu´Ó€]OmXÝP3µÆ²•4_±½Â_
|
||||
q4›<EFBFBD>Ð6mþm©<‚pLH+d.hî‹’C<RDµ‘q<1F>Oø}öô3ÁZ¤KJ¤DÉàj]ÈýÒ¯Ù
ìá‚ØûCROË¥F;>‡
|
|
@ -4,6 +4,7 @@ in
|
|||
{
|
||||
"rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
|
||||
"monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
|
||||
"gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
|
||||
"lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
|
||||
"monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
|
||||
}
|
||||
|
|
|
@ -15,6 +15,48 @@
|
|||
dockerImage = "debian";
|
||||
dockerPrivileged = true;
|
||||
};
|
||||
|
||||
# runner for building in docker via host's nix-daemon
|
||||
# nix store will be readable in runner, might be insecure
|
||||
nix = with lib;{
|
||||
# File should contain at least these two variables:
|
||||
# `CI_SERVER_URL`
|
||||
# `REGISTRATION_TOKEN`
|
||||
registrationConfigFile = config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path; # 2
|
||||
dockerImage = "alpine";
|
||||
dockerVolumes = [
|
||||
"/nix/store:/nix/store:ro"
|
||||
"/nix/var/nix/db:/nix/var/nix/db:ro"
|
||||
"/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
|
||||
];
|
||||
dockerDisableCache = true;
|
||||
preBuildScript = pkgs.writeScript "setup-container" ''
|
||||
mkdir -p -m 0755 /nix/var/log/nix/drvs
|
||||
mkdir -p -m 0755 /nix/var/nix/gcroots
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles
|
||||
mkdir -p -m 0755 /nix/var/nix/temproots
|
||||
mkdir -p -m 0755 /nix/var/nix/userpool
|
||||
mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
|
||||
mkdir -p -m 1777 /nix/var/nix/profiles/per-user
|
||||
mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
|
||||
mkdir -p -m 0700 "$HOME/.nix-defexpr"
|
||||
. ${pkgs.nix}/etc/profile.d/nix-daemon.sh
|
||||
${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
|
||||
${pkgs.nix}/bin/nix-channel --update nixpkgs
|
||||
${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
|
||||
'';
|
||||
environmentVariables = {
|
||||
ENV = "/etc/profile";
|
||||
USER = "root";
|
||||
NIX_REMOTE = "daemon";
|
||||
PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
|
||||
NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
|
||||
};
|
||||
tagList = [ "nix" ];
|
||||
};
|
||||
|
||||
|
||||
|
||||
};
|
||||
};
|
||||
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
|
||||
|
|
|
@ -4,6 +4,8 @@
|
|||
secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;
|
||||
secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file =
|
||||
../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
|
||||
secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.file =
|
||||
../secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age;
|
||||
secrets.rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.file =
|
||||
../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
|
||||
secrets.monolith-nix-serve-privkey.file =
|
||||
|
|
Loading…
Reference in a new issue