From ab8b3d4a8712b212daee3a4e336bfdf1453d687b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Leonardo=20Eug=C3=AAnio?= Date: Fri, 24 Feb 2023 12:37:35 -0300 Subject: [PATCH] Add nix gitlab runner --- ...oreb-telemetria-registrationConfigFile.age | 16 +++++++ secrets/secrets.nix | 1 + system/monolith-gitlab-runner.nix | 42 +++++++++++++++++++ system/secrets.nix | 2 + 4 files changed, 61 insertions(+) create mode 100644 secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age diff --git a/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age b/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age new file mode 100644 index 0000000..1d7d3ff --- /dev/null +++ b/secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-rsa BwwxHg +KuJIQzvERsM1zAF4iikbaIMsi4e/vnyx1yq6h9Mzxf6FnXyFRcUgLPVe05krQhJX +0wjv18bI0jxRb8742Ww9i2nU5Tlrok9ol458iye5CPl63fAlVih4/Rkl3IkUIiIz +q/VayGVaIHmpRD2xiEa4L+NXS9N69vVXoubX0oZrB0nPdYJ83gFU9u+CBqqG2EWr +PBjyIvT5i5MDBnPZGOudadIoyeWGfjXEPsQWhQhL9ssi5QOzLXBnTDlxT53bNvHX +2yOFprLDZ+ZONedkxy8OXZpPDYNcgPAIHiqx1E87ftqPIucdeU49AqlPh46wrPC3 +79E2hgSoPvn4poTlJtAD0tIADRGkcEV6wLCylN2lTOUJenUfhLNQ7ok4ITx8MOv3 +IkbWiD9yTMExVBlhc+us+XfBHM8mlWs/zu+18YTy21RM03gzY6lHVZCQPxay2Rof +A505SeZ4Tyhoy0+oLaYv9b+7DJdlhUo/XMaKSibtgJ/2MCtRqmV5ZsnuUIWn1Qsc + +-> Vg-grease `tLg-(2z +4EPuRnZmXpoB32r/0GCtskU3HU3h5ic +--- QmKr+zAXnMpWBBBqNm2u954fOu2Zt8Y/kPPdq4UHgZc +{u| uӀ]OmXP34__ +q46mm \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index cb4c4a0..28c42a9 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -4,6 +4,7 @@
 in {
 "rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
 "monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
+ "gitlab-runner-thoreb-telemetria-registrationConfigFile.age".publicKeys = [ main_ssh_public_key ];
 "lelgenio-cachix.age".publicKeys = [ main_ssh_public_key ];
 "monolith-nix-serve-privkey.age".publicKeys = [ main_ssh_public_key ];
 }
diff --git a/system/monolith-gitlab-runner.nix b/system/monolith-gitlab-runner.nix
index f27eb9c..88aed45 100644
--- a/system/monolith-gitlab-runner.nix
+++ b/system/monolith-gitlab-runner.nix
@@ -15,6 +15,48 @@
 dockerImage = "debian";
 dockerPrivileged = true;
 };
+
+ # runner for building in docker via host's nix-daemon
+ # nix store will be readable in runner, might be insecure
+ nix = with lib;{
+ # File should contain at least these two variables:
+ # `CI_SERVER_URL`
+ # `REGISTRATION_TOKEN`
+ registrationConfigFile = config.age.secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.path; # 2
+ dockerImage = "alpine";
+ dockerVolumes = [
+ "/nix/store:/nix/store:ro"
+ "/nix/var/nix/db:/nix/var/nix/db:ro"
+ "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+ ];
+ dockerDisableCache = true;
+ preBuildScript = pkgs.writeScript "setup-container" ''
+ mkdir -p -m 0755 /nix/var/log/nix/drvs
+ mkdir -p -m 0755 /nix/var/nix/gcroots
+ mkdir -p -m 0755 /nix/var/nix/profiles
+ mkdir -p -m 0755 /nix/var/nix/temproots
+ mkdir -p -m 0755 /nix/var/nix/userpool
+ mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+ mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+ mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+ mkdir -p -m 0700 "$HOME/.nix-defexpr"
+ . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+ ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs # 3
+ ${pkgs.nix}/bin/nix-channel --update nixpkgs
+ ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+ '';
+ environmentVariables = {
+ ENV = "/etc/profile";
+ USER = "root";
+ NIX_REMOTE = "daemon";
+ PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+ NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+ };
+ tagList = [ "nix" ];
+ };
+
+
+
 };
 };
 systemd.services.gitlab-runner.serviceConfig.Nice = 10;
diff --git a/system/secrets.nix b/system/secrets.nix
index 437325c..776ee6e 100644
--- a/system/secrets.nix
+++ b/system/secrets.nix
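Review bot: The pre-build script registers `nixos-20.09` as the container's default `nixpkgs` channel, a release that had been end-of-life since mid-2021 at this commit's date, so any job on this runner that evaluates `<nixpkgs>` builds against unpatched packages; the trailing `# 2` and `# 3` look like callout markers carried over from the documentation example and should go. The `nix-env -i` line is unaffected, since it installs the host's own `${pkgs.nix}`, cacert, git and openssh store paths rather than anything from the channel. I would replace the channel line with a current release, e.g. `${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-22.11 nixpkgs`, or drop both `nix-channel` lines if jobs are expected to pin their own inputs. Separately, the `:ro` on the `/nix/var/nix/daemon-socket` mount does not prevent a job from connecting to the daemon (a read-only bind mount does not block connect() on a unix socket), so the comment `# nix store will be readable in runner, might be insecure` understates the exposure: every job on this runner can submit arbitrary builds to the host nix-daemon as well as read the whole store, and the comment should say so. The enclosing attribute set opens before the hunk.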
@@ -4,6 +4,8 @@
 secrets.lelgenio-cachix.file = ../secrets/lelgenio-cachix.age;
 secrets.monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.file =
 ../secrets/monolith-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
+ secrets.gitlab-runner-thoreb-telemetria-registrationConfigFile.file =
+ ../secrets/gitlab-runner-thoreb-telemetria-registrationConfigFile.age;
 secrets.rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.file =
 ../secrets/rainbow-gitlab-runner-thoreb-itinerario-registrationConfigFile.age;
 secrets.monolith-nix-serve-privkey.file =