diff --git a/.sops.yaml b/.sops.yaml index b93a6e2..d72a625 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -4,6 +4,7 @@ keys: - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw - &double-rainbow-ssh age1026d4c8nqyapcsy4jz57szt6zw3ejcgv3ecyvz0s89t7w7z964fqdqv52h - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y + - &stonehenge-ssh age13y65zemwlfnf5pszspeh87utv5jrfm35varxjdsh78xhfhs7la3scm9l9g creation_rules: - path_regex: secrets/[^/]+\.(yaml|json|env|ini|gpg)$ @@ -35,3 +36,10 @@ creation_rules: age: - *lelgenio-ssh - *phantom-ssh + - path_regex: secrets/stonehenge/[^/]+\.(yaml|json|env|ini|gpg)$ + key_groups: + - pgp: + - *lelgenio-gpg + age: + - *lelgenio-ssh + - *stonehenge-ssh diff --git a/hosts/stonehenge/default.nix b/hosts/stonehenge/default.nix index 2717816..3c80bd4 100644 --- a/hosts/stonehenge/default.nix +++ b/hosts/stonehenge/default.nix @@ -8,6 +8,7 @@ imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix + ./gitlab-runner.nix ]; # Bootloader. @@ -92,6 +93,8 @@ ]; }; + security.sudo.wheelNeedsPassword = false; + # Install firefox. programs.firefox.enable = true; diff --git a/hosts/stonehenge/gitlab-runner.nix b/hosts/stonehenge/gitlab-runner.nix new file mode 100644 index 0000000..65498fc --- /dev/null +++ b/hosts/stonehenge/gitlab-runner.nix @@ -0,0 +1,36 @@ +{ + config, + pkgs, + ... +}: +let + inherit (pkgs.callPackage ../../system/gitlab-runner.nix { }) mkNixRunnerFull; +in +{ + boot.kernel.sysctl."net.ipv4.ip_forward" = true; + virtualisation.docker.enable = true; + services.gitlab-runner = { + enable = true; + settings.concurrent = 4; + services = { + wopus-gitlab-nix = mkNixRunnerFull { + authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path; + # nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path; + # nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path; + }; + }; + }; + systemd.services.gitlab-runner.serviceConfig.Nice = 10; + + sops.secrets = { + "gitlab-runners/wopus-gitlab-nix" = { + sopsFile = ../../secrets/stonehenge/default.yaml; + }; + "gitlab-runners/wopus-ssh-nix-cache-pk" = { + sopsFile = ../../secrets/stonehenge/default.yaml; + }; + "gitlab-runners/wopus-ssh-nix-cache-pub" = { + sopsFile = ../../secrets/stonehenge/default.yaml; + }; + }; +} diff --git a/secrets/stonehenge/default.yaml b/secrets/stonehenge/default.yaml new file mode 100644 index 0000000..b8310ab --- /dev/null +++ b/secrets/stonehenge/default.yaml @@ -0,0 +1,44 @@ +gitlab-runners: + wopus-gitlab-nix: ENC[AES256_GCM,data:u+FYWx3yluA+zFk8VV7RB4TW1AP81K8Ntgd7QDHwb2w0bzQH7URmfF1PrQgZGu/r5Q4zOFgmyUkL6EML9KFFu+3QpilIOTXitiEoi/McOn0DnAOTLhW1Fbg42jKd3gTU9OyLDijlQs3ktyRRSg+1TIEsYNc=,iv:LjRyav0YVKtG79roC8KRS99cVVfu8IJRpAQ9w79PFa0=,tag:K2rjIn823sER+zHezFyAZw==,type:str] + wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:hAAMdGvTduLQe+e6g0BVrvDATsVuRX5LxLQA2LqFPrdeNVPNzlWt5dNY4PjDuGKKeOyIjfTP2a4R2tLhjzQzSmoUZZVCEijohIsoDLbTfXgDDSOwXiTTr2nj3Hw4+TiuMH/VRgpIzZVjJSweuDK2UmwhbJ3wtahE7iNYD0gZet9Ibnu3iHVW4NdZs0K9joVxJoAaY8ZQi95QC0NYV/8RZ3GQFm2sQK/I1XKEAZGZ9GK5TbRUxGh3HihX68xsxBv5avpXwURp4K/CXW6VCyhAiU21+kpTPxV1x6ZiUfmPqDUmqqV57HL6+z1g6bLb+XGBNU15L0xqItmGpc3ENV2MpTP79MXA8C2eXgkBr0ylnsoFjlrkff+oJbDtHUkWaRHEQvkQtD3JKPgi97PtuBt0qWlpXRsCXnKwH565pfgKu6SGZHZ+VHpAGI3fjtroLhnoCeV6tBpibHk/ADr826IicVJWAVzxTSRfiMA7o4wji7MJxLYf2p3PRixSpQ9oXCsUPykQ1a2jfDs+J0ov+p0u,iv:AXNYaZS6fGz/Jr2zNhvmKOYKj010wtwcatItB8hRs+c=,tag:DixvP6ZaqX9l8Z8KegkvUw==,type:str] + wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:5G+qIs/J8mwZxGyWkK0nts9E+iqbCe8Or4C4+HHuSr3dyJTmKxmA3a+DpxmbyQ0IKjKQgiz+uJbbRGR7ptzmJr7JvpNhaJO2/CR3MKvsoCpmgynenO2QIqsEidU1h1gqMV6OEDI3pDY3OE6K2M8D2jdYLqMXo5RRa7emEQhXhdQZ98OFgVrLFtrB72Fi/rTJE/tP,iv:JAopM5dwItYl68GDAQublg+C1S0Md3S3G/7GJ11azxQ=,tag:WAqEju2azXgerpIBrk+krw==,type:str] +sops: + age: + - recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXWXZkSWUwZ0t0ekhBckxS + M0lIQ1FpWkY2dXhTVmZuYjJxeXhQSW85Ulg0Cm9GV1BqS29wU2FkaEVzazcwbCs1 + Zy9tV0ZxcFBwbFFaMzRwUWFHWUZadDAKLS0tIFdoMkVkZitjNmJhTUVMUjBQdjdi + TjFMZnZDelY2NWtwd1dETFUrUE44eGsKdRVF1QWlhO3obls8Fm+PSs/yzJOUbQ80 + GoWMqeD8qPVhO99Cy9DT0GWOk3DJQNQ55I7w6ctrhJ3XuZHzTyAqlg== + -----END AGE ENCRYPTED FILE----- + - recipient: age13y65zemwlfnf5pszspeh87utv5jrfm35varxjdsh78xhfhs7la3scm9l9g + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5TEIyU1dtK0ZWQmJLY0Z0 + cThwbTdmUkF5ZGgraFBSMjZRUmpiSkxZUFdJCnhBTDd2THlmczk1SE1qZ2VnRk5a + ejZGY2U1L1IxZ3BrdURNTURwRUJCaWsKLS0tIFdEUW5Kcmw5eGE5cFJYejRXTDYr + dC9MaDUvcG96djVFU1Fpb1NKZThNaUEKkxPikf5+veTmrXHU4sxtJO/LsQ3YB4j+ + vkIWWw4qV8zRrh+XxFXrFUURhDp11m/nlpzPERxjNzRs13VS2tXTrw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-01-01T21:41:02Z" + mac: ENC[AES256_GCM,data:VItjDJ1zVRc8qGty9651o1ZlHjPne98JrKeUT/2WAElK+A29IY+UVIlUtooOwwvSPC7kphoGfFSYK5+4emd4EyVbWovPyeYp04tV5/JGdj/3cVaSiXCD3HPM/v2BeiDy3aDAkaqeIg54PueddiSVU0snobCWB2/+DXU8Xly/+sM=,iv:x/3nXue1HkeZt9hKqk2Y9ciU2GK0Bbcp5zcJQdAiO58=,tag:OCKaxQQfTgfVvzYgqaqvsA==,type:str] + pgp: + - created_at: "2026-01-01T21:36:47Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQEMAzy6JxafzLr5AQf+I8mDQ00zcPxP4GJh5ldaVJSZ95OF7Pk0TmNmtQLaBHqE + Gj8MPa3CE8MyZBtFrWjt52yKcg0wIznd1Uo0HGteW2cMxGezCqioTIqNgXSQ+h/V + T751kH0MBOVscJUoEx3D7sdCsvk70WwnN2FdkFpA1NIDqsoHCT4MXGzcAMVTv/+K + Y630VFguV0Fcmy16Kry1EFVDSorio6BxwBnK2PG/uAQOEjTA8fLTVutc+h7glqjU + iiNPsv6MtB5gTp/Q+IPHgGmPpyCP2vN7i0ArVNFRQ2tf9tIeo/5FfgmWCH8CTcr5 + deK/UPwJ3u2o4OsVLQryx9TBVnBcFG31f+/kwIG4CNJcAZxl1w0DbS+zHtIu1Bo5 + oRAxj00EeM8Vp7FFA70Z38HSzFyvawomSrtzRNhRPoLOPemG59WH4621BL1HC9Rz + 8lhSEVRdw/BjmtNRRcLsw9NrAjGsHkkhkEluY1U= + =bhCO + -----END PGP MESSAGE----- + fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B + unencrypted_suffix: _unencrypted + version: 3.11.0