wip

hosts/double-rainbow/default.nix

@@ -17,7 +17,10 @@ let
   ];
 in
 {
-  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+    ./gitlab-runner.nix
+  ];
 
   my.nix-ld.enable = true;
 

hosts/double-rainbow/gitlab-runner.nix

@@ -0,0 +1,36 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+let
+  inherit (pkgs.callPackage ../../system/gitlab-runner.nix { }) mkNixRunnerFull;
+in
+{
+  boot.kernel.sysctl."net.ipv4.ip_forward" = true;
+  virtualisation.docker.enable = true;
+  services.gitlab-runner = {
+    enable = true;
+    settings.concurrent = 4;
+    services = {
+      wopus-gitlab-nix = mkNixRunnerFull {
+        authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
+        nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
+        nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
+      };
+    };
+  };
+  systemd.services.gitlab-runner.serviceConfig.Nice = 10;
+
+  sops.secrets = {
+    "gitlab-runners/wopus-gitlab-nix" = {
+      sopsFile = ../../secrets/double-rainbow/default.yaml;
+    };
+    "gitlab-runners/wopus-ssh-nix-cache-pk" = {
+      sopsFile = ../../secrets/double-rainbow/default.yaml;
+    };
+    "gitlab-runners/wopus-ssh-nix-cache-pub" = {
+      sopsFile = ../../secrets/double-rainbow/default.yaml;
+    };
+  };
+}