lelgenio/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests Projects 2 Releases Packages Wiki Activity Actions

wip

Browse source
This commit is contained in:
lelgenio 2025-09-09 18:15:48 -03:00
parent b8cd22e425
commit e0a8b9e791
5 changed files with 103 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

9
.sops.yaml
View file

@ -2,6 +2,7 @@ keys:
- &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B - &lelgenio-gpg 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
- &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h - &lelgenio-ssh age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
- &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw - &monolith-ssh age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
- &double-rainbow-ssh age1026d4c8nqyapcsy4jz57szt6zw3ejcgv3ecyvz0s89t7w7z964fqdqv52h
- &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y - &phantom-ssh age1m4mqcd2kmuhfr8a22rvh02c68jkakhdfmuqgtusuv0czk4jvna7sz79p3y
creation_rules: creation_rules:
@ -19,6 +20,14 @@ creation_rules:
age: age:
- *lelgenio-ssh - *lelgenio-ssh
- *monolith-ssh - *monolith-ssh
- path_regex: secrets/double-rainbow/[^/]+\.(yaml|json|env|ini|gpg)$
key_groups:
- pgp:
- *lelgenio-gpg
age:
- *lelgenio-ssh
- *monolith-ssh
- *double-rainbow-ssh
- path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini|gpg)$ - path_regex: secrets/phantom/[^/]+\.(yaml|json|env|ini|gpg)$
key_groups: key_groups:
- pgp: - pgp:

2
flake.nix
View file

@ -166,7 +166,7 @@
double-rainbow = lib.nixosSystem { double-rainbow = lib.nixosSystem {
inherit system specialArgs; inherit system specialArgs;
modules = [ modules = [
./hosts/double-rainbow.nix ./hosts/double-rainbow
] ]
++ common_modules; ++ common_modules;
}; };

5
hosts/double-rainbow.nix → hosts/double-rainbow/default.nix
View file

@ -17,7 +17,10 @@ let
]; ];
in in
{ {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; imports = [
(modulesPath + "/installer/scan/not-detected.nix")
./gitlab-runner.nix
];
my.nix-ld.enable = true; my.nix-ld.enable = true;

36
hosts/double-rainbow/gitlab-runner.nix Normal file
View file

@ -0,0 +1,36 @@
{
config,
pkgs,
...
}:
let
inherit (pkgs.callPackage ../../system/gitlab-runner.nix { }) mkNixRunnerFull;
in
{
boot.kernel.sysctl."net.ipv4.ip_forward" = true;
virtualisation.docker.enable = true;
services.gitlab-runner = {
enable = true;
settings.concurrent = 4;
services = {
wopus-gitlab-nix = mkNixRunnerFull {
authenticationTokenConfigFile = config.sops.secrets."gitlab-runners/wopus-gitlab-nix".path;
nixCacheSshPrivateKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pk".path;
nixCacheSshPublicKeyPath = config.sops.secrets."gitlab-runners/wopus-ssh-nix-cache-pub".path;
};
};
};
systemd.services.gitlab-runner.serviceConfig.Nice = 10;
sops.secrets = {
"gitlab-runners/wopus-gitlab-nix" = {
sopsFile = ../../secrets/double-rainbow/default.yaml;
};
"gitlab-runners/wopus-ssh-nix-cache-pk" = {
sopsFile = ../../secrets/double-rainbow/default.yaml;
};
"gitlab-runners/wopus-ssh-nix-cache-pub" = {
sopsFile = ../../secrets/double-rainbow/default.yaml;
};
};
}

53
secrets/double-rainbow/default.yaml Normal file
View file

@ -0,0 +1,53 @@
gitlab-runners:
wopus-gitlab-nix: ENC[AES256_GCM,data:n/bm5W5Q/h7MxMZX7yz4qeUBpfZDrI7A7/PlnLncMto5V5itVTXRvfd3+D/d2r9PVuJSogfMgMAh0cwuvPspjlm9ToPxrmgGdYbnAkhnFeTHdCfcF1x2DG2JkHe54wUhcQa9QEJkWZ5jJM//2jU=,iv:63lrYCCBMSr5toulba7Rni+iun0Bl2vMFbIsTVvOWQs=,tag:Z1GHj91q09sOWCaLPIKJ4Q==,type:str]
wopus-ssh-nix-cache-pk: ENC[AES256_GCM,data:+5I7INvMNfegjjC0xPNOSj+vFakXe6V4N/S5wvL64DOxfPXhSQAjVtdMslp/LlJXH4XWbkQ8ErLbySB3WMDMRDnDRY+6+UKXsP6MFpvEtho0lN+8ZeAGC25ehadYDSFTX43wz6cLRuoAqRQdhPKM96wcYif7nF40cStgaAQhkNemK7AenSA9LQ4J72dWovFuwfTZml8qH6W/O+YEqfOgZsyJ/LobcM1fiuN1S4NnCOJSWB2Ahsu0tiMOSRxKWeUS9+ewh+x1xnZL3y4vax5GgtS2KojtXq0U4qgNi4Gwnmef7HmH1tVgeMO2ykCsuCCZ9iJR0IOqTHU2l+U6hTzf5vehpgK5/tsthkXRsLUmVRnjUaQwaEq9JYltGpEdk6U0UnD+Mf0f5BsDw23lHgannLeduhrSFrPFj+BVodnPxjyYJTPXwXfbWrKIQ8s5kWfIq9x0VePsteIgEH4xLL0yFtyZzrYeCq9WF3j5xTvJsOlG0ehQzX22orrM4RzrFVmeLYOIc/V4bQeyIf1lWemr,iv:UNaUnlVayrzF7qpgIVi9gxPFGCzIP24jNUpO295JPog=,tag:a5OlD+AJH3u6y+Lo3lOQWw==,type:str]
wopus-ssh-nix-cache-pub: ENC[AES256_GCM,data:aknblYwAAGaso/Vhr9f1RX64tA3uOh3qxc1dBI7DQmk4TUlQn/AYrKF7wanIhhydrasRulDEam3CBiiyeW/ejcXG07wKIUyZ94TOYfcyRd1yo+PGkmb1yycU6PdjaP5/zwUPAnjMhR2quW+8iwADaUMYKXIJkdQaqUW9a845vBKIxgNgBskWMGMzldb+aUnr2eCb,iv:MQdEUrNugzv+QL6f/MNUqh9M+nFVsWI4VHlMrgQOTEg=,tag:olNTQyCSOhv3sgSjuIXKBA==,type:str]
sops:
age:
- recipient: age1zrgu7w8059xydagm60phnffghvfe9h2ca58cx8qwagqpyfuvs9fqw79c8h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0eTBFdVM5OFlQTi9JMmFw
QWpIU2dSdDMzQTVJOWJCUU03QXR1QVZoeXc4CkljdHNKQ0tUczMrNys5eXNGMnVa
K003QjdRaWY4RmNtaEw4cEsxSEJwZlEKLS0tIFZpbGUyaHh0RndkVlpQVlVucHJa
TndIUUhsY2xSR3E1WlJXV3ZFN0lIMncKjjf1yt4XhfguzYoCNmHYSmetMDnoz4cr
frbZdy4hl9w9EZO5JUeC/n7QMYTZLC2/Zk2PXRUvwyQglrGoUVK2Bg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ecyynwv93lfu7crjjp8l47defv07quzfzaktwurpep7jc9eha5pscg7lrw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHbHd4L0NEZW55OWd3SWlv
U3dEcDNKZUJid2VsZ1lQdy9NRnIyVDRPRm1VCnZDcCs0S1BLNjJLZTFpSHVpNVRj
OFpMK0ZjWTJkcWJoUFk2YnBCK3JKcFUKLS0tIEtqRkF4Q0FobXhPVTF6eWN2d0Nx
eVAwSi9LaVNEcHIvQnhhZmZLbHRPOUUK6A91L8YCpi/sM9FiXcJ1sLmW3U4KadYL
uw07mobP1Rf0RUdAuSK+42ErFgmS+OTDze/mT/PXg6Dfk+vhTjbfGA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1026d4c8nqyapcsy4jz57szt6zw3ejcgv3ecyvz0s89t7w7z964fqdqv52h
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEaUpLU1ZxQWNCNFNGeEpl
dEpVbzBFbk1XaVoxMXIzMWFmTkZWS05GOFFvCmJGamVGK2pCeTJROVloMGdYK3Mx
cGF1elFSbjJ3UmUyc1FsUkh6b2JNWTgKLS0tIFRzbHZIL25tK1dnWm90QVFueWZM
WUZrTkg0cklJSUg5MndsN0ZPcVk4U0kKPsj787kDFDMxsBt5qk4Bp121AMTE++99
m2X4lL6ona9fUe8e8wGhdgxZmqvJL2RCaVWJJy5SAbJ/skP3y7i2mw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-09-09T20:29:01Z"
mac: ENC[AES256_GCM,data:forfO9i1DJvf38Q2B6ETUuOmGB3XVNQEURlUH4h6+6qEZqpZb/c7yUlMpXTUk9kgXn+IcfUhymFN3lrS7KVhSG5SxOTqwpOLF39+XFXcam3X4jf1/H4uBVqmntWAFG2+SvPxvL5jUKw9j8O0xBPWlbnx6BOQU4ifjcoPMOWanBQ=,iv:wj6F/5AV4oieoASZXb6oBtDYA0cA+1ujPWkziMTAhQ0=,tag:29lR7wsFT3vhp2ztMHBlsA==,type:str]
pgp:
- created_at: "2025-09-09T20:27:32Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQEMAzy6JxafzLr5AQf/a5v/AIIsdE9WawM710HCLQwEJXskDXfN7UP055gDBJer
96qny8cKC833OhTPLqWCUpAVgJ1JQ8EDLvj2YvXLiq/NmMFs+mBwjPdzNIUKzK6E
QgtjRJuQfOGSW0i44b+nkmWLSi1PhxVbIFt27Nl4I+mrvkhztIZcTwht+be3mMrp
z1hEn/BbXsin6JOB6EuyFbsRZ3wYFUlr23NiKVI/JSo39ifbtGqgWn68GN+tYYYs
mZ5tJykyRZxTU6qEKBaW9veClxs0FW2shQpp6Go/u6u/ghhHeB99trauPFL2rypT
IaLGWruFwHMsd+rSTcw+YrTbL7bfkqx/4xj5dxJaFNJeAfo5F5ddr1odeAHeSQmh
pfStJmy83SHhyDw8wLKMeF9d7dPKIyU4cXbLjSv1w86bDpDw8LBJSYEjJPVjLONV
F6AXCJxNckDXmshGUejC09abAcMzzTsEJK7ocqEoMg==
=XAWM
-----END PGP MESSAGE-----
fp: 0FECE8316E74BA6F44EFC21A2F8F21CE8721456B
unencrypted_suffix: _unencrypted
version: 3.10.2