nixos-config/system/gitlab-runner.nix

{
  pkgs,
  lib,
  inputs ? null,
  ...
}:
let
  installNixScript =
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
      nixCacheSshPublicKeyPath ? null,
      ...
    }:
    pkgs.writeScriptBin "install-nix" ''
      mkdir -p -m 0755 /nix/var/log/nix/drvs
      mkdir -p -m 0755 /nix/var/nix/gcroots
      mkdir -p -m 0755 /nix/var/nix/profiles
      mkdir -p -m 0755 /nix/var/nix/temproots
      mkdir -p -m 0755 /nix/var/nix/userpool
      mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
      mkdir -p -m 1777 /nix/var/nix/profiles/per-user
      mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
      mkdir -p -m 0700 "$HOME/.nix-defexpr"

      . ${pkgs.nix}/etc/profile.d/nix.sh

      ${pkgs.nix}/bin/nix-env -i ${
        lib.concatStringsSep " " (
          with pkgs;
          [
            nix
            cacert
            git
            openssh
            docker
          ]
        )
      }

      ${lib.optionalString (nixCacheSshPrivateKeyPath != null && nixCacheSshPublicKeyPath != null) ''
        NIX_CACHE_SSH_PRIVATE_KEY_PATH="${nixCacheSshPrivateKeyPath}"
        NIX_CACHE_SSH_PUBLIC_KEY_PATH="${nixCacheSshPublicKeyPath}"
        . ${./gitlab-runner/nix-cache-start}
      ''}
    '';
in
rec {
  mkNixRunnerFull =
    {
      authenticationTokenConfigFile,
      nixCacheSshPrivateKeyPath ? null,
      nixCacheSshPublicKeyPath ? null,
      ...
    }@args:
    {
      # File should contain at least these two variables:
      # `CI_SERVER_URL`
      # `REGISTRATION_TOKEN`
      inherit authenticationTokenConfigFile; # 2
      dockerImage = "alpine:3.18.2";
      dockerPullPolicy = "if-not-present";
      dockerVolumes = [
        "/etc/nix/nix.conf:/etc/nix/nix.conf:ro"
        "/nix/store:/nix/store:ro"
        "/nix/var/nix/db:/nix/var/nix/db:ro"
        "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
        "/tmp:/tmp"
        "/var/run/docker.sock:/var/run/docker.sock"
        "/var/lib/docker/containers:/var/lib/docker/containers"
        "/cache"
      ]
      ++ lib.optionals (nixCacheSshPrivateKeyPath != null) [
        "${nixCacheSshPrivateKeyPath}:${nixCacheSshPrivateKeyPath}"
      ]
      ++ lib.optionals (nixCacheSshPublicKeyPath != null) [
        "${nixCacheSshPublicKeyPath}:${nixCacheSshPublicKeyPath}"
      ];
      # dockerDisableCache = true;
      preBuildScript = "\". ${lib.getExe (installNixScript args)}\"";
      environmentVariables = {
        ENV = "/etc/profile";
        USER = "root";
        NIX_REMOTE = "daemon";
        NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
        NIX_PATH = if inputs != null then "nixpkgs=${inputs.nixpkgs}" else "";
      };
    };

  mkNixRunner =
    authenticationTokenConfigFile:
    mkNixRunnerFull {
      inherit authenticationTokenConfigFile;
    };
}