Remove legit container; Remove Hydra; setup GitLab; setup GitLab runner; add GitLab CI definitions

.gitlab-ci.yml

@@ -0,0 +1,19 @@
+stages:
+- generate
+- check
+
+generate-flake-ci:
+  stage: generate
+  before_script:
+  script: nix run "git+https://git.eversole.co/james/flake-to-gitlab-ci" > flake-ci.yml
+  artifacts:
+    paths:
+      - flake-ci.yml
+
+flake-ci:
+  stage: check
+  trigger:
+    include:
+      - artifact: flake-ci.yml
+        job: generate-flake-ci
+    strategy: depend

application/containers.nix

@@ -1,8 +1,28 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 {
   virtualisation.oci-containers = {
     containers = {
 
+      gitlab = {
+        image = "gitlab/gitlab-ce:latest";
+        ports = [ "26616:80" "26617:22" ];
+        volumes = [
+          "/home/sezycei/srv/containerdata/gitlab/config:/etc/gitlab"
+          "/home/sezycei/srv/containerdata/gitlab/log:/var/log/gitlab"
+          "/home/sezycei/srv/containerdata/gitlab/data:/var/opt/gitlab"
+        ];
+        environment = {
+          GITLAB_OMNIBUS_CONFIG = ''
+            external_url 'https://git.eversole.co'
+            nginx['listen_port'] = 80
+            nginx['listen_https'] = false
+            gitlab_rails['gitlab_shell_ssh_port'] = 26617
+          '';
+        };
+      };
+
+      # gitlab-runner = a service definition in this file.
+
       jellyfin = {
         image = "linuxserver/jellyfin";
         ports = [ "127.0.0.1:8096:8096" "127.0.0.1:8920:8920" ];
@@ -22,18 +42,6 @@
         };
       };
 
-      legit = {
-        image = "docker.matri.cx/legit";
-        ports = [ "127.0.0.1:5121:8080" ];
-        volumes = [
-          "/home/sezycei/srv/containerdata/legit/static:/static"
-          "/home/sezycei/srv/containerdata/legit/templates:/templates"
-          "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
-          "/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
-        ];
-        environment = { };
-      };
-
       murmur = {
         image = "goofball222/murmur";
         ports = [ "127.0.0.1:64738:64738" "127.0.0.1:64738:64738/udp" ];
@@ -81,4 +89,46 @@
 
     };
   };
+
+  services.gitlab-runner = {
+    enable = true;
+    services = {
+      nix = with lib; {
+        registrationConfigFile = toString /run/agenix/gitlab-runner;
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+        ];
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+          ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-23.05 nixpkgs
+          ${pkgs.nix}/bin/nix-channel --update nixpkgs
+          ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+          # Config
+          mkdir -p "$HOME/.config/nix"
+          echo "experimental-features = nix-command flakes" >> "$HOME/.config/nix/nix.conf"
+          echo "max-jobs = 8" >> "$HOME/.config/nix/nix.conf"
+          echo "build-cores = 8" >> "$HOME/.config/nix/nix.conf"
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+          NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        };
+      };
+    };
+  };
 }

application/nginx.nix

@@ -54,7 +54,7 @@
           target = "http://127.0.0.1:3001";
         };
         "eversole.co" = static { dir = "/var/www/jame.su"; };
-        "git.eversole.co" = proxied { target = "http://127.0.0.1:5121"; };
+        "git.eversole.co" = proxied { target = "http://127.0.0.1:26616"; };
         "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
         "hydra.matri.cx" = proxied {
           target = "http://127.0.0.1:3034";

flake.nix

@@ -18,19 +18,16 @@
 
   outputs = { self, nixpkgs, agenix, nix-serve-ng, ... }@attrs:
     let
-      forEachSystem = nixpkgs.lib.genAttrs system;
+      forEachSystem = nixpkgs.lib.genAttrs systems;
       pkgs = import nixpkgs { inherit system; };
       shell = import ./shell.nix { inherit agenix pkgs; };
       system = "x86_64-linux";
+      systems = [ system ];
     in
     {
       devShell.x86_64-linux = shell.dev;
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
 
-      hydraJobs = {
-        build = shell.packages.${system}.format;
-      };
-
       packages = shell.packages;
 
       nixosConfigurations = {
@@ -58,7 +55,6 @@
                 ./system/hardware.nix
                 ./system/nix-conf.nix
                 ./system/security.nix
-                ./system/build-services.nix
                 ./system/system.nix
                 ./system/virtualisation.nix
 

secrets.nix

@@ -7,6 +7,7 @@ let
 in
 {
   "secrets/cache-key.age" = { publicKeys = all; };
+  "secrets/gitlab-runner.age" = { publicKeys = all; };
   "secrets/graf-email.age" = { publicKeys = all; };
   "secrets/htpasswd-dock.age" = { publicKeys = all; };
   "secrets/keys.age" = { publicKeys = all; };

secrets/gitlab-runner.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 dQ70Fw 1Y4XyvfewFemjm/3N6v2HKdO+kf3l9zWjR4gm+OL/Wo
+7G5Ipgr3ZjRBpQrKWQoqLhAGYk1lwyGZBLsbiGi5eNo
+-> ssh-ed25519 ZIoeGg pxNvqGCNvjT+6DrKIfZW0O28lKY7OKRtV5uvurhFWSk
+fGcCiYWChBAuHJ4764adKj+btYt410oaKtfDlJzfHR4
+-> A"-uU"q-grease p] \?3MHe D,
+xpBFoA2Gd3mh877T3WnAvfM6eaB4QF+PXltWXWb4vD28xAZCstZX7yFJ31W/ZUW1
+PcEj2vP/t4OpIRkjgBcrwi/iaaAOO4d1AH252iN9YlNVO0JJMWLcOxAB
+--- ewj86Tn8VoLJ44f8q8eKrtFvDLpLVmJfhPydTDsm5VY
+iräù<EFBFBD>RÔÂ>·v<ÓÉgÁxhñ>ÁØþ
jÓjgä
+ÂYÛ ‹£˜1—)R©ìx•C¨ë2¬'<02>î¾,d﯈s(’0¶ö¸ 'ä’öd©õLIÛflÉ`g&šå—ô3ˆhÆgñAêSˆ(<28>já

system/age.nix

@@ -2,6 +2,7 @@
   age = {
     secrets = {
       cache-key.file = ../secrets/cache-key.age;
+      gitlab-runner.file = ../secrets/gitlab-runner.age;
       graf-email = {
         file = ../secrets/graf-email.age;
         mode = "770";

system/build-services.nix

@@ -1,25 +0,0 @@
-{ config, ... }: {
-  services = {
-    hydra = {
-      enable = true;
-      hydraURL = "https://hydra.matri.cx";
-      listenHost = "127.0.0.1";
-      port = 3034;
-
-      extraConfig = ''
-        using_frontend_proxy = 1
-        base_uri = "https://hydra.matri.cx"
-      '';
-
-      useSubstitutes = true;
-
-      notificationSender = "hydra@matri.cx";
-      buildMachinesFiles = [ ];
-    };
-
-    nix-serve = {
-      enable = true;
-      secretKeyFile = config.age.secrets.cache-key.path;
-    };
-  };
-}

system/dns.nix

@@ -28,6 +28,12 @@
       		    }
       		  }
 
+            box.eversole.co {
+      		    template IN A  {
+      		        answer "{{ .Name }} 0 IN A 149.28.112.101"
+      		    }
+      		  }
+
       		  *.eversole.co {
       		    template IN A  {
       		        answer "{{ .Name }} 0 IN A 192.168.0.130"

system/system.nix

@@ -1,5 +1,6 @@
 { pkgs, ... }: {
   boot = {
+    kernel.sysctl."net.ipv4.ip_forward" = true;
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
   };
@@ -14,5 +15,16 @@
     };
   };
 
+  programs.ssh.knownHosts = {
+    selbeiskami = {
+      hostNames = [ "192.168.0.57" ];
+      publicKey = "192.168.0.57 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiTyWzAu7V2Jkk4rqEjBLu+lAhhkLTO8W/PGb8HkeqQ";
+    };
+    matricx = {
+      hostNames = [ "192.168.0.130" "matri.cx" ];
+      publicKey = "matri.cx ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp";
+    };
+  };
+
   time.timeZone = "America/Chicago";
 }