2023-07-01 14:59:05 -05:00
parent 18d718a870
commit c34c7ca635
10 changed files with 116 additions and 45 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -0,0 +1,19 @@
+stages:
+- generate
+- check
+
+generate-flake-ci:
+  stage: generate
+  before_script:
+  script: nix run "git+https://git.eversole.co/james/flake-to-gitlab-ci" > flake-ci.yml
+  artifacts:
+    paths:
+      - flake-ci.yml
+
+flake-ci:
+  stage: check
+  trigger:
+    include:
+      - artifact: flake-ci.yml
+        job: generate-flake-ci
+    strategy: depend
--- a/application/containers.nix
+++ b/application/containers.nix
@ -1,8 +1,28 @@
-{ config, ... }:
+{ config, lib, pkgs, ... }:
 {
  virtualisation.oci-containers = {
    containers = {

+      gitlab = {
+        image = "gitlab/gitlab-ce:latest";
+        ports = [ "26616:80" "26617:22" ];
+        volumes = [
+          "/home/sezycei/srv/containerdata/gitlab/config:/etc/gitlab"
+          "/home/sezycei/srv/containerdata/gitlab/log:/var/log/gitlab"
+          "/home/sezycei/srv/containerdata/gitlab/data:/var/opt/gitlab"
+        ];
+        environment = {
+          GITLAB_OMNIBUS_CONFIG = ''
+            external_url 'https://git.eversole.co'
+            nginx['listen_port'] = 80
+            nginx['listen_https'] = false
+            gitlab_rails['gitlab_shell_ssh_port'] = 26617
+          '';
+        };
+      };
+
+      # gitlab-runner = a service definition in this file.
+
      jellyfin = {
        image = "linuxserver/jellyfin";
        ports = [ "127.0.0.1:8096:8096" "127.0.0.1:8920:8920" ];
@ -22,18 +42,6 @@
        };
      };

-      legit = {
-        image = "docker.matri.cx/legit";
-        ports = [ "127.0.0.1:5121:8080" ];
-        volumes = [
-          "/home/sezycei/srv/containerdata/legit/static:/static"
-          "/home/sezycei/srv/containerdata/legit/templates:/templates"
-          "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml"
-          "/home/sezycei/srv/containerdata/legit/repos:/var/www/git"
-        ];
-        environment = { };
-      };
-
      murmur = {
        image = "goofball222/murmur";
        ports = [ "127.0.0.1:64738:64738" "127.0.0.1:64738:64738/udp" ];
@ -81,4 +89,46 @@

    };
  };
+
+  services.gitlab-runner = {
+    enable = true;
+    services = {
+      nix = with lib; {
+        registrationConfigFile = toString /run/agenix/gitlab-runner;
+        dockerImage = "alpine";
+        dockerVolumes = [
+          "/nix/store:/nix/store:ro"
+          "/nix/var/nix/db:/nix/var/nix/db:ro"
+          "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+        ];
+        preBuildScript = pkgs.writeScript "setup-container" ''
+          mkdir -p -m 0755 /nix/var/log/nix/drvs
+          mkdir -p -m 0755 /nix/var/nix/gcroots
+          mkdir -p -m 0755 /nix/var/nix/profiles
+          mkdir -p -m 0755 /nix/var/nix/temproots
+          mkdir -p -m 0755 /nix/var/nix/userpool
+          mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+          mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+          mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+          mkdir -p -m 0700 "$HOME/.nix-defexpr"
+          . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+          ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-23.05 nixpkgs
+          ${pkgs.nix}/bin/nix-channel --update nixpkgs
+          ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])}
+          # Config
+          mkdir -p "$HOME/.config/nix"
+          echo "experimental-features = nix-command flakes" >> "$HOME/.config/nix/nix.conf"
+          echo "max-jobs = 8" >> "$HOME/.config/nix/nix.conf"
+          echo "build-cores = 8" >> "$HOME/.config/nix/nix.conf"
+        '';
+        environmentVariables = {
+          ENV = "/etc/profile";
+          USER = "root";
+          NIX_REMOTE = "daemon";
+          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+          NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
+        };
+      };
+    };
+  };
 }
--- a/application/nginx.nix
+++ b/application/nginx.nix
@ -54,7 +54,7 @@
          target = "http://127.0.0.1:3001";
        };
        "eversole.co" = static { dir = "/var/www/jame.su"; };
-        "git.eversole.co" = proxied { target = "http://127.0.0.1:5121"; };
+        "git.eversole.co" = proxied { target = "http://127.0.0.1:26616"; };
        "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix
        "hydra.matri.cx" = proxied {
          target = "http://127.0.0.1:3034";
--- a/flake.nix
+++ b/flake.nix
@ -18,19 +18,16 @@

  outputs = { self, nixpkgs, agenix, nix-serve-ng, ... }@attrs:
    let
-      forEachSystem = nixpkgs.lib.genAttrs system;
+      forEachSystem = nixpkgs.lib.genAttrs systems;
      pkgs = import nixpkgs { inherit system; };
      shell = import ./shell.nix { inherit agenix pkgs; };
      system = "x86_64-linux";
+      systems = [ system ];
    in
    {
      devShell.x86_64-linux = shell.dev;
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;

-      hydraJobs = {
-        build = shell.packages.${system}.format;
-      };
-
      packages = shell.packages;

      nixosConfigurations = {
@ -58,7 +55,6 @@
                ./system/hardware.nix
                ./system/nix-conf.nix
                ./system/security.nix
-                ./system/build-services.nix
                ./system/system.nix
                ./system/virtualisation.nix

--- a/secrets.nix
+++ b/secrets.nix
@ -7,6 +7,7 @@ let
 in
 {
  "secrets/cache-key.age" = { publicKeys = all; };
+  "secrets/gitlab-runner.age" = { publicKeys = all; };
  "secrets/graf-email.age" = { publicKeys = all; };
  "secrets/htpasswd-dock.age" = { publicKeys = all; };
  "secrets/keys.age" = { publicKeys = all; };
--- a/secrets/gitlab-runner.age
+++ b/secrets/gitlab-runner.age
@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 dQ70Fw 1Y4XyvfewFemjm/3N6v2HKdO+kf3l9zWjR4gm+OL/Wo
+7G5Ipgr3ZjRBpQrKWQoqLhAGYk1lwyGZBLsbiGi5eNo
+-> ssh-ed25519 ZIoeGg pxNvqGCNvjT+6DrKIfZW0O28lKY7OKRtV5uvurhFWSk
+fGcCiYWChBAuHJ4764adKj+btYt410oaKtfDlJzfHR4
+-> A"-uU"q-grease p] \?3MHe D,
+xpBFoA2Gd3mh877T3WnAvfM6eaB4QF+PXltWXWb4vD28xAZCstZX7yFJ31W/ZUW1
+PcEj2vP/t4OpIRkjgBcrwi/iaaAOO4d1AH252iN9YlNVO0JJMWLcOxAB
+--- ewj86Tn8VoLJ44f8q8eKrtFvDLpLVmJfhPydTDsm5VY
+ir<EFBFBD><EFBFBD><EFBFBD>R<EFBFBD><EFBFBD>><3E>v<<3C><>g<EFBFBD>xh<78>><3E><><EFBFBD>j<>jg<6A>
+<EFBFBD>Y<EFBFBD> <20><><EFBFBD>1<EFBFBD>)R<><52>x<EFBFBD>C<EFBFBD><43>2<EFBFBD>'<02><><EFBFBD>,d﯈s(<28>0<EFBFBD><30><EFBFBD> '<27><><15>d<EFBFBD><64>LI<4C>fl<66>`g&<14><><EFBFBD>3<EFBFBD>h<EFBFBD>g<EFBFBD>A<EFBFBD>S<EFBFBD>(<28>j<EFBFBD>
--- a/system/age.nix
+++ b/system/age.nix
@ -2,6 +2,7 @@
  age = {
    secrets = {
      cache-key.file = ../secrets/cache-key.age;
+      gitlab-runner.file = ../secrets/gitlab-runner.age;
      graf-email = {
        file = ../secrets/graf-email.age;
        mode = "770";
--- a/system/build-services.nix
+++ b/system/build-services.nix
@ -1,25 +0,0 @@
-{ config, ... }: {
-  services = {
-    hydra = {
-      enable = true;
-      hydraURL = "https://hydra.matri.cx";
-      listenHost = "127.0.0.1";
-      port = 3034;
-
-      extraConfig = ''
-        using_frontend_proxy = 1
-        base_uri = "https://hydra.matri.cx"
-      '';
-
-      useSubstitutes = true;
-
-      notificationSender = "hydra@matri.cx";
-      buildMachinesFiles = [ ];
-    };
-
-    nix-serve = {
-      enable = true;
-      secretKeyFile = config.age.secrets.cache-key.path;
-    };
-  };
-}
--- a/system/dns.nix
+++ b/system/dns.nix
@ -28,6 +28,12 @@
      		    }
      		  }

+            box.eversole.co {
+      		    template IN A  {
+      		        answer "{{ .Name }} 0 IN A 149.28.112.101"
+      		    }
+      		  }
+
      		  *.eversole.co {
      		    template IN A  {
      		        answer "{{ .Name }} 0 IN A 192.168.0.130"
--- a/system/system.nix
+++ b/system/system.nix
@ -1,5 +1,6 @@
 { pkgs, ... }: {
  boot = {
+    kernel.sysctl."net.ipv4.ip_forward" = true;
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
  };
@ -14,5 +15,16 @@
    };
  };

+  programs.ssh.knownHosts = {
+    selbeiskami = {
+      hostNames = [ "192.168.0.57" ];
+      publicKey = "192.168.0.57 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiTyWzAu7V2Jkk4rqEjBLu+lAhhkLTO8W/PGb8HkeqQ";
+    };
+    matricx = {
+      hostNames = [ "192.168.0.130" "matri.cx" ];
+      publicKey = "matri.cx ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp";
+    };
+  };
+
  time.timeZone = "America/Chicago";
 }