diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml new file mode 100644 index 0000000..8eed7a3 --- /dev/null +++ b/.gitlab-ci.yml @@ -0,0 +1,19 @@ +stages: +- generate +- check + +generate-flake-ci: + stage: generate + before_script: + script: nix run "git+https://git.eversole.co/james/flake-to-gitlab-ci" > flake-ci.yml + artifacts: + paths: + - flake-ci.yml + +flake-ci: + stage: check + trigger: + include: + - artifact: flake-ci.yml + job: generate-flake-ci + strategy: depend diff --git a/application/containers.nix b/application/containers.nix index 2a36eed..286573f 100644 --- a/application/containers.nix +++ b/application/containers.nix @@ -1,8 +1,28 @@ -{ config, ... }: +{ config, lib, pkgs, ... }: { virtualisation.oci-containers = { containers = { + gitlab = { + image = "gitlab/gitlab-ce:latest"; + ports = [ "26616:80" "26617:22" ]; + volumes = [ + "/home/sezycei/srv/containerdata/gitlab/config:/etc/gitlab" + "/home/sezycei/srv/containerdata/gitlab/log:/var/log/gitlab" + "/home/sezycei/srv/containerdata/gitlab/data:/var/opt/gitlab" + ]; + environment = { + GITLAB_OMNIBUS_CONFIG = '' + external_url 'https://git.eversole.co' + nginx['listen_port'] = 80 + nginx['listen_https'] = false + gitlab_rails['gitlab_shell_ssh_port'] = 26617 + ''; + }; + }; + + # gitlab-runner = a service definition in this file. + jellyfin = { image = "linuxserver/jellyfin"; ports = [ "127.0.0.1:8096:8096" "127.0.0.1:8920:8920" ]; @@ -22,18 +42,6 @@ }; }; - legit = { - image = "docker.matri.cx/legit"; - ports = [ "127.0.0.1:5121:8080" ]; - volumes = [ - "/home/sezycei/srv/containerdata/legit/static:/static" - "/home/sezycei/srv/containerdata/legit/templates:/templates" - "/home/sezycei/srv/containerdata/legit/legit.yml:/legit.yml" - "/home/sezycei/srv/containerdata/legit/repos:/var/www/git" - ]; - environment = { }; - }; - murmur = { image = "goofball222/murmur"; ports = [ "127.0.0.1:64738:64738" "127.0.0.1:64738:64738/udp" ]; 
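Review bot: The generator in `generate-flake-ci`'s `script` is fetched from an unpinned `git+https://…/flake-to-gitlab-ci` flake URL, so every pipeline runs whatever that repository's HEAD produces and the triggered child pipeline inherits that trust; pin it, e.g. `script: nix run "git+https://git.eversole.co/flake-to-gitlab-ci?rev=<commit-sha>" > flake-ci.yml`, and bump the revision deliberately. The empty `before_script:` key in the same job has no value and does nothing; drop it, since a null value there may not pass the CI linter. The `trigger`/`artifact` wiring in `flake-ci` looks consistent with the artifact path declared above it.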
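Review bot: `ports = [ "26616:80" "26617:22" ]` on the new `gitlab` container publishes on all interfaces, whereas every other container visible in this file (jellyfin, murmur) binds `127.0.0.1:`; since nginx proxies git.eversole.co to 127.0.0.1:26616, the HTTP port should be `"127.0.0.1:26616:80"` so the instance cannot be reached directly, bypassing the TLS-terminating proxy. Port 26617 for SSH presumably does need to be reachable from outside; if so, a one-line comment saying so would stop the next reader from "fixing" it. `image = "gitlab/gitlab-ce:latest"` is unpinned as well, and GitLab only supports upgrades along specific version paths, so an unintended jump on re-pull can leave the instance unable to migrate — pin a version tag and upgrade on purpose. The comment `# gitlab-runner = a service definition in this file.` would read better as `# gitlab-runner is configured below via services.gitlab-runner, not as a container.`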
@@ -81,4 +89,46 @@ }; }; + + services.gitlab-runner = { + enable = true; + services = { + nix = with lib; { + registrationConfigFile = toString /run/agenix/gitlab-runner; + dockerImage = "alpine"; + dockerVolumes = [ + "/nix/store:/nix/store:ro" + "/nix/var/nix/db:/nix/var/nix/db:ro" + "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro" + ]; + preBuildScript = pkgs.writeScript "setup-container" '' + mkdir -p -m 0755 /nix/var/log/nix/drvs + mkdir -p -m 0755 /nix/var/nix/gcroots + mkdir -p -m 0755 /nix/var/nix/profiles + mkdir -p -m 0755 /nix/var/nix/temproots + mkdir -p -m 0755 /nix/var/nix/userpool + mkdir -p -m 1777 /nix/var/nix/gcroots/per-user + mkdir -p -m 1777 /nix/var/nix/profiles/per-user + mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root + mkdir -p -m 0700 "$HOME/.nix-defexpr" + . ${pkgs.nix}/etc/profile.d/nix-daemon.sh + ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-23.05 nixpkgs + ${pkgs.nix}/bin/nix-channel --update nixpkgs + ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [ nix cacert git openssh ])} + # Config + mkdir -p "$HOME/.config/nix" + echo "experimental-features = nix-command flakes" >> "$HOME/.config/nix/nix.conf" + echo "max-jobs = 8" >> "$HOME/.config/nix/nix.conf" + echo "build-cores = 8" >> "$HOME/.config/nix/nix.conf" + ''; + environmentVariables = { + ENV = "/etc/profile"; + USER = "root"; + NIX_REMOTE = "daemon"; + PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin"; + NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"; + }; + }; + }; + }; } diff --git a/application/nginx.nix b/application/nginx.nix index eaf8021..25482cb 100644 --- a/application/nginx.nix +++ b/application/nginx.nix 
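Review bot: `registrationConfigFile = toString /run/agenix/gitlab-runner;` hard-codes the agenix mount path; the deleted build-services.nix used `config.age.secrets.cache-key.path` for the same purpose, and `registrationConfigFile = config.age.secrets.gitlab-runner.path;` keeps this in step with `system/age.nix` if the secret is ever moved or renamed. The `dockerVolumes` daemon-socket mount together with `NIX_REMOTE = "daemon"` means every job this runner accepts talks to the host's nix-daemon and can realise arbitrary derivations there; whether the runner is restricted to protected branches/tags lives in the encrypted registration config and cannot be checked here, so a comment stating that assumption next to `dockerVolumes` is warranted. The `preBuildScript` also adds the `nixos-23.05` channel and runs `nix-channel --update` plus `nix-env -i` at the start of every job, so job results drift with the channel and with nixos.org availability — either document that as intentional (`# per-job bootstrap of a stateless alpine container; channel deliberately unpinned`) or point `--add` at a pinned tarball URL. The enclosing attribute set starts outside the hunk.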
@@ -54,7 +54,7 @@ target = "http://127.0.0.1:3001"; }; "eversole.co" = static { dir = "/var/www/jame.su"; }; - "git.eversole.co" = proxied { target = "http://127.0.0.1:5121"; }; + "git.eversole.co" = proxied { target = "http://127.0.0.1:26616"; }; "graf.matri.cx" = { root = "/var/www/graf.matri.cx"; }; # refer to /monitoring/nginx.nix "hydra.matri.cx" = proxied { target = "http://127.0.0.1:3034"; diff --git a/flake.nix b/flake.nix index 017bbd9..2852d9b 100644 --- a/flake.nix +++ b/flake.nix @@ -18,19 +18,16 @@ outputs = { self, nixpkgs, agenix, nix-serve-ng, ... }@attrs: let - forEachSystem = nixpkgs.lib.genAttrs system; + forEachSystem = nixpkgs.lib.genAttrs systems; pkgs = import nixpkgs { inherit system; }; shell = import ./shell.nix { inherit agenix pkgs; }; system = "x86_64-linux"; + systems = [ system ]; in { devShell.x86_64-linux = shell.dev; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; - hydraJobs = { - build = shell.packages.${system}.format; - }; - packages = shell.packages; nixosConfigurations = { @@ -58,7 +55,6 @@ ./system/hardware.nix ./system/nix-conf.nix ./system/security.nix - ./system/build-services.nix ./system/system.nix ./system/virtualisation.nix diff --git a/secrets.nix b/secrets.nix index 04cdd0b..d33c29f 100644 --- a/secrets.nix +++ b/secrets.nix @@ -7,6 +7,7 @@ let in { "secrets/cache-key.age" = { publicKeys = all; }; + "secrets/gitlab-runner.age" = { publicKeys = all; }; "secrets/graf-email.age" = { publicKeys = all; }; "secrets/htpasswd-dock.age" = { publicKeys = all; }; "secrets/keys.age" = { publicKeys = all; }; diff --git a/secrets/gitlab-runner.age b/secrets/gitlab-runner.age new file mode 100644 index 0000000..b591799 --- /dev/null +++ b/secrets/gitlab-runner.age 
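Review bot: The `"hydra.matri.cx" = proxied { target = "http://127.0.0.1:3034"; …` context lines two below the changed line still proxy to the Hydra instance that this same commit removes (system/build-services.nix is deleted and dropped from flake.nix), so that vhost will now answer 502s; drop the vhost, along with any certificate it requests, in the same change. For the new target, the container sets `external_url 'https://git.eversole.co'` with `nginx['listen_https'] = false`, which only works if the `proxied` helper (defined outside this hunk) forwards `Host` and `X-Forwarded-Proto https`; if it does not, GitLab will generate http:// links and redirect in a loop. Large pushes over HTTPS also need `client_max_body_size` raised on this vhost, so it is worth checking what `proxied` sets.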
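Review bot: `systems = [ system ];` and the corrected `forEachSystem` helper are now defined, but the outputs that follow in this hunk still hard-code `devShell.x86_64-linux` and `formatter.x86_64-linux`, and nothing visible uses `forEachSystem`; either use it (`formatter = forEachSystem (s: nixpkgs.legacyPackages.${s}.nixpkgs-fmt);`) or drop the two bindings rather than keep dead `let` entries. Nix `let` bindings are lazy, so defining `system` after its uses is fine, but a short comment (`# let bindings are lazy; order is cosmetic`) would save the next reader a double-take. The `let` block and the outputs set continue past the hunk.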
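Review bot: `"secrets/gitlab-runner.age" = { publicKeys = all; };` lets every key in `all` (defined above the hunk) decrypt the runner registration token, which only the host running `services.gitlab-runner` needs; agenix lets you scope it to that host's key alone, so compromise of any other key in `all` does not yield a token that can register further runners. The neighbouring entries use `all` too, so this may be deliberate — a comment either way would help.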
@@ -0,0 +1,11 @@ +age-encryption.org/v1 +-> ssh-ed25519 dQ70Fw 1Y4XyvfewFemjm/3N6v2HKdO+kf3l9zWjR4gm+OL/Wo +7G5Ipgr3ZjRBpQrKWQoqLhAGYk1lwyGZBLsbiGi5eNo +-> ssh-ed25519 ZIoeGg pxNvqGCNvjT+6DrKIfZW0O28lKY7OKRtV5uvurhFWSk +fGcCiYWChBAuHJ4764adKj+btYt410oaKtfDlJzfHR4 +-> A"-uU"q-grease p] \?3MHe D, +xpBFoA2Gd3mh877T3WnAvfM6eaB4QF+PXltWXWb4vD28xAZCstZX7yFJ31W/ZUW1 +PcEj2vP/t4OpIRkjgBcrwi/iaaAOO4d1AH252iN9YlNVO0JJMWLcOxAB +--- ewj86Tn8VoLJ44f8q8eKrtFvDLpLVmJfhPydTDsm5VY +irR>vjjg +Y 1)RxC2',d﯈s(0 'dLIfl`g&—3hgAS(j \ No newline at end of file diff --git a/system/age.nix b/system/age.nix index 9b59db6..986756c 100644 --- a/system/age.nix +++ b/system/age.nix @@ -2,6 +2,7 @@ age = { secrets = { cache-key.file = ../secrets/cache-key.age; + gitlab-runner.file = ../secrets/gitlab-runner.age; graf-email = { file = ../secrets/graf-email.age; mode = "770"; diff --git a/system/build-services.nix b/system/build-services.nix deleted file mode 100644 index 577b0da..0000000 --- a/system/build-services.nix +++ /dev/null @@ -1,25 +0,0 @@ -{ config, ... }: { - services = { - hydra = { - enable = true; - hydraURL = "https://hydra.matri.cx"; - listenHost = "127.0.0.1"; - port = 3034; - - extraConfig = '' - using_frontend_proxy = 1 - base_uri = "https://hydra.matri.cx" - ''; - - useSubstitutes = true; - - notificationSender = "hydra@matri.cx"; - buildMachinesFiles = [ ]; - }; - - nix-serve = { - enable = true; - secretKeyFile = config.age.secrets.cache-key.path; - }; - }; -} diff --git a/system/dns.nix b/system/dns.nix index d7648b9..5fb3876 100644 --- a/system/dns.nix +++ b/system/dns.nix @@ -28,6 +28,12 @@ } } + box.eversole.co { + template IN A { + answer "{{ .Name }} 0 IN A 149.28.112.101" + } + } + *.eversole.co { template IN A { answer "{{ .Name }} 0 IN A 192.168.0.130" diff --git a/system/system.nix b/system/system.nix index c5af330..f002199 100644 --- a/system/system.nix +++ b/system/system.nix 
@@ -1,5 +1,6 @@ { pkgs, ... }: { boot = { + kernel.sysctl."net.ipv4.ip_forward" = true; loader.systemd-boot.enable = true; loader.efi.canTouchEfiVariables = true; }; @@ -14,5 +15,16 @@ }; }; + programs.ssh.knownHosts = { + selbeiskami = { + hostNames = [ "192.168.0.57" ]; + publicKey = "192.168.0.57 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiTyWzAu7V2Jkk4rqEjBLu+lAhhkLTO8W/PGb8HkeqQ"; + }; + matricx = { + hostNames = [ "192.168.0.130" "matri.cx" ]; + publicKey = "matri.cx ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMyaPYK0HcKAjrD1g+FPqPEU9FJ0I6+iKYmQlWKE0zHp"; + }; + }; + time.timeZone = "America/Chicago"; }
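Review bot: `kernel.sysctl."net.ipv4.ip_forward" = true;` turns the host into a router without saying why; presumably it is for the docker executor that `services.gitlab-runner` now brings in, but nothing on the page states that. Add a why-comment such as `# IP forwarding is required by the docker executor behind services.gitlab-runner`, and confirm the firewall's forward policy is what you expect now that forwarded packets are actually routed.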
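Review bot: Both `publicKey` values in the new `programs.ssh.knownHosts` entries carry a host prefix (`"192.168.0.57 ssh-ed25519 …"`, `"matri.cx ssh-ed25519 …"`); the option expects only the key type and key data, and the module prepends `hostNames` itself, so the generated known_hosts lines would contain the host twice and fail to match. Use `publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBiTyWzAu7V2Jkk4rqEjBLu+lAhhkLTO8W/PGb8HkeqQ";` for `selbeiskami` and the same trimming for `matricx`. `hostNames = [ "192.168.0.130" "matri.cx" ]` also binds the public name to a LAN address, which is fine if matri.cx is only ever reached on the LAN but deserves a one-line comment.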