ops/nixos: move gitlab-runner registration token to vault

2022-05-13 21:45:36 +00:00 · 2022-05-13 21:45:36 +00:00 · 13d51a7978
commit 13d51a7978
parent bf601faa89
3 changed files with 26 additions and 16 deletions
--- a/ops/nixos/bvm-heptapod/default.nix
+++ b/ops/nixos/bvm-heptapod/default.nix
@ -111,6 +111,16 @@ in {
    };
  };

+  my.vault.secrets.gitlab-runner-environment = {
+    restartUnits = ["gitlab-runner.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/gitlab-runner" }}
+      {{ .Data.data.environment }}
+      {{ end }}
+    '';
+  };
+
  containers.deployer = {
    autoStart = true;
    bindMounts = {
@ -118,6 +128,10 @@ in {
        hostPath = "/var/lib/secrets/nix-daemon";
        isReadOnly = true;
      };
+      "/var/lib/secrets/gitlab-runner-environment" = {
+        hostPath = "/var/lib/secrets/gitlab-runner-environment";
+        isReadOnly = true;
+      };
    };
    config = { config, pkgs, ... }: {
      imports = [
@ -131,19 +145,12 @@ in {
        };
      };
      systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
-      environment.etc."secrets/gitlab-runner-registration" = {
-        text = ''
-          CI_SERVER_URL=https://hg.lukegb.com
-          REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
-        '';
-        mode = "0600";
-      };
      services.gitlab-runner = {
        enable = true;
        concurrent = 16;
        services = {
          deployer = {
-            registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+            registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";
            executor = "shell";
            tagList = [ "deployer" ];
          };
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@ -235,20 +235,21 @@
    (bindMountSvcDynamic "factorio" "factorio.service")
  ];

-
-  environment.etc."secrets/gitlab-runner-registration" = {
-    text = ''
-      CI_SERVER_URL=https://hg.lukegb.com
-      REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
+  my.vault.secrets.gitlab-runner-environment = {
+    restartUnits = ["gitlab-runner.service"];
+    group = "root";
+    template = ''
+      {{ with secret "kv/apps/gitlab-runner" }}
+      {{ .Data.data.environment }}
+      {{ end }}
    '';
-    mode = "0600";
  };
  services.gitlab-runner = {
    enable = true;
    concurrent = 1;
    services = {
      deployer = {
-        registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+        registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;
        executor = "shell";
        tagList = [ "cacher" ];
      };
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@ -64,14 +64,16 @@
    }
  '';
  my.apps.authentik = {};
+  my.apps.gitlab-runner = {};

  my.servers.etheroute-lon01.apps = [ "pomerium" ];
  my.servers.porcorosso.apps = [ "quotesdb" ];
  my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ];
  my.servers.clouvider-fra01.apps = [ "deluge" ];
-  my.servers.clouvider-lon01.apps = [ "quotesdb" ];
+  my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
  my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
  my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
  my.servers.bvm-prosody.apps = [ "turn" ];
+  my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
  my.servers.blade-tuvok.apps = [ "fup" ];
 }