From 13d51a797807dc8b2587fac0230a1046d30d674e Mon Sep 17 00:00:00 2001
From: Luke Granger-Brown
Date: Fri, 13 May 2022 21:45:36 +0000
Subject: [PATCH] ops/nixos: move gitlab-runner registration token to vault

---
 ops/nixos/bvm-heptapod/default.nix | 23 +++++++++++++++--------
 ops/nixos/clouvider-lon01/default.nix | 15 ++++++++-------
 ops/vault/cfg/config.nix | 4 +++-
 3 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/ops/nixos/bvm-heptapod/default.nix b/ops/nixos/bvm-heptapod/default.nix
index 6242979830..0d41b0fee1 100644
--- a/ops/nixos/bvm-heptapod/default.nix
+++ b/ops/nixos/bvm-heptapod/default.nix
@@ -111,6 +111,16 @@ in {
 };
 };

+ my.vault.secrets.gitlab-runner-environment = {
+ restartUnits = ["gitlab-runner.service"];
+ group = "root";
+ template = ''
+ {{ with secret "kv/apps/gitlab-runner" }}
+ {{ .Data.data.environment }}
+ {{ end }}
+ '';
+ };
+
 containers.deployer = {
 autoStart = true;
 bindMounts = {
@@ -118,6 +128,10 @@ in {
 hostPath = "/var/lib/secrets/nix-daemon";
 isReadOnly = true;
 };
+ "/var/lib/secrets/gitlab-runner-environment" = {
+ hostPath = "/var/lib/secrets/gitlab-runner-environment";
+ isReadOnly = true;
+ };
 };
 config = { config, pkgs, ... }: {
 imports = [
@@ -131,19 +145,12 @@ in {
 };
 };
 systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
- environment.etc."secrets/gitlab-runner-registration" = {
- text = ''
- CI_SERVER_URL=https://hg.lukegb.com
- REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
- '';
- mode = "0600";
- };
 services.gitlab-runner = {
 enable = true;
 concurrent = 16;
 services = {
 deployer = {
- registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+ registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";
 executor = "shell";
 tagList = [ "deployer" ];
 };
diff --git a/ops/nixos/clouvider-lon01/default.nix b/ops/nixos/clouvider-lon01/default.nix
index d2d64197c5..b1e8056889 100644
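Review bot: In the third hunk the container's `registrationConfigFile` is the string literal `"/var/lib/secrets/gitlab-runner-environment/secret"`, while the clouvider-lon01 side of the same patch uses `config.my.vault.secrets.gitlab-runner-environment.path`; presumably the literal is needed because `config` inside `containers.deployer.config` is the container's own config rather than the host's, but nothing says so, and the `/secret` basename (which looks copied from the `nix-daemon` pattern on the line above) now has to match whatever the host-side vault module renders. A comment on that line such as `# host-side path; must match my.vault.secrets.gitlab-runner-environment.path, which is not reachable from inside the container` would stop the next maintainer from "fixing" it to the `.path` form. Separately, the removed `environment.etc` block carried an explicit `mode = "0600"`, whereas the new `my.vault.secrets.gitlab-runner-environment` declaration in the first hunk (and the identical one in clouvider-lon01) sets only `group = "root"`, so the rendered file's mode now comes from `my.vault.secrets` module defaults that are not visible here; worth confirming the rendered file is not group- or world-readable, since it presumably carries the same `REGISTRATION_TOKEN` line the removed text block did. The enclosing `containers.deployer.config` attribute set continues outside the hunk.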
--- a/ops/nixos/clouvider-lon01/default.nix
+++ b/ops/nixos/clouvider-lon01/default.nix
@@ -235,20 +235,21 @@
 (bindMountSvcDynamic "factorio" "factorio.service")
 ];
-
- environment.etc."secrets/gitlab-runner-registration" = {
- text = ''
- CI_SERVER_URL=https://hg.lukegb.com
- REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
+ my.vault.secrets.gitlab-runner-environment = {
+ restartUnits = ["gitlab-runner.service"];
+ group = "root";
+ template = ''
+ {{ with secret "kv/apps/gitlab-runner" }}
+ {{ .Data.data.environment }}
+ {{ end }}
 '';
- mode = "0600";
 };
 services.gitlab-runner = {
 enable = true;
 concurrent = 1;
 services = {
 deployer = {
- registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+ registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;
 executor = "shell";
 tagList = [ "cacher" ];
 };
diff --git a/ops/vault/cfg/config.nix b/ops/vault/cfg/config.nix
index a42b5094b8..5f1d0b7fb0 100644
--- a/ops/vault/cfg/config.nix
+++ b/ops/vault/cfg/config.nix
@@ -64,14 +64,16 @@
 }
 '';
 my.apps.authentik = {};
+ my.apps.gitlab-runner = {};
 my.servers.etheroute-lon01.apps = [ "pomerium" ];
 my.servers.porcorosso.apps = [ "quotesdb" ];
 my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ];
 my.servers.clouvider-fra01.apps = [ "deluge" ];
- my.servers.clouvider-lon01.apps = [ "quotesdb" ];
+ my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
 my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
 my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
 my.servers.bvm-prosody.apps = [ "turn" ];
+ my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
 my.servers.blade-tuvok.apps = [ "fup" ];
 }
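Review bot: The `my.vault.secrets.gitlab-runner-environment` block in this hunk, including its three-line `kv/apps/gitlab-runner` template, is a verbatim copy of the one added to bvm-heptapod in the same patch; a third runner host would make the two drift, so a shared NixOS module (or a small function taking the unit list) would be cleaner than duplicating the template text in each host config. Also, `restartUnits = ["gitlab-runner.service"]` restarts the runner whenever vault re-renders the file, but whether that re-registers with a rotated token or merely restarts an already-registered runner depends on the gitlab-runner module, which is not visible here; a one-line comment stating the intended behaviour on rotation, e.g. `# re-rendered token takes effect on the next runner (re)registration`, hedged as appropriate, would help. The enclosing attribute set starts and ends outside the hunk.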
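Review bot: `my.apps.gitlab-runner = {};` registers the `kv/apps/gitlab-runner` secret that both runner templates read through `.Data.data.environment`, but nothing in this file records what that key must hold, even though the templates paste it verbatim into the runner's registration file. A comment next to the new line such as `# kv/apps/gitlab-runner: "environment" is the runner registration env file (the CI_SERVER_URL/REGISTRATION_TOKEN lines formerly inlined in ops/nixos), populated out of band` would document the contract the two host configs now depend on. If the `environment` key is missing the rendered file is presumably empty; whether `my.vault.secrets` fails closed in that case is not visible here.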