ops/nixos: move gitlab-runner registration token to vault
This commit is contained in:
parent
bf601faa89
commit
13d51a7978
3 changed files with 26 additions and 16 deletions
|
@ -111,6 +111,16 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
my.vault.secrets.gitlab-runner-environment = {
|
||||||
|
restartUnits = ["gitlab-runner.service"];
|
||||||
|
group = "root";
|
||||||
|
template = ''
|
||||||
|
{{ with secret "kv/apps/gitlab-runner" }}
|
||||||
|
{{ .Data.data.environment }}
|
||||||
|
{{ end }}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
containers.deployer = {
|
containers.deployer = {
|
||||||
autoStart = true;
|
autoStart = true;
|
||||||
bindMounts = {
|
bindMounts = {
|
||||||
|
@ -118,6 +128,10 @@ in {
|
||||||
hostPath = "/var/lib/secrets/nix-daemon";
|
hostPath = "/var/lib/secrets/nix-daemon";
|
||||||
isReadOnly = true;
|
isReadOnly = true;
|
||||||
};
|
};
|
||||||
|
"/var/lib/secrets/gitlab-runner-environment" = {
|
||||||
|
hostPath = "/var/lib/secrets/gitlab-runner-environment";
|
||||||
|
isReadOnly = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
config = { config, pkgs, ... }: {
|
config = { config, pkgs, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
|
@ -131,19 +145,12 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
|
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
|
||||||
environment.etc."secrets/gitlab-runner-registration" = {
|
|
||||||
text = ''
|
|
||||||
CI_SERVER_URL=https://hg.lukegb.com
|
|
||||||
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
|
|
||||||
'';
|
|
||||||
mode = "0600";
|
|
||||||
};
|
|
||||||
services.gitlab-runner = {
|
services.gitlab-runner = {
|
||||||
enable = true;
|
enable = true;
|
||||||
concurrent = 16;
|
concurrent = 16;
|
||||||
services = {
|
services = {
|
||||||
deployer = {
|
deployer = {
|
||||||
registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
|
registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";
|
||||||
executor = "shell";
|
executor = "shell";
|
||||||
tagList = [ "deployer" ];
|
tagList = [ "deployer" ];
|
||||||
};
|
};
|
||||||
|
|
|
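Review bot: The new `my.vault.secrets.gitlab-runner-environment` block declares only `group = "root";`, whereas the `environment.etc."secrets/gitlab-runner-registration"` entry it replaces pinned `mode = "0600";`; unless the vault module defaults to an owner-only mode (not visible here), the registration token rendered under `/var/lib/secrets/gitlab-runner-environment` may end up readable more widely than before, so the mode is worth setting explicitly if the module exposes one — the same applies to the identical block in the second file's hunk at `@@ -235`. In the container config, `registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";` hard-codes a path that the second file derives from `config.my.vault.secrets.gitlab-runner-environment.path`; presumably the literal is needed because the container's own `config` argument does not see the host option, which deserves a comment such as `# host path of the vault-rendered secret, bind-mounted read-only above; the container config cannot reference the host's vault option`. Since the removed line interpolated `depot.ops.secrets.deployer.registrationToken` into the Nix store, the old token value remains in earlier system generations and in repository history and should be rotated once this lands. A comment on the template, e.g. `# the "environment" field of kv/apps/gitlab-runner must hold the CI_SERVER_URL= and REGISTRATION_TOKEN= lines that registrationConfigFile expects`, would record the contract that was previously spelled out inline.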
@ -235,20 +235,21 @@
|
||||||
(bindMountSvcDynamic "factorio" "factorio.service")
|
(bindMountSvcDynamic "factorio" "factorio.service")
|
||||||
];
|
];
|
||||||
|
|
||||||
|
my.vault.secrets.gitlab-runner-environment = {
|
||||||
environment.etc."secrets/gitlab-runner-registration" = {
|
restartUnits = ["gitlab-runner.service"];
|
||||||
text = ''
|
group = "root";
|
||||||
CI_SERVER_URL=https://hg.lukegb.com
|
template = ''
|
||||||
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
|
{{ with secret "kv/apps/gitlab-runner" }}
|
||||||
|
{{ .Data.data.environment }}
|
||||||
|
{{ end }}
|
||||||
'';
|
'';
|
||||||
mode = "0600";
|
|
||||||
};
|
};
|
||||||
services.gitlab-runner = {
|
services.gitlab-runner = {
|
||||||
enable = true;
|
enable = true;
|
||||||
concurrent = 1;
|
concurrent = 1;
|
||||||
services = {
|
services = {
|
||||||
deployer = {
|
deployer = {
|
||||||
registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
|
registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;
|
||||||
executor = "shell";
|
executor = "shell";
|
||||||
tagList = [ "cacher" ];
|
tagList = [ "cacher" ];
|
||||||
};
|
};
|
||||||
|
|
|
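Review bot: The `my.vault.secrets.gitlab-runner-environment` declaration in this hunk is a verbatim copy of the one added in the first file, down to the `kv/apps/gitlab-runner` path and the `{{ .Data.data.environment }}` template; if the `my.apps.gitlab-runner` module that the third file enables can carry it, defining the secret once there would keep the two hosts from drifting. Both runners also render the same `environment` value, so the deployer and cacher appear to share one registration token, meaning a rotation or a compromise on one host affects the other — a per-runner field under `kv/apps/gitlab-runner` would limit that, if the vault layout allows it. `registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;` is the right way to reference the rendered file and avoids the hard-coded path used in the container variant.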
@ -64,14 +64,16 @@
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
my.apps.authentik = {};
|
my.apps.authentik = {};
|
||||||
|
my.apps.gitlab-runner = {};
|
||||||
|
|
||||||
my.servers.etheroute-lon01.apps = [ "pomerium" ];
|
my.servers.etheroute-lon01.apps = [ "pomerium" ];
|
||||||
my.servers.porcorosso.apps = [ "quotesdb" ];
|
my.servers.porcorosso.apps = [ "quotesdb" ];
|
||||||
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ];
|
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ];
|
||||||
my.servers.clouvider-fra01.apps = [ "deluge" ];
|
my.servers.clouvider-fra01.apps = [ "deluge" ];
|
||||||
my.servers.clouvider-lon01.apps = [ "quotesdb" ];
|
my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
|
||||||
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
|
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
|
||||||
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
|
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
|
||||||
my.servers.bvm-prosody.apps = [ "turn" ];
|
my.servers.bvm-prosody.apps = [ "turn" ];
|
||||||
|
my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
|
||||||
my.servers.blade-tuvok.apps = [ "fup" ];
|
my.servers.blade-tuvok.apps = [ "fup" ];
|
||||||
}
|
}
|
||||||
|
|