ops/nixos: move gitlab-runner registration token to vault

This commit is contained in:
Luke Granger-Brown 2022-05-13 21:45:36 +00:00
parent bf601faa89
commit 13d51a7978
3 changed files with 26 additions and 16 deletions


@ -111,6 +111,16 @@ in {
}; };
}; };
my.vault.secrets.gitlab-runner-environment = {
restartUnits = ["gitlab-runner.service"];
group = "root";
template = ''
{{ with secret "kv/apps/gitlab-runner" }}
{{ .Data.data.environment }}
{{ end }}
'';
};
containers.deployer = { containers.deployer = {
autoStart = true; autoStart = true;
bindMounts = { bindMounts = {
@ -118,6 +128,10 @@ in {
hostPath = "/var/lib/secrets/nix-daemon"; hostPath = "/var/lib/secrets/nix-daemon";
isReadOnly = true; isReadOnly = true;
}; };
"/var/lib/secrets/gitlab-runner-environment" = {
hostPath = "/var/lib/secrets/gitlab-runner-environment";
isReadOnly = true;
};
}; };
config = { config, pkgs, ... }: { config = { config, pkgs, ... }: {
imports = [ imports = [
@ -131,19 +145,12 @@ in {
}; };
}; };
systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret"; systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
environment.etc."secrets/gitlab-runner-registration" = {
text = ''
CI_SERVER_URL=https://hg.lukegb.com
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
'';
mode = "0600";
};
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
concurrent = 16; concurrent = 16;
services = { services = {
deployer = { deployer = {
registrationConfigFile = "/etc/secrets/gitlab-runner-registration"; registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";
executor = "shell"; executor = "shell";
tagList = [ "deployer" ]; tagList = [ "deployer" ];
}; };
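Review bot: `registrationConfigFile` on the new side of the last hunk hard-codes `/var/lib/secrets/gitlab-runner-environment/secret`, the same path that the second hunk uses as both the bindMount key and its `hostPath`, and this is the one place this commit diverges from the other host file, which uses `config.my.vault.secrets.gitlab-runner-environment.path` instead. Inside `containers.deployer.config` the `config` argument is presumably the container's own config, so the option reference is not reachable there; a single binding taken from the host scope, e.g. `runnerEnvDir = config.my.vault.secrets.gitlab-runner-environment.path;` (or its parent directory, depending on what `.path` resolves to, which is not visible here) reused for the mount key, `hostPath` and the `/secret` file would keep the three spellings from drifting. Separately, `restartUnits = ["gitlab-runner.service"]` in the first hunk names a unit that, as far as these hunks show, is defined inside the container rather than on the host, so a re-rendered secret may not restart the runner; confirm which unit the vault module is expected to restart. The enclosing attribute set starts before the first hunk and continues past this one.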


@ -235,20 +235,21 @@
(bindMountSvcDynamic "factorio" "factorio.service") (bindMountSvcDynamic "factorio" "factorio.service")
]; ];
my.vault.secrets.gitlab-runner-environment = {
environment.etc."secrets/gitlab-runner-registration" = { restartUnits = ["gitlab-runner.service"];
text = '' group = "root";
CI_SERVER_URL=https://hg.lukegb.com template = ''
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken} {{ with secret "kv/apps/gitlab-runner" }}
{{ .Data.data.environment }}
{{ end }}
''; '';
mode = "0600";
}; };
services.gitlab-runner = { services.gitlab-runner = {
enable = true; enable = true;
concurrent = 1; concurrent = 1;
services = { services = {
deployer = { deployer = {
registrationConfigFile = "/etc/secrets/gitlab-runner-registration"; registrationConfigFile = config.my.vault.secrets.gitlab-runner-environment.path;
executor = "shell"; executor = "shell";
tagList = [ "cacher" ]; tagList = [ "cacher" ];
}; };
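Review bot: The removed `mode = "0600";` has no counterpart in the new `my.vault.secrets.gitlab-runner-environment` block, which sets only `group = "root"`, so the rendered file, which presumably still carries the `REGISTRATION_TOKEN=` line that the old `text` block embedded, now relies on the vault module's default permissions, and that default is not visible in this commit; confirm it keeps the file root-only, or set the mode explicitly if the module exposes such an option. The template also turns a file whose two keys were readable in the Nix source into an opaque `{{ .Data.data.environment }}`, so a comment above `template` such as `# kv/apps/gitlab-runner:environment holds the runner registration file (CI_SERVER_URL=..., REGISTRATION_TOKEN=...)` would preserve what an operator has to populate; the same comment belongs in the first file of this commit, which renders the same vault path. The surrounding attribute set extends beyond the hunk on both ends.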


@ -64,14 +64,16 @@
} }
''; '';
my.apps.authentik = {}; my.apps.authentik = {};
my.apps.gitlab-runner = {};
my.servers.etheroute-lon01.apps = [ "pomerium" ]; my.servers.etheroute-lon01.apps = [ "pomerium" ];
my.servers.porcorosso.apps = [ "quotesdb" ]; my.servers.porcorosso.apps = [ "quotesdb" ];
my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ]; my.servers.totoro.apps = [ "sslrenew-raritan" "deluge" "quotesdb" "authentik" ];
my.servers.clouvider-fra01.apps = [ "deluge" ]; my.servers.clouvider-fra01.apps = [ "deluge" ];
my.servers.clouvider-lon01.apps = [ "quotesdb" ]; my.servers.clouvider-lon01.apps = [ "quotesdb" "gitlab-runner" ];
my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ]; my.servers.bvm-twitterchiver.apps = [ "twitterchiver" ];
my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ]; my.servers.bvm-matrix.apps = [ "turn" "matrix-synapse" ];
my.servers.bvm-prosody.apps = [ "turn" ]; my.servers.bvm-prosody.apps = [ "turn" ];
my.servers.bvm-heptapod.apps = [ "gitlab-runner" ];
my.servers.blade-tuvok.apps = [ "fup" ]; my.servers.blade-tuvok.apps = [ "fup" ];
} }