diff --git a/ops/nixos/bvm-heptapod/default.nix b/ops/nixos/bvm-heptapod/default.nix
index eeadf3bafa..e8268c0c6f 100644
--- a/ops/nixos/bvm-heptapod/default.nix
+++ b/ops/nixos/bvm-heptapod/default.nix
@@ -111,5 +111,65 @@ in {
 };
 };
+ containers.deployer = {
+ config = { config, pkgs, ... }: {
+ imports = [
+ ../lib/low-space.nix
+ ];
+ networking.hosts = depot.ops.nixos.tailscaleIPs;
+ nix = {
+ binaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
+ trustedBinaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
+ envVars = {
+ AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
+ AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
+ };
+ };
+ environment.etc."secrets/gitlab-runner-registration" = {
+ text = ''
+ CI_SERVER_URL=https://hg.lukegb.com
+ REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
+ '';
+ mode = "0600";
+ };
+ services.gitlab-runner = {
+ enable = true;
+ concurrent = 16;
+ services = {
+ deployer = {
+ registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
+ executor = "shell";
+ tagList = [ "deployer" ];
+ };
+ };
+ gracefulTermination = true;
+ gracefulTimeout = "4min";
+ package = depot.nix.pkgs.heptapod-runner;
+ };
+ users.users.gitlab-runner = {
+ isNormalUser = true;
+ group = "nogroup";
+ createHome = true;
+ home = "/srv/gitlab-runner";
+ };
+ system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
+ mkdir -p /srv/gitlab-runner/.ssh
+ chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
+ chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
+ cp "${pkgs.writeTextFile {
+ name = "gitlab-runner-key";
+ destination = "/private/id_ed25519";
+ text = depot.ops.secrets.deployer.privateKey;
+ }}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
+ chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
+ chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
+ '';
+ environment.systemPackages = with pkgs; [
+ vim rxvt_unicode.terminfo kitty.terminfo rsync jq
+ depot.nix.pkgs.heptapod-runner-mercurial
+ ];
+ };
+ };
+ 
 system.stateVersion = "21.11";
 }
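Review bot: The `mode = "0600"` on `environment.etc."secrets/gitlab-runner-registration"` and the `chmod -R u=rwX,go=` after the `cp` only protect the copies; the registration token, the `deployer.privateKey` passed to `pkgs.writeTextFile`, and the `AWS_*` values interpolated into `nix.envVars` are all written into the Nix store, which is world-readable to every user and CI job on the host. With `executor = "shell"` and `concurrent = 16`, any job carrying the `deployer` tag runs as `gitlab-runner` and can read these from the store regardless of the file permissions set here. I would provide the registration file and the SSH key from the host via `bindMounts` on the container (or another out-of-store secret path) and point `registrationConfigFile` and the `cp` source at that mount, and likewise pass the cache credentials through a file rather than `nix.envVars`. The second `chown`/`chmod` pair in the activation script repeats the first and can be dropped once the `cp` no longer reads from the store. The enclosing `in { ... }` attribute set starts outside the hunk.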