bvm-heptapod: add deployer container

This commit is contained in:
Luke Granger-Brown 2022-01-01 00:22:35 +00:00
parent 8b3e77de1e
commit 297e9c97e7

View file

@ -111,5 +111,65 @@ in {
};
};
containers.deployer = {
config = { config, pkgs, ... }: {
imports = [
../lib/low-space.nix
];
networking.hosts = depot.ops.nixos.tailscaleIPs;
nix = {
binaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
trustedBinaryCaches = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
envVars = {
AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
};
};
environment.etc."secrets/gitlab-runner-registration" = {
text = ''
CI_SERVER_URL=https://hg.lukegb.com
REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
'';
mode = "0600";
};
services.gitlab-runner = {
enable = true;
concurrent = 16;
services = {
deployer = {
registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
executor = "shell";
tagList = [ "deployer" ];
};
};
gracefulTermination = true;
gracefulTimeout = "4min";
package = depot.nix.pkgs.heptapod-runner;
};
users.users.gitlab-runner = {
isNormalUser = true;
group = "nogroup";
createHome = true;
home = "/srv/gitlab-runner";
};
system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
mkdir -p /srv/gitlab-runner/.ssh
chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
cp "${pkgs.writeTextFile {
name = "gitlab-runner-key";
destination = "/private/id_ed25519";
text = depot.ops.secrets.deployer.privateKey;
}}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
'';
environment.systemPackages = with pkgs; [
vim rxvt_unicode.terminfo kitty.terminfo rsync jq
depot.nix.pkgs.heptapod-runner-mercurial
];
};
};
system.stateVersion = "21.11";
}