# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0

# NixOS host module for the "bvm-heptapod" VM: host networking, a local
# Postfix/OpenDKIM relay for the Heptapod container, the Heptapod (GitLab)
# and heptapod-runner OCI containers, and a nested "deployer" NixOS
# container that runs a shell-executor gitlab-runner holding a deploy key.
{ config, depot, lib, pkgs, ... }:
let
  # `secrets` is bound here, but the rest of this file reaches for
  # depot.ops.secrets directly.
  inherit (depot.ops) secrets;
in
{
  imports = [ ../lib/bvm.nix ];

  # Networking!
  networking = {
    hostName = "bvm-heptapod";
    hostId = "c30784de";
    tempAddresses = "disabled";
    # Internal/management network.
    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.208"; prefixLength = 23; }];
    };
    # Public-facing interface; also the default route for v4 and v6.
    interfaces.enp2s0 = {
      ipv4.addresses = [{ address = "92.118.28.10"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::10"; prefixLength = 32; }];
    };
    # Extra public addresses bound on loopback (/32 and /128).
    interfaces.lo = {
      ipv4.addresses = [
        { address = "127.0.0.1"; prefixLength = 8; }
        { address = "92.118.28.11"; prefixLength = 32; }
      ];
      ipv6.addresses = [
        { address = "::1"; prefixLength = 128; }
        { address = "2a09:a441::11"; prefixLength = 128; }
      ];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };
    firewall = {
      # TCP/25 is reachable only from the Docker bridge, so the Heptapod
      # container can submit mail to the local Postfix (see services.postfix).
      interfaces.docker0.allowedTCPPorts = [ 25 ];
      # 22/80/443 are forwarded to the Heptapod container (oci-containers
      # below); 20022 is the host's own sshd. UDP/443 is opened as well
      # (presumably QUIC/HTTP3 — confirm the container actually serves it).
      allowedTCPPorts = [ 22 80 443 20022 ];
      allowedUDPPorts = [ 443 ];
    };
  };

  my.ip.tailscale = "100.94.23.105";

  # Host sshd moves to 20022 because TCP/22 is handed to the Heptapod
  # container; deploy and Rundeck tooling must use the same port.
  services.openssh.ports = [ 20022 ];
  my.deploy.args = "-p 20022";
  my.rundeck.hostname = "${config.networking.fqdn}:20022";

  # Postfix needs group access to the OpenDKIM milter socket.
  users.users.postfix.extraGroups = [ "opendkim" ];
  services.postfix = {
    enable = true;
    domain = "hg.lukegb.com";
    hostname = "hg.lukegb.com";
    # Sign outgoing mail via OpenDKIM; "accept" means mail still goes out
    # unsigned if the milter is unavailable.
    extraConfig = ''
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = ${config.services.opendkim.socket}
      non_smtpd_milters = ${config.services.opendkim.socket}
    '';
    # Relaying is permitted for the whole Docker default bridge range, so
    # any container on that bridge (not only Heptapod) can send through here.
    networks = [ "172.17.0.0/16" ];
  };
  services.opendkim = {
    enable = true;
    domains = "csl:hg.lukegb.com";
    selector = "marukuru";
  };

  # IPv6 for containers out of a dedicated /64.
  virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2a09:a441:10::/64";
  virtualisation.oci-containers.containers = {
    heptapod-runner = {
      image = "octobus/heptapod-runner:0.2.0";
      volumes = [
        # Runner configuration (including its executor) lives here, outside
        # this file.
        "/srv/gitlab-runner/config:/etc/gitlab-runner"
        # NOTE(review): bind-mounting the Docker socket gives this container
        # full control of the host's Docker daemon, which is equivalent to
        # root on the host; anything that can influence this runner's jobs
        # inherits that. Worth confirming the runner's executor config really
        # requires it.
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
    };
    heptapod = let img = depot.nix.docker.heptapod; in {
      # Image is built in-repo and loaded from the store rather than pulled.
      image = "${img.meta.name}:${img.meta.tag}";
      imageFile = img;
      ports = [
        # host:container
        "22:22"
        "80:80"
        "443:443"
      ];
      volumes = [
        "/srv/gitlab/config:/etc/gitlab"
        "/srv/gitlab/logs:/var/log/gitlab"
        "/srv/gitlab/data:/var/opt/gitlab"
      ];
      environment = {
        # Omnibus takes its Ruby config from one env var, so newlines are
        # folded into ";". Outgoing mail is sent to the host's public IPv4
        # where the local Postfix listens (the container's bridge range is
        # whitelisted in services.postfix.networks above). Do not add
        # comments inside this string: "#" would swallow everything up to
        # the next folded newline.
        GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] ''
          external_url "https://hg.lukegb.com"
          letsencrypt['enable'] = true
          letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
          nginx['redirect_http_to_https'] = true
          nginx['listen_addresses'] = ["0.0.0.0", "[::]"]
          gitlab_rails['smtp_enable'] = true
          gitlab_rails['smtp_address'] = '92.118.28.10'
          gitlab_rails['smtp_port'] = 25
          gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
          gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'
          prometheus['enable'] = false
        '';
      };
    };
  };

  # Nested NixOS container hosting the "deployer" CI runner.
  containers.deployer = {
    config = { config, pkgs, ... }: {
      imports = [ ../lib/low-space.nix ];
      networking.hosts = depot.ops.nixos.tailscaleIPs;
      nix = {
        binaryCaches = lib.mkForce [
          "https://cache.nixos.org/"
          "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1"
        ];
        trustedBinaryCaches = lib.mkForce [
          "https://cache.nixos.org/"
          "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1"
        ];
        # NOTE(review): the S3 cache credentials are interpolated as plain
        # strings into the nix-daemon's environment. Confirm where NixOS
        # materialises nix.envVars; if it is a store path or unit file, the
        # keys are readable by every user of this container.
        envVars = {
          AWS_ACCESS_KEY_ID = "${depot.ops.secrets.nixCache.AWS_ACCESS_KEY_ID}";
          AWS_SECRET_ACCESS_KEY = "${depot.ops.secrets.nixCache.AWS_SECRET_ACCESS_KEY}";
        };
      };
      # NOTE(review): environment.etc.*.text is first written to the Nix
      # store (world-readable) and only then installed into /etc; mode 0600
      # protects the /etc copy, not the store copy of the registration token.
      environment.etc."secrets/gitlab-runner-registration" = {
        text = ''
          CI_SERVER_URL=https://hg.lukegb.com
          REGISTRATION_TOKEN=${depot.ops.secrets.deployer.registrationToken}
        '';
        mode = "0600";
      };
      services.gitlab-runner = {
        enable = true;
        concurrent = 16;
        services = {
          deployer = {
            registrationConfigFile = "/etc/secrets/gitlab-runner-registration";
            # Shell executor: jobs tagged "deployer" run directly as the
            # gitlab-runner user in this container, with the SSH key
            # installed by the activation script below available to them.
            executor = "shell";
            tagList = [ "deployer" ];
          };
        };
        gracefulTermination = true;
        gracefulTimeout = "4min";
        package = depot.nix.pkgs.heptapod-runner;
      };
      users.users.gitlab-runner = {
        isNormalUser = true;
        group = "nogroup";
        createHome = true;
        home = "/srv/gitlab-runner";
      };
      # Installs the deployer SSH private key into the runner's ~/.ssh.
      # Ordered after the "users"/"groups" scripts so chown can resolve the
      # gitlab-runner account. The chown/chmod pair is repeated after cp so
      # the freshly copied key itself gets u=rw,go= rather than the store
      # file's permissions.
      # NOTE(review): pkgs.writeTextFile places the private key in the Nix
      # store, which is world-readable; the chmod only protects the copy
      # under /srv/gitlab-runner/.ssh.
      system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
        mkdir -p /srv/gitlab-runner/.ssh
        chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
        chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
        cp "${pkgs.writeTextFile { name = "gitlab-runner-key"; destination = "/private/id_ed25519"; text = depot.ops.secrets.deployer.privateKey; }}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
        chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
        chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
      '';
      # Tooling available to CI jobs running in the container.
      environment.systemPackages = with pkgs; [
        vim
        rxvt_unicode.terminfo
        kitty.terminfo
        rsync
        jq
        depot.nix.pkgs.heptapod-runner-mercurial
      ];
    };
  };

  system.stateVersion = "21.11";
}