# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

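{ config, depot, lib, pkgs, ... }:
let
  # Single binding for host secrets so every secret reference in this
  # module is easy to audit.
  inherit (depot.ops) secrets;
in {
  imports = [
    ../lib/bvm.nix
  ];

  # Networking!
  networking = {
    hostName = "bvm-heptapod";
    hostId = "c30784de";
    tempAddresses = "disabled";

    # enp1s0 is the internal network; enp2s0 is the public one carrying the
    # default routes below.
    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.208"; prefixLength = 23; }];
    };
    interfaces.enp2s0 = {
      ipv4.addresses = [{ address = "92.118.28.10"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::10"; prefixLength = 32; }];
    };
    # Additional service addresses bound as host routes on loopback.
    interfaces.lo = {
      ipv4.addresses = [
        { address = "127.0.0.1"; prefixLength = 8; }
        { address = "92.118.28.11"; prefixLength = 32; }
      ];
      ipv6.addresses = [
        { address = "::1"; prefixLength = 128; }
        { address = "2a09:a441::11"; prefixLength = 128; }
      ];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };

    firewall = {
      # Containers on the docker bridge may reach the host's SMTP port; this
      # pairs with services.postfix.networks below.
      interfaces.docker0.allowedTCPPorts = [ 25 ];
      # 22/80/443 are published to the heptapod container (see its `ports`);
      # 20022 is the host's own sshd (services.openssh.ports).
      allowedTCPPorts = [ 22 80 443 20022 ];
      allowedUDPPorts = [ 443 ];
    };
  };
  my.ip.tailscale = "100.94.23.105";
  my.ip.tailscale6 = "fd7a:115c:a1e0:ab12:4843:cd96:625e:1769";

  # Host sshd moves to 20022 so the container can own port 22; deploy and
  # rundeck must follow.
  services.openssh.ports = [ 20022 ];
  my.deploy.args = "-p 20022";
  my.rundeck.hostname = "${config.networking.fqdn}:20022";

  # postfix needs group access to the opendkim milter socket.
  users.users.postfix.extraGroups = [ "opendkim" ];

  # Outbound mail for hg.lukegb.com, DKIM-signed through the opendkim milter.
  services.postfix = {
    enable = true;
    domain = "hg.lukegb.com";
    hostname = "hg.lukegb.com";
    extraConfig = ''
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = ${config.services.opendkim.socket}
      non_smtpd_milters = ${config.services.opendkim.socket}
    '';
    # milter_default_action = accept above means mail still goes out, just
    # unsigned, if opendkim is unreachable.
    # NOTE(review): the whole docker bridge range is a trusted relay client.
    # heptapod-runner below has the docker socket, so CI job containers
    # presumably land on this bridge too and could relay through here with a
    # hg.lukegb.com DKIM signature; narrowing this to the heptapod container
    # (or requiring SMTP auth) would limit that. Confirm the range matches
    # the running docker network.
    networks = [ "172.17.0.0/16" ];
  };
  services.opendkim = {
    enable = true;
    domains = "csl:hg.lukegb.com";
    selector = "marukuru";
  };

  # Container IPv6 with ip6tables is still behind docker's experimental flag.
  virtualisation.docker.extraOptions = "--experimental --ipv6 --ip6tables --fixed-cidr-v6 2a09:a441:10::/64";
  virtualisation.oci-containers.containers = {
    heptapod-runner = {
      image = "octobus/heptapod-runner:0.2.0";
      volumes = [
        "/srv/gitlab-runner/config:/etc/gitlab-runner"
        # Access to the docker socket is root-equivalent on the host, so this
        # runner is trusted with the whole machine.
        "/var/run/docker.sock:/var/run/docker.sock"
      ];
    };
    heptapod = let img = depot.nix.docker.heptapod; in {
      image = "${img.meta.name}:${img.meta.tag}";
      imageFile = img;
      ports = [
        # host:container
        "22:22"
        "80:80"
        "443:443"
      ];
      volumes = [
        "/srv/gitlab/config:/etc/gitlab"
        "/srv/gitlab/logs:/var/log/gitlab"
        "/srv/gitlab/data:/var/opt/gitlab"
      ];
      environment = {
        # Omnibus reads this as one line of Ruby, so newlines (including the
        # blank separators) are turned into `;`.
        GITLAB_OMNIBUS_CONFIG = builtins.replaceStrings ["\n"] [";"] ''
          external_url "https://hg.lukegb.com"
          letsencrypt['enable'] = true
          letsencrypt['contact_emails'] = ['letsencrypt@lukegb.com']
          nginx['redirect_http_to_https'] = true
          nginx['listen_addresses'] = ["0.0.0.0", "[::]"]

          gitlab_rails['smtp_enable'] = true
          gitlab_rails['smtp_address'] = '92.118.28.10'
          gitlab_rails['smtp_port'] = 25
          gitlab_rails['gitlab_email_from'] = 'heptapod@hg.lukegb.com'
          gitlab_rails['gitlab_email_reply_to'] = 'noreply@hg.lukegb.com'

          prometheus['enable'] = false
        '';
        # smtp_address is the host's enp2s0 address; from the container the
        # traffic arrives on docker0, which is where port 25 is opened.
      };
    };
  };

  # Runner registration material, rendered from vault on the host and
  # bind-mounted into the deployer container below.
  my.vault.secrets.gitlab-runner-environment = {
    restartUnits = ["gitlab-runner.service"];
    group = "root";
    template = ''
      {{ with secret "kv/apps/gitlab-runner" }}
      {{ .Data.data.environment }}
      {{ end }}
    '';
  };

  # A shell-executor runner isolated in a NixOS container; it only sees the
  # two secrets bind-mounted read-only here.
  containers.deployer = {
    autoStart = true;
    bindMounts = {
      "/var/lib/secrets/nix-daemon" = {
        hostPath = "/var/lib/secrets/nix-daemon";
        isReadOnly = true;
      };
      "/var/lib/secrets/gitlab-runner-environment" = {
        hostPath = "/var/lib/secrets/gitlab-runner-environment";
        isReadOnly = true;
      };
    };
    # `config` and `pkgs` here are the container's own; `depot`, `lib` and
    # `secrets` are captured from the host module scope.
    config = { config, pkgs, ... }: {
      imports = [
        ../lib/low-space.nix
      ];
      networking.hosts = depot.ops.nixos.tailscaleIPs;
      nix = {
        settings = {
          # Pin the cache list so nothing from the defaults leaks in.
          substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
          trusted-substituters = lib.mkForce [ "https://cache.nixos.org/" "s3://lukegb-nix-cache?endpoint=storage.googleapis.com&trusted=1" ];
        };
      };
      # Presumably credentials for the s3 cache above; only nix-daemon reads it.
      systemd.services.nix-daemon.serviceConfig.EnvironmentFile = "/var/lib/secrets/nix-daemon/secret";
      services.gitlab-runner = {
        enable = true;
        settings.concurrent = 16;
        services = {
          deployer = {
            # The vault-rendered file bind-mounted from the host above.
            registrationConfigFile = "/var/lib/secrets/gitlab-runner-environment/secret";
            executor = "shell";
            tagList = [ "deployer" ];
          };
        };
        gracefulTermination = true;
        gracefulTimeout = "4min";
        package = depot.nix.pkgs.heptapod-runner;
      };
      users.users.gitlab-runner = {
        isNormalUser = true;
        group = "nogroup";
        createHome = true;
        home = "/srv/gitlab-runner";
      };
      # NOTE(review): writeTextFile puts the private key in /nix/store, which
      # is world-readable, so the permissions below only protect the copy in
      # ~/.ssh. Delivering it through my.vault.secrets (as
      # gitlab-runner-environment is above) would keep it out of the store.
      system.activationScripts.deployer-key = lib.stringAfter [ "users" "groups" ] ''
        mkdir -p /srv/gitlab-runner/.ssh
        # install(1) creates the destination with its final owner and mode,
        # so the key is never momentarily readable under the default umask.
        install -m 0600 -o gitlab-runner -g nogroup "${pkgs.writeTextFile {
          name = "gitlab-runner-key";
          destination = "/private/id_ed25519";
          text = secrets.deployer.privateKey;
        }}/private/id_ed25519" /srv/gitlab-runner/.ssh/id_ed25519
        chown -R gitlab-runner:nogroup /srv/gitlab-runner/.ssh
        chmod -R u=rwX,go= /srv/gitlab-runner/.ssh
      '';
      environment.systemPackages = with pkgs; [
        vim rxvt_unicode.terminfo kitty.terminfo rsync jq
        depot.nix.pkgs.heptapod-runner-mercurial
      ];
    };
  };

  system.stateVersion = "21.11";
}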