From ad84020ba4c3dc60ac9d4a28cd81a32576af5bb3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Karel=20Ko=C4=8D=C3=AD?=
Date: Tue, 18 Oct 2022 16:08:43 +0200
Subject: nixos/machine/mrpump: Gitlab CI
---
 flake.lock | 122 ++++++++++++++++++++++++++++++++++++----------
 flake.nix | 5 +-
 nixos/default.nix | 6 +--
 nixos/machine/default.nix | 4 +-
 nixos/machine/mrpump.nix | 118 +++++++++++++++++++++++++++++++++++++++-----
 nixos/modules/develop.nix | 2 +-
 nixos/modules/generic.nix | 5 +-
 7 files changed, 216 insertions(+), 46 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0fba624..befdace 100644
--- a/flake.lock
+++ b/flake.lock
@@ -56,6 +56,41 @@
 "type": "indirect"
 }
 },
+ "lowdown-src": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1633514407,
+ "narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
+ "owner": "kristapsdz",
+ "repo": "lowdown",
+ "rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "kristapsdz",
+ "repo": "lowdown",
+ "type": "github"
+ }
+ },
+ "nix": {
+ "inputs": {
+ "lowdown-src": "lowdown-src",
+ "nixpkgs": "nixpkgs",
+ "nixpkgs-regression": "nixpkgs-regression"
+ },
+ "locked": {
+ "lastModified": 1666079405,
+ "narHash": "sha256-FckhGfnosWtcQop/TF/6yj4ifgd18/vdRT2ctPzNpUg=",
+ "owner": "NixOS",
+ "repo": "nix",
+ "rev": "a324e9a5c84a144b824303064220463977c63c73",
+ "type": "github"
+ },
+ "original": {
+ "id": "nix",
+ "type": "indirect"
+ }
+ },
 "nixos-hardware": {
 "locked": {
 "lastModified": 1665649208,
@@ -72,19 +107,53 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1665634984,
- "narHash": "sha256-zwXeMc96BD9iFxSB/SLr3dI8iYpqM+seX9qy6bGV+cw=",
+ "lastModified": 1657693803,
+ "narHash": "sha256-G++2CJ9u0E7NNTAi9n5G8TdDmGJXcIjkJ3NF8cetQB8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "cfea568da97a2668ef3cb3fc42eaacfb0e706807",
+ "rev": "365e1b3a859281cf11b94f87231adeabbdd878a2",
 "type": "github"
 },
 "original": {
- "id": "nixpkgs",
- "type": "indirect"
+ "owner": "NixOS",
+ "ref": "nixos-22.05-small",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs-regression": {
+ "locked": {
+ "lastModified": 1643052045,
+ "narHash": "sha256-uGJ0VXIhWKGXxkeNnq4TvV3CIOkUJ3PAoLZ3HMzNVMw=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "215d4d0fd80ca5163643b03a33fde804a29cc1e2",
+ "type": "github"
 }
 },
 "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1666099973,
+ "narHash": "sha256-JCX0alqjPHPsak/YOVDEbjpThSnGOX2q+NWR1M3aE6E=",
+ "owner": "Cynerd",
+ "repo": "nixpkgs",
+ "rev": "3eadda2cf8cfbdc86e9f44fc145ea5cd23653e8f",
+ "type": "github"
+ },
+ "original": {
+ "owner": "Cynerd",
+ "ref": "oci-container-docker",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
+ "nixpkgs_3": {
 "locked": {
 "lastModified": 1654875595,
 "narHash": "sha256-Vairke3ryPSFpgQdaYicPPhPWMGhtzm6V+1uF2Tefbk=",
@@ -98,7 +167,7 @@
 "type": "indirect"
 }
 },
- "nixpkgs_3": {
+ "nixpkgs_4": {
 "locked": {
 "lastModified": 1637875414,
 "narHash": "sha256-Ica++SXFuLyxX9Q7YxhfZulUif6/gwM8AEQYlUxqSgE=",
@@ -113,7 +182,7 @@
 "type": "indirect"
 }
 },
- "nixpkgs_4": {
+ "nixpkgs_5": {
 "locked": {
 "lastModified": 1664847737,
 "narHash": "sha256-Wxl0CtRH3Vo8+qEZ/PbCcx+9D8wEEi56tJPmROum2ss=",
@@ -150,11 +219,11 @@
 },
 "personal-secret": {
 "locked": {
- "lastModified": 1665047556,
- "narHash": "sha256-TWELa1+akUyj0zc6DucheOydPN23b9oqXApKU3nqgzo=",
+ "lastModified": 1665994212,
+ "narHash": "sha256-z/3GZvfFC8W49uHZ2htZt4ADENrK+JpTewblATdbui0=",
 "ref": "refs/heads/master",
- "rev": "e6000437e6ab83ddf537de765b116bed40672e8b",
- "revCount": 32,
+ "rev": "aa14cb2d6812912286fe73f1ac0f81de1d779a3d",
+ "revCount": 34,
 "type": "git",
 "url": "ssh://git@cynerd.cz/nixos-personal-secret"
 },
@@ -166,8 +235,9 @@
 "root": {
 "inputs": {
 "flake-utils": "flake-utils",
+ "nix": "nix",
 "nixos-hardware": "nixos-hardware",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
 "nixturris": "nixturris",
 "personal-secret": "personal-secret",
 "shellrc": "shellrc",
@@ -179,14 +249,14 @@
 "shellrc": {
 "inputs": {
 "flake-utils": "flake-utils_3",
- "nixpkgs": "nixpkgs_2"
+ "nixpkgs": "nixpkgs_3"
 },
 "locked": {
- "lastModified": 1665667521,
- "narHash": "sha256-T/+xbor0L5U9VkZAfIbDVn7xKaqcBlVM5IySnPsRRTs=",
+ "lastModified": 1665670695,
+ "narHash": "sha256-ggnEnAC28aLWrA+nynLDgWYJv/sUy8RYYQekfeYigkY=",
 "ref": "refs/heads/master",
- "rev": "43bd5ac8b20f0f846da6c067eba4058b86daa0fb",
- "revCount": 79,
+ "rev": "9eb1eabfb13c3a88b0a6fd4832bd76c4ba5a1159",
+ "revCount": 80,
 "type": "git",
 "url": "https://git.cynerd.cz/shellrc"
 },
@@ -197,7 +267,7 @@
 },
 "sterm": {
 "inputs": {
- "nixpkgs": "nixpkgs_3"
+ "nixpkgs": "nixpkgs_4"
 },
 "locked": {
 "lastModified": 1661025608,
@@ -216,14 +286,14 @@
 "usbkey": {
 "inputs": {
 "flake-utils": "flake-utils_4",
- "nixpkgs": "nixpkgs_4"
+ "nixpkgs": "nixpkgs_5"
 },
 "locked": {
- "lastModified": 1665669035,
- "narHash": "sha256-xhtwhGEmLoc8Dhn1eA9jYK5Csz0hAVpq3cpSgcNxwTg=",
+ "lastModified": 1665754388,
+ "narHash": "sha256-y9fCPNjGHLeIsnXTo792bG1ffJSQA3XtyeTofYllsK4=",
 "ref": "modules",
- "rev": "5696f8083a2d3aaffee0786677a145ddbf6b38c8",
- "revCount": 8,
+ "rev": "4c7363b056aaf2a73f2a908f7e864174569de15f",
+ "revCount": 10,
 "type": "git",
 "url": "https://git.cynerd.cz/usbkey"
 },
@@ -235,11 +305,11 @@
 },
 "vpsadminos": {
 "locked": {
- "lastModified": 1665653150,
- "narHash": "sha256-I+Tu9mZmZ6Odc2fDXvh2e+FmNt5OWfHTgbnMRzTiwPU=",
+ "lastModified": 1666063321,
+ "narHash": "sha256-O3+kp+7eN53E/OMbL1jpUd2Et5hOq7q5IdUbHvP4GP0=",
 "owner": "vpsfreecz",
 "repo": "vpsadminos",
- "rev": "53f83a6ca7f8fa417c2d0fdfd4b382eb9e739744",
+ "rev": "f6f24bf43ee0c268831ff6dac3e94198dbe5a76b",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index efef019..51f2fe4 100644
--- a/flake.nix
+++ b/flake.nix
@@ -2,6 +2,7 @@
 description = "Cynerd's personal flake";
 inputs = {
+ nixpkgs.url = "github:Cynerd/nixpkgs/oci-container-docker";
 shellrc.url = "git+https://git.cynerd.cz/shellrc";
 personal-secret.url = "git+ssh://git@cynerd.cz/nixos-personal-secret";
 nixturris = {
@@ -16,7 +17,7 @@
 };
 outputs = { self
- , nixpkgs, flake-utils, nixos-hardware
+ , nixpkgs, flake-utils, nixos-hardware, nix
 , shellrc, usbkey, nixturris, personal-secret
 , vpsadminos
 , sterm
@@ -24,7 +25,7 @@
 with flake-utils.lib; {
 overlays.default = final: prev: import ./pkgs { inherit self; nixpkgs = prev; };
- nixosModules = import ./nixos nixpkgs;
+ nixosModules = import ./nixos self;
 nixosConfigurations = let
diff --git a/nixos/default.nix b/nixos/default.nix
index 72eae65..64593bb 100644
--- a/nixos/default.nix
+++ b/nixos/default.nix
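Review bot: The new `nixpkgs.url = "github:Cynerd/nixpkgs/oci-container-docker";` moves every machine built from this flake off the upstream registry entry and onto a personal fork branch; the lock pins the exact revision for now, but each later `nix flake update` will follow whatever that branch holds at the time. Nothing in the commit records what the branch changes relative to upstream or when it can be dropped, so the dependency is hard to audit later. A one-line comment above the input, e.g. `# fork carrying <change, to be filled in>; switch back to an upstream channel once merged`, would make the intent and the exit condition explicit.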
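Review bot: `nix` is added to the outputs argument set in the `@@ -16,7 +17,7 @@` hunk without a matching `inputs.nix` declaration, so it is resolved through the flake registry as an indirect input (the lock records `"id": "nix", "type": "indirect"`), i.e. it tracks whatever the registry maps `nix` to rather than a source named in this file. Declaring it next to the other inputs, `inputs.nix.url = "github:NixOS/nix";`, keeps the provenance visible and reviewable. The lock also shows the input carrying its own `nixpkgs` (`nixos-22.05-small`); if docker.nix builds fine against the fork, `inputs.nix.inputs.nixpkgs.follows = "nixpkgs";` would avoid the second nixpkgs in the closure, though that is presumably a deliberate trade-off.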
@@ -1,9 +1,9 @@
-nixpkgs:
+self:
 let
- modules = import ./modules nixpkgs;
- machines = import ./machine;
+ modules = import ./modules self.inputs.nixpkgs;
+ machines = import ./machine self;
 in modules // machines // { default = { imports = builtins.attrValues modules; };
diff --git a/nixos/machine/default.nix b/nixos/machine/default.nix
index 2efe2da..801d0a4 100644
--- a/nixos/machine/default.nix
+++ b/nixos/machine/default.nix
@@ -1,4 +1,4 @@
-{
+self: {
 machine-albert = import ./albert.nix;
 machine-binky = import ./binky.nix;
 machine-dean = import ./dean.nix;
@@ -7,7 +7,7 @@
 machine-susan = import ./susan.nix;
 machine-lipwig = import ./lipwig.nix;
- machine-mrpump = import ./mrpump.nix;
+ machine-mrpump = import ./mrpump.nix self;
 machine-gaspode = import ./gaspode.nix;
diff --git a/nixos/machine/mrpump.nix b/nixos/machine/mrpump.nix
index 99ce26d..97853d4 100644
--- a/nixos/machine/mrpump.nix
+++ b/nixos/machine/mrpump.nix
@@ -1,22 +1,118 @@
-{ config, lib, pkgs, ... }:
+self: { config, lib, pkgs, ... }:
+with builtins; with lib;
 {
- config = {
- # Gitlab worker
- services.gitlab-runner = {
+ config = let
+
+ localNix = import (self.inputs.nix.outPath + "/docker.nix") {
+ pkgs = pkgs;
+ name = "local/nix";
+ tag = "latest";
+ bundleNixpkgs = false;
+ nixConf = {
+ cores = "0";
+ experimental-features = [ "nix-command" "flakes" ];
+ };
+ };
+ localNixDaemon = pkgs.dockerTools.buildLayeredImage {
+ fromImage = localNix;
+ name = "local/nix-daemon";
+ tag = "latest";
+ config = {
+ Volumes = {
+ "/nix/store" = { };
+ "/nix/var/nix/db" = { };
+ "/nix/var/nix/daemon-socket" = { };
+ };
+ };
+ maxLayers = 125;
+ };
+
+ in {
+
+ # Docker for the gitlab runner
+ virtualisation.docker = {
 enable = true;
- services.docker = {
- registrationConfigFile = "/run/secrets/gitlab-runner-registration";
- tagList = ["docker"];
- runUntagged = true;
- executor = "docker";
- dockerImage = "alpine";
- description = "Docker runner";
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
+ };
+ users.users.cynerd.extraGroups = [ "docker" ];
+
+ # Common container for the Gitlab Nix runner
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers.gitlabnix = {
+ imageFile = localNixDaemon;
+ image = "local/nix-daemon:latest";
+ cmd = ["nix" "daemon"];
+ };
+ };
+
+ # Gitlab runner
+ systemd.services.gitlab-runner.serviceConfig = let
+ config = (pkgs.formats.toml{}).generate "gitlab-runner.toml" {
+ concurent = 1;
+ session_server = {
+ session_timeout = 1800;
+ };
+ runners = [
+ {
+ name = "MrPump Docker (LogC)";
+ url = "https://gitlab.com";
+ id = 18138767;
+ token = "@TOKEN_LOGC_DOCKER@";
+ executor = "docker";
+ docker = {
+ image = "alpine";
+ };
+ }
+ {
+ name = "MrPump Nix (LogC)";
+ url = "https://gitlab.com";
+ id = 18139391;
+ token = "@TOKEN_LOGC_NIX@";
+ executor = "docker";
+ docker = {
+ image = "local/nix:latest";
+ allowed_images = ["local/nix:latest"];
+ pull_policy = 
"never";
+ allowed_pull_policies = ["never"];
+ volumes_from = ["gitlabnix:ro"];
+ };
+ environment = [
+ "NIX_REMOTE=daemon"
+ "ENV=/etc/profile.d/nix-daemon.sh"
+ "BASH_ENV=/etc/profile.d/nix-daemon.sh"
+ ];
+ # TODO for some reason the /tmp seems to be missing
+ pre_build_script = ''
+ mkdir -p /tmp
+ '';
+ }
+ ];
 };
+ configPath = "$HOME/.gitlab-runner/config.toml";
+ configureScript = pkgs.writeShellScript "gitlab-runner-configure" ''
+ docker load < ${localNix}
+ mkdir -p $(dirname ${configPath})
+ ${pkgs.gawk}/bin/awk '{
+ for(varname in ENVIRON)
+ gsub("@"varname"@", ENVIRON[varname])
+ print
+ }' "${config}" > "${configPath}"
+ chown -R --reference=$HOME $(dirname ${configPath})
+ '';
+ in {
+ EnvironmentFile = "/run/secrets/gitlab-runner.env";
+ ExecStartPre = mkForce "!${configureScript}";
+ ExecReload = mkForce "!${configureScript}";
 };
+ services.gitlab-runner.enable = true;
 };
 }
diff --git a/nixos/modules/develop.nix b/nixos/modules/develop.nix
index 76f0d71..2360cda 100644
--- a/nixos/modules/develop.nix
+++ b/nixos/modules/develop.nix
@@ -96,7 +96,7 @@ in {
 dfeet
 # Documentation
- man-pages man-pages-posix
+ man-pages man-pages-posix linux-manual
 ];
 documentation.dev.enable = true;
diff --git a/nixos/modules/generic.nix b/nixos/modules/generic.nix
index fb2879c..a7816ed 100644
--- a/nixos/modules/generic.nix
+++ b/nixos/modules/generic.nix
@@ -45,7 +45,7 @@ in {
 git # We need git for this repository to even work
 # Administration tools
 #coreutils moreutils binutils psmisc progress lshw file
- coreutils binutils psmisc progress lshw file
+ coreutils binutils psmisc progress lshw file vde2 ldns
 wget gnumake exfat exfatprogs
@@ -136,6 +136,9 @@ in {
 substituteAll ${./nixos-system.sh} $out/bin/nixos-system
 chmod +x $out/bin/nixos-system
 '';
+
+ programs.fuse.userAllowOther = true;
+
 };
 }
-- cgit v1.2.3
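Review bot: The generated runner config spells the global concurrency key as `concurent = 1;`, so gitlab-runner ignores it and keeps its default `concurrent`; that is harmless at 1 but the line will silently do nothing once someone raises it — rename it to `concurrent = 1;`. The rendered file at `$HOME/.gitlab-runner/config.toml` contains the real runner tokens substituted from `/run/secrets/gitlab-runner.env`, yet it is created by a plain shell redirection and only `chown`ed, so its mode is whatever the service's umask yields; add `chmod 600 "${configPath}"` after the awk command (or `umask 077` at the top of the script). The awk loop passes `ENVIRON[varname]` as the `gsub` replacement string, where `&` and `\` are special, so a token containing either would be mangled — probably fine for these tokens, but worth a one-line comment. Both runners send their jobs to the single `gitlabnix` daemon (`NIX_REMOTE=daemon`, `volumes_from`), so every job of both projects shares one store and build results are reused across them; if the projects are not equally trusted, a comment stating that this is accepted (or a daemon per runner) would help the next reader.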
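Review bot: `programs.fuse.userAllowOther = true;` lands in the generic module in the `@@ -136,6 +136,9 @@` hunk, so every machine built from this flake now lets unprivileged users mount FUSE filesystems with `allow_other`, making such mounts visible to all other users, and nothing in the commit says which machine or tool needs it. A one-line comment above the option, `# allow_other needed for <tool/machine, to be filled in>`, or moving it to the module of the machine that needs it, would keep the widened exposure explicit and scoped.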