path: root/nixos/machine/mrpump.nix
blob: e3af017c84a2f6884248c2d41d3f84409fc51e58 (plain)
# NixOS module for the "mrpump" machine: a GitLab CI runner host.
# `self` is the flake itself (used below to reach the `nix` flake input);
# the remaining arguments are the usual NixOS module arguments.
self: { config, lib, pkgs, ... }:

with builtins;
with lib;

{

  config = let

    # Docker image with Nix in it, built from the `docker.nix` shipped by the
    # `nix` flake input. nixpkgs is not bundled into the image; cachix is added
    # on top and the in-image nix.conf enables flakes.
    localNix = import (self.inputs.nix.outPath + "/docker.nix") {
      pkgs = pkgs;
      name = "local/nix";
      tag = "latest";
      bundleNixpkgs = false;
      extraPkgs = with pkgs; [ cachix ];
      nixConf = {
        cores = "0";
        experimental-features = [ "nix-command" "flakes" ];
      };
    };
    # Layered image on top of `localNix` used to run `nix daemon`. The three
    # declared volumes are what job containers later attach to via
    # `volumes_from` (see the Nix runner below).
    localNixDaemon = pkgs.dockerTools.buildLayeredImage {
      fromImage = localNix;
      name = "local/nix-daemon";
      tag = "latest";
      config = {
        Volumes = {
          "/nix/store" = { };
          "/nix/var/nix/db" = { };
          "/nix/var/nix/daemon-socket" = { };
        };
      };
      maxLayers = 125;
    };

  in {

    # Docker for the gitlab runner
    virtualisation.docker = {
      enable = true;
      autoPrune = {
        enable = true;
        dates = "daily";
      };
    };
    # Membership in `docker` grants control over the Docker socket, which is
    # effectively root on this host.
    users.users.cynerd.extraGroups = [ "docker" ];

    # Common container for the Gitlab Nix runner
    # Runs `nix daemon` from the locally built image so that job containers
    # share one store/db instead of each carrying their own.
    virtualisation.oci-containers = {
      backend = "docker";
      containers.gitlabnix = {
        imageFile = localNixDaemon;
        image = "local/nix-daemon:latest";
        cmd = ["nix" "daemon"];
      };
    };

    # Gitlab runner
    systemd.services.gitlab-runner.serviceConfig = let
      # Two runner entries per project: a plain Docker executor and a Nix
      # executor. The `token` values are `@VAR@` placeholders only; the real
      # tokens are substituted at service start by `configureScript` from the
      # EnvironmentFile, so the generated TOML in the store holds no secrets.
      runners = project: [
        {
          name = "MrPump Docker (${project})";
          url = "https://gitlab.com";
          id = 18138767;
          token = "@TOKEN_${toUpper project}_DOCKER@";
          executor = "docker";
          docker = {
            image = "alpine";
          };
        }
        {
          name = "MrPump Nix (${project})";
          url = "https://gitlab.com";
          id = 18139391;
          token = "@TOKEN_${toUpper project}_NIX@";
          executor = "docker";
          docker = {
            image = "local/nix:latest";
            # Jobs are pinned to the locally built image: they may neither pick
            # another image nor pull one from a registry.
            allowed_images = ["local/nix:latest"];
            pull_policy = "if-not-present";
            allowed_pull_policies = ["if-not-present"];
            # Read-only attach of the daemon container's volumes (store, db,
            # daemon socket).
            volumes_from = ["gitlabnix:ro"];
          };
          # NIX_REMOTE=daemon makes nix inside the job go through the daemon
          # socket attached above rather than touching the store directly.
          environment = [
            "NIX_REMOTE=daemon"
            "ENV=/etc/profile.d/nix-daemon.sh"
            "BASH_ENV=/etc/profile.d/nix-daemon.sh"
          ];
          # TODO for some reason the /tmp seems to be missing
          # The cp is required to allow modification of nix config for cachix as
          # otherwise it is link to the read only file in the store.
          pre_build_script = ''
            mkdir -p /tmp
            cp --remove-destination \
              $(readlink -f /etc/nix/nix.conf) /etc/nix/nix.conf
          '';
        }
      ];
      # Build-time TOML with placeholder tokens for both projects.
      config = (pkgs.formats.toml{}).generate "gitlab-runner.toml" {
        concurrent = 1;
        runners = (runners "LogC") ++ (runners "NixTurris");
      };
      configPath = "$HOME/.gitlab-runner/config.toml";
      # Runs before start and on reload (see ExecStartPre/ExecReload below):
      #  1. loads the `localNix` image into the Docker daemon so
      #     `local/nix:latest` is present for the Nix runner,
      #  2. writes the runner config, replacing every `@VAR@` occurrence with
      #     the value of environment variable VAR (tokens come from the
      #     EnvironmentFile),
      #  3. hands the config directory to the service user.
      # NOTE(review): the awk program substitutes *every* environment variable,
      # not only TOKEN_*, and an `&` in a value is awk's back-reference to the
      # match — fine for runner tokens, but worth confirming for the env file.
      # NOTE(review): the written config.toml carries the real tokens and its
      # mode is left to the process umask; confirm the target directory is not
      # world-readable (or tighten the file mode here).
      configureScript = pkgs.writeShellScript "gitlab-runner-configure" ''
        ${pkgs.docker}/bin/docker load < ${localNix}
        mkdir -p $(dirname ${configPath})
        ${pkgs.gawk}/bin/awk '{
          for(varname in ENVIRON)
            gsub("@"varname"@", ENVIRON[varname])
          print
        }' "${config}" > "${configPath}"
        chown -R --reference=$HOME $(dirname ${configPath})
      '';
    in {
      # Secrets (the TOKEN_* variables) are provided by systemd from this file
      # and reach `configureScript` through the environment.
      EnvironmentFile = "/run/secrets/gitlab-runner.env";
      # `mkForce` replaces the configure step the NixOS gitlab-runner module
      # would otherwise install; the systemd `!` prefix runs the script with
      # full privileges even when the service itself runs unprivileged.
      ExecStartPre = mkForce "!${configureScript}";
      ExecReload = mkForce "!${configureScript}";
    };
    services.gitlab-runner.enable = true;

  };

}