From 0d3f1b4afcea1323cbcb1ba726100bf33312ee14 Mon Sep 17 00:00:00 2001 From: Paul-Henri Froidmont Date: Sat, 7 Dec 2024 21:49:38 +0100 Subject: [PATCH] Move gitlab-runner to hel1 --- modules/gitlab-runner.nix | 20 ++++++-------------- profiles/hel.nix | 21 +++++++++++++++++---- profiles/storage.nix | 1 - secrets.enc.yml | 8 +++++--- 4 files changed, 28 insertions(+), 22 deletions(-) diff --git a/modules/gitlab-runner.nix b/modules/gitlab-runner.nix index 2584280..c8640e7 100644 --- a/modules/gitlab-runner.nix +++ b/modules/gitlab-runner.nix @@ -11,15 +11,10 @@ in { options.custom.services.gitlab-runner = { enable = mkEnableOption "gitlab-runner"; + runnerRegistrationConfigFile = lib.mkOption { type = lib.types.path; }; }; config = mkIf cfg.enable { - sops.secrets = { - runnerRegistrationConfig = { - owner = config.users.users.gitlab-runner.name; - key = "gitlab/runner_registration_config"; - }; - }; users.groups.gitlab-runner = { }; users.users.gitlab-runner = { @@ -35,16 +30,13 @@ in localAddress = "192.168.100.2"; bindMounts = { - "${config.sops.secrets.runnerRegistrationConfig.path}" = { - hostPath = config.sops.secrets.runnerRegistrationConfig.path; + "${cfg.runnerRegistrationConfigFile}" = { + hostPath = cfg.runnerRegistrationConfigFile; }; }; config = - let - hostConfig = config; - in - args@{ config, ... }: + { config, ... }: { nix = { @@ -80,7 +72,7 @@ in enable = true; services = { shell = { - authenticationTokenConfigFile = hostConfig.sops.secrets.runnerRegistrationConfig.path; + authenticationTokenConfigFile = cfg.runnerRegistrationConfigFile; executor = "shell"; }; }; @@ -93,7 +85,7 @@ in Group = config.users.groups.gitlab-runner.name; }; - system.stateVersion = "22.05"; + system.stateVersion = "24.05"; }; }; }; diff --git a/profiles/hel.nix b/profiles/hel.nix index 8cb6bd7..b35e8bf 100644 --- a/profiles/hel.nix +++ b/profiles/hel.nix @@ -1,9 +1,5 @@ { config, - lib, - pkgs, - pkgs-unstable, - inputs, ... }: { 
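Review bot: The new `runnerRegistrationConfigFile` option in the first hunk of modules/gitlab-runner.nix is declared as `lib.types.path` with no description, so nothing tells a caller that it must be a runtime path to a secret rather than a Nix path literal. A path literal would be copied into the world-readable Nix store when it is interpolated as the `bindMounts` key in the following hunk. I would add `description = "Absolute runtime path of the runner authentication token config (for example a sops-nix secret path); never a path literal.";` and consider `type = lib.types.str;`, which rejects path literals at evaluation time. The options block starts above the hunk, so an existing convention there may already cover this.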
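Review bot: In the `services.shell` hunk of modules/gitlab-runner.nix the token file is handed to a runner whose executor is `"shell"`, so jobs presumably run under the same account that can read that file (profiles/hel.nix sets the secret's owner to the gitlab-runner user). If that holds, any pipeline scheduled on this runner can read the runner's authentication token. The surrounding service definition lies outside the hunk, so I cannot see whether the job user is separated from the runner user. If it is not, I would record the constraint next to the executor, for example `# shell executor: jobs share the runner's user and can read the token file; keep this runner locked to trusted projects`.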
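Review bot: The `system.stateVersion` change from "22.05" to "24.05" in the last hunk of modules/gitlab-runner.nix is only correct if the container on the new host starts with empty state, because the value records the release the state was first created with. This module is shared, not specific to hel1, so a later host that re-enables it over existing container state would silently pick up newer defaults. A one-line comment would keep that assumption visible: `# container is created fresh on hel1; do not change once state exists`.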
@@ -13,8 +9,21 @@ ../modules ]; + sops.secrets = { + runnerRegistrationConfig = { + owner = config.users.users.gitlab-runner.name; + key = "gitlab/runner_registration_config/hel1"; + }; + }; + time.timeZone = "Europe/Amsterdam"; + networking.nat = { + enable = true; + internalInterfaces = [ "ve-+" ]; + externalInterface = "enp41s0"; + }; + disko.devices = { disk = { nvme0 = { @@ -160,6 +169,10 @@ custom = { services.openssh.enable = true; + services.gitlab-runner = { + enable = true; + runnerRegistrationConfigFile = config.sops.secrets.runnerRegistrationConfig.path; + }; }; } diff --git a/profiles/storage.nix b/profiles/storage.nix index 49f0fe1..aa5028a 100644 --- a/profiles/storage.nix +++ b/profiles/storage.nix @@ -118,7 +118,6 @@ }; services.nginx.enable = true; - services.gitlab-runner.enable = true; services.openssh.enable = true; services.jellyfin.enable = true; services.stb.enable = true; diff --git a/secrets.enc.yml b/secrets.enc.yml index 0160b2d..f51ed5f 100644 --- a/secrets.enc.yml +++ b/secrets.enc.yml 
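Review bot: The `networking.nat` block added in the first hunk on this line uses `internalInterfaces = [ "ve-+" ]`, which masquerades traffic from every container veth on the host and not only from the runner container. It also hard-codes `externalInterface = "enp41s0"` in the profile while the container itself is defined in modules/gitlab-runner.nix. Because that container executes CI jobs, I would scope the rule to its interface, `internalInterfaces = [ "ve-<container-name>" ];` (placeholder, as the container name is not visible in this patch), and add a comment stating what egress the jobs are expected to have. Nothing in the visible hunks limits what NATed jobs can reach on the host or its networks. The rest of the profile is outside the patch, so an existing firewall rule may already cover that.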
@@ -7,7 +7,9 @@ nix:
 cache_secret_key: ENC[AES256_GCM,data:Q2mRU+EuTyqjYNvbuyGLqoDSqa/7EPlzNuCJU7QUBRSozf1D4dDzAPNU47xZ2rKcjz6Eg4OhAZLlGeFw9le8SzHOSJ65UYHoMMc6Rpvv/fPhgg2s2UMArrqyO3ultj1pVe3eIIRzBQcdoFqVDg==,iv:jhMTWEO6ahcZl+Dq6mA+mWIie8T0Dq1ZYe/HHYAD5ss=,tag:2GRmd2z96+TGI7MdvOBEdA==,type:str]
 gitlab:
 password: ENC[AES256_GCM,data:ellmwJv7zasbAD3hzAkSSJ4Z9qHqmlernG0=,iv:czXgy9wnDHLSrzefL+nKfbPm6DhZwpNARkUxNsBDHzM=,tag:NYXTjgaUAvOOeJlGe5fchQ==,type:str]
- runner_registration_config: ENC[AES256_GCM,data:R+9UIDgrTx8xiz4DRRjB4ocyib43lIfQyxWTW+d8/UzkA87GFIraSLIjhnoDFhk57s3jQGUtmudl709z410V8+EXbLB81gl1mJqaXQ==,iv:qckhsamd24VVTB7glMcVyMsLJo9jON3Nc9JfeGOM0xI=,tag:/DOmtSrQOoIzpMHH/oBnFQ==,type:str]
+ runner_registration_config:
+ storage1: ENC[AES256_GCM,data:rYaKEZaJEIXTgLCrSGw7IqahrEBrD6cpwf+dB1C1mrUn395PcZ7A/er5765WKTuaFHsOUyZ7Lsj1fDl1bzbr1xnhkPE3/gCJFy7OLg==,iv:WCz4mEJO6BZbeAPhccfoMI3EYh1Kil40AWj6sU1bR9s=,tag:+DqVtAZpt288S7HAoZKcEw==,type:str]
+ hel1: ENC[AES256_GCM,data:wP7WidQ+w7V/Dk5eKOg2bO1ZQaTvRMwPK0nadncDZNMsZnU8OcfS3KDDufvZPO33oWd0LfjxqNPikppqOt9T00uO2JoTek8KOzQ75iSwZA==,iv:iEn76embp30/CVyqtOoTNvo0xo8QTZ2hW6wCkwkOM28=,tag:6d/IbI2YnSbZDksfxUlkbw==,type:str]
 synapse:
 db_password: ENC[AES256_GCM,data:hy2BgTsRaZDQZULTW/csmnRy5ZjDEuPqxyuINv0ov5pFzDkozJVL1wut3HgBXjYZ8bqNjS5pCPQtkznw,iv:i41zKGwvPGIEZP0ZjhRaY4UMeOXBovQmLr1e1ewZhV4=,tag:3kKKYouH+lOrNxPJE5ul/Q==,type:str]
 macaroon_secret_key: ENC[AES256_GCM,data:6n1gCit2MC8l4VR9DSUR87BB+hY5Oza33423sbV8sNIXmZsPzhyvxaBalK/0TVjLH6Q=,iv:OgHxNG96ZW4+LPZhLAtOD01Wibad6vSX6s4BrPE67YE=,tag:OGIz/ufUwt8/pUMLvoaXtg==,type:str]
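Review bot: This hunk keeps a `storage1` entry under `gitlab.runner_registration_config`, yet the same patch removes `services.gitlab-runner.enable` from profiles/storage.nix and no visible profile reads `gitlab/runner_registration_config/storage1`. If storage1 no longer runs a runner, that token should be revoked in GitLab and the key dropped from secrets.enc.yml, so it is no longer decryptable by every recipient of this file. If it is kept on purpose, the commit message should say why. The ciphertext differs from the removed scalar, but that says nothing about whether the token itself was rotated.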
@@ -71,8 +73,8 @@ sops:
 azure_kv: []
 hc_vault: []
 age: []
- lastmodified: "2024-09-11T18:58:46Z"
- mac: ENC[AES256_GCM,data:NeD6/1DBlvW9vyReJJVBb8YY8qnMPZE0pobvNNdq/0dJKQfnAEndEokqWrRCuzd8oFuMbSmb4CDMX3N6r6nypGi4MMeeBAxPqlHO8aHAZ+XSrAh0XPNmcUnTYUP/zhJA9mp2fyWWgQT4gMEQslKVHDiCd68yOrj2wOr9Nx4CW8Y=,iv:eUyv6w/hXdxGg/1y2CU/WjEivzctCKO3Yw66ToEolH0=,tag:nFh240Xx1+dtLpz9P4U6gA==,type:str]
+ lastmodified: "2024-12-05T15:21:41Z"
+ mac: ENC[AES256_GCM,data:8p+Am3IjJZoBmZDwOSymSVeMrbaXfgHO1BZhq8Sdn/pFCGC2/et8xg/heQ7JGBRQMER2AzIdtreTe9f+6NJLYdRuh0CghwxKHfcykUSBNkgzc2bDFLD+xAFWhFoYJx9YZvuDuOeU6rQ/YVSunDYu4K7aX5KdCLon2+1MOtDHZXo=,iv:gW1hBzHSxugVl09FT1HhL2J/9HccwfLFwSEKdei5mLg=,tag:ncQof/HBVGht+xfna6AC2Q==,type:str]
 pgp:
 - created_at: "2024-12-05T00:56:17Z"
 enc: |-