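{ config, pkgs, ... }:
let
  # UID of the runner user inside the nspawn container. It is pinned because
  # two strings below embed the UID (the user-scoped Podman socket under
  # /run/user/<uid>/ and the rootless storage runroot); previously the user
  # had no fixed uid while the socket path said 2100 and the runroot said 1000,
  # so at least one of them could not match the real user. If the container
  # has already been built with a different UID, chown /var/lib/gitlab-runner
  # to this one before switching.
  runnerUid = 2100;
in
{
  imports =
    [ ./hardware-configuration.nix ];

  # Host-wide: every wheel member gets passwordless sudo. Nothing in this file
  # needs it; keep it only if an interactive admin workflow on this host does.
  security.sudo.wheelNeedsPassword = false;

  networking.hostName = "tesla-nixos";

  boot.initrd.enable = true;
  boot.loader = {
    systemd-boot = {
      enable = true;
    }; # end boot.loader.systemd-boot
  }; # end boot.loader

  virtualisation.oci-containers.containers = {
    isponsorblocktv = {
      image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
      autoStart = true;
      volumes = [
        "/home/alisceon/isponsorblocktv:/app/data"
      ];
    }; # end isponsorblocktv
  };

  boot.kernel.sysctl = {
    # NOTE(review): kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel
    # patch knob, not a mainline sysctl; on the NixOS kernel systemd-sysctl
    # logs an error for it and it has no effect. Unprivileged user namespaces
    # are available by default there (bounded by user.max_user_namespaces) —
    # confirm on this host and drop the line if so.
    "kernel.unprivileged_userns_clone" = 1;
  };

  # Persist GitLab Runner state on the host (tokens, cache, builds)
  # so the container can be rebuilt without losing registration.
  # The directory itself is 0755; the token file that will live in it
  # (authenticationTokenConfigFile below) must not inherit that mode.
  systemd.tmpfiles.rules = [
    "d /var/lib/gitlab-runner 0755 root root -"
  ];

  containers.gitlab-runner = {
    autoStart = true;
    ephemeral = false;
    # Keep networking simple. If you want isolation, set privateNetwork = true
    # and configure veth/bridge. With false it shares the host network
    # namespace, so CI jobs can reach whatever the host can reach.
    privateNetwork = false;
    # Podman rootless uses fuse-overlayfs → /dev/fuse must be available
    allowedDevices = [
      { node = "/dev/fuse"; modifiers = [ "rwm" ]; }
    ];
    # Persist runner home/state and optionally cache
    bindMounts = {
      "/var/lib/gitlab-runner" = {
        hostPath = "/var/lib/gitlab-runner";
        isReadOnly = false;
      };
      # Optional: a big builds/cache dir for job artifacts
      "/var/lib/gitlab-runner/builds" = {
        hostPath = "/var/lib/gitlab-runner/builds";
        isReadOnly = false;
        create = true;
      };
      "/var/lib/gitlab-runner/cache" = {
        hostPath = "/var/lib/gitlab-runner/cache";
        isReadOnly = false;
        create = true;
      };
    };

    # The container runs its own NixOS config below:
    config = { config, pkgs, lib, ... }: {
      imports = [ ];
      networking.hostName = "ci-nspawn";
      time.timeZone = "UTC";

      # GitLab Runner user (runs jobs and the user-scoped Podman API)
      users.users.gitlab-runner = {
        isSystemUser = true;
        # Fixed so the socket and runroot paths below are correct.
        uid = runnerUid;
        # keep home on the persistent mount
        home = "/var/lib/gitlab-runner";
        createHome = true;
        shell = pkgs.bashInteractive;
        # Rootless Podman only needs the podman group. The user was also in
        # wheel, which a CI job runner has no use for, so it is dropped
        # (least privilege).
        extraGroups = [ "podman" ];
        group = "gitlab-runner";
      };
      users.groups.gitlab-runner = { };
      users.groups.podman = { };

      # Rootless Podman
      virtualisation.podman = {
        enable = true;
        defaultNetwork.settings.dns_enabled = true;
      };
      environment.systemPackages = with pkgs; [
        podman
        fuse-overlayfs
        slirp4netns
        crun
        skopeo
        git
      ];

      # Ensure /etc/subuid /etc/subgid exist for rootless user namespace
      environment.etc."subuid".text = ''
        gitlab-runner:100000:65536
      '';
      environment.etc."subgid".text = ''
        gitlab-runner:100000:65536
      '';

      # Run a *user*-scoped Podman API service so GitLab Runner can talk to it.
      # The socket ends up at: /run/user/<runnerUid>/podman/podman.sock
      # We keep it always-on via linger below.
      systemd.user.services."podman-api" = {
        description = "Podman API (rootless)";
        serviceConfig = {
          ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
          Restart = "always";
        };
        wantedBy = [ "default.target" ];
      };

      # Make the user session available at boot (so the user service can run)
      # This is the NixOS way to call `loginctl enable-linger gitlab-runner`.
      systemd.services."enable-linger-gitlab-runner" = {
        description = "Enable linger for gitlab-runner";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
          # Harmless if already enabled
          RemainAfterExit = true;
        };
      };

      # GitLab Runner
      services.gitlab-runner = {
        enable = true;
        services = {
          ci-nspawn-rootless-podman = {
            # Prefer auth tokens (GitLab 18 deprecates registration tokens)
            # Put CI_SERVER_URL and CI_SERVER_TOKEN into this file (ENV format).
            # It sits on the 0755 persistent mount: create it mode 0600, owned
            # by gitlab-runner, so nothing else in the container can read the
            # token.
            authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
            # …or, if you still use a registration token:
            # registrationConfigFile = "/var/lib/gitlab-runner/registration.env";
            executor = "docker"; # use Docker executor against Podman
            dockerImage = "alpine:3";
            # A privileged job container gets every capability and device the
            # rootless Podman user holds and runs without the default seccomp
            # profile; any pipeline this runner serves can use that. Most jobs
            # do not need it — keep it only for trusted pipelines.
            dockerPrivileged = true; # tighten later if you can
            dockerVolumes = [
              "/var/lib/gitlab-runner/cache:/cache"
            ];
            environmentVariables = {
              # Derived from the pinned UID (was a hard-coded 2100).
              # NOTE(review): this option is the *job* environment; if the
              # executor process itself needs the socket, check whether the
              # runner's [runners.docker] host setting is what has to be set.
              DOCKER_HOST = "unix:///run/user/${toString runnerUid}/podman/podman.sock";
            };
          }; # end services.gitlab-runner.services.ci-nspawn-rootless-podman
        }; # end services.gitlab-runner.services
      }; # end services.gitlab-runner

      # Make sure systemd + cgroups are fully available inside the container
      systemd.oomd.enable = false; # avoids noise in small containers
      services.dbus.enable = true;

      # Storage tuning for rootless overlay.
      # runroot follows the pinned runner UID (it was hard-coded to 1000 while
      # the socket path above used 2100).
      environment.etc."containers/storage.conf".text = ''
        [storage]
        driver = "overlay"
        runroot = "/run/user/${toString runnerUid}/containers" # will be per-user anyway
        graphroot = "/var/lib/gitlab-runner/.local/share/containers/storage"
        [storage.options]
        mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
        additionalimagestores = []
      '';
    }; # end containers.gitlab-runner.config
  }; # end containers.gitlab-runner
} # end file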