nixos_config/hosts/tesla-nixos/configuration.nix

{ config, pkgs, lib, ... }:

{
  security.sudo.wheelNeedsPassword = false;
  imports =
    [ ./hardware-configuration.nix ];
  networking.hostName = "tesla-nixos";
  boot.initrd.enable = true;
  boot.loader = {
    systemd-boot = {
      enable = true;
    }; # end loader.systemd-boot
  }; # end boot
  virtualisation.oci-containers.containers = {
    isponsorblocktv = {
      image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
      autoStart = true;
      volumes = [
        "/home/alisceon/isponsorblocktv:/app/data"
      ];
    }; # end isponsorblocktv
  };
  
  boot.kernel.sysctl = {
    "kernel.unprivileged_userns_clone" = 1;
  };

  systemd.tmpfiles.rules = [
    "d /var/lib/gitlab-runner          0755 root root -"
    "d /var/lib/gitlab-runner/builds   0755 root root -"
    "d /var/lib/gitlab-runner/cache    0755 root root -"
  ];

  networking.nat = {
    enable = true;
    internalInterfaces = ["ve-+"];
    externalInterface = "ens18";
  };
  environment.systemPackages = with pkgs; [
    fuse-overlayfs
  ];

  containers.gitlab-runner = {
    autoStart = true;
    ephemeral = false;

    privateNetwork = true;
    privateUsers = "identity";
    hostAddress  = "10.250.0.1";
    localAddress = "10.250.0.2";

    extraFlags = [
      "--system-call-filter=@keyring"
      "--system-call-filter=bpf"
    ];
    bindMounts = {
      "/var/lib/gitlab-runner" = {
        hostPath = "/var/lib/gitlab-runner";
        isReadOnly = false;
      };
      "/proc" = {
        hostPath = "/run/proc";
      };
      "/sys" = {
        hostPath = "/run/sys";
      };
      "/dev/fuse" = {
        hostPath = "/dev/fuse";
      };
    };
    allowedDevices = [
      {
        path = "/dev/fuse";
        access = "rwm";
      }
    ];

    # Guest (inside the nspawn container)
    config = { pkgs, lib, ... }: {
      networking.hostName = "ci-nspawn";
      networking.useHostResolvConf = true;
      time.timeZone = "UTC";
      # Docker daemon inside the container
      virtualisation.docker = {
        enable = true;
        autoPrune = {
          enable = true;
          dates = "daily";
        };
        daemon.settings = {
          "runtimes" = {
            crun = { path = "${pkgs.crun}/bin/crun"; };
          };
          "default-runtime" = "crun";
        };
      };

      users.users.gitlab-runner = {
        isSystemUser = true;
        home = "/var/lib/gitlab-runner";
        createHome = true;
        shell = pkgs.bashInteractive;
        extraGroups = [ "docker" "wheel" ];
        group = "gitlab-runner";
      };
      users.groups.gitlab-runner = { };
      users.groups.docker = { };
      environment.systemPackages = with pkgs; [
        docker
        git
        crun
        fuse-overlayfs
      ];
      systemd.services."enable-linger-gitlab-runner" = {
        description = "Enable linger for gitlab-runner";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
          RemainAfterExit = true;
        };
      };

      # GitLab Runner configured to use the local Docker daemon
      services.gitlab-runner = {
        enable = true;
        services = {
          ci-nspawn-docker = {
            authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";

            executor = "docker";
            dockerImage = "alpine:3";
            dockerPrivileged = true;
            dockerVolumes = [
              "/var/lib/gitlab-runner/cache:/cache"
            ];
          };
        };
      };
      systemd.services.gitlab-runner.serviceConfig = {
        StateDirectory = lib.mkForce "";
        LogsDirectory  = lib.mkForce "";
        CacheDirectory = lib.mkForce "";
        RuntimeDirectory = lib.mkForce "";
        ProtectSystem = lib.mkForce "no";
        ProtectHome   = lib.mkForce "no";
        ReadWritePaths = [ "/var/lib/gitlab-runner" ];
      };
      # Basics
      systemd.oomd.enable = false;
      services.dbus.enable = true;
    };
  }; # end containers.gitlab-runner

} # end file
libs in my cfg 2025-09-29 18:03:24 +02:00			`{ config, pkgs, lib, ... }:`
server v1 2025-08-12 21:00:01 +02:00
			`{`
known bronken 2025-09-29 15:56:43 +02:00			`security.sudo.wheelNeedsPassword = false;`
server v1 2025-08-12 21:00:01 +02:00			`imports =`
			`[ ./hardware-configuration.nix ];`
			`networking.hostName = "tesla-nixos";`
			`boot.initrd.enable = true;`
			`boot.loader = {`
			`systemd-boot = {`
			`enable = true;`
			`}; # end loader.systemd-boot`
			`}; # end boot`
we servering 2025-09-24 18:23:45 +02:00			`virtualisation.oci-containers.containers = {`
			`isponsorblocktv = {`
			`image = "ghcr.io/dmunozv04/isponsorblocktv:latest";`
			`autoStart = true;`
			`volumes = [`
oopsies 2025-09-24 18:33:20 +02:00			`"/home/alisceon/isponsorblocktv:/app/data"`
puchy 2025-09-24 18:31:24 +02:00			`];`
we servering 2025-09-24 18:23:45 +02:00			`}; # end isponsorblocktv`
			`};`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00
			`boot.kernel.sysctl = {`
			`"kernel.unprivileged_userns_clone" = 1;`
			`};`

			`systemd.tmpfiles.rules = [`
piss 2025-09-29 16:55:37 +02:00			`"d /var/lib/gitlab-runner 0755 root root -"`
			`"d /var/lib/gitlab-runner/builds 0755 root root -"`
			`"d /var/lib/gitlab-runner/cache 0755 root root -"`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`];`

networking fix 2025-09-29 17:51:11 +02:00			`networking.nat = {`
			`enable = true;`
			`internalInterfaces = ["ve-+"];`
			`externalInterface = "ens18";`
			`};`
all the mounts, none of the secure 2025-09-30 19:43:18 +02:00			`environment.systemPackages = with pkgs; [`
			`fuse-overlayfs`
			`];`
networking fix 2025-09-29 17:51:11 +02:00
one hallucination at a time 2025-09-29 16:06:47 +02:00			`containers.gitlab-runner = {`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`autoStart = true;`
			`ephemeral = false;`

networking fix 2025-09-29 17:51:11 +02:00			`privateNetwork = true;`
maybe maybe 2025-09-29 20:18:51 +02:00			`privateUsers = "identity";`
archwiki plz 2025-09-30 11:15:18 +02:00			`hostAddress = "10.250.0.1";`
			`localAddress = "10.250.0.2";`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00
archwiki plz 2025-09-30 11:15:18 +02:00			`extraFlags = [`
grrr 2025-09-30 11:18:29 +02:00			`"--system-call-filter=@keyring"`
this easy? 2025-09-30 18:27:32 +02:00			`"--system-call-filter=bpf"`
archwiki plz 2025-09-30 11:15:18 +02:00			`];`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`bindMounts = {`
			`"/var/lib/gitlab-runner" = {`
			`hostPath = "/var/lib/gitlab-runner";`
			`isReadOnly = false;`
			`};`
all the mounts, none of the secure 2025-09-30 19:43:18 +02:00			`"/proc" = {`
			`hostPath = "/run/proc";`
			`};`
			`"/sys" = {`
			`hostPath = "/run/sys";`
			`};`
			`"/dev/fuse" = {`
			`hostPath = "/dev/fuse";`
			`};`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`};`
typo 2025-09-30 19:46:08 +02:00			`allowedDevices = [`
allowdev 2025-09-30 19:45:35 +02:00			`{`
			`path = "/dev/fuse";`
			`access = "rwm";`
			`}`
			`];`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00
switch to docker 2025-09-29 17:32:31 +02:00			`# Guest (inside the nspawn container)`
libs in my cfg 2025-09-29 18:03:24 +02:00			`config = { pkgs, lib, ... }: {`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`networking.hostName = "ci-nspawn";`
just trying things now 2025-09-29 19:09:03 +02:00			`networking.useHostResolvConf = true;`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`time.timeZone = "UTC";`
switch to docker 2025-09-29 17:32:31 +02:00			`# Docker daemon inside the container`
			`virtualisation.docker = {`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`enable = true;`
cruntime 2025-09-29 20:11:41 +02:00			`autoPrune = {`
			`enable = true;`
			`dates = "daily";`
			`};`
			`daemon.settings = {`
			`"runtimes" = {`
			`crun = { path = "${pkgs.crun}/bin/crun"; };`
			`};`
			`"default-runtime" = "crun";`
			`};`
wonderwall 2025-09-29 16:49:43 +02:00			`};`
switch to docker 2025-09-29 17:32:31 +02:00
just trying things now 2025-09-29 19:09:03 +02:00			`users.users.gitlab-runner = {`
			`isSystemUser = true;`
			`home = "/var/lib/gitlab-runner";`
			`createHome = true;`
			`shell = pkgs.bashInteractive;`
			`extraGroups = [ "docker" "wheel" ];`
			`group = "gitlab-runner";`
			`};`
			`users.groups.gitlab-runner = { };`
			`users.groups.docker = { };`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`environment.systemPackages = with pkgs; [`
switch to docker 2025-09-29 17:32:31 +02:00			`docker`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`git`
cruntime 2025-09-29 20:11:41 +02:00			`crun`
all the mounts, none of the secure 2025-09-30 19:43:18 +02:00			`fuse-overlayfs`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`];`
			`systemd.services."enable-linger-gitlab-runner" = {`
			`description = "Enable linger for gitlab-runner";`
			`wantedBy = [ "multi-user.target" ];`
			`serviceConfig = {`
			`Type = "oneshot";`
			`ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";`
			`RemainAfterExit = true;`
			`};`
			`};`

switch to docker 2025-09-29 17:32:31 +02:00			`# GitLab Runner configured to use the local Docker daemon`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`services.gitlab-runner = {`
			`enable = true;`
tee hee next error 2025-09-29 16:12:43 +02:00			`services = {`
switch to docker 2025-09-29 17:32:31 +02:00			`ci-nspawn-docker = {`
tee hee next error 2025-09-29 16:12:43 +02:00			`authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";`

switch to docker 2025-09-29 17:32:31 +02:00			`executor = "docker";`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`dockerImage = "alpine:3";`
switch to docker 2025-09-29 17:32:31 +02:00			`dockerPrivileged = true;`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`dockerVolumes = [`
			`"/var/lib/gitlab-runner/cache:/cache"`
			`];`
switch to docker 2025-09-29 17:32:31 +02:00			`};`
			`};`
			`};`
GIMME MY BIND MOUNTS 2025-09-29 18:01:37 +02:00			`systemd.services.gitlab-runner.serviceConfig = {`
			`StateDirectory = lib.mkForce "";`
			`LogsDirectory = lib.mkForce "";`
			`CacheDirectory = lib.mkForce "";`
inconcievable 2025-09-29 18:10:56 +02:00			`RuntimeDirectory = lib.mkForce "";`
			`ProtectSystem = lib.mkForce "no";`
			`ProtectHome = lib.mkForce "no";`
			`ReadWritePaths = [ "/var/lib/gitlab-runner" ];`
GIMME MY BIND MOUNTS 2025-09-29 18:01:37 +02:00			`};`
switch to docker 2025-09-29 17:32:31 +02:00			`# Basics`
			`systemd.oomd.enable = false;`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00			`services.dbus.enable = true;`
switch to docker 2025-09-29 17:32:31 +02:00			`};`
error whom 2025-09-29 16:22:54 +02:00			`}; # end containers.gitlab-runner`
switch to docker 2025-09-29 17:32:31 +02:00
server v1 2025-08-12 21:00:01 +02:00			`} # end file`
first gitlab-runner experiment 2025-09-29 11:23:45 +02:00