From 7bf80aa106b98469706b93d39773ec3d1073a9d2 Mon Sep 17 00:00:00 2001
From: alisceon
Date: Tue, 30 Sep 2025 19:59:18 +0200
Subject: [PATCH] NO MORE NSPAWN DOCKER NESTING I CANT TAKE THIS

---
 hosts/tesla-nixos/configuration.nix | 168 +++++++---------------------
 1 file changed, 42 insertions(+), 126 deletions(-)

diff --git a/hosts/tesla-nixos/configuration.nix b/hosts/tesla-nixos/configuration.nix
index 491677d..b9521aa 100644
--- a/hosts/tesla-nixos/configuration.nix
+++ b/hosts/tesla-nixos/configuration.nix
@@ -20,137 +20,53 @@
 ];
 };
 }; # end isponsorblocktv
 };
-
- boot.kernel.sysctl = {
- "kernel.unprivileged_userns_clone" = 1;
- };
- systemd.tmpfiles.rules = [
- "d /var/lib/gitlab-runner 0755 root root -"
- "d /var/lib/gitlab-runner/builds 0755 root root -"
- "d /var/lib/gitlab-runner/cache 0755 root root -"
- ];
-
- networking.nat = {
+ virtualisation.docker = {
 enable = true;
- internalInterfaces = ["ve-+"];
- externalInterface = "ens18";
+ autoPrune = {
+ enable = true;
+ dates = "daily";
+ };
+ daemon.settings = {
+ "runtimes" = {
+ crun = { path = "${pkgs.crun}/bin/crun"; };
+ };
+ "default-runtime" = "crun";
+ };
+ };
+ users.users.gitlab-runner = {
+ home = "/var/lib/gitlab-runner";
+ createHome = true;
+ shell = pkgs.bashInteractive;
+ extraGroups = [ "docker" "wheel" ];
+ group = "gitlab-runner";
+ };
+ users.groups.gitlab-runner = { };
+ users.groups.docker = { };
+ systemd.services."enable-linger-gitlab-runner" = {
+ description = "Enable linger for gitlab-runner";
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
+ RemainAfterExit = true;
+ };
 };
- environment.systemPackages = with pkgs; [
- fuse-overlayfs
- ];
- containers.gitlab-runner = {
- autoStart = true;
- ephemeral = false;
-
- privateNetwork = true;
- privateUsers = "identity";
- hostAddress = "10.250.0.1";
- localAddress = "10.250.0.2";
-
- extraFlags = [
- "--system-call-filter=@keyring"
- "--system-call-filter=bpf"
- ];
- bindMounts = {
- "/var/lib/gitlab-runner" = {
- hostPath = "/var/lib/gitlab-runner";
- isReadOnly = false;
- };
- "/run/proc" = {
- hostPath = "/proc";
- };
- "/run/sys" = {
- hostPath = "/sys";
- };
- "/dev/fuse" = {
- hostPath = "/dev/fuse";
+ # GitLab Runner configured to use the local Docker daemon
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ ci-nspawn-docker = {
+ authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
+ executor = "docker";
+
dockerImage = "alpine:3";
+ dockerPrivileged = true;
+ dockerVolumes = [
+ "/var/lib/gitlab-runner/cache:/cache"
+ ];
 };
 };
- allowedDevices = [
- {
- node = "/dev/fuse";
- modifier = "rwm";
- }
- ];
-
- # Guest (inside the nspawn container)
- config = { pkgs, lib, ... }: {
- networking.hostName = "ci-nspawn";
- networking.useHostResolvConf = true;
- time.timeZone = "UTC";
- # Docker daemon inside the container
- virtualisation.docker = {
- enable = true;
- autoPrune = {
- enable = true;
- dates = "daily";
- };
- daemon.settings = {
- "runtimes" = {
- crun = { path = "${pkgs.crun}/bin/crun"; };
- };
- "default-runtime" = "crun";
- };
- };
-
- users.users.gitlab-runner = {
- isSystemUser = true;
- home = "/var/lib/gitlab-runner";
- createHome = true;
- shell = pkgs.bashInteractive;
- extraGroups = [ "docker" "wheel" ];
- group = "gitlab-runner";
- };
- users.groups.gitlab-runner = { };
- users.groups.docker = { };
- environment.systemPackages = with pkgs; [
- docker
- git
- crun
- fuse-overlayfs
- ];
- systemd.services."enable-linger-gitlab-runner" = {
- description = "Enable linger for gitlab-runner";
- wantedBy = [ "multi-user.target" ];
- serviceConfig = {
- Type = "oneshot";
- ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
- RemainAfterExit = true;
- };
- };
-
- # GitLab Runner configured to use the local Docker daemon
- services.gitlab-runner = {
- enable = true;
- services = {
- ci-nspawn-docker = {
- authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
-
- executor = "docker";
- dockerImage = "alpine:3";
- dockerPrivileged = true;
- dockerVolumes = [
- "/var/lib/gitlab-runner/cache:/cache"
- ];
- };
- };
- };
- systemd.services.gitlab-runner.serviceConfig = {
- StateDirectory = lib.mkForce "";
- LogsDirectory = lib.mkForce "";
- CacheDirectory = lib.mkForce "";
- RuntimeDirectory = lib.mkForce "";
- ProtectSystem = lib.mkForce "no";
- ProtectHome = lib.mkForce "no";
- ReadWritePaths = [ "/var/lib/gitlab-runner" ];
- };
- # Basics
- systemd.oomd.enable = false;
- services.dbus.enable = true;
- };
- }; # end containers.gitlab-runner
-
+ };
 } # end file
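Review bot: With the nspawn boundary removed, `dockerPrivileged = true;` on the `ci-nspawn-docker` runner now gives every CI job a privileged container on the host's own Docker daemon, which is root-equivalent on tesla-nixos itself with nothing in between anymore, and the same hunk also adds the `gitlab-runner` user to `docker` and `wheel`. If privileged mode is not strictly required (it is usually only needed for docker-in-docker), drop it and keep the unprivileged executor; if it is, restrict this runner on the GitLab side to protected branches or tags so only reviewed pipelines reach it, trim the user to `extraGroups = [ "docker" ];` (`docker` is already root-equivalent, `wheel` adds sudo on top), and record the decision with a comment such as `# privileged executor: every job on this runner is effectively root on the host` above `dockerPrivileged`. The moved `users.users.gitlab-runner` block also lost its `isSystemUser = true;`, which I believe NixOS' user assertions reject when neither `isSystemUser` nor `isNormalUser` is set — worth re-adding. Separately, the NixOS gitlab-runner module runs its service with `DynamicUser` and its own `StateDirectory` by default (the old `lib.mkForce` overrides that disabled this were dropped here), so the static user, `createHome`, and the `enable-linger-gitlab-runner` oneshot look like leftovers from the in-container setup; confirm they are still needed rather than carrying them over.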