NO MORE NSPAWN DOCKER NESTING I CANT TAKE THIS
This commit is contained in:
parent
a6e833f65f
commit
7bf80aa106
1 changed files with 42 additions and 126 deletions
|
|
@ -20,137 +20,53 @@
|
|||
];
|
||||
}; # end isponsorblocktv
|
||||
};
|
||||
|
||||
boot.kernel.sysctl = {
|
||||
"kernel.unprivileged_userns_clone" = 1;
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /var/lib/gitlab-runner 0755 root root -"
|
||||
"d /var/lib/gitlab-runner/builds 0755 root root -"
|
||||
"d /var/lib/gitlab-runner/cache 0755 root root -"
|
||||
];
|
||||
|
||||
networking.nat = {
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
internalInterfaces = ["ve-+"];
|
||||
externalInterface = "ens18";
|
||||
autoPrune = {
|
||||
enable = true;
|
||||
dates = "daily";
|
||||
};
|
||||
daemon.settings = {
|
||||
"runtimes" = {
|
||||
crun = { path = "${pkgs.crun}/bin/crun"; };
|
||||
};
|
||||
"default-runtime" = "crun";
|
||||
};
|
||||
};
|
||||
users.users.gitlab-runner = {
|
||||
home = "/var/lib/gitlab-runner";
|
||||
createHome = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
extraGroups = [ "docker" "wheel" ];
|
||||
group = "gitlab-runner";
|
||||
};
|
||||
users.groups.gitlab-runner = { };
|
||||
users.groups.docker = { };
|
||||
systemd.services."enable-linger-gitlab-runner" = {
|
||||
description = "Enable linger for gitlab-runner";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
fuse-overlayfs
|
||||
];
|
||||
|
||||
containers.gitlab-runner = {
|
||||
autoStart = true;
|
||||
ephemeral = false;
|
||||
|
||||
privateNetwork = true;
|
||||
privateUsers = "identity";
|
||||
hostAddress = "10.250.0.1";
|
||||
localAddress = "10.250.0.2";
|
||||
|
||||
extraFlags = [
|
||||
"--system-call-filter=@keyring"
|
||||
"--system-call-filter=bpf"
|
||||
];
|
||||
bindMounts = {
|
||||
"/var/lib/gitlab-runner" = {
|
||||
hostPath = "/var/lib/gitlab-runner";
|
||||
isReadOnly = false;
|
||||
};
|
||||
"/run/proc" = {
|
||||
hostPath = "/proc";
|
||||
};
|
||||
"/run/sys" = {
|
||||
hostPath = "/sys";
|
||||
};
|
||||
"/dev/fuse" = {
|
||||
hostPath = "/dev/fuse";
|
||||
# GitLab Runner configured to use the local Docker daemon
|
||||
services.gitlab-runner = {
|
||||
enable = true;
|
||||
services = {
|
||||
ci-nspawn-docker = {
|
||||
authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
|
||||
executor = "docker";
|
||||
dockerImage = "alpine:3";
|
||||
dockerPrivileged = true;
|
||||
dockerVolumes = [
|
||||
"/var/lib/gitlab-runner/cache:/cache"
|
||||
];
|
||||
};
|
||||
};
|
||||
allowedDevices = [
|
||||
{
|
||||
node = "/dev/fuse";
|
||||
modifier = "rwm";
|
||||
}
|
||||
];
|
||||
|
||||
# Guest (inside the nspawn container)
|
||||
config = { pkgs, lib, ... }: {
|
||||
networking.hostName = "ci-nspawn";
|
||||
networking.useHostResolvConf = true;
|
||||
time.timeZone = "UTC";
|
||||
# Docker daemon inside the container
|
||||
virtualisation.docker = {
|
||||
enable = true;
|
||||
autoPrune = {
|
||||
enable = true;
|
||||
dates = "daily";
|
||||
};
|
||||
daemon.settings = {
|
||||
"runtimes" = {
|
||||
crun = { path = "${pkgs.crun}/bin/crun"; };
|
||||
};
|
||||
"default-runtime" = "crun";
|
||||
};
|
||||
};
|
||||
|
||||
users.users.gitlab-runner = {
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/gitlab-runner";
|
||||
createHome = true;
|
||||
shell = pkgs.bashInteractive;
|
||||
extraGroups = [ "docker" "wheel" ];
|
||||
group = "gitlab-runner";
|
||||
};
|
||||
users.groups.gitlab-runner = { };
|
||||
users.groups.docker = { };
|
||||
environment.systemPackages = with pkgs; [
|
||||
docker
|
||||
git
|
||||
crun
|
||||
fuse-overlayfs
|
||||
];
|
||||
systemd.services."enable-linger-gitlab-runner" = {
|
||||
description = "Enable linger for gitlab-runner";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
serviceConfig = {
|
||||
Type = "oneshot";
|
||||
ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
|
||||
RemainAfterExit = true;
|
||||
};
|
||||
};
|
||||
|
||||
# GitLab Runner configured to use the local Docker daemon
|
||||
services.gitlab-runner = {
|
||||
enable = true;
|
||||
services = {
|
||||
ci-nspawn-docker = {
|
||||
authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
|
||||
|
||||
executor = "docker";
|
||||
dockerImage = "alpine:3";
|
||||
dockerPrivileged = true;
|
||||
dockerVolumes = [
|
||||
"/var/lib/gitlab-runner/cache:/cache"
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.gitlab-runner.serviceConfig = {
|
||||
StateDirectory = lib.mkForce "";
|
||||
LogsDirectory = lib.mkForce "";
|
||||
CacheDirectory = lib.mkForce "";
|
||||
RuntimeDirectory = lib.mkForce "";
|
||||
ProtectSystem = lib.mkForce "no";
|
||||
ProtectHome = lib.mkForce "no";
|
||||
ReadWritePaths = [ "/var/lib/gitlab-runner" ];
|
||||
};
|
||||
# Basics
|
||||
systemd.oomd.enable = false;
|
||||
services.dbus.enable = true;
|
||||
};
|
||||
}; # end containers.gitlab-runner
|
||||
|
||||
};
|
||||
} # end file
|
||||
|
||||
|
|
|
|||
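Review bot: With the nspawn layer removed, `dockerPrivileged = true;` in the surviving `ci-nspawn-docker` service (the `services.gitlab-runner` block near the top of the hunk) means every CI job gets a privileged container on the host's own Docker daemon, which is host-root-equivalent for any project that can run a pipeline on this runner, whereas the old configuration at least kept that inside `containers.gitlab-runner`. If privileged jobs are really required, record the trade-off next to the setting, e.g. `# dockerPrivileged gives jobs host-root-equivalent access; register this runner only for trusted/protected projects`, otherwise set it to `false`. The same concern applies to `extraGroups = [ "docker" "wheel" ];` on `users.users.gitlab-runner`: `docker` membership is already root-equivalent and `wheel` adds sudo on top, and nothing in the hunk shows the runner needing either once the service runs under systemd, so `extraGroups = [ "docker" ];` at most. The `ci-nspawn-docker` service name and `"kernel.unprivileged_userns_clone" = 1;` appear to be leftovers of the nested setup; rename/drop them or comment why they remain. Old/new sides are not fully recoverable here because the markers are lost, and the enclosing attribute set begins before the hunk (`}; # end isponsorblocktv` is earlier context).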