switch to docker

2025-09-29 17:32:31 +02:00 · 2025-09-29 17:32:31 +02:00 · b62ea0fcf5
commit b62ea0fcf5
parent 77684b6df6
1 changed files with 21 additions and 74 deletions
--- a/hosts/tesla-nixos/configuration.nix
+++ b/hosts/tesla-nixos/configuration.nix
@ -25,8 +25,6 @@
    "kernel.unprivileged_userns_clone" = 1;
  };

-  # Persist GitLab Runner state on the host (tokens, cache, builds)
-  # so the container can be rebuilt without losing registration.
  systemd.tmpfiles.rules = [
    "d /var/lib/gitlab-runner          0755 root root -"
    "d /var/lib/gitlab-runner/builds   0755 root root -"
@ -37,14 +35,8 @@
    autoStart = true;
    ephemeral = false;

-    # Keep networking simple. If you want isolation, set privateNetwork = true
-    # and configure veth/bridge. With false it shares the host network namespace.
    privateNetwork = false;

-    # Podman rootless uses fuse-overlayfs → /dev/fuse must be available
-    allowedDevices = [
-      { node = "/dev/fuse"; modifier = "rwm"; }
-    ];
    bindMounts = {
      "/var/lib/gitlab-runner" = {
        hostPath = "/var/lib/gitlab-runner";
@ -59,112 +51,67 @@
        isReadOnly = false;
      };
    };
-    # The container runs its own NixOS config below:
-    config = { config, pkgs, lib, ... }: {
-      imports = [ ];

+    # Guest (inside the nspawn container)
+    config = { pkgs, ... }: {
      networking.hostName = "ci-nspawn";
      time.timeZone = "UTC";

-      # GitLab Runner user (will run jobs and the user-scoped Podman API)
+      # Runner user
      users.users.gitlab-runner = {
        isSystemUser = true;
-        # keep home on the persistent mount
        home = "/var/lib/gitlab-runner";
        createHome = true;
        shell = pkgs.bashInteractive;
-        extraGroups = [ "podman" "wheel" ];
+        extraGroups = [ "docker" "wheel" ];
        group = "gitlab-runner";
      };
      users.groups.gitlab-runner = { };
-      users.groups.podman = { };
+      users.groups.docker = { };

-      # Rootless Podman
-      virtualisation.podman = {
+      # Docker daemon inside the container
+      virtualisation.docker = {
        enable = true;
-        defaultNetwork.settings.dns_enabled = true;
-      };
-      virtualisation.containers.storage.settings = {
-        storage = {
-          driver = "overlay";
-        };
-        "storage.options" = {
-          mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs";
-        };
      };
+
      environment.systemPackages = with pkgs; [
-        podman
-        fuse-overlayfs
-        slirp4netns
-        crun
-        skopeo
+        docker
        git
      ];
-
-      # Ensure /etc/subuid /etc/subgid exist for rootless user namespace
-      environment.etc."subuid".text = ''
-        gitlab-runner:100000:65536
-      '';
-      environment.etc."subgid".text = ''
-        gitlab-runner:100000:65536
-      '';
-
-      # Run a *user*-scoped Podman API service so GitLab Runner can talk to it.
-      # The socket ends up at: /run/user/<UID>/podman/podman.sock
-      # We keep it always-on via linger below.
-      systemd.user.services."podman-api" = {
-        description = "Podman API (rootless)";
-        serviceConfig = {
-          ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
-          Restart = "always";
-        };
-        wantedBy = [ "default.target" ];
-      };
-
-      # Make the user session available at boot (so the user service can run)
-      # This is the NixOS way to call `loginctl enable-linger gitlab-runner`.
      systemd.services."enable-linger-gitlab-runner" = {
        description = "Enable linger for gitlab-runner";
        wantedBy = [ "multi-user.target" ];
        serviceConfig = {
          Type = "oneshot";
          ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
-          # Harmless if already enabled
          RemainAfterExit = true;
        };
      };

-      # GitLab Runner
+      # GitLab Runner configured to use the local Docker daemon
      services.gitlab-runner = {
        enable = true;
+        user = "gitlab-runner";

        services = {
-          ci-nspawn-rootless-podman = {
-            # Prefer auth tokens (GitLab 18 deprecates registration tokens)
-            # Put CI_SERVER_URL and CI_SERVER_TOKEN into this file (ENV format).
+          ci-nspawn-docker = {
            authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
-            # …or, if you still use a registration token:
-            # registrationConfigFile = "/var/lib/gitlab-runner/registration.env";

-            executor = "docker";          # use Docker executor against Podman
+            executor = "docker";
            dockerImage = "alpine:3";
-            dockerPrivileged = true;      # tighten later if you can
+            dockerPrivileged = true;
            dockerVolumes = [
              "/var/lib/gitlab-runner/cache:/cache"
            ];
-            environmentVariables = {
-              DOCKER_HOST = "unix:///run/user/2100/podman/podman.sock";
-            };
-          }; # end services.ci-nspawn-rootless-podman
-        }; # end services.gitlab-runner
-      }; # end containers.ci.config
+          };
+        };
+      };

-
-      # Make sure systemd + cgroups are fully available inside the container
-      systemd.oomd.enable = false; # avoids noise in small containers
+      # Basics
+      systemd.oomd.enable = false;
      services.dbus.enable = true;
-
-    }; # end containers.gitlab-runner.config
+    };
  }; # end containers.gitlab-runner
+
 } # end file