From b62ea0fcf52f05e77022519ae43603a18736e8a6 Mon Sep 17 00:00:00 2001
From: alisceon
Date: Mon, 29 Sep 2025 17:32:31 +0200
Subject: [PATCH] switch to docker

---
hosts/tesla-nixos/configuration.nix | 95 +++++++---------------------
1 file changed, 21 insertions(+), 74 deletions(-)

diff --git a/hosts/tesla-nixos/configuration.nix b/hosts/tesla-nixos/configuration.nix
index ec31307..a714581 100644
--- a/hosts/tesla-nixos/configuration.nix
+++ b/hosts/tesla-nixos/configuration.nix
@@ -25,8 +25,6 @@
"kernel.unprivileged_userns_clone" = 1;
};
- # Persist GitLab Runner state on the host (tokens, cache, builds)
- # so the container can be rebuilt without losing registration.
systemd.tmpfiles.rules = [
"d /var/lib/gitlab-runner 0755 root root -"
"d /var/lib/gitlab-runner/builds 0755 root root -"
@@ -37,14 +35,8 @@
autoStart = true;
ephemeral = false;
- # Keep networking simple. If you want isolation, set privateNetwork = true
- # and configure veth/bridge. With false it shares the host network namespace.
privateNetwork = false;
- # Podman rootless uses fuse-overlayfs → /dev/fuse must be available
- allowedDevices = [
- { node = "/dev/fuse"; modifier = "rwm"; }
- ];
bindMounts = {
"/var/lib/gitlab-runner" = {
hostPath = "/var/lib/gitlab-runner";
@@ -59,112 +51,67 @@
isReadOnly = false;
};
};
- # The container runs its own NixOS config below:
- config = { config, pkgs, lib, ... }: {
- imports = [ ];
+ # Guest (inside the nspawn container)
+ config = { pkgs, ... }: {
networking.hostName = "ci-nspawn";
time.timeZone = "UTC";
- # GitLab Runner user (will run jobs and the user-scoped Podman API)
+ # Runner user
users.users.gitlab-runner = {
isSystemUser = true;
- # keep home on the persistent mount
home = "/var/lib/gitlab-runner";
createHome = true;
shell = pkgs.bashInteractive;
- extraGroups = [ "podman" "wheel" ];
+ extraGroups = [ "docker" "wheel" ];
group = "gitlab-runner";
};
users.groups.gitlab-runner = { };
- users.groups.podman = { };
+ users.groups.docker = { };
- # Rootless Podman
- virtualisation.podman = {
+ # Docker daemon inside the container
+ virtualisation.docker = {
enable = true;
- defaultNetwork.settings.dns_enabled = true;
- };
- virtualisation.containers.storage.settings = {
- storage = {
- driver = "overlay";
- };
- "storage.options" = {
- mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs";
- };
};
+
environment.systemPackages = with pkgs; [
- podman
- fuse-overlayfs
- slirp4netns
- crun
- skopeo
+ docker
git
];
-
- # Ensure /etc/subuid /etc/subgid exist for rootless user namespace
- environment.etc."subuid".text = ''
- gitlab-runner:100000:65536
- '';
- environment.etc."subgid".text = ''
- gitlab-runner:100000:65536
- '';
-
- # Run a *user*-scoped Podman API service so GitLab Runner can talk to it.
- # The socket ends up at: /run/user//podman/podman.sock
- # We keep it always-on via linger below.
- systemd.user.services."podman-api" = {
- description = "Podman API (rootless)";
- serviceConfig = {
- ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
- Restart = "always";
- };
- wantedBy = [ "default.target" ];
- };
-
- # Make the user session available at boot (so the user service can run)
- # This is the NixOS way to call `loginctl enable-linger gitlab-runner`.
systemd.services."enable-linger-gitlab-runner" = {
description = "Enable linger for gitlab-runner";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
- # Harmless if already enabled
RemainAfterExit = true;
};
};
- # GitLab Runner
+ # GitLab Runner configured to use the local Docker daemon
services.gitlab-runner = {
enable = true;
+ user = "gitlab-runner";
services = {
- ci-nspawn-rootless-podman = {
- # Prefer auth tokens (GitLab 18 deprecates registration tokens)
- # Put CI_SERVER_URL and CI_SERVER_TOKEN into this file (ENV format).
+ ci-nspawn-docker = {
authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
- # …or, if you still use a registration token:
- # registrationConfigFile = "/var/lib/gitlab-runner/registration.env";
executor = "docker"; # use Docker executor against Podman
executor = "docker";
dockerImage = "alpine:3";
- dockerPrivileged = true; # tighten later if you can
+ dockerPrivileged = true;
dockerVolumes = [ "/var/lib/gitlab-runner/cache:/cache" ];
- environmentVariables = {
- DOCKER_HOST = "unix:///run/user/2100/podman/podman.sock";
- };
- }; # end services.ci-nspawn-rootless-podman
- }; # end services.gitlab-runner
- }; # end containers.ci.config
+ };
+ };
+ };
-
- # Make sure systemd + cgroups are fully available inside the container
- systemd.oomd.enable = false; # avoids noise in small containers
+ # Basics
+ systemd.oomd.enable = false;
services.dbus.enable = true;
-
- }; # end containers.gitlab-runner.config
+ };
}; # end containers.gitlab-runner
+ } # end file
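Review bot: `dockerPrivileged = true;` on the new `ci-nspawn-docker` service drops the old `# tighten later if you can` reminder exactly when the flag becomes more consequential: this hunk replaces rootless Podman (subuid/subgid maps, fuse-overlayfs, the user-scoped `podman-api` socket) with a root `dockerd` in the guest, so every pipeline job now gets a privileged container on a root daemon, i.e. root in the guest, and the unchanged `privateNetwork = false` from the earlier hunk means that guest already shares the host network namespace. If privileged jobs are really required, keep the warning in place, e.g. `dockerPrivileged = true; # root-equivalent for every CI job: dockerd runs as root in the guest, guest shares host netns`; otherwise set it to `false` and grant it per project. With the runner user now in `docker` (root-equivalent socket access) its extra `wheel` membership buys nothing and could be dropped at the same time. `systemd.services."enable-linger-gitlab-runner"` is now vestigial: it only existed so the user-scoped `podman-api` service could run at boot, and that service is deleted here. The added `user = "gitlab-runner";` under `services.gitlab-runner` should be checked against the NixOS module's declared options before merging, since an undeclared option fails evaluation and it is not obvious from this hunk that the module exposes one.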