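{ config, pkgs, ... }:

# Host "tesla-nixos": systemd-boot, one OCI container (isponsorblocktv) and a
# persistent NixOS nspawn container "gitlab-runner" in which a GitLab Runner's
# docker executor talks to a *rootless* Podman API.
#
# Fixes relative to the previous revision:
#   - `WantedBy` on the user service was not a NixOS option (`wantedBy` is).
#   - `$(id -u gitlab-runner)` inside a Nix string is never expanded by Nix or
#     by gitlab-runner; the socket path is now derived from a known uid.
#   - /etc/subuid, /etc/subgid and /etc/containers/storage.conf are now set
#     through the NixOS options that own those files instead of
#     environment.etc, which collides with the generated files.
#   - the runner user no longer sits in `wheel`.
{
  imports = [ ./hardware-configuration.nix ];

  networking.hostName = "tesla-nixos";

  boot.initrd.enable = true;
  boot.loader.systemd-boot.enable = true;

  # NOTE(review): every member of `wheel` on the host becomes root without a
  # password. Anything that can run commands as such a user (a compromised
  # desktop session, a stolen SSH key) gets root for free. Unless there is a
  # specific reason, leave this at its default (true).
  security.sudo.wheelNeedsPassword = false;

  # Rootless Podman inside the nspawn container creates user namespaces, and
  # the container shares the host kernel, so the host must allow them.
  # NOTE(review): `kernel.unprivileged_userns_clone` is a Debian/linux-hardened
  # patch knob, not an upstream sysctl. On the stock NixOS kernel it is likely
  # absent (systemd-sysctl logs an error, and unprivileged userns are already
  # permitted); on the hardened kernel NixOS exposes the same switch as
  # `security.unprivilegedUsernsClone`. Check which kernel this host runs.
  boot.kernel.sysctl."kernel.unprivileged_userns_clone" = 1;

  virtualisation.oci-containers.containers.isponsorblocktv = {
    # `:latest` is a moving tag: the image can change under every pull. Pin a
    # digest (image@sha256:...) if reproducibility matters.
    image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
    autoStart = true;
    volumes = [ "/home/alisceon/isponsorblocktv:/app/data" ];
  };

  # Persist GitLab Runner state on the host (tokens, cache, builds) so the
  # container can be rebuilt without losing its registration.
  # NOTE(review): this directory becomes the runner user's $HOME inside the
  # container, yet is created root-owned 0755 here. Verify that the container's
  # user activation makes it writable for the runner uid; if it does not, give
  # it that owner here. The authentication-token file lives inside it - keep
  # that file 0600.
  systemd.tmpfiles.rules = [ "d /var/lib/gitlab-runner 0755 root root -" ];

  containers.gitlab-runner = {
    autoStart = true;
    ephemeral = false;

    # Shares the host network namespace: CI jobs reach everything the host can
    # reach (LAN, the isponsorblocktv container, any metadata service). Set
    # privateNetwork = true plus a veth/bridge for isolation.
    privateNetwork = false;

    # Rootless Podman uses fuse-overlayfs, which needs /dev/fuse.
    allowedDevices = [ { node = "/dev/fuse"; modifiers = [ "rwm" ]; } ];

    # The runner's home/state. `builds` and `cache` are already visible through
    # the parent mount; the extra entries exist so `create = true` makes the
    # host-side directories.
    bindMounts = {
      "/var/lib/gitlab-runner" = {
        hostPath = "/var/lib/gitlab-runner";
        isReadOnly = false;
      };
      "/var/lib/gitlab-runner/builds" = {
        hostPath = "/var/lib/gitlab-runner/builds";
        isReadOnly = false;
        create = true;
      };
      "/var/lib/gitlab-runner/cache" = {
        hostPath = "/var/lib/gitlab-runner/cache";
        isReadOnly = false;
        create = true;
      };
    };

    # The container's own NixOS configuration.
    config = { config, pkgs, lib, ... }:
      let
        # Two paths are derived from the runner's uid at evaluation time: the
        # rootless Podman socket and runroot under /run/user/<uid>. A uid
        # assigned at activation cannot be spelled out in a Nix string, so the
        # uid is read back from the user definition below, which pins it with
        # mkDefault (a uid supplied by the gitlab-runner module, if any, wins).
        runnerUid = config.users.users.gitlab-runner.uid;
        runnerHome = "/var/lib/gitlab-runner";
        # Default listen address of `podman system service` for a rootless user.
        podmanSocket = "unix:///run/user/${toString runnerUid}/podman/podman.sock";
      in
      {
        networking.hostName = "ci-nspawn";
        time.timeZone = "UTC";

        # Runs the runner daemon, the jobs (through Podman) and the user-scoped
        # Podman API. Home is on the persistent bind mount.
        users.users.gitlab-runner = {
          isSystemUser = true;
          # Any unused uid works; it only has to be fixed. 1000 is what the
          # storage configuration already hard-coded.
          uid = lib.mkDefault 1000;
          group = "gitlab-runner";
          home = runnerHome;
          createHome = true;
          shell = pkgs.bashInteractive;
          # Rootless Podman needs no group membership; `podman` only matters
          # for the dockerCompat shim. `wheel` was dropped: a user that runs
          # untrusted CI jobs must not be a sudo candidate.
          extraGroups = [ "podman" ];
          # NixOS generates /etc/subuid and /etc/subgid from these ranges
          # (gitlab-runner:100000:65536); writing the files through
          # environment.etc fights that generator.
          subUidRanges = [ { startUid = 100000; count = 65536; } ];
          subGidRanges = [ { startGid = 100000; count = 65536; } ];
        };
        users.groups.gitlab-runner = { };
        users.groups.podman = { };

        virtualisation.podman = {
          enable = true;
          # Docker-compatible CLI. The rootful docker.sock shim is not used:
          # the runner is pointed at the rootless socket below.
          dockerCompat = true;
          defaultNetwork.settings.dns_enabled = true;
        };

        # The podman module generates /etc/containers/storage.conf from this
        # option; a second definition via environment.etc collides with it.
        # The option replaces the module default wholesale, so driver,
        # graphroot and runroot are all spelled out.
        # NOTE(review): for rootless users Podman is expected to substitute its
        # per-user defaults ($HOME/.local/share/containers/storage and
        # $XDG_RUNTIME_DIR/containers), which coincide with the values here;
        # `rootless_storage_path` is the knob if they ever must differ. Confirm
        # with `podman info` run as gitlab-runner.
        virtualisation.containers.storage.settings.storage = {
          driver = "overlay";
          runroot = "/run/user/${toString runnerUid}/containers";
          graphroot = "${runnerHome}/.local/share/containers/storage";
          options = {
            mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs";
            additionalimagestores = [ ];
          };
        };

        environment.systemPackages = with pkgs; [
          podman
          fuse-overlayfs
          slirp4netns
          crun
          skopeo
          git
        ];

        # User-scoped Podman API. NixOS user units apply to every user session
        # in the container; gitlab-runner is the only lingering user, so in
        # practice this runs once, for it, and listens on podmanSocket.
        systemd.user.services.podman-api = {
          description = "Podman API (rootless)";
          # The NixOS option is `wantedBy`; the unit-file spelling `WantedBy`
          # is not an option and fails evaluation.
          wantedBy = [ "default.target" ];
          serviceConfig = {
            ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
            Restart = "always";
          };
        };

        # Make the user session available at boot so the user service can run:
        # the declarative form of `loginctl enable-linger gitlab-runner`.
        # (Newer channels may also offer `users.users.<name>.linger`.)
        systemd.services.enable-linger-gitlab-runner = {
          description = "Enable linger for gitlab-runner";
          wantedBy = [ "multi-user.target" ];
          after = [ "systemd-logind.service" ];
          serviceConfig = {
            Type = "oneshot";
            RemainAfterExit = true;
            # Harmless if already enabled.
            ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
          };
        };

        # Do not start the runner before the linger session (and with it
        # /run/user/<uid>) exists; otherwise its first jobs fail against a
        # socket that is not there yet.
        systemd.services.gitlab-runner.after = [ "enable-linger-gitlab-runner.service" ];

        services.gitlab-runner = {
          enable = true;
          user = "gitlab-runner";
          services.ci-nspawn-rootless-podman = {
            # Authentication token (GitLab 18 deprecates registration tokens).
            # The file holds CI_SERVER_URL and CI_SERVER_TOKEN in ENV format.
            # ...or, if you still use a registration token:
            #   registrationConfigFile = "${runnerHome}/registration.env";
            authenticationTokenConfigFile = "${runnerHome}/token-env";
            executor = "docker";
            dockerImage = "alpine:3";
            # NOTE(review): `--privileged` for every job. Under rootless Podman
            # root-in-container is still the runner uid on the host, but jobs
            # run with the full capability set of that namespace and without
            # the usual seccomp/device restrictions. Drop it unless a job
            # really needs it (docker-in-docker), and scope it per job then.
            dockerPrivileged = true;
            dockerVolumes = [ "${runnerHome}/cache:/cache" ];
            # Point the docker executor at the rootless Podman socket. The
            # module has no dedicated `dockerHost` option in the channels seen
            # here, so the flag is handed to `gitlab-runner register`; if your
            # channel does expose one, use it instead.
            registrationFlags = [ "--docker-host" podmanSocket ];
          };
        };

        systemd.oomd.enable = false; # avoids noise in small containers
        services.dbus.enable = true;
      };
  };
}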