alisceon/nixos_config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos_config/hosts/tesla-nixos/configuration.nix
alisceon 8cad7c3620 error whom
2025-09-29 16:22:54 +02:00

181 lines
6.1 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

{ config, pkgs, ... }:
{
security.sudo.wheelNeedsPassword = false;
imports =
[ ./hardware-configuration.nix ];
networking.hostName = "tesla-nixos";
boot.initrd.enable = true;
boot.loader = {
systemd-boot = {
enable = true;
}; # end loader.systemd-boot
}; # end boot
virtualisation.oci-containers.containers = {
isponsorblocktv = {
image = "ghcr.io/dmunozv04/isponsorblocktv:latest";
autoStart = true;
volumes = [
"/home/alisceon/isponsorblocktv:/app/data"
];
}; # end isponsorblocktv
};
boot.kernel.sysctl = {
"kernel.unprivileged_userns_clone" = 1;
};
# Persist GitLab Runner state on the host (tokens, cache, builds)
# so the container can be rebuilt without losing registration.
systemd.tmpfiles.rules = [
"d /var/lib/gitlab-runner 0755 root root -"
];
containers.gitlab-runner = {
autoStart = true;
ephemeral = false;
# Keep networking simple. If you want isolation, set privateNetwork = true
# and configure veth/bridge. With false it shares the host network namespace.
privateNetwork = false;
# Podman rootless uses fuse-overlayfs → /dev/fuse must be available
allowedDevices = [
{ node = "/dev/fuse"; modifiers = [ "rwm" ]; }
];
# Persist runners home/state and optionally cache
bindMounts = {
"/var/lib/gitlab-runner" = {
hostPath = "/var/lib/gitlab-runner";
isReadOnly = false;
};
# Optional: a big builds/cache dir for job artifacts
"/var/lib/gitlab-runner/builds" = {
hostPath = "/var/lib/gitlab-runner/builds";
isReadOnly = false;
create = true;
};
"/var/lib/gitlab-runner/cache" = {
hostPath = "/var/lib/gitlab-runner/cache";
isReadOnly = false;
create = true;
};
};
# The container runs its own NixOS config below:
config = { config, pkgs, lib, ... }: {
imports = [ ];
networking.hostName = "ci-nspawn";
time.timeZone = "UTC";
# GitLab Runner user (will run jobs and the user-scoped Podman API)
users.users.gitlab-runner = {
isSystemUser = true;
# keep home on the persistent mount
home = "/var/lib/gitlab-runner";
createHome = true;
shell = pkgs.bashInteractive;
extraGroups = [ "podman" "wheel" ];
};
users.groups.podman = { };
# Rootless Podman
virtualisation.podman = {
enable = true;
# Provide Docker-compatible CLI & /var/run/docker.sock shim (for rootful).
# We'll still point the runner directly at the rootless socket (recommended).
dockerCompat = true;
defaultNetwork.settings.dns_enabled = true;
};
environment.systemPackages = with pkgs; [
podman
fuse-overlayfs
slirp4netns
crun
skopeo
git
];
# Ensure /etc/subuid /etc/subgid exist for rootless user namespace
environment.etc."subuid".text = ''
gitlab-runner:100000:65536
'';
environment.etc."subgid".text = ''
gitlab-runner:100000:65536
'';
# Run a *user*-scoped Podman API service so GitLab Runner can talk to it.
# The socket ends up at: /run/user/<UID>/podman/podman.sock
# We keep it always-on via linger below.
systemd.user.services."podman-api" = {
description = "Podman API (rootless)";
serviceConfig = {
ExecStart = "${pkgs.podman}/bin/podman system service --time=0";
Restart = "always";
};
WantedBy = [ "default.target" ];
};
# Make the user session available at boot (so the user service can run)
# This is the NixOS way to call `loginctl enable-linger gitlab-runner`.
systemd.services."enable-linger-gitlab-runner" = {
description = "Enable linger for gitlab-runner";
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
ExecStart = "${pkgs.systemd}/bin/loginctl enable-linger gitlab-runner";
# Harmless if already enabled
RemainAfterExit = true;
};
};
# GitLab Runner
services.gitlab-runner = {
enable = true;
services = {
ci-nspawn-rootless-podman = {
# Prefer auth tokens (GitLab 18 deprecates registration tokens)
# Put CI_SERVER_URL and CI_SERVER_TOKEN into this file (ENV format).
authenticationTokenConfigFile = "/var/lib/gitlab-runner/token-env";
# …or, if you still use a registration token:
# registrationConfigFile = "/var/lib/gitlab-runner/registration.env";
executor = "docker"; # use Docker executor against Podman
dockerImage = "alpine:3";
dockerPrivileged = true; # tighten later if you can
dockerVolumes = [
"/var/lib/gitlab-runner/cache:/cache"
];
# If your nixpkgs exposes it (most do), point Docker executor at Podman:
dockerHost = "unix:///run/user/$(id -u gitlab-runner)/podman/podman.sock";
# If that option isnt available in your channel, instead supply a full
# config.toml via `services.gitlab-runner.configFile` where you set:
# [runners.docker]
# host = "unix:///run/user/UID/podman/podman.sock"
}; # end services.ci-nspawn-rootless-podman
}; # end services.gitlab-runner
}; # end containers.ci.config
# Make sure systemd + cgroups are fully available inside the container
systemd.oomd.enable = false; # avoids noise in small containers
services.dbus.enable = true;
# Storage tuning for rootless overlay
environment.etc."containers/storage.conf".text = ''
[storage]
driver = "overlay"
runroot = "/run/user/1000/containers" # will be per-user anyway
graphroot = "/var/lib/gitlab-runner/.local/share/containers/storage"
[storage.options]
mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
additionalimagestores = []
'';
}; # end containers.gitlab-runner.config
}; # end containers.gitlab-runner
} # end file
Reference in a new issue View git blame Copy permalink