github-runner

General

With this container, we provide a GitHub runner as well as (more recently) a GitLab runner. This container does not have the regular Garuda configurations because it is considered untrusted. Access needs to happen by running `nixos-container root-login` on immortalis (click me).

Restarting containers

This is done with the following command:

sudo systemctl restart docker-compose-gitlab-runner-root

Watchtower additionally keeps the containers up to date.

Nix expression

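{ keys
, ...
}: {
  # No default modules, untrusted container!
  # imports = sources.defaultModules ++ [
  #   ./garuda/garuda.nix
  # ];

  # Only the hardening/motd modules plus the compose2nix-generated runner
  # definitions; the defaultModules the other hosts import are deliberately
  # skipped (see above) because this container is treated as untrusted.
  imports = [
    ../modules/hardening.nix
    ../modules/motd.nix
    ./github-runner/github-compose.nix
    ./github-runner/gitlab-compose.nix
  ];

  # Common Docker configurations: prune unused resources including images
  # ("-a"), so images rotated by watchtower do not accumulate on disk.
  virtualisation.docker = {
    autoPrune.enable = true;
    autoPrune.flags = [ "-a" ];
  };

  # Enable SSH
  services.openssh.enable = true;

  # No custom users - only Pedro and root via nixos-container root-login.
  # Accounts are declarative and have no password; the only way in over SSH
  # is the key file referenced below.
  users = {
    allowNoPasswordLogin = true;
    mutableUsers = false;
    users.pedrohlc = {
      home = "/home/pedrohlc";
      isNormalUser = true;
      openssh.authorizedKeys.keyFiles = [ keys.pedrohlc ];
    };
  };

  # Make Pedro god here: a nix trusted-user can override daemon settings such
  # as sandboxing and substituters (root-equivalent), and sudo is passwordless.
  nix.settings.trusted-users = [ "pedrohlc" ];
  security.sudo.extraRules = [
    {
      users = [ "pedrohlc" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];

  # OOM prevention
  systemd.oomd = {
    enable = true; # This is actually the default, anyways...
    enableSystemSlice = true;
    enableUserSlices = true;
  };

  # Proxy redirect for the runner containers: TCP traffic sent to the docker
  # bridge gateway (172.17.0.1) on port 3128 is DNATed to 10.0.5.1:3128 and
  # SNATed to 10.0.5.130 on the way out.
  networking.firewall =
    let
      # The rule bodies are shared between the add (-A) and delete (-D)
      # commands so that the stop script removes exactly what the start
      # script inserted. Previously the -D rules used different destination
      # addresses, never matched, and so left the NAT rules behind (and
      # duplicated them) on every firewall restart.
      dnat = "PREROUTING -p tcp -d 172.17.0.1 --dport 3128 -j DNAT --to-destination 10.0.5.1:3128";
      # NOTE(review): POSTROUTING sees the post-DNAT destination (10.0.5.1),
      # so a match on -d 172.17.0.1 here looks like it is never hit; the old
      # stop rule matched -d 10.0.5.1. Confirm which destination is intended
      # before changing it.
      snat = "POSTROUTING -p tcp -d 172.17.0.1 --dport 3128 -j SNAT --to-source 10.0.5.130";
    in
    {
      extraCommands = ''
        iptables -t nat -A ${dnat}
        iptables -t nat -A ${snat}
      '';
      # "|| true": the firewall stop script aborts on the first failing
      # command, and a rule that is already gone must not stop the teardown.
      extraStopCommands = ''
        iptables -t nat -D ${dnat} || true
        iptables -t nat -D ${snat} || true
      '';
    };

  system.stateVersion = "23.05";
}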

Docker containers (GitHub)

# Auto-generated using compose2nix v0.2.2-pre.
{ pkgs, lib, ... }:

let
  # Names shared by every unit of the GitHub compose project.
  network = "github-runner_default";
  networkUnit = "docker-network-${network}.service";
  rootTarget = "docker-compose-github-runner-root.target";
  # Host directory bind-mounted into the runner; the runner is told to work
  # in a sub-directory of it via RUNNER_WORKDIR.
  workdir = "/tmp/runner";
in
{
  # Runtime
  virtualisation = {
    docker = {
      enable = true;
      autoPrune.enable = true;
    };
    oci-containers = {
      backend = "docker";

      # Containers
      containers.github-runner = {
        image = "myoung34/github-runner:2.318.0";
        # Registration is org-wide (RUNNER_SCOPE/ORG_NAME); EPHEMERAL presumably
        # makes the runner take a single job and de-register - confirm against
        # the image's documentation. The registration secret is not in this
        # file: it comes from the env file referenced below, read at start-up.
        environment = {
          "EPHEMERAL" = "true";
          "LABELS" = "nyxbuilder";
          "ORG_NAME" = "chaotic-cx";
          "RUNNER_NAME" = "immortalis";
          "RUNNER_SCOPE" = "org";
          "RUNNER_WORKDIR" = "${workdir}/work";
        };
        volumes = [ "${workdir}:${workdir}:rw" ];
        log-driver = "journald";
        # --privileged removes the container's isolation: whatever a workflow
        # runs has the same reach as root inside this nixos-container, which
        # is why the whole container is treated as untrusted.
        extraOptions = [
          "--network-alias=github-runner"
          "--network=${network}"
          "--privileged"
        ];
        environmentFiles = [ "/var/garuda/secrets/github-runner.env" ];
      };
    };
  };

  systemd = {
    services = {
      # Priority 500 sits between a plain assignment (100) and mkDefault (1000).
      # With Restart=no the unit stays down once the runner process exits.
      "docker-github-runner" = {
        serviceConfig.Restart = lib.mkOverride 500 "no";
        after = [ networkUnit ];
        requires = [ networkUnit ];
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
        unitConfig.RequiresMountsFor = [ workdir ];
      };

      # Networks
      "docker-network-${network}" = {
        path = [ pkgs.docker ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStop = "docker network rm -f ${network}";
        };
        # Idempotent: only create the network when inspect fails.
        script = ''
          docker network inspect ${network} || docker network create ${network}
        '';
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
      };
    };

    # Root service
    # When started, this will automatically create all resources and start
    # the containers. When stopped, this will teardown all resources.
    targets."docker-compose-github-runner-root" = {
      unitConfig.Description = "Root target generated by compose2nix.";
      wantedBy = [ "multi-user.target" ];
    };
  };
}

Docker containers (GitLab)

# Auto-generated using compose2nix v0.2.2-pre.
{ pkgs, lib, ... }:

let
  # Names shared by every unit of the GitLab compose project.
  network = "gitlab-runner_default";
  networkUnit = "docker-network-${network}.service";
  rootTarget = "docker-compose-gitlab-runner-root.target";
  # Every container below gets the docker socket mounted read-write, which
  # amounts to root on this nixos-container's docker daemon; keep that in mind
  # when reasoning about what a runner job can reach.
  dockerSock = "/var/run/docker.sock";

  # Unit wiring every container of the project shares: start after the
  # network unit, fail with it, and start/stop together with the root target.
  tiedToProject = {
    after = [ networkUnit ];
    requires = [ networkUnit ];
    partOf = [ rootTarget ];
    wantedBy = [ rootTarget ];
  };

  # One gitlab-runner container and its systemd service. `confDir` is the host
  # directory mounted as /etc/gitlab-runner inside the container, i.e. where
  # that runner's configuration (and registration credentials) live.
  runner = name: confDir: {
    container = {
      # Floating tag: watchtower below moves this to whatever upstream publishes
      # as "alpine", so the runner binary is trusted to the registry, not pinned.
      image = "gitlab/gitlab-runner:alpine";
      volumes = [
        "${confDir}:/etc/gitlab-runner:rw"
        "${dockerSock}:${dockerSock}:rw"
      ];
      log-driver = "journald";
      extraOptions = [
        "--network-alias=${name}"
        "--network=${network}"
      ];
    };
    service = tiedToProject // {
      # Priority 500 sits between a plain assignment (100) and mkDefault (1000).
      serviceConfig.Restart = lib.mkOverride 500 "no";
      unitConfig.RequiresMountsFor = [ confDir dockerSock ];
    };
  };

  # The garuda runner mounts /etc/gitlab-runner itself, the parent of the
  # chaotic and dind directories, so it can read and write the other two
  # runners' configuration as well.
  runners = {
    gitlab-runner-chaotic = runner "gitlab-runner-chaotic" "/etc/gitlab-runner/chaotic";
    gitlab-runner-dind = runner "gitlab-runner-dind" "/etc/gitlab-runner/dind";
    gitlab-runner-garuda = runner "gitlab-runner-garuda" "/etc/gitlab-runner";
  };

  runnerServices = builtins.listToAttrs (map
    (name: { name = "docker-${name}"; value = runners.${name}.service; })
    (builtins.attrNames runners));
in
{
  # Runtime
  virtualisation = {
    docker = {
      enable = true;
      autoPrune.enable = true;
    };
    oci-containers = {
      backend = "docker";

      # Containers
      containers = builtins.mapAttrs (_: r: r.container) runners // {
        watchtower = {
          image = "containrrr/watchtower:1.7.1";
          volumes = [ "${dockerSock}:${dockerSock}:rw" ];
          # The positional names limit the automatic updates to the three
          # runner containers; --cleanup removes the superseded images.
          cmd = [ "--cleanup" "gitlab-runner-chaotic" "gitlab-runner-garuda" "gitlab-runner-dind" ];
          log-driver = "journald";
          extraOptions = [
            "--network-alias=watchtower"
            "--network=${network}"
          ];
        };
      };
    };
  };

  systemd = {
    services = runnerServices // {
      # Unlike the runners, watchtower is restarted with backoff if it exits.
      "docker-watchtower" = tiedToProject // {
        serviceConfig = {
          Restart = lib.mkOverride 500 "always";
          RestartMaxDelaySec = lib.mkOverride 500 "1m";
          RestartSec = lib.mkOverride 500 "100ms";
          RestartSteps = lib.mkOverride 500 9;
        };
        unitConfig.RequiresMountsFor = [ dockerSock ];
      };

      # Networks
      "docker-network-${network}" = {
        path = [ pkgs.docker ];
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          ExecStop = "docker network rm -f ${network}";
        };
        # Idempotent: only create the network when inspect fails.
        script = ''
          docker network inspect ${network} || docker network create ${network}
        '';
        partOf = [ rootTarget ];
        wantedBy = [ rootTarget ];
      };
    };

    # Root service
    # When started, this will automatically create all resources and start
    # the containers. When stopped, this will teardown all resources.
    targets."docker-compose-gitlab-runner-root" = {
      unitConfig.Description = "Root target generated by compose2nix.";
      wantedBy = [ "multi-user.target" ];
    };
  };
}