From a6330a9df3766e1bfd15080337031aae4725b10e Mon Sep 17 00:00:00 2001
From: Daryl Ronningen
Date: Fri, 6 Jan 2023 23:51:58 -0800
Subject: [PATCH] add crystal-gitlab host and gitlab runner

---
devices/{common.nix => common-gpt.nix} | 0
devices/common-mbr.nix | 22 ++++++++++++++++++
devices/crystal-gitlab/base.nix | 31 ++++++++++++++++++++++++++
flake.lock | 21 +++++++++++++++++
flake.nix | 31 +++++++++++++++++++++++++-
secrets/gitlab-runners.age | 7 ++++++
secrets/secrets.nix | 8 +++++++
services/crystal/gitlab-runner.nix | 17 ++++++++++++++
services/openssh.nix | 3 +++
9 files changed, 139 insertions(+), 1 deletion(-)
rename devices/{common.nix => common-gpt.nix} (100%)
create mode 100644 devices/common-mbr.nix
create mode 100644 devices/crystal-gitlab/base.nix
create mode 100644 secrets/gitlab-runners.age
create mode 100644 secrets/secrets.nix
create mode 100644 services/crystal/gitlab-runner.nix
create mode 100644 services/openssh.nix

diff --git a/devices/common.nix b/devices/common-gpt.nix
similarity index 100%
rename from devices/common.nix
rename to devices/common-gpt.nix
diff --git a/devices/common-mbr.nix b/devices/common-mbr.nix
new file mode 100644
index 0000000..0bf4dcd
--- /dev/null
+++ b/devices/common-mbr.nix
@@ -0,0 +1,22 @@
+{pkgs, ...}: {
+ boot = {
+ loader = {
+ grub = {
+ enable = true;
+ device = "/dev/sda";
+ useOSProber = true;
+ };
+ };
+ kernelPackages = pkgs.linuxPackages_latest;
+ };
+
+ hardware = {
+ xpadneo.enable = true;
+ };
+
+ time.timeZone = "America/Los_Angeles";
+
+ zramSwap.enable = true;
+
+ system.stateVersion = "23.05";
+}
diff --git a/devices/crystal-gitlab/base.nix b/devices/crystal-gitlab/base.nix
new file mode 100644
index 0000000..bae8a3b
--- /dev/null
+++ b/devices/crystal-gitlab/base.nix
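Review bot: `hardware.xpadneo.enable = true;` and `useOSProber = true;` in the new devices/common-mbr.nix pull a gamepad kernel driver and an os-prober boot scan onto every host built from this profile, and the only such host in this patch is the headless crystal-gitlab runner VM (flake.nix composes it from `modules.nixos.common-mbr`). Neither setting has a use on a CI host and each is extra kernel and boot surface, so they belong in the device config of a machine that actually needs them; here the loader block can shrink to `grub = { enable = true; device = "/dev/sda"; };`. If common-mbr is meant to mirror common-gpt for desktop machines, a one-line comment at the top saying so would tell the next reader where such options go.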
@@ -0,0 +1,31 @@
+{
+ config,
+ pkgs,
+ lib,
+ modulesPath,
+ ...
+}: {
+ imports = [(modulesPath + "/profiles/qemu-guest.nix")];
+
+ boot = {
+ initrd = {
+ availableKernelModules = ["uhci_hcd" "ehci-pci" "ahci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ kernelModules = [];
+ };
+ kernelModules = ["kvm-intel"];
+ extraModulePackages = [];
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ };
+ };
+
+ networking.hostName = "crystal-gitlab";
+ networking.useDHCP = true;
+ nixpkgs.hostPlatform = "x86_64-linux";
+ powerManagement.cpuFreqGovernor = "powersave";
+ hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+}
diff --git a/flake.lock b/flake.lock
index cf25c57..17563de 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,5 +1,25 @@
 {
 "nodes": {
+ "agenix": {
+ "inputs": {
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1665870395,
+ "narHash": "sha256-Tsbqb27LDNxOoPLh0gw2hIb6L/6Ow/6lIBvqcHzEKBI=",
+ "owner": "ryantm",
+ "repo": "agenix",
+ "rev": "a630400067c6d03c9b3e0455347dc8559db14288",
+ "type": "github"
+ },
+ "original": {
+ "owner": "ryantm",
+ "repo": "agenix",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -264,6 +284,7 @@
 },
 "root": {
 "inputs": {
+ "agenix": "agenix",
 "home-manager": "home-manager",
 "neovim": "neovim",
 "nix-on-droid": "nix-on-droid",
diff --git a/flake.nix b/flake.nix
index 490884e..de564a9 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,6 +24,9 @@
 nix-on-droid.inputs.home-manager.follows = "home-manager";
 nixos-hardware.url = "github:NixOS/nixos-hardware";
+
+ agenix.url = "github:ryantm/agenix";
+ agenix.inputs.nixpkgs.follows = "nixpkgs";
 };
 outputs = {
 self,
@@ -35,6 +38,7 @@
 nixos-wsl,
 nix-on-droid,
 nixos-hardware,
+ agenix,
 ...
 }: let
 modules = {
@@ -54,11 +58,21 @@
 common = [
 ./common/personal.nix
 ./common/nix.nix
- ./devices/common.nix
+ ./devices/common-gpt.nix
+ ];
+ common-mbr = [
+ ./common/personal.nix
+ ./common/nix.nix
+ ./devices/common-mbr.nix
 ];
 dev = [
 ./common/dev/podman.nix
 ];
+ services = {
+ common = [
+ ./services/openssh.nix
+ ];
+ };
 desktops = {
 common = [
 ./common/desktop/apps.nix
@@ -84,6 +98,7 @@
 modules =
 modules.nixos.common
 ++ modules.nixos.dev
+ ++ modules.nixos.services.common
 ++ modules.nixos.desktops.common
 ++ modules.nixos.desktops.gnome
 ++ [
@@ -91,6 +106,7 @@
 ./devices/skynet/base.nix
 ./devices/skynet/hardware.nix
 nixos-hardware.nixosModules.framework-12th-gen-intel
+ agenix.nixosModule
 ];
 };
@@ -104,6 +120,19 @@
 ./devices/wsl/base.nix
 ];
 };
+
+ crystal-gitlab = nixpkgs.lib.nixosSystem {
+ pkgs = pkgsForSystem "x86_64-linux";
+ system = "x86_64-linux";
+ modules =
+ modules.nixos.common-mbr
+ ++ modules.nixos.services.common
+ ++ [
+ agenix.nixosModule
+ ./devices/crystal-gitlab/base.nix
+ ./services/crystal/gitlab-runner.nix
+ ];
+ };
 };
 homeConfigurations.relms = home-manager.lib.homeManagerConfiguration {
diff --git a/secrets/gitlab-runners.age b/secrets/gitlab-runners.age
new file mode 100644
index 0000000..3c43cd3
--- /dev/null
+++ b/secrets/gitlab-runners.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 lCCbYQ HHxHdDoRM4AmtCuYtNbjYuMzXx201+Cpwc+nPHlGqjQ
+JIkr2C6TalQ6gFng8Lo4FZmX3FFRL6yFIdmYqIKtXPo
+-> ?x+~awL9-grease ( =Vvj_3'y +rIUv4FY
+--- OnKh4PXvG3q5GXG4y9TtdOnyeIkdBEOYm8xkw9eQB1M
+׆"4J>:\3րE>IwHSGf5o:',&0w9K%Beo<t`]qȌdc"vRr"s
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..b78ba37
--- /dev/null
+++ b/secrets/secrets.nix
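Review bot: `common-mbr` in the @@ -54,11 hunk of flake.nix repeats the first two entries of `common` verbatim (`./common/personal.nix`, `./common/nix.nix`) and differs only in the device module, so the two lists will drift the next time one of them gains a module. A small shared base keeps them aligned: `base = [ ./common/personal.nix ./common/nix.nix ];` with `common = base ++ [ ./devices/common-gpt.nix ];` and `common-mbr = base ++ [ ./devices/common-mbr.nix ];`. The enclosing `modules` attribute set starts and ends outside the hunk.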
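Review bot: In the @@ -104,6 hunk the new `crystal-gitlab` system is built from `modules.nixos.common-mbr`, which carries `./common/personal.nix` onto a host whose job is to run third-party CI pipelines through the GitLab runner. That module is not in this patch, but its name suggests it provisions the author's interactive account and personal settings; if so, the CI host inherits a login path that has no role there, and its contents should be checked before merge. If only the nix settings are wanted on the runner, composing the host from `./common/nix.nix`, `./devices/common-mbr.nix` and `modules.nixos.services.common` directly keeps the VM minimal.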
@@ -0,0 +1,8 @@
+let
+ relms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKqJnbK9FjoPX7EYtXwG5QV8XfK7fcTfOWGFrfsQRj9z";
+
+ skynet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMajj7jUSGbJgndndLYs1ZQi37WsZi7Foyj2xmfbGrnn";
+ crystal-gitlab = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBg8PGtAXNsZYmWLYCmIdv1rpezCXBZ/Z+XbVZ39m3vt";
+in {
+ "gitlab-runners.age".publicKeys = [crystal-gitlab];
+}
diff --git a/services/crystal/gitlab-runner.nix b/services/crystal/gitlab-runner.nix
new file mode 100644
index 0000000..6161ffb
--- /dev/null
+++ b/services/crystal/gitlab-runner.nix
@@ -0,0 +1,17 @@
+{
+ pkgs,
+ config,
+ ...
+}: {
+ age.secrets.gitlab-runner.file = ../../secrets/gitlab-runners.age;
+
+ services.gitlab-runner = {
+ enable = true;
+ services = {
+ alpha = {
+ registrationConfigFile = config.age.secrets.gitlab-runner.path;
+ dockerImage = "alpine:latest";
+ };
+ };
+ };
+}
diff --git a/services/openssh.nix b/services/openssh.nix
new file mode 100644
index 0000000..8f0456f
--- /dev/null
+++ b/services/openssh.nix
@@ -0,0 +1,3 @@
+{
+ services.openssh.enable = true;
+}
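Review bot: `"gitlab-runners.age".publicKeys = [crystal-gitlab];` in secrets/secrets.nix lists only the host key, so the operator key `relms` declared three lines above cannot decrypt the file and editing or rekeying it from a workstation needs the VM's private host key copied off the machine. Listing the operator key alongside the host, `"gitlab-runners.age".publicKeys = [relms crystal-gitlab];`, lets the secret be rotated without ever handling the host key. `skynet` is declared but unused; if it is reserved for future secrets, a short comment saying so stops it reading as an omission.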
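Review bot: `dockerImage = "alpine:latest";` in services/crystal/gitlab-runner.nix registers the runner with a floating tag, so the default job image is whatever the registry serves at pull time and two runs of the same pipeline can execute different bytes; pin it to a fixed version or, better, a digest, `dockerImage = "alpine:<version>@sha256:<digest>";` with the placeholders filled from the registry. The secret is declared as `age.secrets.gitlab-runner` while the file is `gitlab-runners.age`; aligning the two (`age.secrets.gitlab-runners.file = ../../secrets/gitlab-runners.age;` plus the matching `.path` reference) avoids a confusing grep later. The file behind `registrationConfigFile` holds the runner registration token, which is enough to register further runners against the same project, so a comment noting that it must stay root-only readable (agenix's default mode, assuming it is not overridden) is worth adding next to the `age.secrets` line.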
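Review bot: `services.openssh.enable = true;` in the new services/openssh.nix enables sshd with module defaults, which leave password authentication on, and this file is now in `services.common`, which the CI runner VM imports. Since operator access is already key-based via secrets/secrets.nix, turn password logins off in the same module: `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` (on nixpkgs revisions before the `settings` refactor the options are `passwordAuthentication` and `kbdInteractiveAuthentication`). Placing the operator key in `users.users.<name>.openssh.authorizedKeys.keys` here as well would make the key-only policy self-contained.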