Diffstat (limited to 'modules')
-rw-r--r--modules/common/default.nix2
-rw-r--r--modules/default.nix1
-rw-r--r--modules/gitlab/default.nix24
-rw-r--r--modules/kubernetes/default.nix5
-rw-r--r--modules/wireguard/default.nix2
-rw-r--r--modules/wireguard/options.nix5
6 files changed, 34 insertions, 5 deletions
diff --git a/modules/common/default.nix b/modules/common/default.nix
index f338823..b1df8b2 100644
--- a/modules/common/default.nix
+++ b/modules/common/default.nix
@@ -12,7 +12,7 @@
};
# Default Packages Set
- environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools ];
+ environment.systemPackages = with pkgs; [ vim htop wget nftables wireguard-tools git ];
# Security
networking.firewall.enable = false;
diff --git a/modules/default.nix b/modules/default.nix
index 9c986a7..b2df22e 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -1,6 +1,7 @@
{
common = import ./common;
crypto = import ./crypto;
+ gitlab = import ./gitlab;
hetzner = import ./hetzner;
image = import ./image;
kubernetes = import ./kubernetes;
diff --git a/modules/gitlab/default.nix b/modules/gitlab/default.nix
new file mode 100644
index 0000000..078b467
--- /dev/null
+++ b/modules/gitlab/default.nix
@@ -0,0 +1,24 @@
+{ config, lib, pkgs, ... }:
+
+{
+ services.gitlab-runner = {
+ enable = true;
+ services.shell = {
+ registrationConfigFile = "/etc/gitlab/runner-registration";
+ executor = "shell";
+ tagList = [ "shell" "claranet-de-nix-runner" "nix" ];
+ };
+ };
+
+ systemd.services.gitlab-runner = {
+ serviceConfig = {
+ # Set `DynamicUser` under `systemd.services.gitlab-runner.serviceConfig`
+ # to `lib.mkForce false` in your configuration to run this service as root.
+ # You can also set `User` and `Group` options to run this service as desired user.
+ # Make sure to restart service or changes won't apply.
+ DynamicUser = lib.mkForce false;
+ # User = "nixbuilder";
+ # Group = "users";
+ };
+ };
+}
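Review bot: With `DynamicUser = lib.mkForce false;` set and both `User` and `Group` left commented out, this unit runs as root (the comment above the setting says so), and the `shell` executor then runs every CI job directly on the host under that identity. Any project able to schedule a job on the `shell` or `nix` tags would effectively hold root on the machine, so I would uncomment `User`/`Group` and point them at a dedicated unprivileged account that has only the Nix access the builds need. The four comment lines read as copied advice on how to run as root; replace them with the reason this host needs it, or drop them. The file at `/etc/gitlab/runner-registration` carries the registration token, so a comment such as `# root-owned, mode 0600, provisioned outside the Nix store` next to `registrationConfigFile` would record the expectation.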
diff --git a/modules/kubernetes/default.nix b/modules/kubernetes/default.nix
index 20b766f..078545b 100644
--- a/modules/kubernetes/default.nix
+++ b/modules/kubernetes/default.nix
@@ -83,8 +83,6 @@ in {
attrValues (mapAttrs (n: v: "${n}=${toString v}") cfg.taints);
kubelet-arg = "cgroup-driver=systemd";
-
- no-flannel = true;
} // (if cfg.role == "server" then {
advertise-address = "${internalIP.v4}";
@@ -110,8 +108,9 @@ in {
role = cfg.role;
token = "YPoyiPeBpQpB7oK8";
serverAddr = "https://10.10.0.1:6443";
+ # clusterInit = true;
configPath = "/etc/k3s/config.yaml";
- disableAgent = cfg.role == "agent";
+ # disableAgent = cfg.role != "agent";
};
};
}
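Review bot: The `token` on the context line just above the new `# clusterInit` comment is a literal cluster join secret committed to the repository, and a value set this way typically also ends up in the world-readable Nix store; the commit edits this block without addressing it. If this set is the NixOS `services.k3s` module (its header is outside the hunk), something like `tokenFile = "/etc/k3s/token";` pointing at a root-only file provisioned out of band would replace it, and the committed value should be rotated. The two added lines are commented-out code, and the parked `disableAgent` condition uses `!=` where the removed line had `==`. Either delete them or add a comment saying why they are kept and which form is intended.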
diff --git a/modules/wireguard/default.nix b/modules/wireguard/default.nix
index 345af3e..73396dc 100644
--- a/modules/wireguard/default.nix
+++ b/modules/wireguard/default.nix
@@ -15,7 +15,7 @@ with lib; {
in
{
endpoint =
- "${node.config.deployment.targetHost}:${toString peer.port}";
+ "${node.config.wireguard.endpoint}:${toString peer.port}";
publicKey = peer.publicKey;
persistentKeepalive = 25;
allowedIPs = [
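Review bot: The `wireguard.endpoint` option read here is declared in `modules/wireguard/options.nix` without a `default`, so as far as the visible hunks show, any node that appears as a peer and does not set it will fail evaluation, where `deployment.targetHost` was previously always available. The value is a bare `types.str` concatenated with `:${toString peer.port}`, so an IPv6 literal would need brackets and nothing checks that. I would spell out the contract in the option text, e.g. `description = "Public host name or IP that other peers use to reach this node's WireGuard port (IPv6 literals in brackets)";`, and consider a fallback to the old `targetHost` value if the options file has `config` in scope. The peer attribute set continues outside this hunk.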
diff --git a/modules/wireguard/options.nix b/modules/wireguard/options.nix
index 69013d0..60a93fc 100644
--- a/modules/wireguard/options.nix
+++ b/modules/wireguard/options.nix
@@ -15,6 +15,11 @@ with lib; {
default = false;
};
+ endpoint = mkOption {
+ type = types.str;
+ description = "Public endpoint of wireguard interface";
+ };
+
port = mkOption {
type = types.int;
description = "Port of the wireguard interface (51820)";