From 01822433d4bd72adffbec19e21253b7fe6152e56 Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Fri, 25 Jul 2025 17:04:20 +0200 Subject: [PATCH] add woodpecker status: agents error `agent could not auth: individual agent not found by token: sql: no rows in result set` --- machines/dev/fedi203/woodpecker.nix | 218 ++++++++++++++++++++++------ npins/sources.json | 10 +- 2 files changed, 176 insertions(+), 52 deletions(-) diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix index c2de1c35..d3891bf7 100644 --- a/machines/dev/fedi203/woodpecker.nix +++ b/machines/dev/fedi203/woodpecker.nix @@ -18,7 +18,9 @@ defaults.email = "something@fediversity.eu"; }; + # needs `sudo generate-vars` vars.settings.on-machine.enable = true; + vars.generators.woodpecker-agent-secret = { runtimeInputs = [ pkgs.openssl ]; files.my-secret.secret = true; 
@@ -27,13 +29,141 @@ ''; }; vars.generators.woodpecker-rpc-secret = { - runtimeInputs = [ pkgs.coreutils ]; + runtimeInputs = with pkgs; [ + coreutils + bash + ]; files.rpc-secret.secret = true; + # wrap in bash command to prevent `vars`' pipefail aborting half-way script = '' - tr -dc 'A-Za-z0-9!?%=' < /dev/urandom | head -c 32 > "$out"/rpc-secret + bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret" ''; }; + vars.generators.woodpecker = + let + fileNames = [ + "woodpecker-gitea-client" + "woodpecker-gitea-secret" + ]; + in + { + runtimeInputs = [ + pkgs.coreutils + pkgs.openssl + ]; + files = lib.genAttrs fileNames (_: { + secret = true; + }); + script = '' + ${lib.concatStringsSep "\n" ( + lib.lists.map (file: ''cp ${config.age.secrets.${file}.path} "$out/"'') fileNames + )} + ''; + }; + + vars.generators."templates" = rec { + dependencies = [ + "woodpecker" + # "woodpecker-agent-secret" + # "woodpecker-rpc-secret" + ]; + runtimeInputs = [ + pkgs.coreutils + pkgs.gnused + ]; + script = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (template: _: '' + cp "$templates/${template}" "$out/${template}" + echo "filling placeholders in template ${template}..." + ${lib.concatStringsSep "\n" ( + lib.lists.map (dependency: '' + echo "filling placeholders in template ${template} from generator ${dependency}..." + ${lib.concatStringsSep "\n" ( + lib.mapAttrsToList ( + parent: + { placeholder, ... 
}: + '' + sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}" + echo "- substituted ${parent}" + '' + ) config.vars.generators.${dependency}.files + )} + '') dependencies + )} + '') files + ); + + # files."woodpecker-server.conf" = { + # secret = true; + # template = pkgs.writeText "woodpecker-server.conf" '' + # WOODPECKER_DATABASE_DRIVER=sqlite3 + # WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false + # WOODPECKER_OPEN=false + # WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols + # WOODPECKER_HOST=https://woodpecker.fediversity.eu + # WOODPECKER_GITEA=true + # WOODPECKER_GITEA_URL=https://git.fediversity.eu + # WOODPECKER_GITEA_CLIENT_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} + # WOODPECKER_GITEA_SECRET_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} + # WOODPECKER_AGENT_SECRET_FILE=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} + # WOODPECKER_GRPC_SECRET_FILE=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} + # WOODPECKER_LOG_LEVEL=info + # WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git + # WOODPECKER_SERVER_ADDR=:8000 + # WOODPECKER_GRPC_ADDR=:9000 + # ''; + # }; + + files = + let + shared = '' + WOODPECKER_SERVER=localhost:9000 + # TODO: separate to agent-specific tokens? 
+ WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} + WOODPECKER_USERNAME=x-oauth-basic + WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu + WOODPECKER_MAX_WORKFLOWS=4 + WOODPECKER_LOG_LEVEL=info + WOODPECKER_DEBUG_PRETTY=false + WOODPECKER_DEBUG_NOCOLOR=true + WOODPECKER_HEALTHCHECK=false + WOODPECKER_GRPC_VERIFY=false + # TODO: fix + WOODPECKER_GRPC_SECURE=false + ''; + in + { + + "woodpecker-agent-exec.conf" = { + secret = true; + template = pkgs.writeText "woodpecker-agent-exec.conf" ( + lib.concatStringsSep "\n" [ + shared + '' + WOODPECKER_BACKEND=local + WOODPECKER_AGENT_LABELS=type=local + '' + ] + ); + }; + + "woodpecker-agent-podman.conf" = { + secret = true; + template = pkgs.writeText "woodpecker-agent-podman.conf" ( + lib.concatStringsSep "\n" [ + shared + '' + WOODPECKER_BACKEND=docker + DOCKER_HOST=unix:///run/podman/podman.sock + WOODPECKER_AGENT_LABELS=type=docker + '' + ] + ); + }; + }; + }; + # enable git-lfs programs.git = { enable = true; @@ -59,6 +189,7 @@ woodpecker-server = { enable = true; + # environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path; # https://woodpecker-ci.org/docs/administration/configuration/server environment = { WOODPECKER_DATABASE_DRIVER = "sqlite3"; 
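Review bot: In `vars.generators."templates"`, `dependencies` lists only `"woodpecker"`, yet both agent templates embed the placeholder of `woodpecker-agent-secret`, so the `sed` loop never replaces it. The rendered `WOODPECKER_AGENT_SECRET` is then presumably still the placeholder text, which would fit the agent auth error quoted in the commit message. Re-enable the entry: `dependencies = [ "woodpecker" "woodpecker-agent-secret" ];`. The substitution `sed -i "s/${placeholder}/$(cat …)/g"` also splices the secret into the sed program, so a `/`, `&` or backslash in a value corrupts the output, and the value is visible in sed's command line while it runs. Escape the value first, or do the replacement with a tool that reads it from the file.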
@@ -70,10 +201,8 @@ WOODPECKER_GITEA = "true"; WOODPECKER_GITEA_URL = "https://git.fediversity.eu"; - WOODPECKER_GITEA_CLIENT = "fd4bf276-84fb-463c-af0e-7d70d1137718"; - WOODPECKER_GITEA_SECRET = "gto_ce2bfavyahzlnfe6q3gdgr3rnvrbreqne2a77mhesbikqyfpse4q"; - # WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path; - # WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path; + WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path; + WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path; WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path; WOODPECKER_GRPC_SECRET_FILE = config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path; 
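Review bot: The Gitea OAuth client ID and secret that this hunk takes out of `environment` remain readable in the repository history and in any store path built from the old configuration, and nothing visible in the commit says they were revoked. The values behind `config.age.secrets.woodpecker-gitea-client.path` and `config.age.secrets.woodpecker-gitea-secret.path` should come from a newly issued OAuth application, with the old one deleted in Gitea. A line in the commit description such as `rotated the Gitea OAuth credentials that were previously inlined` would record that. The `environment` attribute set starts and ends outside the hunk.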
@@ -87,29 +216,29 @@ # https://woodpecker-ci.org/docs/administration/configuration/agent woodpecker-agents.agents = - let - shared = { - WOODPECKER_SERVER = "localhost:9000"; - WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path; - # ^ either use the server's or separate to config.age.woodpecker-agent-token-exec.path / config.age.woodpecker-agent-token-container.path - WOODPECKER_USERNAME = "x-oauth-basic"; - WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu"; - WOODPECKER_MAX_WORKFLOWS = "4"; - WOODPECKER_LOG_LEVEL = "info"; - WOODPECKER_DEBUG_PRETTY = "false"; - WOODPECKER_DEBUG_NOCOLOR = "true"; - WOODPECKER_GRPC_SECURE = "false"; # TODO: fix - WOODPECKER_GRPC_VERIFY = "false"; - WOODPECKER_HEALTHCHECK = "false"; - }; - in + # let + # shared = { + # WOODPECKER_SERVER = "localhost:9000"; + # # TODO: separate to agent-specific tokens? + # # TODO: why will it only accept `WOODPECKER_AGENT_SECRET`, not `WOODPECKER_AGENT_SECRET_FILE`? + # # WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path; + # WOODPECKER_USERNAME = "x-oauth-basic"; + # WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu"; + # WOODPECKER_MAX_WORKFLOWS = "4"; + # WOODPECKER_LOG_LEVEL = "info"; + # WOODPECKER_DEBUG_PRETTY = "false"; + # WOODPECKER_DEBUG_NOCOLOR = "true"; + # WOODPECKER_GRPC_SECURE = "false"; # TODO: fix + # WOODPECKER_GRPC_VERIFY = "false"; + # WOODPECKER_HEALTHCHECK = "false"; + # }; + # in { # local exec = { enable = true; - # TODO: enquote in docs path = with pkgs; [ git git-lfs 
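Review bot: The old `let shared = { … } in` block is kept as roughly fifteen commented-out lines here, and the following hunk does the same with both `environment = lib.mkMerge [ … ]` blocks. Git history already preserves the old form, so the commented copies only make it harder to see which settings are live, which matters for `WOODPECKER_GRPC_SECURE` and `WOODPECKER_GRPC_VERIFY`. I would delete them and keep one short comment on the open question, for example `# TODO: agent only accepted WOODPECKER_AGENT_SECRET, not WOODPECKER_AGENT_SECRET_FILE; revisit`.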
@@ -119,36 +248,31 @@ nix attic-client ]; - # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ]; - # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables - environment = lib.mkMerge [ - shared - { - WOODPECKER_BACKEND = "local"; - WOODPECKER_AGENT_LABELS = "type=local"; - # WOODPECKER_BACKEND_LOCAL_TEMP_DIR=""; - # NIX_REMOTE = "daemon"; - # PAGER = "cat"; - } - ]; + environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ]; + # # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables + # environment = lib.mkMerge [ + # shared + # { + # WOODPECKER_BACKEND = "local"; + # WOODPECKER_AGENT_LABELS = "type=local"; + # } + # ]; }; # container podman = { enable = true; - # extraGroups = [ "podman" ]; - # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ]; - # WOODPECKER_AGENT_SECRET="your-shared-secret-goes-here"; # openssl rand -hex 32 - # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables - environment = lib.mkMerge [ - shared - { - WOODPECKER_BACKEND = "docker"; - DOCKER_HOST = "unix:///run/podman/podman.sock"; - WOODPECKER_AGENT_LABELS = "type=docker"; - } - ]; + environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ]; + # # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables + # environment = lib.mkMerge [ + # shared + # { + # WOODPECKER_BACKEND = "docker"; + # DOCKER_HOST = "unix:///run/podman/podman.sock"; + # WOODPECKER_AGENT_LABELS = "type=docker"; + # } + # ]; }; }; }; diff --git a/npins/sources.json b/npins/sources.json index 00ad64c7..66b4d154 100644 --- a/npins/sources.json +++ b/npins/sources.json 
@@ -168,14 +168,14 @@ "type": "Git", "repository": { "type": "GitHub", - "owner": "lassulus", + "owner": "kiaragrouwstra", "repo": "vars" }, - "branch": "main", + "branch": "templates", "submodules": false, - "revision": "856c18f0e7b95e262ac88ba9ddebf506a16fd4a5", - "url": "https://github.com/lassulus/vars/archive/856c18f0e7b95e262ac88ba9ddebf506a16fd4a5.tar.gz", - "hash": "095dmc67pf5idj4pgnibjbgfxpkm73px3sc6hylc9j0sqh3379q7" + "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b", + "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz", + "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x" } }, "version": 5
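Review bot: The `vars` pin now points at a personal fork (`kiaragrouwstra/vars`, branch `templates`) instead of `lassulus/vars` on `main`, and this is the module that generates and renders the secrets configured in woodpecker.nix. The revision and hash fix the content for now, but a later `npins update` will follow whatever is pushed to that branch. The commit description should say why the fork is needed (presumably the `template` support used by the new generator) and when the pin goes back to upstream, for example `vars pinned to fork branch templates until template support is merged upstream`.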