add woodpecker

status: agents error `agent could not auth: individual agent not found by token: sql: no rows in result set`
2025-07-25 17:04:20 +02:00 · 2025-07-25 17:04:20 +02:00 · 01822433d4
commit 01822433d4
parent 5018857d85
2 changed files with 176 additions and 52 deletions
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@ -18,7 +18,9 @@
    defaults.email = "something@fediversity.eu";
  };
  # needs `sudo generate-vars`
  vars.settings.on-machine.enable = true;
  vars.generators.woodpecker-agent-secret = {
    runtimeInputs = [ pkgs.openssl ];
    files.my-secret.secret = true;
@ -27,13 +29,141 @@
    '';
  };
  vars.generators.woodpecker-rpc-secret = {
-    runtimeInputs = [ pkgs.coreutils ];
+    runtimeInputs = with pkgs; [
      coreutils
      bash
    ];
    files.rpc-secret.secret = true;
    # wrap in bash command to prevent `vars`' pipefail aborting half-way
    script = ''
-      tr -dc 'A-Za-z0-9!?%=' < /dev/urandom | head -c 32 > "$out"/rpc-secret
+      bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret"
    '';
  };
  vars.generators.woodpecker =
    let
      fileNames = [
        "woodpecker-gitea-client"
        "woodpecker-gitea-secret"
      ];
    in
    {
      runtimeInputs = [
        pkgs.coreutils
        pkgs.openssl
      ];
      files = lib.genAttrs fileNames (_: {
        secret = true;
      });
      script = ''
        ${lib.concatStringsSep "\n" (
          lib.lists.map (file: ''cp ${config.age.secrets.${file}.path} "$out/"'') fileNames
        )}
      '';
    };
  vars.generators."templates" = rec {
    dependencies = [
      "woodpecker"
      # "woodpecker-agent-secret"
      # "woodpecker-rpc-secret"
    ];
    runtimeInputs = [
      pkgs.coreutils
      pkgs.gnused
    ];
    script = lib.concatStringsSep "\n" (
      lib.mapAttrsToList (template: _: ''
        cp "$templates/${template}" "$out/${template}"
        echo "filling placeholders in template ${template}..."
        ${lib.concatStringsSep "\n" (
          lib.lists.map (dependency: ''
            echo "filling placeholders in template ${template} from generator ${dependency}..."
            ${lib.concatStringsSep "\n" (
              lib.mapAttrsToList (
                parent:
                { placeholder, ... }:
                ''
                  sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}"
                  echo "- substituted ${parent}"
                ''
              ) config.vars.generators.${dependency}.files
            )}
          '') dependencies
        )}
      '') files
    );
    # files."woodpecker-server.conf" = {
    #   secret = true;
    #   template = pkgs.writeText "woodpecker-server.conf" ''
    #     WOODPECKER_DATABASE_DRIVER=sqlite3
    #     WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
    #     WOODPECKER_OPEN=false
    #     WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
    #     WOODPECKER_HOST=https://woodpecker.fediversity.eu
    #     WOODPECKER_GITEA=true
    #     WOODPECKER_GITEA_URL=https://git.fediversity.eu
    #     WOODPECKER_GITEA_CLIENT_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
    #     WOODPECKER_GITEA_SECRET_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
    #     WOODPECKER_AGENT_SECRET_FILE=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
    #     WOODPECKER_GRPC_SECRET_FILE=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
    #     WOODPECKER_LOG_LEVEL=info
    #     WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
    #     WOODPECKER_SERVER_ADDR=:8000
    #     WOODPECKER_GRPC_ADDR=:9000
    #   '';
    # };
    files =
      let
        shared = ''
          WOODPECKER_SERVER=localhost:9000
          # TODO: separate to agent-specific tokens?
          WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
          WOODPECKER_USERNAME=x-oauth-basic
          WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
          WOODPECKER_MAX_WORKFLOWS=4
          WOODPECKER_LOG_LEVEL=info
          WOODPECKER_DEBUG_PRETTY=false
          WOODPECKER_DEBUG_NOCOLOR=true
          WOODPECKER_HEALTHCHECK=false
          WOODPECKER_GRPC_VERIFY=false
          # TODO: fix
          WOODPECKER_GRPC_SECURE=false
        '';
      in
      {
        "woodpecker-agent-exec.conf" = {
          secret = true;
          template = pkgs.writeText "woodpecker-agent-exec.conf" (
            lib.concatStringsSep "\n" [
              shared
              ''
                WOODPECKER_BACKEND=local
                WOODPECKER_AGENT_LABELS=type=local
              ''
            ]
          );
        };
        "woodpecker-agent-podman.conf" = {
          secret = true;
          template = pkgs.writeText "woodpecker-agent-podman.conf" (
            lib.concatStringsSep "\n" [
              shared
              ''
                WOODPECKER_BACKEND=docker
                DOCKER_HOST=unix:///run/podman/podman.sock
                WOODPECKER_AGENT_LABELS=type=docker
              ''
            ]
          );
        };
      };
  };
  # enable git-lfs
  programs.git = {
    enable = true;
@ -59,6 +189,7 @@
    woodpecker-server = {
      enable = true;
      # environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
      # https://woodpecker-ci.org/docs/administration/configuration/server
      environment = {
        WOODPECKER_DATABASE_DRIVER = "sqlite3";
@ -70,10 +201,8 @@
        WOODPECKER_GITEA = "true";
        WOODPECKER_GITEA_URL = "https://git.fediversity.eu";
-        WOODPECKER_GITEA_CLIENT = "fd4bf276-84fb-463c-af0e-7d70d1137718";
+        WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path;
-        WOODPECKER_GITEA_SECRET = "gto_ce2bfavyahzlnfe6q3gdgr3rnvrbreqne2a77mhesbikqyfpse4q";
+        WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path;
        # WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path;
        # WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path;
        WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
        WOODPECKER_GRPC_SECRET_FILE = config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path;
@ -87,29 +216,29 @@
    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents =
-      let
+      # let
-        shared = {
+      #   shared = {
-          WOODPECKER_SERVER = "localhost:9000";
+      #     WOODPECKER_SERVER = "localhost:9000";
-          WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
+      #     # TODO: separate to agent-specific tokens?
-          # ^ either use the server's or separate to config.age.woodpecker-agent-token-exec.path / config.age.woodpecker-agent-token-container.path
+      #     # TODO: why will it only accept `WOODPECKER_AGENT_SECRET`, not `WOODPECKER_AGENT_SECRET_FILE`?
-          WOODPECKER_USERNAME = "x-oauth-basic";
+      #     # WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
-          WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
+      #     WOODPECKER_USERNAME = "x-oauth-basic";
-          WOODPECKER_MAX_WORKFLOWS = "4";
+      #     WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
-          WOODPECKER_LOG_LEVEL = "info";
+      #     WOODPECKER_MAX_WORKFLOWS = "4";
-          WOODPECKER_DEBUG_PRETTY = "false";
+      #     WOODPECKER_LOG_LEVEL = "info";
-          WOODPECKER_DEBUG_NOCOLOR = "true";
+      #     WOODPECKER_DEBUG_PRETTY = "false";
-          WOODPECKER_GRPC_SECURE = "false"; # TODO: fix
+      #     WOODPECKER_DEBUG_NOCOLOR = "true";
-          WOODPECKER_GRPC_VERIFY = "false";
+      #     WOODPECKER_GRPC_SECURE = "false"; # TODO: fix
-          WOODPECKER_HEALTHCHECK = "false";
+      #     WOODPECKER_GRPC_VERIFY = "false";
-        };
+      #     WOODPECKER_HEALTHCHECK = "false";
-      in
+      #   };
      # in
      {
        # local
        exec = {
          enable = true;
          # TODO: enquote in docs
          path = with pkgs; [
            git
            git-lfs
@ -119,36 +248,31 @@
            nix
            attic-client
          ];
-          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
+          environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
-          # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
+          # # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
-          environment = lib.mkMerge [
+          # environment = lib.mkMerge [
-            shared
+          #   shared
-            {
+          #   {
-              WOODPECKER_BACKEND = "local";
+          #     WOODPECKER_BACKEND = "local";
-              WOODPECKER_AGENT_LABELS = "type=local";
+          #     WOODPECKER_AGENT_LABELS = "type=local";
-              # WOODPECKER_BACKEND_LOCAL_TEMP_DIR="";
+          #   }
-              # NIX_REMOTE = "daemon";
+          # ];
              # PAGER = "cat";
            }
          ];
        };
        # container
        podman = {
          enable = true;
-          # extraGroups = [ "podman" ];
+          environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
-          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
+          # # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
-          # WOODPECKER_AGENT_SECRET="your-shared-secret-goes-here"; # openssl rand -hex 32
+          # environment = lib.mkMerge [
-          # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+          #   shared
-          environment = lib.mkMerge [
+          #   {
-            shared
+          #     WOODPECKER_BACKEND = "docker";
-            {
+          #     DOCKER_HOST = "unix:///run/podman/podman.sock";
-              WOODPECKER_BACKEND = "docker";
+          #     WOODPECKER_AGENT_LABELS = "type=docker";
-              DOCKER_HOST = "unix:///run/podman/podman.sock";
+          #   }
-              WOODPECKER_AGENT_LABELS = "type=docker";
+          # ];
            }
          ];
        };
      };
  };
--- a/npins/sources.json
+++ b/npins/sources.json
@ -168,14 +168,14 @@
      "type": "Git",
      "repository": {
        "type": "GitHub",
-        "owner": "lassulus",
+        "owner": "kiaragrouwstra",
        "repo": "vars"
      },
-      "branch": "main",
+      "branch": "templates",
      "submodules": false,
-      "revision": "856c18f0e7b95e262ac88ba9ddebf506a16fd4a5",
+      "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
-      "url": "https://github.com/lassulus/vars/archive/856c18f0e7b95e262ac88ba9ddebf506a16fd4a5.tar.gz",
+      "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
-      "hash": "095dmc67pf5idj4pgnibjbgfxpkm73px3sc6hylc9j0sqh3379q7"
+      "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
    }
  },
  "version": 5