rm agent exec

plug hole in firewall

format
Kiara Grouwstra 2025-07-27 10:24:27 +02:00
parent 3eebbda085
commit 232e9b05fc
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
3 changed files with 63 additions and 133 deletions


@ -10,10 +10,7 @@
defaults.email = "something@fediversity.eu"; defaults.email = "something@fediversity.eu";
}; };
users.groups = { users.groups.woodpecker-agent-docker = { };
woodpecker-agent-exec = { };
woodpecker-agent-docker = { };
};
age.secrets = age.secrets =
lib.mapAttrs lib.mapAttrs
@ -22,28 +19,11 @@
inherit group; inherit group;
mode = "440"; mode = "440";
}) })
( {
{ woodpecker-gitea-client = "woodpecker-server";
woodpecker-gitea-client = "woodpecker-server"; woodpecker-gitea-secret = "woodpecker-server";
woodpecker-gitea-secret = "woodpecker-server"; woodpecker-agent-container = "woodpecker-agent-docker";
} };
// (
if config.services.woodpecker-agents.agents.exec.enable then
{
woodpecker-agent-exec = "woodpecker-agent-exec";
}
else
{ }
)
// (
if config.services.woodpecker-agents.agents.docker.enable then
{
woodpecker-agent-container = "woodpecker-agent-docker";
}
else
{ }
)
);
# needs `sudo generate-vars` # needs `sudo generate-vars`
vars.settings.on-machine.enable = true; vars.settings.on-machine.enable = true;
@ -69,13 +49,11 @@
vars.generators.woodpecker = vars.generators.woodpecker =
let let
fileNames = fileNames = [
[ "woodpecker-gitea-client"
"woodpecker-gitea-client" "woodpecker-gitea-secret"
"woodpecker-gitea-secret" "woodpecker-agent-container"
] ];
++ (lib.lists.optional config.services.woodpecker-agents.agents.exec.enable "woodpecker-agent-exec")
++ (lib.lists.optional config.services.woodpecker-agents.agents.docker.enable "woodpecker-agent-container");
in in
{ {
runtimeInputs = [ runtimeInputs = [
@ -93,7 +71,7 @@
}; };
# FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates: # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
# `woodpecker-agents.agents.exec.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;` # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
vars.generators."templates" = rec { vars.generators."templates" = rec {
dependencies = [ dependencies = [
"woodpecker" "woodpecker"
@ -143,64 +121,44 @@
WOODPECKER_GRPC_SECURE=false WOODPECKER_GRPC_SECURE=false
''; '';
in in
(lib.mkMerge [ {
{ # https://woodpecker-ci.org/docs/administration/configuration/server
# https://woodpecker-ci.org/docs/administration/configuration/server "woodpecker-server.conf" = {
"woodpecker-server.conf" = { secret = true;
secret = true; template = pkgs.writeText "woodpecker-server.conf" ''
template = pkgs.writeText "woodpecker-server.conf" '' WOODPECKER_DATABASE_DRIVER=sqlite3
WOODPECKER_DATABASE_DRIVER=sqlite3 WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false WOODPECKER_OPEN=false
WOODPECKER_OPEN=false WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols WOODPECKER_HOST=https://woodpecker.fediversity.eu
WOODPECKER_HOST=https://woodpecker.fediversity.eu WOODPECKER_GITEA=true
WOODPECKER_GITEA=true WOODPECKER_GITEA_URL=https://git.fediversity.eu
WOODPECKER_GITEA_URL=https://git.fediversity.eu WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} WOODPECKER_LOG_LEVEL=info
WOODPECKER_LOG_LEVEL=info WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git WOODPECKER_SERVER_ADDR=:8000
WOODPECKER_SERVER_ADDR=:8000 WOODPECKER_GRPC_ADDR=:9000
WOODPECKER_GRPC_ADDR=:9000 '';
''; };
}; # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
} "woodpecker-agent-podman.conf" = {
(lib.mkIf config.services.woodpecker-agents.agents.exec.enable { secret = true;
# https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables template = pkgs.writeText "woodpecker-agent-podman.conf" (
"woodpecker-agent-exec.conf" = { lib.concatStringsSep "\n" [
secret = true; shared
template = pkgs.writeText "woodpecker-agent-exec.conf" ( ''
lib.concatStringsSep "\n" [ WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
shared WOODPECKER_BACKEND=docker
'' WOODPECKER_AGENT_LABELS=type=docker
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder} DOCKER_HOST=unix:///run/podman/podman.sock
WOODPECKER_BACKEND=local ''
WOODPECKER_AGENT_LABELS=type=local ]
'' );
] };
); };
};
})
(lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
# https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
"woodpecker-agent-podman.conf" = {
secret = true;
template = pkgs.writeText "woodpecker-agent-podman.conf" (
lib.concatStringsSep "\n" [
shared
''
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
WOODPECKER_BACKEND=docker
WOODPECKER_AGENT_LABELS=type=docker
DOCKER_HOST=unix:///run/podman/podman.sock
''
]
);
};
})
]);
}; };
# enable git-lfs # enable git-lfs
@ -232,20 +190,6 @@
# https://woodpecker-ci.org/docs/administration/configuration/agent # https://woodpecker-ci.org/docs/administration/configuration/agent
woodpecker-agents.agents = { woodpecker-agents.agents = {
exec = {
# enable = true;
path = with pkgs; [
git
git-lfs
woodpecker-plugin-git
bash
coreutils
nix
attic-client
];
environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
extraGroups = [ "woodpecker-agent-exec" ];
};
docker = { docker = {
enable = true; enable = true;
environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ]; environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
@ -259,14 +203,20 @@
networking = { networking = {
nftables.enable = lib.mkForce false; nftables.enable = lib.mkForce false;
firewall = {
allowedTCPPorts = [
22
80
443
];
# needed for podman to be able to talk over dns
interfaces."podman0" = {
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 53 ];
};
};
}; };
networking.firewall.allowedTCPPorts = [
22
80
443
];
virtualisation.podman = { virtualisation.podman = {
enable = true; enable = true;
autoPrune = { autoPrune = {
@ -276,7 +226,7 @@
}; };
systemd.services = { systemd.services = {
woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable { woodpecker-agent-docker = {
wants = [ "podman.socket" ]; wants = [ "podman.socket" ];
after = [ "podman.socket" ]; after = [ "podman.socket" ];
}; };
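Review bot: The `lib.mkIf config.services.woodpecker-agents.agents.docker.enable` guard dropped from `systemd.services.woodpecker-agent-docker` in the last hunk (`@ -276,7 +226,7 @@`) makes the `wants`/`after` ordering on `podman.socket` unconditional, and the first two hunks likewise make `users.groups.woodpecker-agent-docker` and the `woodpecker-agent-container` age secret (mode `440`, owned by that group) unconditional. With `agents.docker.enable = true` hard-coded in the agents hunk this is harmless today, but flipping that flag would leave a stub `woodpecker-agent-docker` unit and the agent secret still decrypted on disk for a group with no consumer. Keeping the one guard costs nothing: `woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable {`. In the firewall hunk the side of the `interfaces."podman0"` port-53 block cannot be recovered from this rendering; if it is the removed side, the `# needed for podman to be able to talk over dns` comment implies container DNS resolution should be checked after deploy. The enclosing module attrset starts and ends outside these hunks.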


@ -35,7 +35,6 @@ concatMapAttrs
wiki-smtp-password = [ vm02187 ]; wiki-smtp-password = [ vm02187 ];
woodpecker-gitea-client = [ fedi203 ]; woodpecker-gitea-client = [ fedi203 ];
woodpecker-gitea-secret = [ fedi203 ]; woodpecker-gitea-secret = [ fedi203 ];
woodpecker-agent-exec = [ fedi203 ];
woodpecker-agent-container = [ fedi203 ]; woodpecker-agent-container = [ fedi203 ];
} }
) )


@ -1,19 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI
+qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8
-> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c
wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo
-> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8
cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg
-> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs
Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0
-> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU
LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64
-> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo
RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8
-> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY
k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM
-> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM
QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY
--- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo
µiÅ7 VìëCº_þ!œð¾ô¤ÞEüZØ<5A>@+;ãáåo†¹ÑN†é€<C3A9>| Kñ©À÷´ÞKB‡/û6ºjM$‘¾âw¼Îk