disable exec agent

make service group setting conditional make secrets conditional make things conditional rm group
2025-07-27 10:30:23 +02:00 · 2025-07-27 10:30:23 +02:00 · 3c3df517d4
commit 3c3df517d4
parent 87fb01b37d
1 changed files with 93 additions and 71 deletions
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@ -22,12 +22,28 @@
        inherit group;
        mode = "440";
      })
-      {
-        woodpecker-gitea-client = "woodpecker-server";
-        woodpecker-gitea-secret = "woodpecker-server";
-        woodpecker-agent-exec = "woodpecker-agent-exec";
-        woodpecker-agent-container = "woodpecker-agent-docker";
-      };
+      (
+        {
+          woodpecker-gitea-client = "woodpecker-server";
+          woodpecker-gitea-secret = "woodpecker-server";
+        }
+        // (
+          if config.services.woodpecker-agents.agents.exec.enable then
+            {
+              woodpecker-agent-exec = "woodpecker-agent-exec";
+            }
+          else
+            { }
+        )
+        // (
+          if config.services.woodpecker-agents.agents.docker.enable then
+            {
+              woodpecker-agent-container = "woodpecker-agent-docker";
+            }
+          else
+            { }
+        )
+      );

  # needs `sudo generate-vars`
  vars.settings.on-machine.enable = true;
@ -53,12 +69,13 @@

  vars.generators.woodpecker =
    let
-      fileNames = [
-        "woodpecker-gitea-client"
-        "woodpecker-gitea-secret"
-        "woodpecker-agent-exec"
-        "woodpecker-agent-container"
-      ];
+      fileNames =
+        [
+          "woodpecker-gitea-client"
+          "woodpecker-gitea-secret"
+        ]
+        ++ (lib.lists.optional config.services.woodpecker-agents.agents.exec.enable "woodpecker-agent-exec")
+        ++ (lib.lists.optional config.services.woodpecker-agents.agents.docker.enable "woodpecker-agent-container");
    in
    {
      runtimeInputs = [
@ -126,60 +143,64 @@
          WOODPECKER_GRPC_SECURE=false
        '';
      in
-      {
-        # https://woodpecker-ci.org/docs/administration/configuration/server
-        "woodpecker-server.conf" = {
-          secret = true;
-          template = pkgs.writeText "woodpecker-server.conf" ''
-            WOODPECKER_DATABASE_DRIVER=sqlite3
-            WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
-            WOODPECKER_OPEN=false
-            WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
-            WOODPECKER_HOST=https://woodpecker.fediversity.eu
-            WOODPECKER_GITEA=true
-            WOODPECKER_GITEA_URL=https://git.fediversity.eu
-            WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
-            WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
-            WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
-            WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
-            WOODPECKER_LOG_LEVEL=info
-            WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
-            WOODPECKER_SERVER_ADDR=:8000
-            WOODPECKER_GRPC_ADDR=:9000
-          '';
-        };
-
-        # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
-        "woodpecker-agent-exec.conf" = {
-          secret = true;
-          template = pkgs.writeText "woodpecker-agent-exec.conf" (
-            lib.concatStringsSep "\n" [
-              shared
-              ''
-                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
-                WOODPECKER_BACKEND=local
-                WOODPECKER_AGENT_LABELS=type=local
-              ''
-            ]
-          );
-        };
-
-        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
-        "woodpecker-agent-podman.conf" = {
-          secret = true;
-          template = pkgs.writeText "woodpecker-agent-podman.conf" (
-            lib.concatStringsSep "\n" [
-              shared
-              ''
-                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
-                WOODPECKER_BACKEND=docker
-                WOODPECKER_AGENT_LABELS=type=docker
-                DOCKER_HOST=unix:///run/podman/podman.sock
-              ''
-            ]
-          );
-        };
-      };
+      (lib.mkMerge [
+        {
+          # https://woodpecker-ci.org/docs/administration/configuration/server
+          "woodpecker-server.conf" = {
+            secret = true;
+            template = pkgs.writeText "woodpecker-server.conf" ''
+              WOODPECKER_DATABASE_DRIVER=sqlite3
+              WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
+              WOODPECKER_OPEN=false
+              WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
+              WOODPECKER_HOST=https://woodpecker.fediversity.eu
+              WOODPECKER_GITEA=true
+              WOODPECKER_GITEA_URL=https://git.fediversity.eu
+              WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
+              WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
+              WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
+              WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
+              WOODPECKER_LOG_LEVEL=info
+              WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
+              WOODPECKER_SERVER_ADDR=:8000
+              WOODPECKER_GRPC_ADDR=:9000
+            '';
+          };
+        }
+        (lib.mkIf config.services.woodpecker-agents.agents.exec.enable {
+          # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
+          "woodpecker-agent-exec.conf" = {
+            secret = true;
+            template = pkgs.writeText "woodpecker-agent-exec.conf" (
+              lib.concatStringsSep "\n" [
+                shared
+                ''
+                  WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
+                  WOODPECKER_BACKEND=local
+                  WOODPECKER_AGENT_LABELS=type=local
+                ''
+              ]
+            );
+          };
+        })
+        (lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
+          # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+          "woodpecker-agent-podman.conf" = {
+            secret = true;
+            template = pkgs.writeText "woodpecker-agent-podman.conf" (
+              lib.concatStringsSep "\n" [
+                shared
+                ''
+                  WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
+                  WOODPECKER_BACKEND=docker
+                  WOODPECKER_AGENT_LABELS=type=docker
+                  DOCKER_HOST=unix:///run/podman/podman.sock
+                ''
+              ]
+            );
+          };
+        })
+      ]);
  };

  # enable git-lfs
@ -212,7 +233,7 @@
    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents = {
      exec = {
-        enable = true;
+        # enable = true;
        path = with pkgs; [
          git
          git-lfs
@ -250,9 +271,10 @@
    };
  };

-  systemd.services.woodpecker-agent-docker = {
-    wants = [ "podman.socket" ];
-    after = [ "podman.socket" ];
-    serviceConfig.SupplementaryGroups = [ "podman" ];
+  systemd.services = {
+    woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
+      wants = [ "podman.socket" ];
+      after = [ "podman.socket" ];
+    };
  };
 }