diff --git a/machines/dev/forgejo-ci/woodpecker.nix b/machines/dev/forgejo-ci/woodpecker.nix index 6fbdfb68..1b9420f1 100644 --- a/machines/dev/forgejo-ci/woodpecker.nix +++ b/machines/dev/forgejo-ci/woodpecker.nix @@ -4,6 +4,10 @@ config, ... }: +let + sources = import ../../../npins; + inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text; +in { security.acme = { acceptTerms = true; @@ -35,7 +39,10 @@ vars.generators.woodpecker-agent-secret = { runtimeInputs = [ pkgs.openssl ]; - files.my-secret.secret = true; + files.my-secret = { + secret = true; + group = "woodpecker-server"; + }; script = '' openssl rand -hex 32 > "$out"/my-secret ''; @@ -45,7 +52,10 @@ coreutils bash ]; - files.rpc-secret.secret = true; + files.rpc-secret = { + secret = true; + group = "woodpecker-server"; + }; # wrap in bash command to prevent `vars`' pipefail aborting half-way script = '' bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret" 
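Review bot: The `fileContents` helper inherited in the new `let` block is applied later in this commit to the secret files' `.path` values (the `@@ -135` hunk), so whether it reads at Nix evaluation time or emits a runtime read decides whether those secrets end up in the world-readable Nix store; nix-templating's `lib.nix` is not in the diff, so this needs confirming against the pinned revision. If it is an evaluation-time read, the generated `write` script and the store path holding the rendered config would both carry the Gitea OAuth secret and the agent and gRPC secrets. I would record the requirement next to the `inherit` line: `# fileContents must expand to a runtime read of the vars path; an eval-time readFile would copy the secret into the Nix store`. The `group = "woodpecker-server"` additions in the two later hunks on this line are consistent with the server config being the only consumer of `my-secret` and `rpc-secret` in this diff.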
@@ -75,59 +85,21 @@ ''; }; - # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates: - # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;` - vars.generators."templates" = rec { - dependencies = [ - "woodpecker" - "woodpecker-agent-secret" - "woodpecker-rpc-secret" - ]; - runtimeInputs = [ - pkgs.coreutils - pkgs.gnused - ]; - script = lib.concatStringsSep "\n" ( - lib.mapAttrsToList (template: _: '' - cp "$templates/${template}" "$out/${template}" - echo "filling placeholders in template ${template}..." - ${lib.concatStringsSep "\n" ( - lib.lists.map (dependency: '' - echo "filling placeholders in template ${template} from generator ${dependency}..." - ${lib.concatStringsSep "\n" ( - lib.mapAttrsToList ( - parent: - { placeholder, ... }: - '' - sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}" - echo "- substituted ${parent}" - '' - ) config.vars.generators.${dependency}.files - )} - '') dependencies - )} - '') files - ); + # enable git-lfs + programs.git = { + enable = true; + lfs.enable = true; + }; - files = - let - # https://woodpecker-ci.org/docs/administration/configuration/agent - shared = '' - WOODPECKER_SERVER=localhost:9000 - WOODPECKER_USERNAME=x-oauth-basic - WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu - WOODPECKER_MAX_WORKFLOWS=5 - WOODPECKER_LOG_LEVEL=info - WOODPECKER_DEBUG_PRETTY=true - WOODPECKER_DEBUG_NOCOLOR=false - WOODPECKER_GRPC_SECURE=true - ''; - in - { - # https://woodpecker-ci.org/docs/administration/configuration/server - "woodpecker-server.conf" = { - secret = true; - template = pkgs.writeText "woodpecker-server.conf" '' + systemd.services = { + woodpecker-server.serviceConfig = { + EnvironmentFile = lib.mkForce "-/tmp/woodpecker-server.conf"; + ExecStartPre = "${ + template_text { + # FIXME find a place less public + outPath = "/tmp/woodpecker-server.conf"; + # 
https://woodpecker-ci.org/docs/administration/configuration/server + text = '' WOODPECKER_DATABASE_DRIVER=sqlite3 WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false WOODPECKER_OPEN=false 
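Review bot: The rendered server environment file, which carries the Gitea OAuth secret and the agent and gRPC secrets, is written to `/tmp/woodpecker-server.conf` by the new `ExecStartPre` and read back via `EnvironmentFile`; `/tmp` is shared with every local user, and the diff does not show `template_text`'s `write` applying a restrictive mode or umask, so the file's readability depends on defaults (the author's own `FIXME` says as much). A per-unit runtime directory keeps the file private to the service user: `RuntimeDirectory = "woodpecker-server"; RuntimeDirectoryMode = "0700";`, with `EnvironmentFile = lib.mkForce "-/run/woodpecker-server/env";` and `outPath = "/run/woodpecker-server/env";` (systemd creates the directory before `ExecStartPre` runs and removes it on stop). If the unit already sets `PrivateTmp`, the `/tmp` path is namespaced, but that should be confirmed rather than relied on. The `woodpecker-agent-docker` block in the `@@ -135` hunk has the same `/tmp/woodpecker-agent-podman.conf` placement and would take the same change with its own runtime directory. The `systemd.services` attribute set opened here continues past the end of this hunk.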
@@ -135,38 +107,45 @@ WOODPECKER_HOST=https://woodpecker.fediversity.eu WOODPECKER_GITEA=true WOODPECKER_GITEA_URL=https://git.fediversity.eu - WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} - WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} - WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} - WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} + WOODPECKER_GITEA_CLIENT=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-client.path} + WOODPECKER_GITEA_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-secret.path} + WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker-agent-secret.files.my-secret.path} + WOODPECKER_GRPC_SECRET=${fileContents config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path} WOODPECKER_LOG_LEVEL=info WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git WOODPECKER_SERVER_ADDR=:8000 WOODPECKER_GRPC_ADDR=:9000 ''; - }; - # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables - "woodpecker-agent-podman.conf" = { - secret = true; - template = pkgs.writeText "woodpecker-agent-podman.conf" ( - lib.concatStringsSep "\n" [ - shared - '' - WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder} - WOODPECKER_BACKEND=docker - WOODPECKER_AGENT_LABELS=type=docker - DOCKER_HOST=unix:///run/podman/podman.sock - '' - ] - ); - }; - }; - }; - - # enable git-lfs - programs.git = { - enable = true; - lfs.enable = true; + name = "write"; + } + }/bin/write"; + }; + woodpecker-agent-docker.serviceConfig = { + EnvironmentFile = lib.mkForce "-/tmp/woodpecker-agent-podman.conf"; + ExecStartPre = "${ + template_text { + # FIXME find a place less public + outPath = 
"/tmp/woodpecker-agent-podman.conf"; + # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables + # https://woodpecker-ci.org/docs/administration/configuration/agent + text = '' + WOODPECKER_SERVER=localhost:9000 + WOODPECKER_USERNAME=x-oauth-basic + WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu + WOODPECKER_MAX_WORKFLOWS=5 + WOODPECKER_LOG_LEVEL=info + WOODPECKER_DEBUG_PRETTY=true + WOODPECKER_DEBUG_NOCOLOR=false + WOODPECKER_GRPC_SECURE=true + WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-agent-container.path} + WOODPECKER_BACKEND=docker + WOODPECKER_AGENT_LABELS=type=docker + DOCKER_HOST=unix:///run/podman/podman.sock + ''; + name = "write"; + } + }/bin/write"; + }; }; services = { @@ -185,16 +164,12 @@ }; }; - woodpecker-server = { - enable = true; - environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path; - }; + woodpecker-server.enable = true; # https://woodpecker-ci.org/docs/administration/configuration/agent woodpecker-agents.agents = { docker = { enable = true; - environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ]; extraGroups = [ "podman" "woodpecker-agent-docker" diff --git a/npins/sources.json b/npins/sources.json index 6b87338c..4fe6629f 100644 --- a/npins/sources.json +++ b/npins/sources.json 
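Review bot: The agent's `ExecStartPre` in this hunk runs as the unit's own user unless the command is prefixed with `+`, and the rendered text reads `config.vars.generators.woodpecker.files.woodpecker-agent-container.path`, whose ownership or group is not touched by this commit (only `my-secret` and `rpc-secret` gain `group = "woodpecker-server"` earlier in the diff); if that file is readable only by root or by `woodpecker-server`, the write step fails and the unit does not start. Worth verifying the mode of that file on the host and, if the agent user cannot read it, granting the agent's group in the `woodpecker` generator rather than widening the file. The same question applies to the server block's two reads from the `woodpecker` generator (`woodpecker-gitea-client` and `woodpecker-gitea-secret`), whose group is likewise not set in this diff. The `systemd.services` set starts in the previous hunk, and the `services` set opened at the end of this hunk continues past it.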
@@ -125,6 +125,19 @@ "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4", "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2" }, + "nix-templating": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "KiaraGrouwstra", + "repo": "nix-templating" + }, + "branch": "lib-default-arg", + "submodules": false, + "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f", + "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz", + "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0" + }, "nix-unit": { "type": "Git", "repository": { @@ -155,14 +168,14 @@ "type": "Git", "repository": { "type": "GitHub", - "owner": "kiaragrouwstra", + "owner": "KiaraGrouwstra", "repo": "vars" }, - "branch": "templates", + "branch": "rights", "submodules": false, - "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b", - "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz", - "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x" + "revision": "c268638fd7afc9ba2b53c1fe925374d7cd845fa4", + "url": "https://github.com/KiaraGrouwstra/vars/archive/c268638fd7afc9ba2b53c1fe925374d7cd845fa4.tar.gz", + "hash": "07l6s66i93vp4vhwl14p8hlj1xlrdr1yac1vwklvd24jcpsj5nr7" } }, "version": 5