proper templating

2025-08-13 12:52:13 +02:00 · 2025-08-13 12:52:13 +02:00 · 51345a4d8e
commit 51345a4d8e
parent 6da6cc678a
2 changed files with 79 additions and 91 deletions
--- a/machines/dev/forgejo-ci/woodpecker.nix
+++ b/machines/dev/forgejo-ci/woodpecker.nix
@ -4,6 +4,10 @@
  config,
  ...
 }:
 let
  sources = import ../../../npins;
  inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;
 in
 {
  security.acme = {
    acceptTerms = true;
@ -35,7 +39,10 @@
  vars.generators.woodpecker-agent-secret = {
    runtimeInputs = [ pkgs.openssl ];
-    files.my-secret.secret = true;
+    files.my-secret = {
      secret = true;
      group = "woodpecker-server";
    };
    script = ''
      openssl rand -hex 32 > "$out"/my-secret
    '';
@ -45,7 +52,10 @@
      coreutils
      bash
    ];
-    files.rpc-secret.secret = true;
+    files.rpc-secret = {
      secret = true;
      group = "woodpecker-server";
    };
    # wrap in bash command to prevent `vars`' pipefail aborting half-way
    script = ''
      bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret"
@ -75,59 +85,21 @@
      '';
    };
-  # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
+  # enable git-lfs
-  # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
+  programs.git = {
-  vars.generators."templates" = rec {
+    enable = true;
-    dependencies = [
+    lfs.enable = true;
-      "woodpecker"
+  };
      "woodpecker-agent-secret"
      "woodpecker-rpc-secret"
    ];
    runtimeInputs = [
      pkgs.coreutils
      pkgs.gnused
    ];
    script = lib.concatStringsSep "\n" (
      lib.mapAttrsToList (template: _: ''
        cp "$templates/${template}" "$out/${template}"
        echo "filling placeholders in template ${template}..."
        ${lib.concatStringsSep "\n" (
          lib.lists.map (dependency: ''
            echo "filling placeholders in template ${template} from generator ${dependency}..."
            ${lib.concatStringsSep "\n" (
              lib.mapAttrsToList (
                parent:
                { placeholder, ... }:
                ''
                  sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}"
                  echo "- substituted ${parent}"
                ''
              ) config.vars.generators.${dependency}.files
            )}
          '') dependencies
        )}
      '') files
    );
-    files =
+  systemd.services = {
-      let
+    woodpecker-server.serviceConfig = {
-        # https://woodpecker-ci.org/docs/administration/configuration/agent
+      EnvironmentFile = lib.mkForce "-/tmp/woodpecker-server.conf";
-        shared = ''
+      ExecStartPre = "${
-          WOODPECKER_SERVER=localhost:9000
+        template_text {
-          WOODPECKER_USERNAME=x-oauth-basic
+          # FIXME find a place less public
-          WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
+          outPath = "/tmp/woodpecker-server.conf";
-          WOODPECKER_MAX_WORKFLOWS=5
+          # https://woodpecker-ci.org/docs/administration/configuration/server
-          WOODPECKER_LOG_LEVEL=info
+          text = ''
          WOODPECKER_DEBUG_PRETTY=true
          WOODPECKER_DEBUG_NOCOLOR=false
          WOODPECKER_GRPC_SECURE=true
        '';
      in
      {
        # https://woodpecker-ci.org/docs/administration/configuration/server
        "woodpecker-server.conf" = {
          secret = true;
          template = pkgs.writeText "woodpecker-server.conf" ''
            WOODPECKER_DATABASE_DRIVER=sqlite3
            WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
            WOODPECKER_OPEN=false
@ -135,38 +107,45 @@
            WOODPECKER_HOST=https://woodpecker.fediversity.eu
            WOODPECKER_GITEA=true
            WOODPECKER_GITEA_URL=https://git.fediversity.eu
-            WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
+            WOODPECKER_GITEA_CLIENT=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-client.path}
-            WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
+            WOODPECKER_GITEA_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-secret.path}
-            WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
+            WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker-agent-secret.files.my-secret.path}
-            WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
+            WOODPECKER_GRPC_SECRET=${fileContents config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path}
            WOODPECKER_LOG_LEVEL=info
            WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
            WOODPECKER_SERVER_ADDR=:8000
            WOODPECKER_GRPC_ADDR=:9000
          '';
-        };
+          name = "write";
-        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+        }
-        "woodpecker-agent-podman.conf" = {
+      }/bin/write";
-          secret = true;
+    };
-          template = pkgs.writeText "woodpecker-agent-podman.conf" (
+    woodpecker-agent-docker.serviceConfig = {
-            lib.concatStringsSep "\n" [
+      EnvironmentFile = lib.mkForce "-/tmp/woodpecker-agent-podman.conf";
-              shared
+      ExecStartPre = "${
-              ''
+        template_text {
-                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
+          # FIXME find a place less public
-                WOODPECKER_BACKEND=docker
+          outPath = "/tmp/woodpecker-agent-podman.conf";
-                WOODPECKER_AGENT_LABELS=type=docker
+          # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
-                DOCKER_HOST=unix:///run/podman/podman.sock
+          # https://woodpecker-ci.org/docs/administration/configuration/agent
-              ''
+          text = ''
-            ]
+            WOODPECKER_SERVER=localhost:9000
-          );
+            WOODPECKER_USERNAME=x-oauth-basic
-        };
+            WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
-      };
+            WOODPECKER_MAX_WORKFLOWS=5
-  };
+            WOODPECKER_LOG_LEVEL=info
-
+            WOODPECKER_DEBUG_PRETTY=true
-  # enable git-lfs
+            WOODPECKER_DEBUG_NOCOLOR=false
-  programs.git = {
+            WOODPECKER_GRPC_SECURE=true
-    enable = true;
+            WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-agent-container.path}
-    lfs.enable = true;
+            WOODPECKER_BACKEND=docker
            WOODPECKER_AGENT_LABELS=type=docker
            DOCKER_HOST=unix:///run/podman/podman.sock
          '';
          name = "write";
        }
      }/bin/write";
    };
  };
  services = {
@ -185,16 +164,12 @@
      };
    };
-    woodpecker-server = {
+    woodpecker-server.enable = true;
      enable = true;
      environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
    };
    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents = {
      docker = {
        enable = true;
        environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
        extraGroups = [
          "podman"
          "woodpecker-agent-docker"
--- a/npins/sources.json
+++ b/npins/sources.json
@ -125,6 +125,19 @@
      "url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
      "hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
    },
    "nix-templating": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
        "owner": "KiaraGrouwstra",
        "repo": "nix-templating"
      },
      "branch": "lib-default-arg",
      "submodules": false,
      "revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f",
      "url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz",
      "hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0"
    },
    "nix-unit": {
      "type": "Git",
      "repository": {
@ -155,14 +168,14 @@
      "type": "Git",
      "repository": {
        "type": "GitHub",
-        "owner": "kiaragrouwstra",
+        "owner": "KiaraGrouwstra",
        "repo": "vars"
      },
-      "branch": "templates",
+      "branch": "rights",
      "submodules": false,
-      "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
+      "revision": "c268638fd7afc9ba2b53c1fe925374d7cd845fa4",
-      "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
+      "url": "https://github.com/KiaraGrouwstra/vars/archive/c268638fd7afc9ba2b53c1fe925374d7cd845fa4.tar.gz",
-      "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
+      "hash": "07l6s66i93vp4vhwl14p8hlj1xlrdr1yac1vwklvd24jcpsj5nr7"
    }
  },
  "version": 5