kiara/Fediversity
1
0
Fork 0
forked from Fediversity/Fediversity
Code Pull requests Activity

proper templating

Browse source
This commit is contained in:
Kiara Grouwstra 2025-08-13 12:52:13 +02:00
parent 6da6cc678a
commit 51345a4d8e
Signed by: kiara
SSH key fingerprint: SHA256:COspvLoLJ5WC5rFb9ZDe5urVCkK4LJZOsjfF4duRJFU
2 changed files with 79 additions and 91 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

145
machines/dev/forgejo-ci/woodpecker.nix
View file

@ -4,6 +4,10 @@
config,
...
}:
let
sources = import ../../../npins;
inherit (import "${sources.nix-templating}/lib.nix" { inherit pkgs; }) fileContents template_text;
in
{
security.acme = {
acceptTerms = true;
@ -35,7 +39,10 @@
vars.generators.woodpecker-agent-secret = {
runtimeInputs = [ pkgs.openssl ];
files.my-secret.secret = true;
files.my-secret = {
secret = true;
group = "woodpecker-server";
};
script = ''
openssl rand -hex 32 > "$out"/my-secret
'';
@ -45,7 +52,10 @@
coreutils
bash
];
files.rpc-secret.secret = true;
files.rpc-secret = {
secret = true;
group = "woodpecker-server";
};
# wrap in bash command to prevent `vars`' pipefail aborting half-way
script = ''
bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret"
@ -75,44 +85,50 @@
'';
};
# FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
# `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
vars.generators."templates" = rec {
dependencies = [
"woodpecker"
"woodpecker-agent-secret"
"woodpecker-rpc-secret"
];
runtimeInputs = [
pkgs.coreutils
pkgs.gnused
];
script = lib.concatStringsSep "\n" (
lib.mapAttrsToList (template: _: ''
cp "$templates/${template}" "$out/${template}"
echo "filling placeholders in template ${template}..."
${lib.concatStringsSep "\n" (
lib.lists.map (dependency: ''
echo "filling placeholders in template ${template} from generator ${dependency}..."
${lib.concatStringsSep "\n" (
lib.mapAttrsToList (
parent:
{ placeholder, ... }:
''
sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}"
echo "- substituted ${parent}"
''
) config.vars.generators.${dependency}.files
)}
'') dependencies
)}
'') files
);
# enable git-lfs
programs.git = {
enable = true;
lfs.enable = true;
};
files =
let
systemd.services = {
woodpecker-server.serviceConfig = {
EnvironmentFile = lib.mkForce "-/tmp/woodpecker-server.conf";
ExecStartPre = "${
template_text {
# FIXME find a place less public
outPath = "/tmp/woodpecker-server.conf";
# https://woodpecker-ci.org/docs/administration/configuration/server
text = ''
WOODPECKER_DATABASE_DRIVER=sqlite3
WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
WOODPECKER_OPEN=false
WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
WOODPECKER_HOST=https://woodpecker.fediversity.eu
WOODPECKER_GITEA=true
WOODPECKER_GITEA_URL=https://git.fediversity.eu
WOODPECKER_GITEA_CLIENT=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-client.path}
WOODPECKER_GITEA_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-gitea-secret.path}
WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker-agent-secret.files.my-secret.path}
WOODPECKER_GRPC_SECRET=${fileContents config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path}
WOODPECKER_LOG_LEVEL=info
WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
WOODPECKER_SERVER_ADDR=:8000
WOODPECKER_GRPC_ADDR=:9000
'';
name = "write";
}
}/bin/write";
};
woodpecker-agent-docker.serviceConfig = {
EnvironmentFile = lib.mkForce "-/tmp/woodpecker-agent-podman.conf";
ExecStartPre = "${
template_text {
# FIXME find a place less public
outPath = "/tmp/woodpecker-agent-podman.conf";
# https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
# https://woodpecker-ci.org/docs/administration/configuration/agent
shared = ''
text = ''
WOODPECKER_SERVER=localhost:9000
WOODPECKER_USERNAME=x-oauth-basic
WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
@ -121,53 +137,16 @@
WOODPECKER_DEBUG_PRETTY=true
WOODPECKER_DEBUG_NOCOLOR=false
WOODPECKER_GRPC_SECURE=true
'';
in
{
# https://woodpecker-ci.org/docs/administration/configuration/server
"woodpecker-server.conf" = {
secret = true;
template = pkgs.writeText "woodpecker-server.conf" ''
WOODPECKER_DATABASE_DRIVER=sqlite3
WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
WOODPECKER_OPEN=false
WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
WOODPECKER_HOST=https://woodpecker.fediversity.eu
WOODPECKER_GITEA=true
WOODPECKER_GITEA_URL=https://git.fediversity.eu
WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
WOODPECKER_LOG_LEVEL=info
WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
WOODPECKER_SERVER_ADDR=:8000
WOODPECKER_GRPC_ADDR=:9000
'';
};
# https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
"woodpecker-agent-podman.conf" = {
secret = true;
template = pkgs.writeText "woodpecker-agent-podman.conf" (
lib.concatStringsSep "\n" [
shared
''
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
WOODPECKER_AGENT_SECRET=${fileContents config.vars.generators.woodpecker.files.woodpecker-agent-container.path}
WOODPECKER_BACKEND=docker
WOODPECKER_AGENT_LABELS=type=docker
DOCKER_HOST=unix:///run/podman/podman.sock
''
]
);
'';
name = "write";
}
}/bin/write";
};
};
};
# enable git-lfs
programs.git = {
enable = true;
lfs.enable = true;
};
services = {
nginx = {
@ -185,16 +164,12 @@
};
};
woodpecker-server = {
enable = true;
environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
};
woodpecker-server.enable = true;
# https://woodpecker-ci.org/docs/administration/configuration/agent
woodpecker-agents.agents = {
docker = {
enable = true;
environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
extraGroups = [
"podman"
"woodpecker-agent-docker"

23
npins/sources.json
View file

@ -125,6 +125,19 @@
"url": "https://api.github.com/repos/bigskysoftware/htmx/tarball/v2.0.4",
"hash": "1c4zm3b7ym01ijydiss4amd14mv5fbgp1n71vqjk4alc35jlnqy2"
},
"nix-templating": {
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "KiaraGrouwstra",
"repo": "nix-templating"
},
"branch": "lib-default-arg",
"submodules": false,
"revision": "e1ff247d508b4efd057a4d6bb13cf45b62c2512f",
"url": "https://github.com/KiaraGrouwstra/nix-templating/archive/e1ff247d508b4efd057a4d6bb13cf45b62c2512f.tar.gz",
"hash": "0g59h4r029jw8vlvn8da62fk9m737s80fg2qk57322iv9lkqlvp0"
},
"nix-unit": {
"type": "Git",
"repository": {
@ -155,14 +168,14 @@
"type": "Git",
"repository": {
"type": "GitHub",
"owner": "kiaragrouwstra",
"owner": "KiaraGrouwstra",
"repo": "vars"
},
"branch": "templates",
"branch": "rights",
"submodules": false,
"revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b",
"url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz",
"hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x"
"revision": "c268638fd7afc9ba2b53c1fe925374d7cd845fa4",
"url": "https://github.com/KiaraGrouwstra/vars/archive/c268638fd7afc9ba2b53c1fe925374d7cd845fa4.tar.gz",
"hash": "07l6s66i93vp4vhwl14p8hlj1xlrdr1yac1vwklvd24jcpsj5nr7"
}
},
"version": 5