From 5b4f15c6f0d74d63bc5d244ab862ae21b1c9a5cc Mon Sep 17 00:00:00 2001
From: Kiara Grouwstra
Date: Sun, 27 Jul 2025 10:30:23 +0200
Subject: [PATCH] disable exec agent make service group setting conditional make secrets conditional make things conditional rm group
---
 machines/dev/fedi203/woodpecker.nix | 164 ++++++++++++++++------------
 1 file changed, 93 insertions(+), 71 deletions(-)
diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix
index d07fca66..aabe4e77 100644
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@@ -22,12 +22,28 @@
 inherit group;
 mode = "440";
 })
- {
- woodpecker-gitea-client = "woodpecker-server";
- woodpecker-gitea-secret = "woodpecker-server";
- woodpecker-agent-exec = "woodpecker-agent-exec";
- woodpecker-agent-container = "woodpecker-agent-docker";
- };
+ (
+ {
+ woodpecker-gitea-client = "woodpecker-server";
+ woodpecker-gitea-secret = "woodpecker-server";
+ }
+ // (
+ if config.services.woodpecker-agents.agents.exec.enable then
+ {
+ woodpecker-agent-exec = "woodpecker-agent-exec";
+ }
+ else
+ { }
+ )
+ // (
+ if config.services.woodpecker-agents.agents.docker.enable then
+ {
+ woodpecker-agent-container = "woodpecker-agent-docker";
+ }
+ else
+ { }
+ )
+ );
 # needs `sudo generate-vars`
 vars.settings.on-machine.enable = true;
@@ -53,12 +69,13 @@
 vars.generators.woodpecker =
 let
- fileNames = [
- "woodpecker-gitea-client"
- "woodpecker-gitea-secret"
- "woodpecker-agent-exec"
- "woodpecker-agent-container"
- ];
+ fileNames =
+ [
+ "woodpecker-gitea-client"
+ "woodpecker-gitea-secret"
+ ]
+ ++ (lib.lists.optional config.services.woodpecker-agents.agents.exec.enable "woodpecker-agent-exec")
+ ++ (lib.lists.optional config.services.woodpecker-agents.agents.docker.enable "woodpecker-agent-container");
 in
 {
 runtimeInputs = [
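Review bot: The two `if … then { … } else { }` operands merged with `//` in the first hunk hand-roll what `lib.optionalAttrs` already expresses, while the rest of the commit uses `lib.lists.optional` and `lib.mkIf` for the same conditions. Each operand could read `// lib.optionalAttrs config.services.woodpecker-agents.agents.exec.enable { woodpecker-agent-exec = "woodpecker-agent-exec"; }`. The option path `config.services.woodpecker-agents.agents.<name>.enable` is also written out again in the `fileNames` hunk and in the template and systemd hunks; binding it once in a `let` would keep this attribute set, the generated file list and the templates from drifting apart. The call that consumes this attribute set starts above the hunk.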
@@ -126,60 +143,64 @@
 WOODPECKER_GRPC_SECURE=false
 '';
 in
- {
- # https://woodpecker-ci.org/docs/administration/configuration/server
- "woodpecker-server.conf" = {
- secret = true;
- template = pkgs.writeText "woodpecker-server.conf" ''
- WOODPECKER_DATABASE_DRIVER=sqlite3
- WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
- WOODPECKER_OPEN=false
- WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
- WOODPECKER_HOST=https://woodpecker.fediversity.eu
- WOODPECKER_GITEA=true
- WOODPECKER_GITEA_URL=https://git.fediversity.eu
- WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
- WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
- WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
- WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
- WOODPECKER_LOG_LEVEL=info
- WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
- WOODPECKER_SERVER_ADDR=:8000
- WOODPECKER_GRPC_ADDR=:9000
- '';
- };
-
- # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
- "woodpecker-agent-exec.conf" = {
- secret = true;
- template = pkgs.writeText "woodpecker-agent-exec.conf" (
- lib.concatStringsSep "\n" [
- shared
- ''
- WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
- WOODPECKER_BACKEND=local
- WOODPECKER_AGENT_LABELS=type=local
- ''
- ]
- );
- };
-
- # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
- "woodpecker-agent-podman.conf" = {
- secret = true;
- template = pkgs.writeText "woodpecker-agent-podman.conf" (
- lib.concatStringsSep "\n" [
- shared
- ''
- WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
- WOODPECKER_BACKEND=docker
- WOODPECKER_AGENT_LABELS=type=docker
- DOCKER_HOST=unix:///run/podman/podman.sock
- ''
- ]
- );
- };
- };
+ (lib.mkMerge [
+ {
+ # https://woodpecker-ci.org/docs/administration/configuration/server
+ "woodpecker-server.conf" = {
+ secret = true;
+ template = pkgs.writeText "woodpecker-server.conf" ''
+ WOODPECKER_DATABASE_DRIVER=sqlite3
+ WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
+ WOODPECKER_OPEN=false
+ WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
+ WOODPECKER_HOST=https://woodpecker.fediversity.eu
+ WOODPECKER_GITEA=true
+ WOODPECKER_GITEA_URL=https://git.fediversity.eu
+ WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
+ WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
+ WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
+ WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
+ WOODPECKER_LOG_LEVEL=info
+ WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
+ WOODPECKER_SERVER_ADDR=:8000
+ WOODPECKER_GRPC_ADDR=:9000
+ '';
+ };
+ }
+ (lib.mkIf config.services.woodpecker-agents.agents.exec.enable {
+ # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
+ "woodpecker-agent-exec.conf" = {
+ secret = true;
+ template = pkgs.writeText "woodpecker-agent-exec.conf" (
+ lib.concatStringsSep "\n" [
+ shared
+ ''
+ WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
+ WOODPECKER_BACKEND=local
+ WOODPECKER_AGENT_LABELS=type=local
+ ''
+ ]
+ );
+ };
+ })
+ (lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
+ # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+ "woodpecker-agent-podman.conf" = {
+ secret = true;
+ template = pkgs.writeText "woodpecker-agent-podman.conf" (
+ lib.concatStringsSep "\n" [
+ shared
+ ''
+ WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
+ WOODPECKER_BACKEND=docker
+ WOODPECKER_AGENT_LABELS=type=docker
+ DOCKER_HOST=unix:///run/podman/podman.sock
+ ''
+ ]
+ );
+ };
+ })
+ ]);
 };
 # enable git-lfs
@@ -212,7 +233,7 @@
 # https://woodpecker-ci.org/docs/administration/configuration/agent
 woodpecker-agents.agents = {
 exec = {
- enable = true;
+ # enable = true;
 path = with pkgs; [
 git
 git-lfs
@@ -254,9 +275,10 @@
 };
 };
- systemd.services.woodpecker-agent-docker = {
- wants = [ "podman.socket" ];
- after = [ "podman.socket" ];
- serviceConfig.SupplementaryGroups = [ "podman" ];
+ systemd.services = {
+ woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable {
+ wants = [ "podman.socket" ];
+ after = [ "podman.socket" ];
+ };
 };
 }
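Review bot: Nothing at the two `lib.mkIf` wrappers says that they have to track the `fileNames` list of the `woodpecker` generator: each guarded template interpolates `config.vars.generators.woodpecker.files.woodpecker-agent-*.placeholder`, and that file is now declared only while the same agent is enabled. Presumably a mismatch would either fail evaluation or render an agent config without its secret, so a one-line comment above each wrapper, such as `# keep in sync with fileNames: the placeholder exists only while this agent is enabled`, would help. The key `"woodpecker-agent-podman.conf"` is gated on `agents.docker.enable` while its secret is called `woodpecker-agent-container`; one name for that agent would make the pairing easier to audit. The enclosing `let … in` starts above the hunk.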
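Review bot: Commenting out `enable = true;` in the `exec` agent leaves its state to the option default, and every guard added in this commit reads `config.services.woodpecker-agents.agents.exec.enable`. Writing `enable = false;` states the intent and does not depend on that default. The commit message gives no reason for disabling the agent; if it is that the local backend runs pipeline steps directly on the host as the agent's user, without container isolation, a comment such as `# disabled: local backend runs steps on the host without isolation` would record it. The `exec` attribute set continues below the hunk.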
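Review bot: `serviceConfig.SupplementaryGroups = [ "podman" ];` is dropped from `woodpecker-agent-docker` in the last hunk, yet the docker agent's template still sets `DOCKER_HOST=unix:///run/podman/podman.sock`. Unless the agent definition outside this hunk grants the group (the NixOS module offers `extraGroups` for that), the service may no longer be able to open the socket. Access to that socket is control of the system container runtime, so wherever the group is granted a short comment such as `# podman group = control of the container runtime; only the docker agent gets it` would make the privilege visible. With a single entry left, `systemd.services = { … }` could also remain the one-line attribute path `systemd.services.woodpecker-agent-docker = lib.mkIf … { … };`.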