From 98d240c588d29cc1973b7f70c7c04a1f22baa133 Mon Sep 17 00:00:00 2001 From: Kiara Grouwstra Date: Sun, 27 Jul 2025 10:24:27 +0200 Subject: [PATCH] rm agent exec plug hole in firewall format --- machines/dev/fedi203/woodpecker.nix | 176 ++++++++++------------------ secrets/secrets.nix | 1 - secrets/woodpecker-agent-exec.age | 19 --- 3 files changed, 63 insertions(+), 133 deletions(-) delete mode 100644 secrets/woodpecker-agent-exec.age diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix index aabe4e77..96fe0517 100644 --- a/machines/dev/fedi203/woodpecker.nix +++ b/machines/dev/fedi203/woodpecker.nix @@ -10,10 +10,7 @@ defaults.email = "something@fediversity.eu"; }; - users.groups = { - woodpecker-agent-exec = { }; - woodpecker-agent-docker = { }; - }; + users.groups.woodpecker-agent-docker = { }; age.secrets = lib.mapAttrs @@ -22,28 +19,11 @@ inherit group; mode = "440"; }) - ( - { - woodpecker-gitea-client = "woodpecker-server"; - woodpecker-gitea-secret = "woodpecker-server"; - } - // ( - if config.services.woodpecker-agents.agents.exec.enable then - { - woodpecker-agent-exec = "woodpecker-agent-exec"; - } - else - { } - ) - // ( - if config.services.woodpecker-agents.agents.docker.enable then - { - woodpecker-agent-container = "woodpecker-agent-docker"; - } - else - { } - ) - ); + { + woodpecker-gitea-client = "woodpecker-server"; + woodpecker-gitea-secret = "woodpecker-server"; + woodpecker-agent-container = "woodpecker-agent-docker"; + }; # needs `sudo generate-vars` vars.settings.on-machine.enable = true; 
@@ -69,13 +49,11 @@ vars.generators.woodpecker = let - fileNames = - [ - "woodpecker-gitea-client" - "woodpecker-gitea-secret" - ] - ++ (lib.lists.optional config.services.woodpecker-agents.agents.exec.enable "woodpecker-agent-exec") - ++ (lib.lists.optional config.services.woodpecker-agents.agents.docker.enable "woodpecker-agent-container"); + fileNames = [ + "woodpecker-gitea-client" + "woodpecker-gitea-secret" + "woodpecker-agent-container" + ]; in { runtimeInputs = [ @@ -93,7 +71,7 @@ }; # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates: - # `woodpecker-agents.agents.exec.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;` + # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;` vars.generators."templates" = rec { dependencies = [ "woodpecker" 
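Review bot: The updated FIXME comment points at `config.age.secrets.woodpecker-agent-docker.path`, but no agenix secret of that name exists after this patch: the docker agent's secret is declared as `woodpecker-agent-container` (with `woodpecker-agent-docker` only being its group) in the `age.secrets` hunk above and in `secrets/secrets.nix`. Whoever later acts on the FIXME would copy a dangling attribute path into the real config. Suggest changing the path in the comment to `config.age.secrets.woodpecker-agent-container.path`. The `vars.generators."templates"` set that follows the comment continues past the end of the hunk.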
@@ -143,64 +121,44 @@ WOODPECKER_GRPC_SECURE=false ''; in - (lib.mkMerge [ - { - # https://woodpecker-ci.org/docs/administration/configuration/server - "woodpecker-server.conf" = { - secret = true; - template = pkgs.writeText "woodpecker-server.conf" '' - WOODPECKER_DATABASE_DRIVER=sqlite3 - WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false - WOODPECKER_OPEN=false - WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols - WOODPECKER_HOST=https://woodpecker.fediversity.eu - WOODPECKER_GITEA=true - WOODPECKER_GITEA_URL=https://git.fediversity.eu - WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} - WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} - WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} - WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} - WOODPECKER_LOG_LEVEL=info - WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git - WOODPECKER_SERVER_ADDR=:8000 - WOODPECKER_GRPC_ADDR=:9000 - ''; - }; - } - (lib.mkIf config.services.woodpecker-agents.agents.exec.enable { - # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables - "woodpecker-agent-exec.conf" = { - secret = true; - template = pkgs.writeText "woodpecker-agent-exec.conf" ( - lib.concatStringsSep "\n" [ - shared - '' - WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder} - WOODPECKER_BACKEND=local - WOODPECKER_AGENT_LABELS=type=local - '' - ] - ); - }; - }) - (lib.mkIf config.services.woodpecker-agents.agents.docker.enable { - # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables - "woodpecker-agent-podman.conf" = { - secret = true; - template = pkgs.writeText "woodpecker-agent-podman.conf" ( - lib.concatStringsSep "\n" [ - shared - '' - 
WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder} - WOODPECKER_BACKEND=docker - WOODPECKER_AGENT_LABELS=type=docker - DOCKER_HOST=unix:///run/podman/podman.sock - '' - ] - ); - }; - }) - ]); + { + # https://woodpecker-ci.org/docs/administration/configuration/server + "woodpecker-server.conf" = { + secret = true; + template = pkgs.writeText "woodpecker-server.conf" '' + WOODPECKER_DATABASE_DRIVER=sqlite3 + WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false + WOODPECKER_OPEN=false + WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols + WOODPECKER_HOST=https://woodpecker.fediversity.eu + WOODPECKER_GITEA=true + WOODPECKER_GITEA_URL=https://git.fediversity.eu + WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} + WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} + WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} + WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} + WOODPECKER_LOG_LEVEL=info + WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git + WOODPECKER_SERVER_ADDR=:8000 + WOODPECKER_GRPC_ADDR=:9000 + ''; + }; + # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables + "woodpecker-agent-podman.conf" = { + secret = true; + template = pkgs.writeText "woodpecker-agent-podman.conf" ( + lib.concatStringsSep "\n" [ + shared + '' + WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder} + WOODPECKER_BACKEND=docker + WOODPECKER_AGENT_LABELS=type=docker + DOCKER_HOST=unix:///run/podman/podman.sock + '' + ] + ); + }; + }; }; # enable git-lfs 
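Review bot: The server's `WOODPECKER_AGENT_SECRET` is rendered from `vars.generators.woodpecker-agent-secret.files.my-secret`, while the podman agent's `WOODPECKER_AGENT_SECRET` is rendered from `vars.generators.woodpecker.files.woodpecker-agent-container`, i.e. two independently generated values. If the agent is meant to authenticate with the shared system secret these must be the same value; if `woodpecker-agent-container` instead holds a per-agent token registered on the server (not visible here), a comment saying so would stop the next reader from "fixing" it. Suggest `# per-agent token registered on the server, intentionally distinct from the server's system agent secret — TODO confirm` above the agent's `WOODPECKER_AGENT_SECRET` line, or switching that line to the `woodpecker-agent-secret` placeholder if a shared secret is intended. The `shared` block that carries `WOODPECKER_GRPC_SECURE=false` begins outside the hunk; that plaintext gRPC channel is only acceptable while the agent stays on the same host and `:9000` stays out of `allowedTCPPorts`, which is worth stating next to it.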
@@ -232,20 +190,6 @@ # https://woodpecker-ci.org/docs/administration/configuration/agent woodpecker-agents.agents = { - exec = { - # enable = true; - path = with pkgs; [ - git - git-lfs - woodpecker-plugin-git - bash - coreutils - nix - attic-client - ]; - environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ]; - extraGroups = [ "woodpecker-agent-exec" ]; - }; docker = { enable = true; environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ]; @@ -259,14 +203,20 @@ networking = { nftables.enable = lib.mkForce false; + firewall = { + allowedTCPPorts = [ + 22 + 80 + 443 + ]; + # needed for podman to be able to talk over dns + interfaces."podman0" = { + allowedUDPPorts = [ 53 ]; + allowedTCPPorts = [ 53 ]; + }; + }; }; - networking.firewall.allowedTCPPorts = [ - 22 - 80 - 443 - ]; - virtualisation.podman = { enable = true; autoPrune = { @@ -276,7 +226,7 @@ }; systemd.services = { - woodpecker-agent-docker = lib.mkIf config.services.woodpecker-agents.agents.docker.enable { + woodpecker-agent-docker = { wants = [ "podman.socket" ]; after = [ "podman.socket" ]; }; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e044dc0a..18488e58 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -35,7 +35,6 @@ concatMapAttrs wiki-smtp-password = [ vm02187 ]; woodpecker-gitea-client = [ fedi203 ]; woodpecker-gitea-secret = [ fedi203 ]; - woodpecker-agent-exec = [ fedi203 ]; woodpecker-agent-container = [ fedi203 ]; } ) diff --git a/secrets/woodpecker-agent-exec.age b/secrets/woodpecker-agent-exec.age deleted file mode 100644 index c76592c9..00000000 --- a/secrets/woodpecker-agent-exec.age +++ /dev/null 
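Review bot: The new DNS exception in the `networking.firewall` hunk is scoped to the single interface `podman0`, which is the bridge of podman's default network; Woodpecker's docker backend is, as far as I know, set up to create a separate network per workflow, and those bridges get other names, so steps on such a network would still be cut off from host DNS despite this rule. If that applies here, widen the match to the interface prefix, e.g. `interfaces."podman+" = {` (the iptables backend in use here accepts `+` as a suffix wildcard; confirm the module passes it through), or add a comment stating that pipelines are pinned to the default network. `nftables.enable = lib.mkForce false;` on the line above carries no explanation of why the iptables backend is forced; a short why-comment there, e.g. `# force iptables backend; assumed needed for podman's firewall rules — confirm`, would help. The `networking` set is closed inside the hunk, but the `virtualisation.podman` block that follows runs past it.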
@@ -1,19 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI -+qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8 --> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c -wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo --> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8 -cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg --> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs -Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0 --> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU -LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64 --> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo -RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8 --> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY -k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM --> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM -QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY ---- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo - i7VC_!EZ؍@+;oN逍| KKB/6jM$wΛtk \ No newline at end of file