From b52ccfaf33359af92e5396f29cc510f425e8e22a Mon Sep 17 00:00:00 2001 
From: Kiara Grouwstra Date: Thu, 24 Jul 2025 19:39:54 +0200 Subject: [PATCH] add woodpecker CI add woodpecker status: agents error `agent could not auth: individual agent not found by token: sql: no rows in result set` allow manual set `image: bash` to initally test `local` woodpecker back-end split CI jobs image: `bash` (`local` back-end) -> `nixos/nix` (`docker` back-end) add debugging lines to CD pipeline to debug error `Could not open a connection to your authentication agent` add more debug prints to CD even more debugging continue debugging debug harder explicitly specify flakes as nixos/nix image is missing this rm /home update fedi203 wrap faulty statement fix check-resources split strace pkg un-strace un-test cd dedupe image max 5 un-bash strace configure user simplify secrets set just group for system users unverbose npins schema add flakes flakes --- .forgejo/workflows/cd.yaml | 24 -- .forgejo/workflows/ci.yaml | 84 ------ .forgejo/workflows/update.yaml | 24 -- .woodpecker/cd.yaml | 19 ++ .woodpecker/check-data-model.yaml | 13 + .woodpecker/check-deployment-basic.yaml | 13 + .woodpecker/check-deployment-cli.yaml | 13 + .woodpecker/check-deployment-panel.yaml | 13 + .woodpecker/check-mastodon.yaml | 13 + .woodpecker/check-panel.yaml | 13 + .woodpecker/check-peertube.yaml | 13 + .woodpecker/check-pre-commit.yaml | 13 + .woodpecker/check-resources.yaml | 33 +++ .woodpecker/update.yaml | 23 ++ deployment/check/common/deployerNode.nix | 1 + infra/flake-part.nix | 2 + keys/systems/fedi203.pub | 1 + machines/dev/fedi203/default.nix | 26 ++ machines/dev/fedi203/woodpecker.nix | 313 +++++++++++++++++++++++ npins/sources.json | 13 + secrets/secrets.nix | 4 + secrets/woodpecker-agent-container.age | 20 ++ secrets/woodpecker-agent-exec.age | 19 ++ secrets/woodpecker-gitea-client.age | 20 ++ secrets/woodpecker-gitea-secret.age | 19 ++ 25 files changed, 617 insertions(+), 132 deletions(-) delete mode 100644 .forgejo/workflows/cd.yaml delete mode 100644 
.forgejo/workflows/ci.yaml delete mode 100644 .forgejo/workflows/update.yaml create mode 100644 .woodpecker/cd.yaml create mode 100644 .woodpecker/check-data-model.yaml create mode 100644 .woodpecker/check-deployment-basic.yaml create mode 100644 .woodpecker/check-deployment-cli.yaml create mode 100644 .woodpecker/check-deployment-panel.yaml create mode 100644 .woodpecker/check-mastodon.yaml create mode 100644 .woodpecker/check-panel.yaml create mode 100644 .woodpecker/check-peertube.yaml create mode 100644 .woodpecker/check-pre-commit.yaml create mode 100644 .woodpecker/check-resources.yaml create mode 100644 .woodpecker/update.yaml create mode 100644 keys/systems/fedi203.pub create mode 100644 machines/dev/fedi203/default.nix create mode 100644 machines/dev/fedi203/woodpecker.nix create mode 100644 secrets/woodpecker-agent-container.age create mode 100644 secrets/woodpecker-agent-exec.age create mode 100644 secrets/woodpecker-gitea-client.age create mode 100644 secrets/woodpecker-gitea-secret.age diff --git a/.forgejo/workflows/cd.yaml b/.forgejo/workflows/cd.yaml deleted file mode 100644 index 4112ee03..00000000 --- a/.forgejo/workflows/cd.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: deploy-infra - -on: - workflow_dispatch: # allows manual triggering - push: - branches: - - main - -jobs: - deploy: - runs-on: native - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Set up SSH key for age secrets and SSH - run: | - env - mkdir -p ~/.ssh - echo "${{ secrets.CD_SSH_KEY }}" > ~/.ssh/id_ed25519 - chmod 600 ~/.ssh/id_ed25519 - - - name: Deploy - run: nix-shell --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && SHELL=$(which bash) nixops4 apply -v default' diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml deleted file mode 100644 index 5015d407..00000000 --- a/.forgejo/workflows/ci.yaml +++ /dev/null 
@@ -1,84 +0,0 @@ -on: - pull_request: - types: - - opened - - synchronize - - reopened - push: - branches: - - main - -jobs: - check-pre-commit: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix-build -A tests - - check-data-model: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix-shell --run 'nix-unit ./deployment/data-model-test.nix' - - check-mastodon: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix build .#checks.x86_64-linux.test-mastodon-service -L - - check-peertube: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix build .#checks.x86_64-linux.test-peertube-service -L - - check-panel: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix-build -A tests.panel - - check-deployment-basic: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix build .#checks.x86_64-linux.deployment-basic -L - - check-deployment-cli: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix build .#checks.x86_64-linux.deployment-cli -L - - check-deployment-panel: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: nix build .#checks.x86_64-linux.deployment-panel -L - - ## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check - ## proxies for resources, namely whether their `.#vmOptions.` and - ## `.#nixosConfigurations.` outputs evaluate and build correctly, and - ## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch - ## everything, and in particular not issues in how NixOps4 wires up the - ## resources, but that is still something. 
- check-resources: - runs-on: native - steps: - - uses: actions/checkout@v4 - - run: | - set -euC - echo ==================== [ VM Options ] ==================== - machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)') - for machine in $machines; do - echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~ - nix build .#checks.x86_64-linux.vmOptions-$machine - done - echo - echo ==================== [ NixOS Configurations ] ==================== - machines=$(nix eval --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)') - for machine in $machines; do - echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~ - nix build .#checks.x86_64-linux.nixosConfigurations-$machine - done diff --git a/.forgejo/workflows/update.yaml b/.forgejo/workflows/update.yaml deleted file mode 100644 index 19dacf15..00000000 --- a/.forgejo/workflows/update.yaml +++ /dev/null @@ -1,24 +0,0 @@ -name: update-dependencies - -on: - workflow_dispatch: # allows manual triggering - # FIXME: re-enable when manual run works - # schedule: - # - cron: '0 0 1 * *' # monthly - -jobs: - lockfile: - runs-on: native - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - name: Update pins - run: nix-shell --run "npins --verbose update" - - name: Create PR - uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397 - with: - remote-instance-api-version: v1 - token: "${{ secrets.DEPLOY_KEY }}" - branch: npins-update - commit-message: "npins: update sources" - title: "npins: update sources" diff --git a/.woodpecker/cd.yaml b/.woodpecker/cd.yaml new file mode 100644 index 00000000..84860e54 --- /dev/null +++ b/.woodpecker/cd.yaml 
@@ -0,0 +1,19 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: push + branch: main + +steps: + - name: build + image: nixos/nix + commands: + - | + mkdir -p ~/.ssh + echo "$CD_SSH_KEY" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + - nix-shell --extra-experimental-features 'nix-command flakes' --run 'eval "$(ssh-agent -s)" && ssh-add ~/.ssh/id_ed25519 && ssh-agent -s && SHELL=$(which bash) nixops4 apply -v default' + environment: + CD_SSH_KEY: + from_secret: cd_ssh_key diff --git a/.woodpecker/check-data-model.yaml b/.woodpecker/check-data-model.yaml new file mode 100644 index 00000000..d5c3ac29 --- /dev/null +++ b/.woodpecker/check-data-model.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-data-model + image: nixos/nix + commands: + - nix-shell --run 'nix-unit ./deployment/data-model-test.nix' diff --git a/.woodpecker/check-deployment-basic.yaml b/.woodpecker/check-deployment-basic.yaml new file mode 100644 index 00000000..9d470181 --- /dev/null +++ b/.woodpecker/check-deployment-basic.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-deployment-basic + image: nixos/nix + commands: + - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-basic -L diff --git a/.woodpecker/check-deployment-cli.yaml b/.woodpecker/check-deployment-cli.yaml new file mode 100644 index 00000000..431ccafc --- /dev/null +++ b/.woodpecker/check-deployment-cli.yaml 
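Review bot: The `build` step has no `labels:` selector, so with both a `type=local` (exec) and a `type=docker` agent registered on fedi203 the server may hand this deploy to the exec agent, where `image: nixos/nix` is interpreted as a shell name and, should the step run at all, `~/.ssh/id_ed25519` is written into the host agent user's home and survives the job. Pin the step with `labels:` / `type: docker` so the key only ever lands in a throwaway container. The second `ssh-agent -s` inside the `nix-shell --run` string is a leftover debug call that starts a second agent which is never killed; drop it, and consider `echo "$CD_SSH_KEY" | ssh-add -` so no key file is written at all. Nothing here seeds `known_hosts` for the deployment targets, so nixops4's SSH sessions presumably rely on host-key checking being relaxed elsewhere — worth confirming before this runs on every push to `main`.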
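Review bot: This pipeline runs on `pull_request` with no `labels:` selector, so unless routing is restricted server-side it can be scheduled onto the exec (`type=local`) agent, which executes step commands directly on fedi203 as the agent user with `nix` and `git` on its path rather than inside a container. For PR-triggered checks that means contributor code on the CI host; add `labels:` / `type: docker` here and to the sibling check-* pipelines, and confirm in the repository settings that pipelines from forks require approval. As written, `image: nixos/nix` would fail on the local backend anyway (it is used as a shell name there), which makes the scheduling non-deterministic rather than safe.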
@@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-deployment-cli + image: nixos/nix + commands: + - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-cli -L diff --git a/.woodpecker/check-deployment-panel.yaml b/.woodpecker/check-deployment-panel.yaml new file mode 100644 index 00000000..052c9a64 --- /dev/null +++ b/.woodpecker/check-deployment-panel.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-deployment-panel + image: nixos/nix + commands: + - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.deployment-panel -L diff --git a/.woodpecker/check-mastodon.yaml b/.woodpecker/check-mastodon.yaml new file mode 100644 index 00000000..493354ed --- /dev/null +++ b/.woodpecker/check-mastodon.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-mastodon + image: nixos/nix + commands: + - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.test-mastodon-service -L diff --git a/.woodpecker/check-panel.yaml b/.woodpecker/check-panel.yaml new file mode 100644 index 00000000..fdc0b944 --- /dev/null +++ b/.woodpecker/check-panel.yaml 
@@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-panel + image: nixos/nix + commands: + - nix-build -A tests.panel diff --git a/.woodpecker/check-peertube.yaml b/.woodpecker/check-peertube.yaml new file mode 100644 index 00000000..173273ac --- /dev/null +++ b/.woodpecker/check-peertube.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-peertube + image: nixos/nix + commands: + - nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.test-peertube-service -L diff --git a/.woodpecker/check-pre-commit.yaml b/.woodpecker/check-pre-commit.yaml new file mode 100644 index 00000000..9a79b677 --- /dev/null +++ b/.woodpecker/check-pre-commit.yaml @@ -0,0 +1,13 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: pull_request + - event: push + branch: main + +steps: + - name: check-pre-commit + image: nixos/nix + commands: + - nix-build -A tests diff --git a/.woodpecker/check-resources.yaml b/.woodpecker/check-resources.yaml new file mode 100644 index 00000000..1ca6436b --- /dev/null +++ b/.woodpecker/check-resources.yaml 
@@ -0,0 +1,33 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + - event: push + branch: main + +## NOTE: NixOps4 does not provide a good “dry run” mode, so we instead check +## proxies for resources, namely whether their `.#vmOptions.` and +## `.#nixosConfigurations.` outputs evaluate and build correctly, and +## whether we can dry run `infra/proxmox-*.sh` on them. This will not catch +## everything, and in particular not issues in how NixOps4 wires up the +## resources, but that is still something. +steps: + - name: check-resources + image: nixos/nix + commands: + - echo ==================== [ VM Options ] ==================== + - | + set -euC + machines=$(nix eval --extra-experimental-features 'nix-command flakes' --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).vmOptions)') + for machine in $machines; do + echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~ + nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.vmOptions-$machine + done + - echo ==================== [ NixOS Configurations ] ==================== + - | + set -euC + machines=$(nix eval --extra-experimental-features 'nix-command flakes' --impure --raw --expr 'with builtins; toString (attrNames (getFlake (toString ./.)).nixosConfigurations)') + for machine in $machines; do + echo ~~~~~~~~~~~~~~~~~~~~~: $machine :~~~~~~~~~~~~~~~~~~~~~ + nix build --extra-experimental-features 'nix-command flakes' .#checks.x86_64-linux.nixosConfigurations-$machine + done diff --git a/.woodpecker/update.yaml b/.woodpecker/update.yaml new file mode 100644 index 00000000..801bfa0d --- /dev/null +++ b/.woodpecker/update.yaml 
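Review bot: Unlike the Forgejo workflow it replaces, this pipeline no longer runs on `pull_request` (only `manual` and `push` to `main`), so the vmOptions/nixosConfigurations build checks stop gating PRs and can only fail after merge. If that is deliberate because of build cost, say so in the NOTE block, e.g. `## Not run on pull requests: too expensive; runs on main only.`; otherwise add `- event: pull_request` to `when:`. Like the other pipelines it also carries no `labels:` selector to keep it off the exec agent.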
@@ -0,0 +1,23 @@ +$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json + +when: + - event: manual + # - event: cron + # cron: updater + +steps: + - name: lockfile + image: nixos/nix + commands: + - nix-shell --run "npins update" + # - name: Create PR + # uses: https://github.com/KiaraGrouwstra/gitea-create-pull-request@f9f80aa5134bc5c03c38f5aaa95053492885b397 + # with: + # remote-instance-api-version: v1 + # token: "$DEPLOY_KEY" + # branch: npins-update + # commit-message: "npins: update sources" + # title: "npins: update sources" + environment: + DEPLOY_KEY: + from_secret: deploy_key diff --git a/deployment/check/common/deployerNode.nix b/deployment/check/common/deployerNode.nix index 987a0a7c..e2be2fd4 100644 --- a/deployment/check/common/deployerNode.nix +++ b/deployment/check/common/deployerNode.nix @@ -61,6 +61,7 @@ in sources.flake-parts sources.flake-inputs sources.git-hooks + sources.vars pkgs.stdenv pkgs.stdenvNoCC diff --git a/infra/flake-part.nix b/infra/flake-part.nix index 34bc6e50..53c25830 100644 --- a/infra/flake-part.nix +++ b/infra/flake-part.nix @@ -41,6 +41,8 @@ let "${sources.agenix}/modules/age.nix" "${sources.disko}/module.nix" "${sources.home-manager}/nixos" + "${sources.vars}/options.nix" + "${sources.vars}/backends/on-machine.nix" ]; imports = [ diff --git a/keys/systems/fedi203.pub b/keys/systems/fedi203.pub new file mode 100644 index 00000000..37bbdca5 --- /dev/null +++ b/keys/systems/fedi203.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXsmZn4UykrnH5+ivq6+zqHeXa+Cgz3RjbDvE+689Hn root@fedi203 diff --git a/machines/dev/fedi203/default.nix b/machines/dev/fedi203/default.nix new file mode 100644 index 00000000..e2413e99 --- /dev/null +++ b/machines/dev/fedi203/default.nix 
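Review bot: `DEPLOY_KEY` is still injected into the `lockfile` step via `from_secret: deploy_key`, but the only command that runs is `nix-shell --run "npins update"`, which fetches upstream sources over the network and has no use for a Forgejo token; the consumer of the secret is the commented-out Create PR step. Remove the `environment:` block until that step is restored so the token is not exposed to a process (and its logs) that does not need it. Note also that `npins update` here is followed by no commit or push, so a manual run currently discards its result.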
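Review bot: The two new module imports come from `sources.vars`, which npins/sources.json pins to the `templates` branch of a personal fork (`kiaragrouwstra/vars`) rather than an upstream release; these modules are loaded into every nixosConfiguration and their generators write secrets on the machines as root. The revision and hash make the fetch reproducible, but a feature branch on a fork can be force-pushed or deleted, which would break the next `npins update` and leaves no upstream review trail for code handling every host's secrets. Add a comment here naming the fork and the reason, e.g. `# vars: temporary fork (templates branch) until the template support is upstreamed`, and track the upstreaming.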
@@ -0,0 +1,26 @@ +{ + _class = "nixops4Resource"; + + fediversityVm = { + name = "fedi203"; + isFediversityVm = true; + vmId = 203; + description = "woodpecker"; + + domain = "abundos.eu"; + ipv4 = { + address = "95.215.187.203"; + gateway = "95.215.187.1"; + }; + ipv6 = { + address = "2a00:51c0:13:1305::203"; + gateway = "2a00:51c0:13:1305::1"; + }; + }; + + nixos.module = { + imports = [ + ./woodpecker.nix + ]; + }; +} diff --git a/machines/dev/fedi203/woodpecker.nix b/machines/dev/fedi203/woodpecker.nix new file mode 100644 index 00000000..ed48c767 --- /dev/null +++ b/machines/dev/fedi203/woodpecker.nix 
@@ -0,0 +1,313 @@ +{ + lib, + pkgs, + config, + ... +}: +{ + networking = { + firewall.allowedTCPPorts = [ + 22 + 80 + 443 + ]; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "something@fediversity.eu"; + }; + + age.secrets = + lib.mapAttrs + (_: group: { + owner = "root"; + inherit group; + mode = "440"; + }) + { + woodpecker-gitea-client = "woodpecker-server"; + woodpecker-gitea-secret = "woodpecker-server"; + woodpecker-agent-exec = "woodpecker-agent-exec"; + woodpecker-agent-container = "woodpecker-agent-docker"; + }; + + # needs `sudo generate-vars` + vars.settings.on-machine.enable = true; + + vars.generators.woodpecker-agent-secret = { + runtimeInputs = [ pkgs.openssl ]; + files.my-secret.secret = true; + script = '' + openssl rand -hex 32 > "$out"/my-secret + ''; + }; + vars.generators.woodpecker-rpc-secret = { + runtimeInputs = with pkgs; [ + coreutils + bash + ]; + files.rpc-secret.secret = true; + # wrap in bash command to prevent `vars`' pipefail aborting half-way + script = '' + bash -c "tr -dc 'A-Za-z0-9\!?%=' < /dev/urandom | head -c 32 > $out/rpc-secret" + ''; + }; + + vars.generators.woodpecker = + let + fileNames = [ + "woodpecker-gitea-client" + "woodpecker-gitea-secret" + "woodpecker-agent-exec" + "woodpecker-agent-container" + ]; + in + { + runtimeInputs = [ + pkgs.coreutils + pkgs.openssl + ]; + files = lib.genAttrs fileNames (_: { + secret = true; + }); + script = '' + ${lib.concatStringsSep "\n" ( + lib.lists.map (file: ''cp ${config.age.secrets.${file}.path} "$out/"'') fileNames + )} + ''; + }; + + vars.generators."templates" = rec { + dependencies = [ + "woodpecker" + "woodpecker-agent-secret" + "woodpecker-rpc-secret" + ]; + runtimeInputs = [ + pkgs.coreutils + pkgs.gnused + ]; + script = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (template: _: '' + cp "$templates/${template}" "$out/${template}" + echo "filling placeholders in template ${template}..." 
+ ${lib.concatStringsSep "\n" ( + lib.lists.map (dependency: '' + echo "filling placeholders in template ${template} from generator ${dependency}..." + ${lib.concatStringsSep "\n" ( + lib.mapAttrsToList ( + parent: + { placeholder, ... }: + '' + sed -i "s/${placeholder}/$(cat "$in/${dependency}/${parent}")/g" "$out/${template}" + echo "- substituted ${parent}" + '' + ) config.vars.generators.${dependency}.files + )} + '') dependencies + )} + '') files + ); + + # files."woodpecker-server.conf" = { + # secret = true; + # template = pkgs.writeText "woodpecker-server.conf" '' + # WOODPECKER_DATABASE_DRIVER=sqlite3 + # WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false + # WOODPECKER_OPEN=false + # WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols + # WOODPECKER_HOST=https://woodpecker.fediversity.eu + # WOODPECKER_GITEA=true + # WOODPECKER_GITEA_URL=https://git.fediversity.eu + # WOODPECKER_GITEA_CLIENT_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder} + # WOODPECKER_GITEA_SECRET_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder} + # WOODPECKER_AGENT_SECRET_FILE=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder} + # WOODPECKER_GRPC_SECRET_FILE=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder} + # WOODPECKER_LOG_LEVEL=info + # WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git + # WOODPECKER_SERVER_ADDR=:8000 + # WOODPECKER_GRPC_ADDR=:9000 + # ''; + # }; + + files = + let + shared = '' + WOODPECKER_SERVER=localhost:9000 + WOODPECKER_USERNAME=x-oauth-basic + WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu + WOODPECKER_MAX_WORKFLOWS=5 + WOODPECKER_LOG_LEVEL=info + WOODPECKER_DEBUG_PRETTY=false + WOODPECKER_DEBUG_NOCOLOR=true + WOODPECKER_HEALTHCHECK=false + WOODPECKER_GRPC_VERIFY=false + # TODO: fix + WOODPECKER_GRPC_SECURE=false + ''; + in + { + + "woodpecker-agent-exec.conf" = { + secret = true; + template = pkgs.writeText 
"woodpecker-agent-exec.conf" ( + lib.concatStringsSep "\n" [ + shared + '' + WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder} + WOODPECKER_BACKEND=local + WOODPECKER_AGENT_LABELS=type=local + '' + ] + ); + }; + + "woodpecker-agent-podman.conf" = { + secret = true; + template = pkgs.writeText "woodpecker-agent-podman.conf" ( + lib.concatStringsSep "\n" [ + shared + '' + WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder} + WOODPECKER_BACKEND=docker + DOCKER_HOST=unix:///run/podman/podman.sock + WOODPECKER_AGENT_LABELS=type=docker + '' + ] + ); + }; + }; + }; + + # enable git-lfs + programs.git = { + enable = true; + lfs.enable = true; + }; + + services = { + nginx = { + enable = true; + recommendedProxySettings = true; + recommendedOptimisation = true; + recommendedTlsSettings = true; + virtualHosts."woodpecker.fediversity.eu" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyPass = "http://127.0.0.1:8000"; + }; + }; + }; + + woodpecker-server = { + enable = true; + + # environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path; + # https://woodpecker-ci.org/docs/administration/configuration/server + environment = { + WOODPECKER_DATABASE_DRIVER = "sqlite3"; + WOODPECKER_DISABLE_USER_AGENT_REGISTRATION = "false"; + + WOODPECKER_OPEN = "false"; + WOODPECKER_ADMIN = "kiara,fricklerhandwerk,niols"; + WOODPECKER_HOST = "https://woodpecker.fediversity.eu"; + + WOODPECKER_GITEA = "true"; + WOODPECKER_GITEA_URL = "https://git.fediversity.eu"; + WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path; + WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path; + + WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path; + WOODPECKER_GRPC_SECRET_FILE = 
config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path; + + WOODPECKER_LOG_LEVEL = "info"; + WOODPECKER_DEFAULT_CLONE_PLUGIN = "docker.io/woodpeckerci/plugin-git"; + WOODPECKER_SERVER_ADDR = ":8000"; + WOODPECKER_GRPC_ADDR = ":9000"; + }; + }; + + # https://woodpecker-ci.org/docs/administration/configuration/agent + woodpecker-agents.agents = + # let + # shared = { + # WOODPECKER_SERVER = "localhost:9000"; + # # TODO: separate to agent-specific tokens? + # # TODO: why will it only accept `WOODPECKER_AGENT_SECRET`, not `WOODPECKER_AGENT_SECRET_FILE`? + # # WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path; + # WOODPECKER_USERNAME = "x-oauth-basic"; + # WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu"; + # WOODPECKER_MAX_WORKFLOWS = "4"; + # WOODPECKER_LOG_LEVEL = "info"; + # WOODPECKER_DEBUG_PRETTY = "false"; + # WOODPECKER_DEBUG_NOCOLOR = "true"; + # WOODPECKER_GRPC_SECURE = "false"; # TODO: fix + # WOODPECKER_GRPC_VERIFY = "false"; + # WOODPECKER_HEALTHCHECK = "false"; + # }; + # in + { + + # local + + exec = { + enable = true; + path = with pkgs; [ + git + git-lfs + woodpecker-plugin-git + bash + coreutils + nix + attic-client + ]; + environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ]; + # # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables + # environment = lib.mkMerge [ + # shared + # { + # WOODPECKER_BACKEND = "local"; + # WOODPECKER_AGENT_LABELS = "type=local"; + # WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path; + # } + # ]; + }; + + # container + + podman = { + enable = true; + environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ]; + # # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables + # environment = lib.mkMerge [ + # shared + # { + # WOODPECKER_BACKEND = "docker"; + # 
DOCKER_HOST = "unix:///run/podman/podman.sock"; + # WOODPECKER_AGENT_LABELS = "type=docker"; + # WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-container.path; + # } + # ]; + }; + }; + }; + + virtualisation.docker = { + enable = true; + autoPrune = { + enable = true; + dates = "weekly"; + }; + }; + + systemd.services.woodpecker-agent-docker = { + after = [ "docker.socket" ]; + restartIfChanged = false; + serviceConfig = { + BindPaths = [ "/var/run/docker.sock" ]; + }; + }; +} diff --git a/npins/sources.json b/npins/sources.json index ea9606bd..6b87338c 100644 --- a/npins/sources.json +++ b/npins/sources.json @@ -150,6 +150,19 @@ "revision": "f33a4d26226c05d501b9d4d3e5e60a3a59991921", "url": "https://github.com/nixos/nixpkgs/archive/f33a4d26226c05d501b9d4d3e5e60a3a59991921.tar.gz", "hash": "1b6dm1sn0bdpcsmxna0zzspjaixa2dald08005fry5jrbjvwafdj" + }, + "vars": { + "type": "Git", + "repository": { + "type": "GitHub", + "owner": "kiaragrouwstra", + "repo": "vars" + }, + "branch": "templates", + "submodules": false, + "revision": "2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b", + "url": "https://github.com/kiaragrouwstra/vars/archive/2f2ebd96b5df4c0f01509d6b283e15d8516a1c7b.tar.gz", + "hash": "0rpxh85fizmmh7v2qvhp9jzrvcyv1yhl58zd1dk0hx33s77da84x" } }, "version": 5 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c3a3cb25..e044dc0a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -33,5 +33,9 @@ concatMapAttrs wiki-basicauth-htpasswd = [ vm02187 ]; wiki-password = [ vm02187 ]; wiki-smtp-password = [ vm02187 ]; + woodpecker-gitea-client = [ fedi203 ]; + woodpecker-gitea-secret = [ fedi203 ]; + woodpecker-agent-exec = [ fedi203 ]; + woodpecker-agent-container = [ fedi203 ]; } ) diff --git a/secrets/woodpecker-agent-container.age b/secrets/woodpecker-agent-container.age new file mode 100644 index 00000000..84cec6d2 --- /dev/null +++ b/secrets/woodpecker-agent-container.age 
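Review bot: In the `templates` generator each secret is spliced into `sed -i "s/${placeholder}/$(cat "$in/…")/g"`, which puts the secret value on the sed command line (readable in `/proc/<pid>/cmdline` by other users while sed runs) and breaks or corrupts the output when the value contains `/`, `&`, `\` or a newline — the `rpc-secret` charset avoids `/` and `&`, but the age-provided `woodpecker-agent-exec` and `woodpecker-agent-container` values are arbitrary. Have the substitution tool read the file itself (a perl/python one-liner that opens `$in/${dependency}/${parent}`) and escape `&`, `\` and the delimiter, rather than expanding the secret into argv. Separately, the container agent's template sets `DOCKER_HOST=unix:///run/podman/podman.sock` while the host enables `virtualisation.docker` and the override `systemd.services.woodpecker-agent-docker` binds `/var/run/docker.sock`; if I read the NixOS module correctly the unit for `agents.podman` is named `woodpecker-agent-podman`, so the override targets a unit that does not exist and the agent points at a socket that may not either — pick one runtime and align the agent name, the age secret group and the socket path. Finally, `WOODPECKER_GRPC_ADDR = ":9000"` and `WOODPECKER_SERVER_ADDR = ":8000"` listen on all interfaces with `WOODPECKER_GRPC_SECURE=false`; both agents connect via `localhost:9000` and nginx via `127.0.0.1:8000`, so bind them to `127.0.0.1:9000` / `127.0.0.1:8000` instead of relying on the firewall to keep the plaintext gRPC endpoint private.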
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 Jpc21A dmuwKZGPiV0w63FiPsrzxuz/1y4aELf+jyuGb9TgIGE +jdjfB3PjnVSj7jMeHERUR5+5E/uE0vru2LNlcvoVbiI +-> ssh-ed25519 BAs8QA 6ilWMbEKJpuUW4jeICOp6+HL8aGZNbZJKS4YZQPy8Qs +WaBuM8AoTyEsP8tLVCC1ydzqra30owTNiLzW/NmkGnA +-> ssh-ed25519 ofQnlg hvehgQJismUqdvijHb8nRBgwG+h2wDOMUcA5yMxkrm0 +YO4HMM/sdu+Ivod9Xdlp7/K5BJNGXn1kodMidvi4uBs +-> ssh-ed25519 COspvA wnbcBB4eFWyn8fNhozukx0v91UFZjJ2ZkYxpv1IIDVE +bSRztMyqhKOZWdMZ1xENrbpjy0xzFcmO2H0nnXsEaL4 +-> ssh-ed25519 2XrTgw nsZ+enHBMnwwDxdHmz24F0sZuygD3B+qcBWxevW+QiA +JHD7nELVQ+1Wdb6K7Vb9sjjnhpzA4A/wsYndNcXuI3I +-> ssh-ed25519 awJeHA CbO98cwZcQ3mbxdgyP5qciSOyiSZQGYDcJ8J63lSCwM +mvT1YGmh2L69nC+3GX4XHDR6iMm+jcYa+XEObK9ns+s +-> ssh-ed25519 S1E+mw cccPtYgWJBNgHwGQu3vzEgMn5v0EvzJlOlv86fl0fVw +DN9gV3vrBg0UfInnGPY6Cl85hO2vHgF47jh9Nb8lSOw +-> ssh-ed25519 i+ecmQ tpm0UDCaQxW3TLOg7SfE+UGWV27jkG7ULx5bGdrvKhM +83X2o9uq9zWd31+E/VNbJ/4kPtTitI8ztCTSBXr75uA +--- 3Yqn1vV91q02NO8NejPOBCPiV2389IaIrHviJl7IJIc +vYw6 +NX}NPD)Ǧ@zAqN@/{P  ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI ++qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8 +-> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c +wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo +-> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8 +cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg +-> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs +Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0 +-> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU +LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64 +-> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo +RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8 +-> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY +k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM +-> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM +QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY +--- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo + i7VC_!EZ؍@+;oN逍| KKB/6jM$wΛtk \ No newline at 
end of file diff --git a/secrets/woodpecker-gitea-client.age b/secrets/woodpecker-gitea-client.age new file mode 100644 index 00000000..aef3c179 --- /dev/null +++ b/secrets/woodpecker-gitea-client.age 
@@ -0,0 +1,20 @@ +age-encryption.org/v1 +-> ssh-ed25519 Jpc21A +2jGhw/HXWckSc1vT4AZYf9kZPEPWHGJHk8aK/V95jY +ooChrKsMiKw3a2QtXLAo74QjfDUse5GIbGnU5amq4x4 +-> ssh-ed25519 BAs8QA grbmk79K2OHLeRTNsSuPkmrs043GcMzW/oMf7/c5Jgc +TJkHc1z3BpeI56xvYRivlLXhKlwmk0N83Pvv6GkY93g +-> ssh-ed25519 ofQnlg nd11vactc/RTWY1tn11/kUEUEKnR+ukVMJHPH4HFpXc +qH2g8PywQ652yWIRQdtItcXctyH4DmssJXWLXFdmQ0Q +-> ssh-ed25519 COspvA 2yPT7BROYippOA/3X6N6AHFR4UXPStP3ru7mDAyyLkQ +RpxOwYEOMnxxgKbra6iFpNzDTKkqeUiSA1rS59HzIh8 +-> ssh-ed25519 2XrTgw r5FdURbodhFBW0R23xVZyKlTFeDNJdhywYd9JKsJWAw +XEiBPmT9o8CreZMyZBRnJqofFeb41L7i2gQuHi4mZYM +-> ssh-ed25519 awJeHA NZsGoEXgw3Bd3hV0F3QxGF5E3DrvtH/vdLiGWPnqD0M +iS5GPLDMthTLXcQQvaYqdfn1Ad8rZFAOkLHC1FUSRDw +-> ssh-ed25519 S1E+mw T2efFAUeRiw+0nNiisNV8vmREtmMc0I11gLu/BhW320 +o39//l1VAU2rumRTw/H7a3mR6BooeC6PKwAvIVIDFX0 +-> ssh-ed25519 i+ecmQ OwOx6QjNCrjtMPJZHQ+AKBnJ1q7VICRRGFknOXH38Ss +AHccP13joz8TPa3RlbU5vBbKnW2w6QEVKhDk6KJUooM +--- LlMd7GEC/5yZCCypJFV+RfqqxVDhOxxHW6ZSBuV6/Zc +NUovZX0J{bxt2U +z0i}ټ7 ssh-ed25519 Jpc21A uEHtXoqInG0yc2UU09lDAmdaeWBlv6BfgP9ZC6bk/wE +DLlXPhpRkBB5ir2Euh6bkxblAlyqA3CFNv5UFJXrPkM +-> ssh-ed25519 BAs8QA yAbCqNKzzu02vjKqYVl46NRfc1u6w03wdv/uYImmBSA +0+Le8eWSWkF9aSdhk7mpFN+D87kUaBRwbjO4uS+Zz1k +-> ssh-ed25519 ofQnlg cpdWhJg6pB09hL/x59WgAblk8JShLMrbVRGAGDnoXUo +pBnnIq989tqbMVnsqyrzFiYsMIwZzi1cg2N86KqRXt4 +-> ssh-ed25519 COspvA A7PWv0kGnmPDtLtKpNSy040AmqphAVaKjaimHbwR2S0 +vG1lSVE3Q2dMfKik50MRhIE29opMVqXUOBjcCWQH/Ck +-> ssh-ed25519 2XrTgw bwxzUgEXNCPiW8lxOhqUofilGlq+3U05OfO92Y5Zun0 +P6TGcQUHOdYR7G6dojakBGFkFOP7FVnwmZXY7B+sn3w +-> ssh-ed25519 awJeHA 7rlWcUOwiMFy0gjUQqxSoAWSFkghQG92mo9VUa++PRs +UPvki4hox5mNrIhE6KQQo5WlVl+8XL4hgVUwE9es3mg +-> ssh-ed25519 S1E+mw yVifWiLDiFZfjljd5AZmD+rpxMzxVwUGa4Cg9qrIgTk +M7Nk1Q+bX54RJysTm5uuaxNcf+OI5LaxkeaF4MsNXXk +-> ssh-ed25519 i+ecmQ K/c0kqipp5Fl4BzMi0G6Fe8ItSvhGLMHQLQZ7kETZ0o +oHzo/sWjA5aR07dAK6jAz43HEjCDAjCRY5n2zDe7UE8 +--- GEvB7FWwJeWa6i4J/pGvooeAhT2mgWovOViKoMLuSbw +،ȃa,pCY 3#(,ݞ ?$%l6"YhWϤmC߂VZs]Fݍ \ No newline 
at end of file