strace pkg

container dns
rm dns
2025-08-04 16:46:00 +02:00 · 2025-08-04 16:46:00 +02:00 · 2025-08-04 16:46:00 +02:00 · 2025-08-04 16:46:00 +02:00 · 2025-08-04 16:44:46 +02:00
4 changed files with 25 additions and 68 deletions
--- a/.woodpecker/cd.yaml
+++ b/.woodpecker/cd.yaml
@ -16,7 +16,7 @@ steps:
        echo "$CD_SSH_KEY" > ~/.ssh/id_ed25519
        ls -l ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
-      - bash -c "strace -f -o ssh-agent.log ssh-agent -s"
+      - bash -c "nix-shell -p strace --run 'strace -f -o ssh-agent.log ssh-agent -s'"
      - cat ssh-agent.log
      - |
        eval "$(ssh-agent -s)"
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@ -10,10 +10,7 @@
    defaults.email = "something@fediversity.eu";
  };
-  users.groups = {
+  users.groups.woodpecker-agent-docker = { };
    woodpecker-agent-exec = { };
    woodpecker-agent-docker = { };
  };
  age.secrets =
    lib.mapAttrs
@ -25,7 +22,6 @@
      {
        woodpecker-gitea-client = "woodpecker-server";
        woodpecker-gitea-secret = "woodpecker-server";
        woodpecker-agent-exec = "woodpecker-agent-exec";
        woodpecker-agent-container = "woodpecker-agent-docker";
      };
@ -56,7 +52,6 @@
      fileNames = [
        "woodpecker-gitea-client"
        "woodpecker-gitea-secret"
        "woodpecker-agent-exec"
        "woodpecker-agent-container"
      ];
    in
@ -76,7 +71,7 @@
    };
  # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
-  # `woodpecker-agents.agents.exec.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;`
+  # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
  vars.generators."templates" = rec {
    dependencies = [
      "woodpecker"
@ -148,22 +143,6 @@
            WOODPECKER_GRPC_ADDR=:9000
          '';
        };
        # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
        "woodpecker-agent-exec.conf" = {
          secret = true;
          template = pkgs.writeText "woodpecker-agent-exec.conf" (
            lib.concatStringsSep "\n" [
              shared
              ''
                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
                WOODPECKER_BACKEND=local
                WOODPECKER_AGENT_LABELS=type=local
              ''
            ]
          );
        };
        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
        "woodpecker-agent-podman.conf" = {
          secret = true;
@ -211,20 +190,6 @@
    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents = {
      exec = {
        enable = true;
        path = with pkgs; [
          git
          git-lfs
          woodpecker-plugin-git
          bash
          coreutils
          nix
          attic-client
        ];
        environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
        extraGroups = [ "woodpecker-agent-exec" ];
      };
      docker = {
        enable = true;
        environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
@ -238,25 +203,37 @@
  networking = {
    nftables.enable = lib.mkForce false;
    firewall = {
      enable = lib.mkForce true;
      allowedTCPPorts = [
        22
        80
        443
      ];
      # needed for podman to be able to talk over dns
      interfaces."podman0" = {
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };
  };
  networking.firewall.allowedTCPPorts = [
    22
    80
    443
  ];
  virtualisation.podman = {
    enable = true;
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
    defaultNetwork.settings = {
      dns_enabled = true;
      ipv6_enabled = true;
    };
  };
-  systemd.services.woodpecker-agent-docker = {
+  systemd.services = {
-    wants = [ "podman.socket" ];
+    woodpecker-agent-docker = {
-    after = [ "podman.socket" ];
+      wants = [ "podman.socket" ];
-    serviceConfig.SupplementaryGroups = [ "podman" ];
+      after = [ "podman.socket" ];
    };
  };
 }
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -35,7 +35,6 @@ concatMapAttrs
      wiki-smtp-password = [ vm02187 ];
      woodpecker-gitea-client = [ fedi203 ];
      woodpecker-gitea-secret = [ fedi203 ];
      woodpecker-agent-exec = [ fedi203 ];
      woodpecker-agent-container = [ fedi203 ];
    }
  )
--- a/secrets/woodpecker-agent-exec.age
+++ b/secrets/woodpecker-agent-exec.age
@ -1,19 +0,0 @@
 age-encryption.org/v1
 -> ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI
 +qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8
 -> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c
 wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo
 -> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8
 cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg
 -> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs
 Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0
 -> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU
 LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64
 -> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo
 RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8
 -> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY
 k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM
 -> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM
 QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY
 --- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo
 µiÅ7 VìëCº_þ!œð¾ô¤ÞEüZØ<5A>‘@+;ãáåo‚†¹ÑN†é€<C3A9>|	Kñ©À÷´ÞK–›B‡/û6ºjM$‘¾‡âw¼Î›tük
Author	SHA1	Message	Date
Kiara Grouwstra	c0d7867aa5	strace pkg	2025-08-04 16:46:00 +02:00
Kiara Grouwstra	839f528491	container dns rm dns	2025-08-04 16:46:00 +02:00
Kiara Grouwstra	2b75d9adb5	enable firewall	2025-08-04 16:46:00 +02:00
Kiara Grouwstra	ea792d4395	rm agent exec plug hole in firewall format	2025-08-04 16:46:00 +02:00
Kiara Grouwstra	5b4f15c6f0	disable exec agent make service group setting conditional make secrets conditional make things conditional rm group	2025-08-04 16:44:46 +02:00