container dns

rm dns

machines/dev/fedi203/woodpecker.nix

@@ -10,6 +10,8 @@
     defaults.email = "something@fediversity.eu";
   };
 
+  users.groups.woodpecker-agent-docker = { };
+
   age.secrets =
     lib.mapAttrs
       (_: group: {
@@ -20,7 +22,6 @@
       {
         woodpecker-gitea-client = "woodpecker-server";
         woodpecker-gitea-secret = "woodpecker-server";
-        woodpecker-agent-exec = "woodpecker-agent-exec";
         woodpecker-agent-container = "woodpecker-agent-docker";
       };
 
@@ -51,7 +52,6 @@
       fileNames = [
         "woodpecker-gitea-client"
         "woodpecker-gitea-secret"
-        "woodpecker-agent-exec"
         "woodpecker-agent-container"
       ];
     in
@@ -71,7 +71,7 @@
     };
 
   # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
-  # `woodpecker-agents.agents.exec.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;`
+  # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
   vars.generators."templates" = rec {
     dependencies = [
       "woodpecker"
@@ -143,22 +143,6 @@
             WOODPECKER_GRPC_ADDR=:9000
           '';
         };
-
-        # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
-        "woodpecker-agent-exec.conf" = {
-          secret = true;
-          template = pkgs.writeText "woodpecker-agent-exec.conf" (
-            lib.concatStringsSep "\n" [
-              shared
-              ''
-                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
-                WOODPECKER_BACKEND=local
-                WOODPECKER_AGENT_LABELS=type=local
-              ''
-            ]
-          );
-        };
-
         # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
         "woodpecker-agent-podman.conf" = {
           secret = true;
@@ -206,47 +190,50 @@
 
     # https://woodpecker-ci.org/docs/administration/configuration/agent
     woodpecker-agents.agents = {
-      exec = {
-        enable = true;
-        path = with pkgs; [
-          git
-          git-lfs
-          woodpecker-plugin-git
-          bash
-          coreutils
-          nix
-          attic-client
-        ];
-        environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
-      };
       docker = {
         enable = true;
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
+        extraGroups = [
+          "podman"
+          "woodpecker-agent-docker"
+        ];
       };
     };
   };
 
   networking = {
     nftables.enable = lib.mkForce false;
+    firewall = {
+      enable = lib.mkForce true;
+      allowedTCPPorts = [
+        22
+        80
+        443
+      ];
+      # needed for podman to be able to talk over dns
+      interfaces."podman0" = {
+        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
+      };
+    };
   };
 
-  networking.firewall.allowedTCPPorts = [
-    22
-    80
-    443
-  ];
-
   virtualisation.podman = {
     enable = true;
     autoPrune = {
       enable = true;
       dates = "weekly";
     };
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
   };
 
-  systemd.services.woodpecker-agent-docker = {
-    wants = [ "podman.socket" ];
-    after = [ "podman.socket" ];
-    serviceConfig.SupplementaryGroups = [ "podman" ];
+  systemd.services = {
+    woodpecker-agent-docker = {
+      wants = [ "podman.socket" ];
+      after = [ "podman.socket" ];
+    };
   };
 }

secrets/secrets.nix

@@ -35,7 +35,6 @@ concatMapAttrs
       wiki-smtp-password = [ vm02187 ];
       woodpecker-gitea-client = [ fedi203 ];
       woodpecker-gitea-secret = [ fedi203 ];
-      woodpecker-agent-exec = [ fedi203 ];
       woodpecker-agent-container = [ fedi203 ];
     }
   )

secrets/woodpecker-agent-exec.age

@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI
-+qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8
--> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c
-wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo
--> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8
-cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg
--> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs
-Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0
--> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU
-LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64
--> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo
-RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8
--> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY
-k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM
--> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM
-QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY
---- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo
-µiÅ7 VìëCº_þ!œð¾ô¤ÞEüZØ<5A>‘@+;ãáåo‚†¹ÑN†é€<C3A9>|	Kñ©À÷´ÞK–›B‡/û6ºjM$‘¾‡âw¼Î›tük