container dns

rm dns

machines/dev/fedi203/woodpecker.nix

@@ -5,19 +5,26 @@
   ...
 }:
 {
-  networking = {
-    firewall.allowedTCPPorts = [
-      22
-      80
-      443
-    ];
-  };
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "something@fediversity.eu";
   };
 
+  users.groups.woodpecker-agent-docker = { };
+
+  age.secrets =
+    lib.mapAttrs
+      (_: group: {
+        owner = "root";
+        inherit group;
+        mode = "440";
+      })
+      {
+        woodpecker-gitea-client = "woodpecker-server";
+        woodpecker-gitea-secret = "woodpecker-server";
+        woodpecker-agent-container = "woodpecker-agent-docker";
+      };
+
   # needs `sudo generate-vars`
   vars.settings.on-machine.enable = true;
 
@@ -45,7 +52,6 @@
       fileNames = [
         "woodpecker-gitea-client"
         "woodpecker-gitea-secret"
-        "woodpecker-agent-exec"
         "woodpecker-agent-container"
       ];
     in
@@ -64,6 +70,8 @@
       '';
     };
 
+  # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
+  # `woodpecker-agents.agents.docker.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-docker.path;`
   vars.generators."templates" = rec {
     dependencies = [
       "woodpecker"
@@ -96,29 +104,9 @@
       '') files
     );
 
-    # files."woodpecker-server.conf" = {
-    #   secret = true;
-    #   template = pkgs.writeText "woodpecker-server.conf" ''
-    #     WOODPECKER_DATABASE_DRIVER=sqlite3
-    #     WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
-    #     WOODPECKER_OPEN=false
-    #     WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
-    #     WOODPECKER_HOST=https://woodpecker.fediversity.eu
-    #     WOODPECKER_GITEA=true
-    #     WOODPECKER_GITEA_URL=https://git.fediversity.eu
-    #     WOODPECKER_GITEA_CLIENT_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
-    #     WOODPECKER_GITEA_SECRET_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
-    #     WOODPECKER_AGENT_SECRET_FILE=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
-    #     WOODPECKER_GRPC_SECRET_FILE=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
-    #     WOODPECKER_LOG_LEVEL=info
-    #     WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
-    #     WOODPECKER_SERVER_ADDR=:8000
-    #     WOODPECKER_GRPC_ADDR=:9000
-    #   '';
-    # };
-
     files =
       let
+        # https://woodpecker-ci.org/docs/administration/configuration/agent
         shared = ''
           WOODPECKER_SERVER=localhost:9000
           WOODPECKER_USERNAME=x-oauth-basic
@@ -134,21 +122,28 @@
         '';
       in
       {
-
+        # https://woodpecker-ci.org/docs/administration/configuration/server
-        "woodpecker-agent-exec.conf" = {
+        "woodpecker-server.conf" = {
           secret = true;
-          template = pkgs.writeText "woodpecker-agent-exec.conf" (
+          template = pkgs.writeText "woodpecker-server.conf" ''
-            lib.concatStringsSep "\n" [
+            WOODPECKER_DATABASE_DRIVER=sqlite3
-              shared
+            WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
-              ''
+            WOODPECKER_OPEN=false
-                WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-exec.placeholder}
+            WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
-                WOODPECKER_BACKEND=local
+            WOODPECKER_HOST=https://woodpecker.fediversity.eu
-                WOODPECKER_AGENT_LABELS=type=local
+            WOODPECKER_GITEA=true
-              ''
+            WOODPECKER_GITEA_URL=https://git.fediversity.eu
-            ]
+            WOODPECKER_GITEA_CLIENT=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
-          );
+            WOODPECKER_GITEA_SECRET=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
+            WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
+            WOODPECKER_GRPC_SECRET=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
+            WOODPECKER_LOG_LEVEL=info
+            WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
+            WOODPECKER_SERVER_ADDR=:8000
+            WOODPECKER_GRPC_ADDR=:9000
+          '';
         };
-
+        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
         "woodpecker-agent-podman.conf" = {
           secret = true;
           template = pkgs.writeText "woodpecker-agent-podman.conf" (
@@ -190,102 +185,39 @@
 
     woodpecker-server = {
       enable = true;
-
+      environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
-      # environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
-      # https://woodpecker-ci.org/docs/administration/configuration/server
-      environment = {
-        WOODPECKER_DATABASE_DRIVER = "sqlite3";
-        WOODPECKER_DISABLE_USER_AGENT_REGISTRATION = "false";
-
-        WOODPECKER_OPEN = "false";
-        WOODPECKER_ADMIN = "kiara,fricklerhandwerk,niols";
-        WOODPECKER_HOST = "https://woodpecker.fediversity.eu";
-
-        WOODPECKER_GITEA = "true";
-        WOODPECKER_GITEA_URL = "https://git.fediversity.eu";
-        WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path;
-        WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path;
-
-        WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
-        WOODPECKER_GRPC_SECRET_FILE = config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path;
-
-        WOODPECKER_LOG_LEVEL = "info";
-        WOODPECKER_DEFAULT_CLONE_PLUGIN = "docker.io/woodpeckerci/plugin-git";
-        WOODPECKER_SERVER_ADDR = ":8000";
-        WOODPECKER_GRPC_ADDR = ":9000";
-      };
     };
 
     # https://woodpecker-ci.org/docs/administration/configuration/agent
-    woodpecker-agents.agents =
+    woodpecker-agents.agents = {
-      # let
-      #   shared = {
-      #     WOODPECKER_SERVER = "localhost:9000";
-      #     # TODO: separate to agent-specific tokens?
-      #     # TODO: why will it only accept `WOODPECKER_AGENT_SECRET`, not `WOODPECKER_AGENT_SECRET_FILE`?
-      #     # WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
-      #     WOODPECKER_USERNAME = "x-oauth-basic";
-      #     WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
-      #     WOODPECKER_MAX_WORKFLOWS = "4";
-      #     WOODPECKER_LOG_LEVEL = "info";
-      #     WOODPECKER_DEBUG_PRETTY = "false";
-      #     WOODPECKER_DEBUG_NOCOLOR = "true";
-      #     WOODPECKER_GRPC_SECURE = "false"; # TODO: fix
-      #     WOODPECKER_GRPC_VERIFY = "false";
-      #     WOODPECKER_HEALTHCHECK = "false";
-      #   };
-      # in
-      {
-
-        # local
-
-        exec = {
-          enable = true;
-          path = with pkgs; [
-            git
-            git-lfs
-            woodpecker-plugin-git
-            bash
-            coreutils
-            nix
-            attic-client
-          ];
-          environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
-          # # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
-          # environment = lib.mkMerge [
-          #   shared
-          #   {
-          #     WOODPECKER_BACKEND = "local";
-          #     WOODPECKER_AGENT_LABELS = "type=local";
-          #     WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;
-          #   }
-          # ];
-        };
-
-        # container
-
       docker = {
         enable = true;
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
-          # # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
+        extraGroups = [
-          # environment = lib.mkMerge [
+          "podman"
-          #   shared
+          "woodpecker-agent-docker"
-          #   {
+        ];
-          #     WOODPECKER_BACKEND = "docker";
-          #     DOCKER_HOST = "unix:///run/podman/podman.sock";
-          #     WOODPECKER_AGENT_LABELS = "type=docker";
-          #     WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-container.path;
-          #   }
-          # ];
       };
     };
   };
 
-  networking.firewall.allowedTCPPorts = [
+  networking = {
+    firewall = {
+      enable = lib.mkForce true;
+      allowedTCPPorts = [
         22
         80
         443
       ];
+      # needed for podman to be able to talk over dns
+      interfaces."podman0" = {
+        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
+      };
+    };
+    # helps make sure DNS resolves from the containers
+    nftables.enable = lib.mkForce false;
+  };
 
   virtualisation.podman = {
     enable = true;
@@ -293,11 +225,16 @@
       enable = true;
       dates = "weekly";
     };
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
   };
 
-  systemd.services.woodpecker-agent-docker = {
+  systemd.services = {
+    woodpecker-agent-docker = {
       wants = [ "podman.socket" ];
       after = [ "podman.socket" ];
-    serviceConfig.SupplementaryGroups = [ "podman" ];
+    };
   };
 }

secrets/secrets.nix

@@ -35,7 +35,6 @@ concatMapAttrs
       wiki-smtp-password = [ vm02187 ];
       woodpecker-gitea-client = [ fedi203 ];
       woodpecker-gitea-secret = [ fedi203 ];
-      woodpecker-agent-exec = [ fedi203 ];
       woodpecker-agent-container = [ fedi203 ];
     }
   )

secrets/woodpecker-agent-exec.age

@@ -1,19 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 Jpc21A RkvPufUflL629g98PVMAPBhP8k53I7Q8I9Ij72ArdGI
-+qsdje9Mir5g8p7vwCJRjSVlWgklnCwjQxxKxnEWaz8
--> ssh-ed25519 BAs8QA ezKlcV2uxteAeQSb90DuqN3pvEjQs/yHnApD5s+Kr2c
-wtlZh2Q8nGL2FgaO1vcYIX+C8gplRGJovccGG7GbTZo
--> ssh-ed25519 ofQnlg esuCVxgKkSKR/58Rh8G7QBpa2WBY0Exh7yYqwFjJJS8
-cmpO/zbhNqDxIzNlkTbeGazyI2rF6tG5asQgRIdLDdg
--> ssh-ed25519 COspvA x7OFSXwP27SgybnYy5b8WENz7moSRQDfr4QILI42SSs
-Z9kSpxkon8xDCBzhZ98SG4rFnk1yGtG+qtAx3KdTBz0
--> ssh-ed25519 2XrTgw FrPAtSkVm6yspzCfXhrOTpXLiG4P4QRDTW9csbYeBnU
-LVtwkz2GLfhnoB9tKorIC1U3THiPh+SURurxiDY9R64
--> ssh-ed25519 awJeHA Ra70XBRR/B2UdIQRzuNVlHzZ33FNRdwG8hCmlCrrIgo
-RGe+toNMf9poReiLxYhJdKObNsGUF+D/iA/FZgVmwX8
--> ssh-ed25519 S1E+mw QriB2nKELdgIE6vUmA+GF+K2DKnIxliutWpzNjd+pwY
-k9iA0OP2Meu9XewGABqTE1S5ohUQXvUTpyqhvPiOpVM
--> ssh-ed25519 i+ecmQ y3fiMshCkdSedW0zIp+xbgAHIYhKjtqrK6Aaif+DUnM
-QuEkd8UXYDwWxvc0HRQFyJDdZh7QWBF2tl5xkEtOCaY
---- uxOW1G8fpvSDnwJDrYX+XS7FQZjmQwQddA50zax7qGo
-µiÅ7 VìëCº_þ!œð¾ô¤ÞEüZØ<5A>‘@+;ãáåo‚†¹ÑN†é€<C3A9>|	Kñ©À÷´ÞK–›B‡/û6ºjM$‘¾‡âw¼Î›tük