Revert "try store mounted read-only"

This reverts commit 586be6f309.
try store mounted read-only
2025-08-04 18:01:48 +02:00 · 2025-08-04 18:01:48 +02:00 · 2025-08-04 18:01:48 +02:00 · 2025-08-04 18:01:48 +02:00 · 2025-08-04 18:01:48 +02:00 · 2025-08-04 18:01:48 +02:00
11 changed files with 30 additions and 8 deletions
--- a/.woodpecker/cd.yaml
+++ b/.woodpecker/cd.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: push
@ -7,16 +9,12 @@ steps:
  - name: build
    image: nixos/nix
    commands:
-      - whoami
-      - pwd
-      - ls
-      - env
      - |
        mkdir -p ~/.ssh
        echo "$CD_SSH_KEY" > ~/.ssh/id_ed25519
        ls -l ~/.ssh/id_ed25519
        chmod 600 ~/.ssh/id_ed25519
-      - bash -c "nix-shell -p strace --run 'strace -f -o ssh-agent.log ssh-agent -s'"
+      - nix-shell -p strace --run 'strace -f -o ssh-agent.log ssh-agent -s'
      - cat ssh-agent.log
      - |
        eval "$(ssh-agent -s)"
--- a/.woodpecker/check-data-model.yaml
+++ b/.woodpecker/check-data-model.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-deployment-basic.yaml
+++ b/.woodpecker/check-deployment-basic.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-deployment-cli.yaml
+++ b/.woodpecker/check-deployment-cli.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-deployment-panel.yaml
+++ b/.woodpecker/check-deployment-panel.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-mastodon.yaml
+++ b/.woodpecker/check-mastodon.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-panel.yaml
+++ b/.woodpecker/check-panel.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-peertube.yaml
+++ b/.woodpecker/check-peertube.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-pre-commit.yaml
+++ b/.woodpecker/check-pre-commit.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: pull_request
--- a/.woodpecker/check-resources.yaml
+++ b/.woodpecker/check-resources.yaml
@ -1,3 +1,5 @@
+$schema: https://raw.githubusercontent.com/woodpecker-ci/woodpecker/refs/heads/main/pipeline/frontend/yaml/linter/schema/schema.json
+
 when:
  - event: manual
  - event: push
--- a/machines/dev/fedi203/woodpecker.nix
+++ b/machines/dev/fedi203/woodpecker.nix
@ -111,7 +111,7 @@
          WOODPECKER_SERVER=localhost:9000
          WOODPECKER_USERNAME=x-oauth-basic
          WOODPECKER_HOSTNAME=https://woodpecker.fediversity.eu
-          WOODPECKER_MAX_WORKFLOWS=4
+          WOODPECKER_MAX_WORKFLOWS=5
          WOODPECKER_LOG_LEVEL=info
          WOODPECKER_DEBUG_PRETTY=false
          WOODPECKER_DEBUG_NOCOLOR=true
@ -202,19 +202,21 @@
  };

  networking = {
-    nftables.enable = lib.mkForce false;
    firewall = {
+      enable = lib.mkForce true;
      allowedTCPPorts = [
        22
        80
        443
      ];
      # needed for podman to be able to talk over dns
-      interfaces."podman0" = {
+      interfaces."podman+" = {
        allowedUDPPorts = [ 53 ];
        allowedTCPPorts = [ 53 ];
      };
    };
+    # helps make sure DNS resolves from the containers
+    nftables.enable = lib.mkForce false;
  };

  virtualisation.podman = {
@ -223,6 +225,10 @@
      enable = true;
      dates = "weekly";
    };
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      ipv6_enabled = true;
+    };
  };

  systemd.services = {
Author	SHA1	Message	Date
Kiara Grouwstra	9e32af4257	Revert "try store mounted read-only" This reverts commit `586be6f309`.	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	134692f500	try store mounted read-only - `--store` as per https://blog.kotatsu.dev/posts/2023-04-21-woodpecker-nix-caching/ - `--eval-store` as per https://kevincox.ca/2022/01/02/nix-in-docker-caching/	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	eab27d7cf8	schema	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	99b8278ea4	max 5	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	12d1089cd5	un-bash strace	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	784e5820f9	container dns rm dns	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	f18cbfeb9a	enable firewall	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	e2a28a9b6e	document nftables	2025-08-04 18:01:48 +02:00
Kiara Grouwstra	65afda1d49	generalize firewall hole	2025-08-04 18:01:48 +02:00