un-template

machines/dev/fedi203/woodpecker.nix

@@ -5,14 +5,6 @@
   ...
 }:
 {
-  networking = {
-    firewall.allowedTCPPorts = [
-      22
-      80
-      443
-    ];
-  };
-
   security.acme = {
     acceptTerms = true;
     defaults.email = "something@fediversity.eu";
@@ -64,6 +56,8 @@
       '';
     };
 
+  # FIXME: make `WOODPECKER_AGENT_SECRET_FILE` work so i can just do the following again instead of using templates:
+  # `woodpecker-agents.agents.exec.environment.WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;`
   vars.generators."templates" = rec {
     dependencies = [
       "woodpecker"
@@ -96,29 +90,9 @@
       '') files
     );
 
-    # files."woodpecker-server.conf" = {
-    #   secret = true;
-    #   template = pkgs.writeText "woodpecker-server.conf" ''
-    #     WOODPECKER_DATABASE_DRIVER=sqlite3
-    #     WOODPECKER_DISABLE_USER_AGENT_REGISTRATION=false
-    #     WOODPECKER_OPEN=false
-    #     WOODPECKER_ADMIN=kiara,fricklerhandwerk,niols
-    #     WOODPECKER_HOST=https://woodpecker.fediversity.eu
-    #     WOODPECKER_GITEA=true
-    #     WOODPECKER_GITEA_URL=https://git.fediversity.eu
-    #     WOODPECKER_GITEA_CLIENT_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-client.placeholder}
-    #     WOODPECKER_GITEA_SECRET_FILE=${config.vars.generators.woodpecker.files.woodpecker-gitea-secret.placeholder}
-    #     WOODPECKER_AGENT_SECRET_FILE=${config.vars.generators.woodpecker-agent-secret.files.my-secret.placeholder}
-    #     WOODPECKER_GRPC_SECRET_FILE=${config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.placeholder}
-    #     WOODPECKER_LOG_LEVEL=info
-    #     WOODPECKER_DEFAULT_CLONE_PLUGIN=docker.io/woodpeckerci/plugin-git
-    #     WOODPECKER_SERVER_ADDR=:8000
-    #     WOODPECKER_GRPC_ADDR=:9000
-    #   '';
-    # };
-
     files =
       let
+        # https://woodpecker-ci.org/docs/administration/configuration/agent
         shared = ''
           WOODPECKER_SERVER=localhost:9000
           WOODPECKER_USERNAME=x-oauth-basic
@@ -135,6 +109,7 @@
       in
       {
 
+        # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
         "woodpecker-agent-exec.conf" = {
           secret = true;
           template = pkgs.writeText "woodpecker-agent-exec.conf" (
@@ -149,6 +124,7 @@
           );
         };
 
+        # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
         "woodpecker-agent-podman.conf" = {
           secret = true;
           template = pkgs.writeText "woodpecker-agent-podman.conf" (
@@ -157,8 +133,8 @@
               ''
                 WOODPECKER_AGENT_SECRET=${config.vars.generators.woodpecker.files.woodpecker-agent-container.placeholder}
                 WOODPECKER_BACKEND=docker
-                DOCKER_HOST=unix:///run/podman/podman.sock
                 WOODPECKER_AGENT_LABELS=type=docker
+                DOCKER_HOST=unix:///run/podman/podman.sock
               ''
             ]
           );
@@ -191,7 +167,6 @@
     woodpecker-server = {
       enable = true;
 
-      # environmentFile = config.vars.generators."templates".files."woodpecker-server.conf".path;
       # https://woodpecker-ci.org/docs/administration/configuration/server
       environment = {
         WOODPECKER_DATABASE_DRIVER = "sqlite3";
@@ -217,28 +192,7 @@
     };
 
     # https://woodpecker-ci.org/docs/administration/configuration/agent
-    woodpecker-agents.agents =
+    woodpecker-agents.agents = {
-      # let
-      #   shared = {
-      #     WOODPECKER_SERVER = "localhost:9000";
-      #     # TODO: separate to agent-specific tokens?
-      #     # TODO: why will it only accept `WOODPECKER_AGENT_SECRET`, not `WOODPECKER_AGENT_SECRET_FILE`?
-      #     # WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
-      #     WOODPECKER_USERNAME = "x-oauth-basic";
-      #     WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
-      #     WOODPECKER_MAX_WORKFLOWS = "4";
-      #     WOODPECKER_LOG_LEVEL = "info";
-      #     WOODPECKER_DEBUG_PRETTY = "false";
-      #     WOODPECKER_DEBUG_NOCOLOR = "true";
-      #     WOODPECKER_GRPC_SECURE = "false"; # TODO: fix
-      #     WOODPECKER_GRPC_VERIFY = "false";
-      #     WOODPECKER_HEALTHCHECK = "false";
-      #   };
-      # in
-      {
-
-        # local
-
       exec = {
         enable = true;
         path = with pkgs; [
@@ -251,37 +205,21 @@
           attic-client
         ];
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-exec.conf".path ];
-          # # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
-          # environment = lib.mkMerge [
-          #   shared
-          #   {
-          #     WOODPECKER_BACKEND = "local";
-          #     WOODPECKER_AGENT_LABELS = "type=local";
-          #     WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-exec.path;
-          #   }
-          # ];
       };
-
+      docker = {
-        # container
-
-        podman = {
         enable = true;
         environmentFile = [ config.vars.generators."templates".files."woodpecker-agent-podman.conf".path ];
-          # # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
-          # environment = lib.mkMerge [
-          #   shared
-          #   {
-          #     WOODPECKER_BACKEND = "docker";
-          #     DOCKER_HOST = "unix:///run/podman/podman.sock";
-          #     WOODPECKER_AGENT_LABELS = "type=docker";
-          #     WOODPECKER_AGENT_SECRET_FILE = config.age.secrets.woodpecker-agent-container.path;
-          #   }
-          # ];
       };
     };
   };
 
-  virtualisation.docker = {
+  networking.firewall.allowedTCPPorts = [
+    22
+    80
+    443
+  ];
+
+  virtualisation.podman = {
     enable = true;
     autoPrune = {
       enable = true;
@@ -290,10 +228,8 @@
   };
 
   systemd.services.woodpecker-agent-docker = {
-    after = [ "docker.socket" ];
+    wants = [ "podman.socket" ];
-    restartIfChanged = false;
+    after = [ "podman.socket" ];
-    serviceConfig = {
+    serviceConfig.SupplementaryGroups = [ "podman" ];
-      BindPaths = [ "/var/run/docker.sock" ];
-    };
   };
 }