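{ lib, pkgs, config, ... }:
{
  # Woodpecker CI: one server behind nginx/ACME plus two agents (local backend
  # and container backend) on the same host.
  #
  # Review notes on the trust boundary of this machine:
  # - Pipeline steps run either directly on this host (local backend) or in
  #   containers that can reach the container engine's root socket. Anyone who
  #   can trigger a build therefore gets code execution with agent privileges;
  #   keep repository access and agent registration restricted accordingly.
  # - Every string literal in this file ends up world-readable in the Nix store
  #   and in git. Credentials must only ever be referenced via *_FILE variables
  #   or an environmentFile, never written inline.

  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
  # 8000 (HTTP) and 9000 (agent gRPC) are deliberately NOT opened: nginx
  # proxies 8000 over loopback and the agents talk to 9000 over loopback too.

  security.acme = {
    acceptTerms = true;
    defaults.email = "something@fediversity.eu";
  };

  vars.settings.on-machine.enable = true;

  # Shared secret authenticating agents to the server: 32 random bytes, hex.
  vars.generators.woodpecker-agent-secret = {
    runtimeInputs = [ pkgs.openssl ];
    files.my-secret.secret = true;
    script = ''
      openssl rand -hex 32 > "$out"/my-secret
    '';
  };

  # Secret the server uses for its gRPC/JWT tokens: 32 characters from a
  # 64-symbol alphabet (~190 bits).
  # NOTE(review): if the generator runs with `set -o pipefail`, `tr` exiting on
  # SIGPIPE after `head` closes the pipe may fail the script — confirm on a
  # fresh machine.
  vars.generators.woodpecker-rpc-secret = {
    runtimeInputs = [ pkgs.coreutils ];
    files.rpc-secret.secret = true;
    script = ''
      tr -dc 'A-Za-z0-9!?%=' < /dev/urandom | head -c 32 > "$out"/rpc-secret
    '';
  };

  # enable git-lfs
  programs.git = {
    enable = true;
    lfs.enable = true;
  };

  services = {
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts."woodpecker.fediversity.eu" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://127.0.0.1:8000";
        };
      };
    };

    woodpecker-server = {
      enable = true;
      # https://woodpecker-ci.org/docs/administration/configuration/server

      # The Gitea OAuth client secret is loaded by systemd from a file that is
      # NOT in the Nix store. The file must be provisioned out of band (e.g. a
      # clan vars secret or agenix), mode 0400, root-owned, and contain one
      # line: WOODPECKER_GITEA_SECRET=<secret>
      # A previous revision of this file carried the secret as a plain string
      # literal (a `gto_…` token); that credential is compromised and must be
      # regenerated in Gitea regardless of this change.
      environmentFile = [ "/run/secrets/woodpecker/gitea-oauth.env" ];

      environment = {
        WOODPECKER_DATABASE_DRIVER = "sqlite3";
        # "false" here means users MAY register their own agents. Such agents
        # receive and execute jobs, so this is an extra path to code execution;
        # set to "true" if only the two local agents below are wanted.
        WOODPECKER_DISABLE_USER_AGENT_REGISTRATION = "false";
        # Closed registration: only the admins below (and whoever they add) get in.
        WOODPECKER_OPEN = "false";
        WOODPECKER_ADMIN = "kiara,fricklerhandwerk,niols";
        WOODPECKER_HOST = "https://woodpecker.fediversity.eu";
        WOODPECKER_GITEA = "true";
        WOODPECKER_GITEA_URL = "https://git.fediversity.eu";
        # The client id is an identifier, not a credential; the matching
        # secret comes from environmentFile above.
        WOODPECKER_GITEA_CLIENT = "fd4bf276-84fb-463c-af0e-7d70d1137718";
        WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
        WOODPECKER_GRPC_SECRET_FILE = config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path;
        WOODPECKER_LOG_LEVEL = "info";
        # NOTE(review): no tag or digest, i.e. a floating `latest` image is
        # pulled for every clone step; pin a version (ideally a digest) so the
        # clone step is reproducible and not silently replaced upstream.
        WOODPECKER_DEFAULT_CLONE_PLUGIN = "docker.io/woodpeckerci/plugin-git";
        # Bind both listeners to loopback: nginx and the agents are local, and
        # gRPC runs without TLS (see the agents' WOODPECKER_GRPC_SECURE). The
        # firewall already drops these ports, this keeps them off the wire
        # even if that changes.
        WOODPECKER_SERVER_ADDR = "127.0.0.1:8000";
        WOODPECKER_GRPC_ADDR = "127.0.0.1:9000";
      };
    };

    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents =
      let
        # Settings common to both agents.
        shared = {
          # Loopback only; must match WOODPECKER_GRPC_ADDR on the server.
          WOODPECKER_SERVER = "127.0.0.1:9000";
          # Same secret the server was given. Both agents live on this host, so
          # sharing one generator is fine; issue separate per-agent tokens
          # (e.g. config.age.woodpecker-agent-token-exec.path /
          # config.age.woodpecker-agent-token-container.path) before moving an
          # agent off-machine, so one can be revoked without the other.
          WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
          WOODPECKER_USERNAME = "x-oauth-basic";
          WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
          WOODPECKER_MAX_WORKFLOWS = "4";
          WOODPECKER_LOG_LEVEL = "info";
          WOODPECKER_DEBUG_PRETTY = "false";
          WOODPECKER_DEBUG_NOCOLOR = "true";
          # Plaintext gRPC is acceptable ONLY because the server listens on
          # loopback and port 9000 is not opened in the firewall.
          # TODO: enable TLS (SECURE/VERIFY = "true") before any remote agent.
          WOODPECKER_GRPC_SECURE = "false";
          WOODPECKER_GRPC_VERIFY = "false";
          WOODPECKER_HEALTHCHECK = "false";
        };
      in
      {
        # local backend: steps run directly on this host as the agent's user,
        # with the tools below on PATH. There is no sandbox between pipeline
        # code and the agent; only trusted repositories should target
        # `type=local`.
        exec = {
          enable = true;
          # TODO: enquote in docs
          path = with pkgs; [
            git
            git-lfs
            woodpecker-plugin-git
            bash
            coreutils
            nix
            attic-client
          ];
          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
          # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
          environment = lib.mkMerge [
            shared
            {
              WOODPECKER_BACKEND = "local";
              WOODPECKER_AGENT_LABELS = "type=local";
              # WOODPECKER_BACKEND_LOCAL_TEMP_DIR=""; # NIX_REMOTE = "daemon"; # PAGER = "cat";
            }
          ];
        };

        # container backend
        # NOTE(review): DOCKER_HOST points at a podman socket, but only
        # virtualisation.docker is enabled below and the systemd override binds
        # /var/run/docker.sock — one of the two looks wrong; confirm which
        # engine is intended. Whichever it is, the root socket of that engine
        # gives pipeline steps root-equivalent access to this host.
        podman = {
          enable = true;
          # extraGroups = [ "podman" ];
          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
          # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
          environment = lib.mkMerge [
            shared
            {
              WOODPECKER_BACKEND = "docker";
              DOCKER_HOST = "unix:///run/podman/podman.sock";
              WOODPECKER_AGENT_LABELS = "type=docker";
            }
          ];
        };
      };
  };

  virtualisation.docker = {
    enable = true;
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
  };

  # NOTE(review): the agent above is named `podman`, so its unit is presumably
  # `woodpecker-agent-podman`; this override targets `woodpecker-agent-docker`
  # and may define a separate, empty unit instead of adjusting the agent.
  # Confirm the unit name with `systemctl list-units 'woodpecker-agent-*'`.
  systemd.services.woodpecker-agent-docker = {
    after = [ "docker.socket" ];
    restartIfChanged = false;
    serviceConfig = {
      # Expose the engine socket inside the agent's sandbox (see the trust
      # note on the container agent above).
      BindPaths = [ "/var/run/docker.sock" ];
    };
  };
}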