Fediversity/machines/dev/fedi203/woodpecker.nix

{
  lib,
  pkgs,
  config,
  ...
}:
{
  networking = {
    firewall.allowedTCPPorts = [
      22
      80
      443
    ];
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "something@fediversity.eu";
  };

  vars.settings.on-machine.enable = true;
  vars.generators.woodpecker-agent-secret = {
    runtimeInputs = [ pkgs.openssl ];
    files.my-secret.secret = true;
    script = ''
      openssl rand -hex 32 > "$out"/my-secret
    '';
  };
  vars.generators.woodpecker-rpc-secret = {
    runtimeInputs = [ pkgs.coreutils ];
    files.rpc-secret.secret = true;
    script = ''
      tr -dc 'A-Za-z0-9!?%=' < /dev/urandom | head -c 32 > "$out"/rpc-secret
    '';
  };

  # enable git-lfs
  programs.git = {
    enable = true;
    lfs.enable = true;
  };

  services = {
    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      virtualHosts."woodpecker.fediversity.eu" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          recommendedProxySettings = true;
          proxyPass = "http://127.0.0.1:8000";
        };
      };
    };

    woodpecker-server = {
      enable = true;

      # https://woodpecker-ci.org/docs/administration/configuration/server
      environment = {
        WOODPECKER_DATABASE_DRIVER = "sqlite3";
        WOODPECKER_DISABLE_USER_AGENT_REGISTRATION = "false";

        WOODPECKER_OPEN = "false";
        WOODPECKER_ADMIN = "kiara,fricklerhandwerk,niols";
        WOODPECKER_HOST = "https://woodpecker.fediversity.eu";

        WOODPECKER_GITEA = "true";
        WOODPECKER_GITEA_URL = "https://git.fediversity.eu";
        WOODPECKER_GITEA_CLIENT = "fd4bf276-84fb-463c-af0e-7d70d1137718";
        WOODPECKER_GITEA_SECRET = "gto_ce2bfavyahzlnfe6q3gdgr3rnvrbreqne2a77mhesbikqyfpse4q";
        # WOODPECKER_GITEA_CLIENT_FILE = config.age.secrets.woodpecker-gitea-client.path;
        # WOODPECKER_GITEA_SECRET_FILE = config.age.secrets.woodpecker-gitea-secret.path;

        WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
        WOODPECKER_GRPC_SECRET_FILE = config.vars.generators.woodpecker-rpc-secret.files.rpc-secret.path;

        WOODPECKER_LOG_LEVEL = "info";
        WOODPECKER_DEFAULT_CLONE_PLUGIN = "docker.io/woodpeckerci/plugin-git";
        WOODPECKER_SERVER_ADDR = ":8000";
        WOODPECKER_GRPC_ADDR = ":9000";
      };
    };

    # https://woodpecker-ci.org/docs/administration/configuration/agent
    woodpecker-agents.agents =
      let
        shared = {
          WOODPECKER_SERVER = "localhost:9000";
          WOODPECKER_AGENT_SECRET_FILE = config.vars.generators.woodpecker-agent-secret.files.my-secret.path;
          # ^ either use the server's or separate to config.age.woodpecker-agent-token-exec.path / config.age.woodpecker-agent-token-container.path
          WOODPECKER_USERNAME = "x-oauth-basic";
          WOODPECKER_HOSTNAME = "https://woodpecker.fediversity.eu";
          WOODPECKER_MAX_WORKFLOWS = "4";
          WOODPECKER_LOG_LEVEL = "info";
          WOODPECKER_DEBUG_PRETTY = "false";
          WOODPECKER_DEBUG_NOCOLOR = "true";
          WOODPECKER_GRPC_SECURE = "false"; # TODO: fix
          WOODPECKER_GRPC_VERIFY = "false";
          WOODPECKER_HEALTHCHECK = "false";
        };
      in
      {

        # local

        exec = {
          enable = true;
          # TODO: enquote in docs
          path = with pkgs; [
            git
            git-lfs
            woodpecker-plugin-git
            bash
            coreutils
            nix
            attic-client
          ];
          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
          # https://woodpecker-ci.org/docs/administration/configuration/backends/local#environment-variables
          environment = lib.mkMerge [
            shared
            {
              WOODPECKER_BACKEND = "local";
              WOODPECKER_AGENT_LABELS = "type=local";
              # WOODPECKER_BACKEND_LOCAL_TEMP_DIR="";
              # NIX_REMOTE = "daemon";
              # PAGER = "cat";
            }
          ];
        };

        # container

        podman = {
          enable = true;
          # extraGroups = [ "podman" ];
          # environmentFile = [ "/run/secrets/woodpecker/agent-secret.txt" ];
          # WOODPECKER_AGENT_SECRET="your-shared-secret-goes-here"; # openssl rand -hex 32
          # https://woodpecker-ci.org/docs/administration/configuration/backends/docker#environment-variables
          environment = lib.mkMerge [
            shared
            {
              WOODPECKER_BACKEND = "docker";
              DOCKER_HOST = "unix:///run/podman/podman.sock";
              WOODPECKER_AGENT_LABELS = "type=docker";
            }
          ];
        };
      };
  };

  virtualisation.docker = {
    enable = true;
    autoPrune = {
      enable = true;
      dates = "weekly";
    };
  };

  systemd.services.woodpecker-agent-docker = {
    after = [ "docker.socket" ];
    restartIfChanged = false;
    serviceConfig = {
      BindPaths = [ "/var/run/docker.sock" ];
    };
  };
}