+30 -42

hosts/profiles/woodpecker-agent/default.nix

reviewed

··· 5 5 group = "woodpecker-runner"; 6 6 home = "/var/lib/woodpecker"; 7 7 createHome = true; 8 8 + extraGroups = [ "docker" ]; 8 9 }; 9 10 users.groups.woodpecker-runner = { }; 10 11 # Allow the exec runner to write to build with nix ··· 13 14 age.secrets.woodpecker-agent-secret.owner = "woodpecker-runner"; 14 15 age.secrets.woodpecker-agent-secret.file = "${self}/secrets/woodpecker-agent-secret.age"; 15 16 16 16 - systemd.services.woodpecker-runner-exec = { 17 17 + systemd.services.woodpecker-agent = { 17 18 enable = true; 18 18 - wantedBy = [ "multi-user.target" ]; 19 19 ### MANUALLY RESTART SERVICE IF CHANGED 20 20 restartIfChanged = true; 21 21 - confinement.enable = true; 22 22 - confinement.packages = [ 23 23 - pkgs.git 24 24 - pkgs.gnutar 25 25 - pkgs.bash 26 26 - pkgs.nixFlakes 27 27 - pkgs.gzip 28 28 - ]; 29 29 - path = [ 30 30 - pkgs.git 31 31 - pkgs.gnutar 32 32 - pkgs.bash 33 33 - pkgs.nixFlakes 34 34 - pkgs.gzip 35 35 - ]; 21 21 + # confinement.enable = true; 22 22 + # confinement.packages = [ 23 23 + # pkgs.git 24 24 + # pkgs.gnutar 25 25 + # pkgs.bash 26 26 + # pkgs.nixFlakes 27 27 + # pkgs.gzip 28 28 + # ]; 29 29 + # path = [ 30 30 + # pkgs.git 31 31 + # pkgs.gnutar 32 32 + # pkgs.bash 33 33 + # pkgs.nixFlakes 34 34 + # pkgs.gzip 35 35 + # ]; 36 36 serviceConfig = { 37 37 + Type = "simple"; 37 38 Environment = [ 38 39 "WOODPECKER_RUNNER_CAPACITY=6" 39 39 - "WOODPECKER_RUNNER_NAME=woodpecker-agent" 40 40 + # "WOODPECKER_RUNNER_NAME=woodpecker-agent" 40 41 "WOODPECKER_SERVER=https://ci.sealight.xyz/" 41 41 - "WOODPECKER_HOSTNAME=mossnet" 42 42 - "WOODPECKER_BACKEND=local" 43 43 - "NIX_REMOTE=daemon" 44 44 - "PAGER=cat" 45 45 - ]; 46 46 - BindPaths = [ 47 47 - "/nix/var/nix/daemon-socket/socket" 48 48 - "/run/nscd/socket" 49 49 - "/var/lib/woodpecker" 50 50 - "/var/empty/usr" 51 51 - ]; 52 52 - BindReadOnlyPaths = [ 53 53 - "/etc/passwd:/etc/passwd" 54 54 - "/etc/group:/etc/group" 55 55 - "/nix/var/nix/profiles/system/etc/nix:/etc/nix" 56 56 - "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" 57 57 - "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts" 58 58 - "${builtins.toFile "ssh_config" '' 59 59 - Host git.sealight.xyz 60 60 - ForwardAgent yes 61 61 - ''}:/etc/ssh/ssh_config" 62 62 - "/etc/machine-id" 63 63 - "/etc/resolv.conf" 64 64 - "/nix/" 42 42 + # "WOODPECKER_HOSTNAME=mossnet" 43 43 + # "WOODPECKER_BACKEND=local" 44 44 + # "NIX_REMOTE=daemon" 45 45 + # "PAGER=cat" 46 46 + # "WOODPECKER_LOG_LEVEL=debug" 65 47 ]; 48 48 + WorkingDirectory = "/var/lib/woodpecker"; 49 49 + # Runtime directory and mode 50 50 + RuntimeDirectory = "woodpecker"; 51 51 + RuntimeDirectoryMode = "0755"; 52 52 + # Access write directories 53 53 + ReadWritePaths = [ "/var/lib/woodpecker" ]; 66 54 EnvironmentFile = [ 67 55 /run/agenix/woodpecker-agent-secret 68 56 ];

+11 -12

hosts/profiles/woodpecker-server/default.nix

reviewed

··· 1 1 - { self, ... }: 1 1 + { self, pkgs, config, ... }: 2 2 { 3 3 age.secrets.woodpecker-server-secrets.owner = "woodpecker"; 4 4 age.secrets.woodpecker-server-secrets.file = "${self}/secrets/woodpecker-server-secrets.age"; ··· 10 10 description = "woodpecker user"; 11 11 home = "/var/lib/woodpecker"; 12 12 createHome = true; 13 13 + isNormalUser = true; 13 14 }; 14 15 15 16 users.groups.woodpecker = { }; ··· 17 18 services.nginx.virtualHosts."ci.sealight.xyz" = { 18 19 enableACME = true; 19 20 forceSSL = true; 20 20 - locations."/".proxyPass = "http://localhost:3030/"; 21 21 + locations."/".proxyPass = "http://localhost:38125"; 21 22 }; 22 23 24 24 + networking.firewall.allowedTCPPorts = [ 80 443 22 ]; 25 25 + 23 26 services.postgresql = { 24 27 ensureDatabases = [ "woodpecker" ]; 25 28 ensureUsers = [{ ··· 33 36 systemd.services.woodpecker-server = { 34 37 wantedBy = [ "multi-user.target" ]; 35 38 serviceConfig = { 39 39 + WorkingDirectory = "/var/lib/woodpecker"; 36 40 EnvironmentFile = [ 37 41 /run/agenix/woodpecker-server-secrets 38 42 /run/agenix/woodpecker-agent-secret 39 43 ]; 40 44 Environment = [ 41 41 - "WOODPECKER_OPEN=true" 45 45 + "WOODPECKER_OPEN=false" 46 46 + "WOODPECKER_HOST=https://ci.sealight.xyz" 47 47 + "WOODPECKER_SERVER_ADDR=:38125" 42 48 43 49 "WOODPECKER_GITEA=true" 44 50 "WOODPECKER_GITEA_URL=https://git.sealight.xyz" 45 51 46 52 "WOODPECKER_DATABASE_DATASOURCE=postgres:///woodpecker?host=/run/postgresql" 47 53 "WOODPECKER_DATABASE_DRIVER=postgres" 48 48 - "WOODPECKER_SERVER_PORT=:3030" 49 54 "WOODPECKER_USER_CREATE=username:aynish,admin:true" # set your admin username 50 50 - "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" 51 51 - "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts" 52 52 - "${builtins.toFile "ssh_config" '' 53 53 - Host git.sealight.xyz 54 54 - ForwardAgent yes 55 55 - ''}:/etc/ssh/ssh_config" 56 55 ]; 57 56 ExecStart = "${pkgs.woodpecker-server}/bin/woodpecker-server"; 58 58 - User = woodpecker; 59 59 - Group = woodpecker; 57 57 + User = "woodpecker"; 58 58 + Group = "woodpecker"; 60 59 }; 61 60 }; 62 61