diff --git a/nixos/boxes/vpsfree1/woodpecker.nix b/nixos/boxes/vpsfree1/woodpecker.nix
index 51908401..4fa39e72 100644
--- a/nixos/boxes/vpsfree1/woodpecker.nix
+++ b/nixos/boxes/vpsfree1/woodpecker.nix
@@ -10,22 +10,38 @@
   domain = "ci.cyplo.dev";
   path = "/var/lib/woodpecker";
   serverContainerName = "woodpecker-server";
-  agent = {
-    dependsOn = ["${serverContainerName}"];
-    volumes = ["/var/run/podman/podman.sock:/var/run/docker.sock"];
-    image = "woodpeckerci/woodpecker-agent@sha256:9a98e25ca6fcf7c437ad355cfce53a696c55b9864399a4d456429a20bfb44545";
-    environmentFiles = ["${config.sops.secrets.gitea-env.path}"];
-    environment = {
-      WOODPECKER_SERVER = "${serverContainerName}:${toString agentPort}";
-      WOODPECKER_MAX_PROCS = "1";
-      WOODPECKER_DEBUG_PRETTY = "true";
-      WOODPECKER_LOG_LEVEL = "info";
-    };
-    extraOptions = ["--network=woodpecker"];
+  uid = 2061;
+  gid = 3061;
+  systemUserName = "woodpecker";
+  systemGroupName = "woodpecker";
+  podmanGid = 994;
+  secretSettings = {
+    owner = systemUserName;
+    group = systemGroupName;
   };
+  woodpeckerEnvSecretName = "woodpecker-env";
+  woodpeckerEnvSecretPath = "/run/secrets/${woodpeckerEnvSecretName}";
 in {
   imports = [../nginx.nix];
 
+  users = {
+    users."${systemUserName}" = {
+      inherit uid;
+      isSystemUser = true;
+      isNormalUser = false;
+      group = systemGroupName;
+      extraGroups = ["podman"];
+    };
+    groups."${systemGroupName}" = {
+      inherit gid;
+      members = ["${systemUserName}"];
+    };
+    groups."podman" = {
+      gid = podmanGid;
+      members = ["${systemUserName}"];
+    };
+  };
+
   services.nginx = {
     virtualHosts = {
       "${domain}" = {
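Review bot: `podmanGid = 994` pins a group id that appears to sit inside the range NixOS hands out dynamically to system groups, so it can collide with a gid already allocated on this host, and nothing in the hunk records why the value has to be fixed at all. The uid/gid constants presumably exist so the ids re-declared inside the agent container match the host owner of the bind-mounted secret and podman socket; that deserves a comment at the declaration, e.g. `# uid/gid/podmanGid are pinned: the agent container re-declares the same numeric ids so the bind-mounted secret and podman socket stay accessible` plus `# TODO confirm 994 cannot clash with a dynamically allocated gid on this host`. In the `users` block, `extraGroups = ["podman"]` on the user and `members = ["${systemUserName}"]` on the `podman` group express the same membership twice; one is enough. The `let` binding run this hunk edits starts before the hunk.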
@@ -43,7 +59,19 @@ in {
     format = "binary";
   };
-  virtualisation.podman.defaultNetwork.dnsname.enable = true;
+  sops.secrets."woodpecker-env" =
+    {
+      sopsFile = ./gitea.sops;
+      format = "binary";
+      path = woodpeckerEnvSecretPath;
+    }
+    // secretSettings;
+
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.dnsname.enable = true;
+  };
+
   networking.firewall.allowedTCPPorts = [agentPort];
   virtualisation.oci-containers.containers = {
     "${serverContainerName}" = {
       image = "woodpeckerci/woodpecker-server@sha256:e6027e46a782d50790183b7274a2a2ad3a6c6fb9a645e6af81a16419613c28ea";
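Review bot: `sops.secrets."woodpecker-env" =` repeats the literal name that the new `woodpeckerEnvSecretName` binding was introduced to hold, so renaming the secret in one place would leave `path = woodpeckerEnvSecretPath;` and the container's bind mount pointing at a file that is no longer declared; use the binding, `sops.secrets."${woodpeckerEnvSecretName}" =`, so name and path agree by construction. Since `path` here equals the default `/run/secrets/<name>` location, a short comment such as `# explicit path: the same path is bind-mounted into the agent container below` would tell the reader why it is spelled out.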
@@ -56,12 +84,69 @@ in {
         WOODPECKER_GITEA = "true";
         WOODPECKER_GITEA_URL = "https://git.cyplo.dev";
       };
-      ports = ["${toString httpPort}:${toString httpPort}"];
-      extraOptions = ["--network=woodpecker"];
+      ports = [
+        "${toString httpPort}:${toString httpPort}"
+        "${toString agentPort}:${toString agentPort}"
+      ];
+    };
+  };
+  containers.woodpecker-agent1 = {
+    autoStart = true;
+    forwardPorts = [
+    ];
+    bindMounts = {
+      "${woodpeckerEnvSecretPath}" = {
+        hostPath = "${woodpeckerEnvSecretPath}";
+        isReadOnly = true;
+      };
+      "/var/run/docker.sock" = {
+        hostPath = "/var/run/podman/podman.sock";
+        isReadOnly = false;
+      };
+    };
+    config = {
+      config,
+      pkgs,
+      lib,
+      ...
+    }: {
+      system.stateVersion = "22.11";
+      users = {
+        mutableUsers = false;
+        allowNoPasswordLogin = true;
+        users."${systemUserName}" = {
+          inherit uid;
+          isSystemUser = true;
+          isNormalUser = false;
+          group = systemGroupName;
+        };
+        groups."${systemGroupName}" = {
+          inherit gid;
+          members = ["${systemUserName}"];
+        };
+        groups."podman" = {
+          gid = podmanGid;
+          members = ["${systemUserName}"];
+        };
+      };
+
+      systemd.services.woodpecker-agent = {
+        wantedBy = ["multi-user.target"];
+        environment = {
+          WOODPECKER_SERVER = "${domain}:${toString agentPort}";
+          WOODPECKER_MAX_PROCS = "1";
+          WOODPECKER_DEBUG_PRETTY = "true";
+          WOODPECKER_LOG_LEVEL = "info";
+        };
+        serviceConfig = {
+          EnvironmentFile = [
+            woodpeckerEnvSecretPath
+          ];
+          ExecStart = "${pkgs.woodpecker-agent}/bin/woodpecker-agent";
+          User = systemUserName;
+          Group = systemGroupName;
+        };
+      };
     };
-    woodpecker-agent1 = agent;
-    woodpecker-agent2 = agent;
-    woodpecker-agent3 = agent;
-    woodpecker-agent4 = agent;
   };
 }
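Review bot: The new `"${toString agentPort}:${toString agentPort}"` entry publishes the server's agent (gRPC) port on every host interface, and `networking.firewall.allowedTCPPorts = [agentPort]` in the previous hunk already admits it from outside, so an endpoint that the removed `--network=woodpecker` setup kept on a private podman network is now reachable from the network and guarded only by whatever the agent presents from the env file. Because the agent runs on this same host and the container sets no `privateNetwork`, it most likely shares the host's network namespace and can reach the server on loopback: publish with `"127.0.0.1:${toString agentPort}:${toString agentPort}"`, set `WOODPECKER_SERVER = "127.0.0.1:${toString agentPort}";`, and reconsider whether the firewall entry is still needed. Mounting `/var/run/podman/podman.sock` with `isReadOnly = false` gives the agent full control of the host's container runtime, as the removed `volumes` line did; a one-line comment at the mount stating that the agent is trusted with the host's podman would save the next reader from guessing. The empty `forwardPorts = [ ];` and the unused `config` and `lib` parameters of the container module are noise and can be dropped.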