{ pkgs, config, ... }:
let
  # Agenix-decrypted env file shared by the CI server and the agent
  # (both load it via environmentFile).
  woodpeckerSecret = config.age.secrets.woodpecker.path;
in
{
  age.secrets.woodpecker.file = ../secrets/woodpecker.age;

  # Woodpecker CI server, reachable as "cicd" through the tailproxy entry below.
  services.woodpecker-server = {
    enable = true;
    environment = {
      WOODPECKER_HOST = "https://cicd";
      # NOTE(review): open registration is on, so any account the forge addon
      # authenticates can sign up; only WOODPECKER_ADMIN gets admin rights.
      WOODPECKER_OPEN = "true";
      # Custom forge addon (gitpecker) instead of a built-in forge integration.
      WOODPECKER_ADDON_FORGE = "${pkgs.lib.getExe pkgs.jolheiser.gitpecker}";
      WOODPECKER_ADMIN = "jolheiser";
      WOODPECKER_SERVER_ADDR = ":2423";
      # Bare repos served by ugit; read access is granted via the
      # SupplementaryGroups override further down.
      GITPECKER_REPOS = "/var/lib/ugit/repos";
      GITPECKER_URL = "https://git.jolheiser.com";
      GITPECKER_PROVIDER = "https://id.jolheiser.com";
      # OAuth client identifier (the client secret is expected to come from the
      # env file, not from this module).
      GITPECKER_CLIENT_ID = "6975ecea-ce29-48f0-ad8d-323e419f7732";
      GITPECKER_REDIRECT = "https://cicd/authorize";
      GITPECKER_LOG_FILE = "/var/lib/woodpecker-server/gitpecker.log";
    };
    environmentFile = [ woodpeckerSecret ];
  };

  # Single build agent running pipelines in containers on the local podman.
  services.woodpecker-agents.agents."007" = {
    enable = true;
    path = [
      pkgs.git
      pkgs.git-lfs
      pkgs.bash
      pkgs.coreutils
      pkgs.woodpecker-plugin-git
    ];
    environment = {
      WOODPECKER_BACKEND = "docker";
      # Talks to podman through its Docker-compatible socket (dockerCompat below).
      DOCKER_HOST = "unix:///run/podman/podman.sock";
    };
    # NOTE(review): the "podman" group gives the agent control of the system
    # podman socket, which is generally root-equivalent on the host; treat
    # every pipeline this agent runs as fully trusted code.
    extraGroups = [ "podman" ];
    environmentFile = [ woodpeckerSecret ];
  };

  # Expose the server on the tailnet under the "cicd" hostname.
  services.tailproxy.woodpecker = {
    enable = true;
    hostname = "cicd";
    port = 2423;
    # One-time key
    # NOTE(review): a Tailscale auth key is committed here in plaintext and
    # stays in git history; even a one-time key should live in an age secret
    # like the woodpecker one, and this value should be revoked in the
    # tailnet admin console once the node has joined.
    authKey = "tskey-auth-kgrGNGArZw11CNTRL-rA3rdahB1dEobvWZraPhcEpHp2BVBcYh";
  };

  # Lets the server unit read the ugit-owned repository directory.
  systemd.services.woodpecker-server.serviceConfig.SupplementaryGroups = [ "ugit" ];

  virtualisation.containers.enable = true;
  virtualisation.podman = {
    enable = true;
    dockerCompat = true;
    defaultNetwork.settings.dns_enable = true;
  };

  # DNS for containers on the default network (dns_enable above); opened only
  # on podman bridge interfaces, not on the host's external interfaces.
  networking.firewall.interfaces."podman+".allowedUDPPorts = [ 53 ];
  networking.firewall.interfaces."podman+".allowedTCPPorts = [ 53 ];
}