diff --git a/.sops.yaml b/.sops.yaml index 9e0715b..93fe38f 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -17,6 +17,7 @@ keys: - &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0 - &host_age_yate age1kxzl00cfa5v926cvtcp0l3fncwh6fgmk8jvpf4swkl4vh3hv9e5qyqsrnt - &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae + - &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch creation_rules: - path_regex: config/hosts/git/.* key_groups: @@ -130,6 +131,22 @@ creation_rules: - *admin_gpg_dante age: - *host_age_mjolnir + - path_regex: config/hosts/woodpecker/.* + key_groups: + - pgp: + - *admin_gpg_djerun + - *admin_gpg_stb + - *admin_gpg_jtbx + - *admin_gpg_yuri + - *admin_gpg_june + - *admin_gpg_haegar + - *admin_gpg_dario + - *admin_gpg_echtnurich + - *admin_gpg_max + - *admin_gpg_c6ristian + - *admin_gpg_dante + age: + - *host_age_woodpecker - key_groups: - pgp: - *admin_gpg_djerun diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix new file mode 100644 index 0000000..45e228e --- /dev/null +++ b/config/hosts/woodpecker/configuration.nix @@ -0,0 +1,7 @@ +{ config, pkgs, ... }: + +{ + networking.hostName = "woodpecker"; + + system.stateVersion = "24.05"; +} diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix new file mode 100644 index 0000000..1db0c8c --- /dev/null +++ b/config/hosts/woodpecker/default.nix @@ -0,0 +1,11 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./woodpecker-agent + ./woodpecker-server + ./configuration.nix + ./networking.nix + ./sops.nix + ]; +} diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix new file mode 100644 index 0000000..17fa56c --- /dev/null +++ b/config/hosts/woodpecker/networking.nix @@ -0,0 +1,23 @@ +# Sources for this configuration: +# - https://nixos.wiki/wiki/Networking + +{ ... }: + +{ + networking.interfaces.net0 = { + ipv4.addresses = [ + { + address = "172.31.17.160"; + prefixLength = 25; + } + ]; + }; + networking.defaultGateway = "172.31.17.129"; + networking.nameservers = [ "212.12.50.158" "192.76.134.90" ]; + networking.search = [ "hamburg.ccc.de" ]; + + systemd.network.links."10-net0" = { + matchConfig.MACAddress = "BC:24:11:5F:A9:B7"; + linkConfig.Name = "net0"; + }; +} diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml new file mode 100644 index 0000000..f7b11ce --- /dev/null +++ b/config/hosts/woodpecker/secrets.yaml @@ -0,0 +1,234 @@ +woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] +woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP + bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt + Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS + UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 + YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-22T00:01:07Z" + mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str] + pgp: + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK + y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP + GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn + JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb + c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz + 85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9 + iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY + z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k + NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV + j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY + kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU + aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo + TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j + zkj4zG7btJRv + =sgSP + -----END PGP MESSAGE----- + fp: EF643F59E008414882232C78FFA8331EEB7D6B70 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf + 00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF + iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4 + B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8 + 5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9 + Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz + V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU + mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll + NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+ + ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS + 4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS + XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH + 2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8= + =KZWk + -----END PGP MESSAGE----- + fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj + P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n + 7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu + 6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T + tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7 + AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA + Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR + 7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7 + EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR + RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz + //4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS + XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy + bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY= + =xc00 + -----END PGP MESSAGE----- + fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q + qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2 + cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx + 4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp + M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0 + rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN + SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0 + rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+ + EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA + fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx + 1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S + XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU + gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA= + =2cbn + -----END PGP MESSAGE----- + fp: 87AB00D45D37C9E9167B5A5A333448678B60E505 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+ + dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6 + N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL + x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r + ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4 + vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7 + HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV + ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH + N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU + NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk + VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S + XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5 + 70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A= + =m4ec + -----END PGP MESSAGE----- + fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf + udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne + aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou + STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo + NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr + UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs + 9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc + PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF + tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ + bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch + Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS + XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG + EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg= + =5Ijl + -----END PGP MESSAGE----- + fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84 + PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge + ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0 + o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w + AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep + PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD + w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo + i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI + Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF + NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc + 2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS + XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG + /6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU= + =g4RA + -----END PGP MESSAGE----- + fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn + PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke + gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N + muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R + vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC + pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+ + cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ + zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY + SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT + OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E + J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS + XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk + fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg= + =4Xvm + -----END PGP MESSAGE----- + fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL + 6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP + wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq + 9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf + a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi + HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3 + 76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5 + rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV + Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0 + 1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1 + DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S + XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk + o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM= + =WLCQ + -----END PGP MESSAGE----- + fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw + yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw + 0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ + 09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO + =hxWV + -----END PGP MESSAGE----- + fp: B71138A6A8964A3C3B8899857B4F70C356765BAB + - created_at: "2024-06-21T22:42:59Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA + 6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m + h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz + h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo + yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD + 6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV + vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9 + J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB + sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH + gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a + kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS + XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR + DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo= + =9C2P + -----END PGP MESSAGE----- + fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix new file mode 100644 index 0000000..b4548ed --- /dev/null +++ b/config/hosts/woodpecker/sops.nix @@ -0,0 +1,7 @@ +{ ... }: + +{ + sops = { + defaultSopsFile = ./secrets.yaml; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix new file mode 100644 index 0000000..1b51267 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/default.nix @@ -0,0 +1,8 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./podman.nix + ./woodpecker-agent.nix + ]; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/podman.nix b/config/hosts/woodpecker/woodpecker-agent/podman.nix new file mode 100644 index 0000000..08b0312 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/podman.nix @@ -0,0 +1,13 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/backends/docker +# - https://nixos.wiki/wiki/Podman + +{ config, pkgs, ... }: + +{ + virtualisation.podman = { + enable = true; + defaultNetwork.settings.dns_enabled = true; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix new file mode 100644 index 0000000..6ad5cbf --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix @@ -0,0 +1,27 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/agent-config +# - https://woodpecker-ci.org/docs/administration/backends/docker + +{ config, pkgs, pkgs-unstable, ... }: + +{ + services.woodpecker-agents.agents."podman" = { + enable = true; + # Since we use woodpecker-server from unstable, use the agent from unstable as well. + package = pkgs-unstable.woodpecker-agent; + extraGroups = [ "podman" ]; + environment = { + WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; + WOODPECKER_MAX_WORKFLOWS = "4"; + WOODPECKER_BACKEND = "docker"; + DOCKER_HOST = "unix:///run/podman/podman.sock"; + # Set via enviornmentFile: + # WOODPECKER_AGENT_SECRET + }; + environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ]; + }; + + # Remainder defined in ../woodpecker-server/woodpecker-server.nix + sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ]; +} diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix new file mode 100644 index 0000000..a713746 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-server/default.nix @@ -0,0 +1,9 @@ +{ config, pkgs, ... }: + +{ + imports = [ + ./nginx.nix + ./postgresql.nix + ./woodpecker-server.nix + ]; +} diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix new file mode 100644 index 0000000..962183c --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-server/nginx.nix @@ -0,0 +1,57 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/proxy + +{ config, pkgs, ... }: + +{ + services.nginx = { + enable = true; + + virtualHosts."acme-woodpecker.hamburg.ccc.de" = { + default = true; + enableACME = true; + serverName = "woodpecker.hamburg.ccc.de"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + virtualHosts."woodpecker.hamburg.ccc.de" = { + default = true; + forceSSL = true; + useACMEHost = "woodpecker.hamburg.ccc.de"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + locations."/" = { + proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}"; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + + networking.firewall.allowedTCPPorts = [ 8443 31820 ]; + networking.firewall.allowedUDPPorts = [ 8443 ]; +} diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix new file mode 100644 index 0000000..e715650 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-server/postgresql.nix @@ -0,0 +1,18 @@ +# Sources for this configuration: +# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069 + +{ config, pkgs, ... }: + +{ + services.postgresql = { + enable = true; + package = pkgs.postgresql_15; + ensureDatabases = [ "woodpecker-server" ]; + ensureUsers = [ + { + name = "woodpecker-server"; + ensureDBOwnership = true; + } + ]; + }; +} diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix new file mode 100644 index 0000000..baff752 --- /dev/null +++ b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix @@ -0,0 +1,56 @@ +# Sources for this configuration: +# - https://woodpecker-ci.org/docs/administration/deployment/nixos +# - https://woodpecker-ci.org/docs/administration/server-config +# - https://woodpecker-ci.org/docs/administration/database +# - https://woodpecker-ci.org/docs/administration/forges/forgejo +# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING + +{ config, pkgs, pkgs-unstable, ... }: + +{ + services.woodpecker-server = { + enable = true; + # Use package from unstable to get at least version 2.6.0 for native Forgejo support. + # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0 + package = pkgs-unstable.woodpecker-server; + environment = { + WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; + WOODPECKER_SERVER_ADDR = ":8001"; + WOODPECKER_GRPC_ADDR = ":9000"; + WOODPECKER_ADMIN = "june"; + WOODPECKER_OPEN = "true"; + WOODPECKER_ORGS = "CCCHH"; + WOODPECKER_DATABASE_DRIVER = "postgres"; + WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; + WOODPECKER_FORGEJO = "true"; + WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; + # Set via enviornmentFile: + # WOODPECKER_FORGEJO_CLIENT + # WOODPECKER_FORGEJO_SECRET + # WOODPECKER_AGENT_SECRET + }; + environmentFile = [ + "/run/secrets/woodpecker_server_environment_file" + "/run/secrets/woodpecker_agent_secret_environment_file" + ]; + }; + + systemd.services.woodpecker-server.serviceConfig = { + User = "woodpecker-server"; + Group = "woodpecker-server"; + }; + + sops.secrets."woodpecker_server_environment_file" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "woodpecker-server.service" ]; + }; + + sops.secrets."woodpecker_agent_secret_environment_file" = { + mode = "0440"; + owner = "root"; + group = "root"; + restartUnits = [ "woodpecker-server.service" ]; + }; +} diff --git a/deployment_configuration.json b/deployment_configuration.json index 94ff2f0..eb59412 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -26,6 +26,9 @@ }, "mjolnir": { "targetHostname": "mjolnir-intern.hamburg.ccc.de" + }, + "woodpecker": { + "targetHostname": "woodpecker-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index 9abe577..6b3303a 100644 --- a/flake.nix +++ b/flake.nix @@ -212,6 +212,19 @@ ./config/hosts/mjolnir ]; }; + + woodpecker = nixpkgs.lib.nixosSystem { + inherit system; + modules = [ + ./config/common + ./config/proxmox-vm + sops-nix.nixosModules.sops + ./config/hosts/woodpecker + ]; + specialArgs = { + inherit pkgs-unstable; + }; + }; }; packages.x86_64-linux = {