Add woodpecker host running a woodpecker-server and -agent for CI
This commit is contained in:
parent
dfcb961fd3
commit
df17b25009
15 changed files with 503 additions and 0 deletions
17
.sops.yaml
17
.sops.yaml
|
@ -16,6 +16,7 @@ keys:
|
|||
- &host_age_netbox age13fqs76z2vl5l84dvmmlqjj5xkfsfe85xls8uueul7re9j3ksjs0sw2xc9e
|
||||
- &host_age_public_web_static age19s7r8sf7j6zk24x9vumawgxpd2q8epyv7p9qsjntw7v9s3v045mqhmsfp0
|
||||
- &host_age_mjolnir age1ej52kwuj8xraxdq685eejj4dmxpfmpgt4d8jka98rtpal6xcueqq9a6wae
|
||||
- &host_age_woodpecker age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
|
||||
creation_rules:
|
||||
- path_regex: config/hosts/git/.*
|
||||
key_groups:
|
||||
|
@ -113,6 +114,22 @@ creation_rules:
|
|||
- *admin_gpg_dante
|
||||
age:
|
||||
- *host_age_mjolnir
|
||||
- path_regex: config/hosts/woodpecker/.*
|
||||
key_groups:
|
||||
- pgp:
|
||||
- *admin_gpg_djerun
|
||||
- *admin_gpg_stb
|
||||
- *admin_gpg_jtbx
|
||||
- *admin_gpg_yuri
|
||||
- *admin_gpg_june
|
||||
- *admin_gpg_haegar
|
||||
- *admin_gpg_dario
|
||||
- *admin_gpg_echtnurich
|
||||
- *admin_gpg_max
|
||||
- *admin_gpg_c6ristian
|
||||
- *admin_gpg_dante
|
||||
age:
|
||||
- *host_age_woodpecker
|
||||
- key_groups:
|
||||
- pgp:
|
||||
- *admin_gpg_djerun
|
||||
|
|
7
config/hosts/woodpecker/configuration.nix
Normal file
7
config/hosts/woodpecker/configuration.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
networking.hostName = "woodpecker";
|
||||
|
||||
system.stateVersion = "24.05";
|
||||
}
|
11
config/hosts/woodpecker/default.nix
Normal file
11
config/hosts/woodpecker/default.nix
Normal file
|
@ -0,0 +1,11 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./woodpecker-agent
|
||||
./woodpecker-server
|
||||
./configuration.nix
|
||||
./networking.nix
|
||||
./sops.nix
|
||||
];
|
||||
}
|
23
config/hosts/woodpecker/networking.nix
Normal file
23
config/hosts/woodpecker/networking.nix
Normal file
|
@ -0,0 +1,23 @@
|
|||
# Sources for this configuration:
|
||||
# - https://nixos.wiki/wiki/Networking
|
||||
|
||||
{ ... }:
|
||||
|
||||
{
|
||||
networking.interfaces.net0 = {
|
||||
ipv4.addresses = [
|
||||
{
|
||||
address = "172.31.17.160";
|
||||
prefixLength = 25;
|
||||
}
|
||||
];
|
||||
};
|
||||
networking.defaultGateway = "172.31.17.129";
|
||||
networking.nameservers = [ "212.12.50.158" "192.76.134.90" ];
|
||||
networking.search = [ "hamburg.ccc.de" ];
|
||||
|
||||
systemd.network.links."10-net0" = {
|
||||
matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
|
||||
linkConfig.Name = "net0";
|
||||
};
|
||||
}
|
234
config/hosts/woodpecker/secrets.yaml
Normal file
234
config/hosts/woodpecker/secrets.yaml
Normal file
|
@ -0,0 +1,234 @@
|
|||
woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
|
||||
woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
azure_kv: []
|
||||
hc_vault: []
|
||||
age:
|
||||
- recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
|
||||
enc: |
|
||||
-----BEGIN AGE ENCRYPTED FILE-----
|
||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRQlN5NmlaUjR5dGJ3Y3BP
|
||||
bW4rWm1KaVFsbytwZDQ1QjV1d1VEOEZlSTJ3Cmgxc1BmMnBmWjRyNmNDWmpWcnJt
|
||||
Q3lBZUFOY3FtREFUYmhJNCtKcTUxY0kKLS0tIHhKbVVBYjN4WHRzdERNbkRQeHlS
|
||||
UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
|
||||
YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-06-22T00:01:07Z"
|
||||
mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str]
|
||||
pgp:
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAxK/JaB2/SdtAQ//QR84p3zGjW2CtPcPxlmdYui5nx8FV3MHog4R24s4RKNK
|
||||
y4n9993z8m3y2at4yIWDi4LBKrhm/6mSLBHfoxnuiptoaSXSWXfaXebXkYiinkyP
|
||||
GMvwegN6KkRZh4stJMD7W0g7w/trkNEAvPDoInqCnvT4NomrKIV+ZrZuCBLd1tXn
|
||||
JRd2tsH8yYzoZr/PJBBDTZtke/nbosb6drjgG6ow/eHyF++HxKNTWfjCiWn4AWSb
|
||||
c/E1VWsigYdBs8XSTbBkfSLr/b5FcXYb8tyy4gpGe9zOrxc7cW5diK5+x4bM8FHz
|
||||
85ShPA5S3PXXEnuifuk/ZK8+CEYWUS3MXUhuEFUo7F3Pt/Eb+5CtfTX6kvMe1xe9
|
||||
iqFAsRce/qm9Evns4ygZ4+LoI2ro2HFwgQ2fu1gi7PyZsDyW5eRL5P+vfxPUOxYY
|
||||
z9cXXo+U1NEzWMDEBWt4mgoW9URye6O3k+WLQmYbQIhDkftUYmvRrPYQvP282m4k
|
||||
NMucRIRUMkx7rpRQQP8yU6AlgZ1LsOmruV4XJYVxsTpSZq7YgTQP4kd3wMgBhwOV
|
||||
j3hGc9gI9Sq06SdyU0C8PuUHt+mZGkVnYIOTw6BXHgY1tK8X5XnWK4NJXL9bR0pY
|
||||
kfzDWLjD0hiiM3QYqieTbnDUiVTDGyf7Cop+EifYvy7um+CPjlYLLkDkEsWcy/HU
|
||||
aAEJAhDEzP5eiU1e01GSNbWL49ghD7DqZiYdo0F/BGMk6jQloM1HUDnkhgBhVSZo
|
||||
TjNPV3UFBxeRnT5DvouD6uJ8SDs42ARdb4F80vJVHknt0yBvGWfCQsXqKwuRDd1j
|
||||
zkj4zG7btJRv
|
||||
=sgSP
|
||||
-----END PGP MESSAGE-----
|
||||
fp: EF643F59E008414882232C78FFA8331EEB7D6B70
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA6EyPtWBEI+2AQ//V6IIW3Hr3xuQWOWitDGn1bo+x95jePPpXNayKGJuaSMf
|
||||
00gaOyMpqP5hRd3lEQRyqHgPtmszlGrxq2y77CxnnZMbE6n+axwQQLoMzROBGyGF
|
||||
iqe6hNbNFZPjWv5BTAl3iOHWrw3x/TpgcNmSBDfctU+CZlMWzCMuXJw1bK57wQd4
|
||||
B6xcoBxidK55Ubc7GQ8mlAEuZ89fYorTRBfv2rBgUh8ZAAsUmn1jEz7HsQMMd2a8
|
||||
5V4TzicdzXO2cZ+0DqU8Xqt5U9C0IjGgZRPzDYkh7slkbyYomAIfCq+zN5ieecz9
|
||||
Mp8vvuMYfT66P+heNRZ7w/sgmGlarcmNKlOcXlakVYm5qVddPMx6M5Ovl4O5sABz
|
||||
V4O4NRehYx0XFbjzXr59LCzpusS9xQoh49288dLTFudOInHUYq6ss0TbGfFJMDYU
|
||||
mjHokzdG3ds8C9/lMR82X9rbyZDchUytHUwX4eGxUDMmhydFpgJko0bbozPbE2ll
|
||||
NTlWegCc1yrkSGn6U9EYKtibitJnIMdas5HapcErMH2vYILsJOl9ifG1GIsuWe1+
|
||||
ipPyZy7jqP7p18WCcDnUhgaGdQ67UjSLqX2zz0SZDcfI46SUeyeSelFVpTlmKriS
|
||||
4bW6hC1FSe+bLkPZ0y5aRLgL5ipK6jdlZepAj/DNXdKAtchLHcddF3rKdBdzsxrS
|
||||
XgFvvZPgj1JleYr+q/+ju4k1d4cE0HnQZIBnkAfKXZHwSPCw1d9vbeLipuRTJrEH
|
||||
2CpOjtiXl3S2ZcCS1ama9lgAqPBOOoH7jgHvoCzqfkBsi3/QlIpQs+C8ro4hXE8=
|
||||
=KZWk
|
||||
-----END PGP MESSAGE-----
|
||||
fp: F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAz5uSgHG2iMJARAA5+vcORn/YX2bHcAno9KCUGTzeiCP/DOoSePMdsCAmABj
|
||||
P8XoYJOyZoZgW3qgvtKZ4pLGB26FuJXC2y6Z3yyQ4Xj2PeBj1og9xM8p7GnF6T6n
|
||||
7wqALwJOamyer3A+OXx2Gc8kZ0ObqgBbbn5QTPnHzsRljC3Irgk+ZZE8ZRshoPmu
|
||||
6TEuMW0NT5INmijtPAxer/eaAor3KKxMTf+sqqr/VGNopAyFUCGZynlnjcei6X+T
|
||||
tVKh6zqr/eaTlnhoP2kr4u+wKcHvLV8an8sfsyIGL90O11LNcX8Sf4EyPDYSXOe7
|
||||
AXTFcvfw9+ALu3cbTVPN0aI2e8fCir2S00F8x28Ffc2xDSrXjWEDCXLuRNVXz5KA
|
||||
Mjq4afyQN6mtVZ6ZmtvaLQoG8D2f2sGzvrsBjaXwxPLHKPpUFZVBiiP0C08yokUR
|
||||
7FrYaOjnvQVALLxGJMAhMf02g2dYDFxMw18cY2a+bLrYUVd9EMbuFwCJNzmU0of7
|
||||
EpSvXrA0wTKddk+vL3JoJgIrOxz2IQbaC24NiCUzbyakhT+qDX/oXXILxL2x0GfR
|
||||
RaTL1inkTQO//ooAjlPeMA3OIDQo5CdoV4VlvSUgagYfDvMfDCAO04Xxvezh1uvz
|
||||
//4Jz13+LFoUgbtVUYiT4oqWyfTKOV0D8ILYWKZJtjJt4TeYpEfbQFEzIYyF3OHS
|
||||
XgE7aGyB0ArPBovSr55eQGmW+FaeG1VtH7TRLU367FyQmGep5O2SUxQXqFFiWyDy
|
||||
bseIYdRqNsmlgdXBnADdkVCFJtF4C/VA2DOk+wOO8XtQoMQ8zrIl+0Viq1s66OY=
|
||||
=xc00
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAw5vwmoEJHQ1AQ//abtgoFEWd+zbeSbiwey8nCNQUSklHV9kbLuBK8+ipX/Q
|
||||
qjweWnnPVN6ODhgfXm93k1tSqeJjYqjqfxVsAEUiXC61UhvS6JBZuVUt4nRUWHk2
|
||||
cdu3eKlBx7Nhm6th1gZ+Wf7PcryT5fmJQP5a8VEM/nUuRjnAmG7RuSiWbNzBbTDx
|
||||
4jh4GTvlFkupxZvLsXYf2T+7qn0eHymdQI8+5WSHQH6kApBvINYoq1m55it5ilEp
|
||||
M0tYNFMzi10OjKVbNRQXuKhROzzYGtW8qWGtc33WBB5rvkRVelSDmleTbRywWjE0
|
||||
rNo7vj97SbmGdCHydzcEwPIBOd11ZgFWpamX/36ALeKCxgHgc3HsnjIkDsEffpoN
|
||||
SFHAhyYqXTDRqq5/HuBQBDBJLVVcIbqlJo3us47gI3rhojjSayzTBd5TnGOZt5N0
|
||||
rFOqoZ1i3vf3C5sjKivTzCJ/P3yFgD271hQjv49jSqXgSF8ZIvzaDr0xLiy+XnZ+
|
||||
EsUyqxZBKWy246BtyZ4qBvRjVKbezpxQFh6MzxccY+toUaG2v2I5muvFJRHe7qEA
|
||||
fT6XDl7W6aQ/RBL/Ij9OWYvCMWS27mzkLQi0uBH5gyA1t6Bg9O6+CjGpK6Mmd8fx
|
||||
1Q2Ml5ClzLnEq94FX3f2hpqLdSlwREPoBYULeJNr+WhayDvfRjuh5+MvN+wjbs/S
|
||||
XgGYwgGCrFmzXN1mWElNGc3+3sMEpiuvJp6Z1nRfr17YvIPUrtCU7zVHWR1lWFKU
|
||||
gjJacBX/Qw9Kly+5jADM0UorWkZxaby+q+j8rN43nPatjDlDRI+BrNta0l0ulOA=
|
||||
=2cbn
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA4HMJd/cQYrVARAAu8l79uJlVLz++foLhk83zrPSZsX+1TQduJl06Kx2VrJ+
|
||||
dZX/0okzpHmHeZGhGH+e1Gv7MpyM4UxAGwE03NIk32p43LF/biad0zc4TB8yr9r6
|
||||
N3Sr/ZbaB0oYC/K4r1Sj8W1XWmuYZB8lc1dyfwhf96KIXGutvG22O5XI0pOA9yHL
|
||||
x4AWt8OHYsaWCt941M6pbFtBsJEl/TaKgYF7YNITvsfj/oG7cPESKLOkcJdmhN1r
|
||||
ADpJRcs6rVvMLWxUBjZICqZvDlwnXK5gCu30MmLs/oQbFmHjBRB01Ird+Mb5e6l4
|
||||
vrYC+zO3RG3dZ+VXJD0rBn+56nDMtiKISJCy4I4Vz/ekwx94cIci+BlD9/3YYix7
|
||||
HVgR6flBgInZEvaBxyj2e0G5i2gKvYTfea5+6bwPpszLUaYba/YLQQ2mSXcwWPsV
|
||||
ipuNSjJ8swK2OpOFTfzs7Ua1OZChCOhhduxiKCwASYrbncfexObsQfeobj3wrwXH
|
||||
N4M+h5ghm+y7UFKDW+gfN79WGfltWiMdy9vZNwwEYF0NE8jkwPfIt2dLvyU73MFU
|
||||
NivYWp6kUj+gbLkb3gLClAi4CyYqNQyBjbKEbt+470UIMZ44WWMEJy7bMwAVzLBk
|
||||
VxBHphqSuP04pgb5a+PHPApCZC6KEntnW1zX+DKrCn3/+NhoD6COhCvetWxq4f7S
|
||||
XgFop4XZPWYJb6ypqkFLbkHIg7tCbr/xae4HABncVj0BaS1Z7TBdMiGi8SQvHti5
|
||||
70rNGZIpQe/59DmBrLT06VdQRY5rt20bDoN+DaUrE2tc0k5h+uwI71TG4//Db2A=
|
||||
=m4ec
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAxjNhCKPP69fAQ//Tz2g90bOkkY942MaLO5/k8MFMf4QEDMZAiw9tVZ39Rqf
|
||||
udMTcGyOX6zLzr+xxNX3gwn8X+bl0yw4Tg/FiyOzl9RjMZDxvzUaj1gYZI9kKPne
|
||||
aEmAYcP2mv+ITUDnApZonDZE5hUnLGAyfEZMU6ExF9XkU94dXFdU4nd+gF5XHzou
|
||||
STiNryBYaxWP1WMkW4SlZqdJiCfrkI0Z7iTF86QtXN5S8qLSIyjP3hIv5QxJg5Xo
|
||||
NwK5IXQhV/0ZHp1Wl8Xys2iUw3iuwPga7sBrMHdJ0PHVBg3Wg/bG7YtrfEAfUbcr
|
||||
UHt9rNGFZluuqNctvcvkSUjv5DISCgl8lSSbzC8DK/vT9o0DQYWvySNpVwXO3tqs
|
||||
9aCxKc8trCXrd9qePnO259Ni0ALRjyh/GHZipzhZo/mgyUWc5nAdTLM49MsmAKHc
|
||||
PnBBSntXnVHfFoFvgyBAmyISVuH/L5j8mezQ/37AevcTfuWemjDRGWIiIJZ73CyF
|
||||
tG6ida5En9QouMO18gKBBzfR/2s6tt60bEp4bE3j2rRgEhwblBfl1NtGSw2WGVVZ
|
||||
bU8KormLDT8aurMIp/Rd1pzAxDpEhDa13TV1IfRECOQvY35aBC59upt+XLwJ83ch
|
||||
Zgi5cRGtSoj1G9OziQGCtJjGqkZoFy7Htou6AyFUEln+2Px0EKGJC3yCUcOF0orS
|
||||
XgEtK2wEJNnJ84LctjrRM4ZSeb/8nycfWiR9riJi1lq6J+WSeiGME3cvhgObDTtG
|
||||
EwuAjG6vhwUdr3aovsENQhvHnQWID844CeBtB9jMHbFJy41vbt0rC0JJG/6RoRg=
|
||||
=5Ijl
|
||||
-----END PGP MESSAGE-----
|
||||
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA1Hthzn+T1OoAQ//dwisvTFgYUCFICbaNZ+8jttF4lTQ2fjdP6UHb0evav84
|
||||
PUYpqUfmMF1BUvxDx0rwzzP1OaSKuesxAG46i1Nha1Tq/LOURtzZtXPW4+xSHWge
|
||||
ifbcbGTBkACviKkRuVUqaQBAbzDnFIHtcQy7nbILmzM0aRwm1IC1WzKpPRBgzAy0
|
||||
o/UE4geZjPuNqkix4mcLz8sXvKMz11FE3QpZ44JqiRhmAITTDVo2ymhbvA6R2C1w
|
||||
AL0tjJwKRb0qfoBegyPbuUW399l3CCtEE7voW8AxZ3Y6EGO8DQ1i/MkR81zymFep
|
||||
PUDVYDmhqmh38Z79v5iKqnruzS+rOaitzMRqsUfOJfa4UoFkjO6tYdi5cOY8T4cD
|
||||
w0rgCpvWriaGKGHDuRIdu031GFyf26+SvOWEbiOhMv+h18Hj5P7uT+Is+VuEhHEo
|
||||
i7EYTqzsRwyIfybNkb0mBVluvXb4CpZRdRq5AzC49qu4IezvKoAT99KG1yf7XJvI
|
||||
Ijc/ZITFqCBxE7REA4JBDuivPHfML4CgxG+5PiBJ3JDdaP+xRuoVQQv5E55Y4YwF
|
||||
NM+NTNcvsTv2vKXJ8mmWLBn9xMxN32gmDyy7jW0elW46AQidIL6C+W2Zhxn6GNvc
|
||||
2faDhNQ3yV0A9mIsgQjdWeQemqhsiVU6Sg4Mmattm/b6plGCM1DIcJgMV2RRAobS
|
||||
XgGt7zD15Ju4S+fQqL7MVGGD3y5v0C5eLx78MScygpNQKS0vfTfTE2+wRCzCjZAG
|
||||
/6HU85E6ru1VeXc0TwQBrpX3Wi2ga/momalsCGoh3oHBd+jRqzwpRxojKLy65qU=
|
||||
=g4RA
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA46L6MuPqfJqARAAmTOXbn+qa0wgjSvK3juGqVemxKvaD2zFG57ivYdC1Jdn
|
||||
PIVi5aBCvZ8KY/0W9k83LVcGUY1f8eRkCU8ohJU+rmRbiTvT0qo1hfLzxrqaNbke
|
||||
gN+YsYW8bgXioF6nHVWI158GvqNfmvRl4WyJzBQ41cAyMpdGXiIzUoCba3Y6f+1N
|
||||
muljMhgvEtWUddf4zheZX89xV+aLa9Mga6aQbwRcL451UcKxmE2nk4+00rMn7R7R
|
||||
vmsC677/RrKkI7RxubzCVFFlzaH+ZZ1Ott6ozKUWs2vCcB6vTzwwvmrJwmr760lC
|
||||
pozfNp/+WzLZOkA3rO2qAvIUc1DxYA6CgukrAAObCbvmcgMeLtVR29wwWs01qxI+
|
||||
cTxmH+btbiM0PL8+/sW2KlC19hfMmeryiJXxbUN30a3fMDJz1wVor54DsaqG9kIJ
|
||||
zIxGsQ6t8fzfaVfeQwoxODnTWqUClWCY4is251O4Gxw3C0oPWZvzoPvxljaPrYYY
|
||||
SE3dcktWmGoOxLj56lLfceKq0qAtYmJD4Q5k2GDYYU+8dwp95UTf0lbRwauMBROT
|
||||
OMe4r/emH4Z1LiG2/HLoM4QuV5VVQGSAqoE3c42YjjS9uh/aOtmeNNLehwS93F5E
|
||||
J/bXNY6VnHcALRGMZF60g5OxM3QUioNkGqcCWGjSaRPcKhwaXvvIaTCdz8apnBHS
|
||||
XgHeuszpU9/O1nCsNPF2vQUjcNxz+KsL39RwHCVJBVJskxd4HcJQUM7uArV1Fjbk
|
||||
fl4nQuueBrZ4tXzimRK2QOjgy8F2n/Kxpjlr4rXn+Pi9jyhx0Jq4Blu3wrR4LAg=
|
||||
=4Xvm
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMA4EEKdYEzV0pAQ//fo1yfBspyD2O84d8UCHWoUJTNYql2p26H/vC2BsVzAmL
|
||||
6nylQACeslISLlXbrW+ILPOFZ5x21THOFcJdvCGAQAkY+jC7Ry3D2gwsZi/RLFpP
|
||||
wbEgbzk9hcimmvuHW/NJtrqvXiTJy7GH7el5Zwqe6rtUkTW5IUtaOmZjn2fQBVoq
|
||||
9mMT86vOYlqgIISG1o5x4pciRd+fb3JPiPeJiLcyUBEXYqg2THlyYwwp2paFomYf
|
||||
a6Ls/pVT9ICSblFlnfILOexDpqhxcPH+V2nwlbSlOETq3ACcVIgufIRndTkGhDzi
|
||||
HS3GlD5nIb/ep12Gj+qOgKZBsbUdNIAVojNY2qlK2yQJpE5B1aDjmkAZUkk/LqF3
|
||||
76ZRBDzigU0jfYKh2iGDY3F8cWDsRqjqcTjVB9KF32+1SeUAO4NqDnDpMZgBh2i5
|
||||
rvDOJCJfTgo7DfPqWPyeFM58sow9EEglygASA/XTaDV+CmLzRlqxwlJwpbRrz3OV
|
||||
Mp1gewfGASLPS4xh6gtROac9DAuokmN5VgNg2g+emN8lUNJ/7V7u30TvCEfGP0j0
|
||||
1Sd6RrNn/ZDMJtOoE8gDua6njbOi9Zk/RN4Y4NKWcmiNZxz/Xi/8XU7F0yk0yEL1
|
||||
DUxYsCEHImib+lAESQ0fF4VMXx3DSXq2/Yt5z782ZvgNrGoGw3B9qVA5FyG5Bt3S
|
||||
XgGgfz/6fGZ0DEtTv3B8Rhqbm6TvwPFgIg+3WuQRXxf3rjjoX1AN0jcuz8OIIfGk
|
||||
o1GuRG0/sYg7P32ysgQMvS1F+rX2PR/myHsz4YMM10soG7OduHgXmiJ0eUq8EtM=
|
||||
=WLCQ
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 9DFA033E3DAEBAD7FDD71B056C7AAA54BE05F7BA
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hF4DQrf1tCqiJxoSAQdAUMjy8rV2Zy5nmeMOBsANIUVyhAvVBUF1yunc+EgVeVQw
|
||||
yd4hPHMnQSkasXmcMDS0y2gwixgTOeQbG5PaOr0FA7eGEItLlqwSxz3+GnuD/gEw
|
||||
0l4BFrUbimEX+/tfI8aymapMVYXFXWe4dUZw9foKN5HqkpPKhusozd9bqPPNKggZ
|
||||
09tvIJViKP/QufK0WyLYZGWrG+leogDX39GBtAU1SOllFqtq2G0X1qH+s88GVpaO
|
||||
=hxWV
|
||||
-----END PGP MESSAGE-----
|
||||
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
|
||||
- created_at: "2024-06-21T22:42:59Z"
|
||||
enc: |-
|
||||
-----BEGIN PGP MESSAGE-----
|
||||
|
||||
hQIMAzdAjw8ldn6CAQ//SK6MVXhRsRxYV8jL9HrVTovc84kNFr24nbHHi5z6fuCA
|
||||
6ZjPr5Btx5Xxi716mEmdDBUSGfeJOOSt6hw4fCqj5ehnCeMLr9GvmJdZx9s2n88m
|
||||
h4Fzd1XF67NMbSAYMPrXpk5dlxBNsgmsAWTaEet9gqGWWYsrZHWPvae7z+GaJJzz
|
||||
h3dix5oVV3tM2OVP9hFhRtu9tv9a0sj5Eu6mz8UsDFwEPynlSDPKUQA0jFTXJnYo
|
||||
yT8UTPSZAUlwnU88JPIhHKCmU8nqUIgDURVNgK4BsuoKSAZ27ueSHr/4IzBiavVD
|
||||
6V1b1Ttt8usKFp21OCqfNuoiIeEipUdLMFSTjSXqOp38QTaqoDaCsAPc6j3HCvlV
|
||||
vMm1lbSKK+Llpk9WOmqvHQriL50lQGYpa2X/jS8FtlotKFm0uGJoJXZ5Ujc4Wmy9
|
||||
J79/cXLULGFCxdPsoxmd8wJFqz0eiVPHIBFB2Y8Tan+Mg44WeBuY8sAWGzYPp+kB
|
||||
sEOIQ5I9N1Gt+58i1hDTRlqO4I8ihusqKeRemJa954rlzz8YTmZL+JAD5gsMtzuH
|
||||
gMjnfBnNJKw3UmnHMMQm348CRB6SuF6rmjc7Xk1qsnie87HtYbM3dJYh7ixddr/a
|
||||
kTHy66zDX4j3e/y2JdEPQw8/WhhdGnyj6eDioQLNFfvApI7doi5C+XDCR08YxJnS
|
||||
XgG0kP/bfDBkwzzHkr3khuvdtmUEmsxGbR/3abyjLfvM+g3HM6Eqq0uDwuGgYinR
|
||||
DYfWUZTas5uWrgxAWYbBCbhPcevu7CsyJFsBtG4ExTXPSsP2c79+LwtmJjbLQqo=
|
||||
=9C2P
|
||||
-----END PGP MESSAGE-----
|
||||
fp: 3D70F61E07F64EC4E4EF417BEFCD9D20F58784EF
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
7
config/hosts/woodpecker/sops.nix
Normal file
7
config/hosts/woodpecker/sops.nix
Normal file
|
@ -0,0 +1,7 @@
|
|||
{ ... }:
|
||||
|
||||
{
|
||||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
};
|
||||
}
|
8
config/hosts/woodpecker/woodpecker-agent/default.nix
Normal file
8
config/hosts/woodpecker/woodpecker-agent/default.nix
Normal file
|
@ -0,0 +1,8 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./podman.nix
|
||||
./woodpecker-agent.nix
|
||||
];
|
||||
}
|
13
config/hosts/woodpecker/woodpecker-agent/podman.nix
Normal file
13
config/hosts/woodpecker/woodpecker-agent/podman.nix
Normal file
|
@ -0,0 +1,13 @@
|
|||
# Sources for this configuration:
|
||||
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
|
||||
# - https://woodpecker-ci.org/docs/administration/backends/docker
|
||||
# - https://nixos.wiki/wiki/Podman
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
virtualisation.podman = {
|
||||
enable = true;
|
||||
defaultNetwork.settings.dns_enabled = true;
|
||||
};
|
||||
}
|
|
@ -0,0 +1,27 @@
|
|||
# Sources for this configuration:
|
||||
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
|
||||
# - https://woodpecker-ci.org/docs/administration/agent-config
|
||||
# - https://woodpecker-ci.org/docs/administration/backends/docker
|
||||
|
||||
{ config, pkgs, pkgs-unstable, ... }:
|
||||
|
||||
{
|
||||
services.woodpecker-agents.agents."podman" = {
|
||||
enable = true;
|
||||
# Since we use woodpecker-server from unstable, use the agent from unstable as well.
|
||||
package = pkgs-unstable.woodpecker-agent;
|
||||
extraGroups = [ "podman" ];
|
||||
environment = {
|
||||
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
|
||||
WOODPECKER_MAX_WORKFLOWS = "4";
|
||||
WOODPECKER_BACKEND = "docker";
|
||||
DOCKER_HOST = "unix:///run/podman/podman.sock";
|
||||
# Set via enviornmentFile:
|
||||
# WOODPECKER_AGENT_SECRET
|
||||
};
|
||||
environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ];
|
||||
};
|
||||
|
||||
# Remainder defined in ../woodpecker-server/woodpecker-server.nix
|
||||
sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ];
|
||||
}
|
9
config/hosts/woodpecker/woodpecker-server/default.nix
Normal file
9
config/hosts/woodpecker/woodpecker-server/default.nix
Normal file
|
@ -0,0 +1,9 @@
|
|||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [
|
||||
./nginx.nix
|
||||
./postgresql.nix
|
||||
./woodpecker-server.nix
|
||||
];
|
||||
}
|
57
config/hosts/woodpecker/woodpecker-server/nginx.nix
Normal file
57
config/hosts/woodpecker/woodpecker-server/nginx.nix
Normal file
|
@ -0,0 +1,57 @@
|
|||
# Sources for this configuration:
|
||||
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
|
||||
# - https://woodpecker-ci.org/docs/administration/proxy
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
|
||||
virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
|
||||
default = true;
|
||||
enableACME = true;
|
||||
serverName = "woodpecker.hamburg.ccc.de";
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 31820;
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
virtualHosts."woodpecker.hamburg.ccc.de" = {
|
||||
default = true;
|
||||
forceSSL = true;
|
||||
useACMEHost = "woodpecker.hamburg.ccc.de";
|
||||
|
||||
listen = [
|
||||
{
|
||||
addr = "0.0.0.0";
|
||||
port = 8443;
|
||||
ssl = true;
|
||||
proxyProtocol = true;
|
||||
}
|
||||
];
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
|
||||
};
|
||||
|
||||
extraConfig = ''
|
||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||||
# $remote_port to the client address and client port, when using proxy
|
||||
# protocol.
|
||||
# First set our proxy protocol proxy as trusted.
|
||||
set_real_ip_from 172.31.17.140;
|
||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
||||
# header.
|
||||
real_ip_header proxy_protocol;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
|
||||
networking.firewall.allowedUDPPorts = [ 8443 ];
|
||||
}
|
18
config/hosts/woodpecker/woodpecker-server/postgresql.nix
Normal file
18
config/hosts/woodpecker/woodpecker-server/postgresql.nix
Normal file
|
@ -0,0 +1,18 @@
|
|||
# Sources for this configuration:
|
||||
# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
|
||||
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
services.postgresql = {
|
||||
enable = true;
|
||||
package = pkgs.postgresql_15;
|
||||
ensureDatabases = [ "woodpecker-server" ];
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "woodpecker-server";
|
||||
ensureDBOwnership = true;
|
||||
}
|
||||
];
|
||||
};
|
||||
}
|
|
@ -0,0 +1,56 @@
|
|||
# Sources for this configuration:
|
||||
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
|
||||
# - https://woodpecker-ci.org/docs/administration/server-config
|
||||
# - https://woodpecker-ci.org/docs/administration/database
|
||||
# - https://woodpecker-ci.org/docs/administration/forges/forgejo
|
||||
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
|
||||
|
||||
{ config, pkgs, pkgs-unstable, ... }:
|
||||
|
||||
{
|
||||
services.woodpecker-server = {
|
||||
enable = true;
|
||||
# Use package from unstable to get at least version 2.6.0 for native Forgejo support.
|
||||
# https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
|
||||
package = pkgs-unstable.woodpecker-server;
|
||||
environment = {
|
||||
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
|
||||
WOODPECKER_SERVER_ADDR = ":8001";
|
||||
WOODPECKER_GRPC_ADDR = ":9000";
|
||||
WOODPECKER_ADMIN = "june";
|
||||
WOODPECKER_OPEN = "true";
|
||||
WOODPECKER_ORGS = "CCCHH";
|
||||
WOODPECKER_DATABASE_DRIVER = "postgres";
|
||||
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
|
||||
WOODPECKER_FORGEJO = "true";
|
||||
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
|
||||
# Set via enviornmentFile:
|
||||
# WOODPECKER_FORGEJO_CLIENT
|
||||
# WOODPECKER_FORGEJO_SECRET
|
||||
# WOODPECKER_AGENT_SECRET
|
||||
};
|
||||
environmentFile = [
|
||||
"/run/secrets/woodpecker_server_environment_file"
|
||||
"/run/secrets/woodpecker_agent_secret_environment_file"
|
||||
];
|
||||
};
|
||||
|
||||
systemd.services.woodpecker-server.serviceConfig = {
|
||||
User = "woodpecker-server";
|
||||
Group = "woodpecker-server";
|
||||
};
|
||||
|
||||
sops.secrets."woodpecker_server_environment_file" = {
|
||||
mode = "0440";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
restartUnits = [ "woodpecker-server.service" ];
|
||||
};
|
||||
|
||||
sops.secrets."woodpecker_agent_secret_environment_file" = {
|
||||
mode = "0440";
|
||||
owner = "root";
|
||||
group = "root";
|
||||
restartUnits = [ "woodpecker-server.service" ];
|
||||
};
|
||||
}
|
|
@ -26,6 +26,9 @@
|
|||
},
|
||||
"mjolnir": {
|
||||
"targetHostname": "mjolnir-intern.hamburg.ccc.de"
|
||||
},
|
||||
"woodpecker": {
|
||||
"targetHostname": "woodpecker-intern.hamburg.ccc.de"
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
13
flake.nix
13
flake.nix
|
@ -211,6 +211,19 @@
|
|||
./config/hosts/mjolnir
|
||||
];
|
||||
};
|
||||
|
||||
woodpecker = nixpkgs.lib.nixosSystem {
|
||||
inherit system;
|
||||
modules = [
|
||||
./config/common
|
||||
./config/proxmox-vm
|
||||
sops-nix.nixosModules.sops
|
||||
./config/hosts/woodpecker
|
||||
];
|
||||
specialArgs = {
|
||||
inherit pkgs-unstable;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
packages.x86_64-linux = {
|
||||
|
|
Loading…
Reference in a new issue