Add woodpecker host running a woodpecker-server and -agent for CI

config/hosts/woodpecker/woodpecker-server/default.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./nginx.nix
+    ./postgresql.nix
+    ./woodpecker-server.nix
+  ];
+}

config/hosts/woodpecker/woodpecker-server/nginx.nix

@@ -0,0 +1,57 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/proxy
+
+{ config, pkgs, ... }:
+
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
+      default = true;
+      enableACME = true;
+      serverName = "woodpecker.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    virtualHosts."woodpecker.hamburg.ccc.de" = {
+      default = true;
+      forceSSL = true;
+      useACMEHost = "woodpecker.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      locations."/" = {
+        proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}

config/hosts/woodpecker/woodpecker-server/postgresql.nix

@@ -0,0 +1,18 @@
+# Sources for this configuration:
+# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
+
+{ config, pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_15;
+    ensureDatabases = [ "woodpecker-server" ];
+    ensureUsers = [
+      {
+        name = "woodpecker-server";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+}

config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix

@@ -0,0 +1,56 @@
+# Sources for this configuration:
+# - https://woodpecker-ci.org/docs/administration/deployment/nixos
+# - https://woodpecker-ci.org/docs/administration/server-config
+# - https://woodpecker-ci.org/docs/administration/database
+# - https://woodpecker-ci.org/docs/administration/forges/forgejo
+# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+
+{ config, pkgs, pkgs-unstable, ... }:
+
+{
+  services.woodpecker-server = {
+    enable = true;
+    # Use package from unstable to get at least version 2.6.0 for native Forgejo support.
+    # https://github.com/woodpecker-ci/woodpecker/releases/tag/v2.6.0
+    package = pkgs-unstable.woodpecker-server;
+    environment = {
+      WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
+      WOODPECKER_SERVER_ADDR = ":8001";
+      WOODPECKER_GRPC_ADDR = ":9000";
+      WOODPECKER_ADMIN = "june";
+      WOODPECKER_OPEN = "true";
+      WOODPECKER_ORGS = "CCCHH";
+      WOODPECKER_DATABASE_DRIVER = "postgres";
+      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
+      WOODPECKER_FORGEJO = "true";
+      WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
+      # Set via enviornmentFile:
+      # WOODPECKER_FORGEJO_CLIENT
+      # WOODPECKER_FORGEJO_SECRET
+      # WOODPECKER_AGENT_SECRET
+    };
+    environmentFile = [
+      "/run/secrets/woodpecker_server_environment_file"
+      "/run/secrets/woodpecker_agent_secret_environment_file"
+    ];
+  };
+
+  systemd.services.woodpecker-server.serviceConfig = {
+    User = "woodpecker-server";
+    Group = "woodpecker-server";
+  };
+
+  sops.secrets."woodpecker_server_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "woodpecker-server.service" ];
+  };
+
+  sops.secrets."woodpecker_agent_secret_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+    restartUnits = [ "woodpecker-server.service" ];
+  };
+}