Use an agent token for Woodpecker agent to stop it from re-registering

With the shared system token, every time the Woodpecker host would
restart, a new Woodpecker agent registration would be created, because
the agent receives a unique ID on first connection using the system
token, which it couldn't store however, because it doesn't have a
writable config file in NixOS.
Use an agent token now, which doesn't require the agent to store a
unique ID in a writable config, therefore not making it re-register.

Also see:
https://woodpecker-ci.org/docs/administration/agent-config#agent-registration
June 2024-06-22 16:26:58 +02:00
parent 1aff46745a
commit f5432bd682
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
3 changed files with 11 additions and 18 deletions


@ -1,5 +1,5 @@
woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
woodpecker_agent_secret_environment_file: ENC[AES256_GCM,data:iXsElY7/XhHYC3OAHZOY2TUzcL6dyjLkmuVgRUP1W/ZpTYsBuVbPZFX5WGGX1Pw33sPo1SAp6a8k+qqh0HeqyTxnjj/7T/HOE2DbdHoqF3EK/ryhtQVNNm4=,iv:6rrWRFxoZuXstWrKKo4siHqktcuZqrdjM4DwiFdDfJA=,tag:YvyIYFd/N1Z6tpO2O0ewrQ==,type:str] woodpecker_agent_environment_file: ENC[AES256_GCM,data:7K+Q59QM9ZIr/SE8VQ9jmshjVSeXGzk+h2T9oIDJASZrYppTFx2N68wsKyFm/Y1GDLY3QEELGXOCa7nSZcdMJTOJ9jj5u7HMw3e0CQGxMUGP,iv:vyDQO7uMxyHpK/cb739sktuAq3zv2MZ9xexAZHD0Of4=,tag:WzNn4iWGlO63aLeStsCdRA==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -15,8 +15,8 @@ sops:
UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0 UExiNFNCdkQ4YTNMdEdoWTdxOFZOZVEKZZbNpbyH31z5tyXeINqoNyqy8zvS3mp0
YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q== YFq6P8kO8CaqUG7KH6yWV0Vq4DryQ9vMcQBnboZOfPf9pZUvhacE/Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-22T00:01:07Z" lastmodified: "2024-06-22T14:24:28Z"
mac: ENC[AES256_GCM,data:3WLe5X+wMVRth2jnu3xVe209mk+HzFcwkj45N9L0UOgoc5zdBShvdEXcevX98HTldC4kU0IEZZowLHbiDxlIozu2lrkU+0avxzM8jWWcyqMJCLTcBoOHaqKX9EfQ9OvHh2HMz8hJ/AFD/LTDzpTYXpHqSnagt1SRGjUKGZuF3K0=,iv:CPpfAP+bInTtHPRBeVih9s2/YoBJKpwuDq5VUIOkoLs=,tag:0Exia5cJctV6f+mYVgDM/A==,type:str] mac: ENC[AES256_GCM,data:1MCBR0fU1wMwmTqLKi6ybFD5YX/yYFMO1JLUpB+ZB+PYH+lvYUwo7x52BNxDDETq+VtU13CJLIM0LleOWl0h0xP9vbMC/YMn+ffeWVBYC8mjqaKXYVyAW8ksXn+vDQ+ZP/RWGOJdaKIPLgIJiVF5hfkSo6smfH378cH72f5cmU4=,iv:BgKHSsElxULJ2EA+8/5w4J/hNLH2S+jNNRTXAl/96V4=,tag:z1HeWXA6Ryo0SacG9HARhw==,type:str]
pgp: pgp:
- created_at: "2024-06-21T22:42:59Z" - created_at: "2024-06-21T22:42:59Z"
enc: |- enc: |-


@ -19,9 +19,13 @@
# Set via enviornmentFile: # Set via enviornmentFile:
# WOODPECKER_AGENT_SECRET # WOODPECKER_AGENT_SECRET
}; };
environmentFile = [ "/run/secrets/woodpecker_agent_secret_environment_file" ]; environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
}; };
# Remainder defined in ../woodpecker-server/woodpecker-server.nix sops.secrets."woodpecker_agent_environment_file" = {
sops.secrets."woodpecker_agent_secret_environment_file".restartUnits = [ "woodpecker-agent-podman.service" ]; mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "woodpecker-agent-podman.service" ];
};
} }
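Review bot: The new `sops.secrets."woodpecker_agent_environment_file"` block sets `mode = "0440"` while `owner` and `group` are both `root`, so the group-read bit grants nothing useful; `mode = "0400";` would express least privilege for a file that holds the agent's credential. This assumes the environment file is read as root when `woodpecker-agent-podman.service` starts, which the hunk does not show, so confirm that before tightening it. The comment above `environmentFile` still lists a bare `WOODPECKER_AGENT_SECRET`; going by the commit message that variable now carries a per-agent token, so I would reword it to `# WOODPECKER_AGENT_SECRET (agent token, not the shared system token)` and fix the `enviornmentFile` spelling while there. The enclosing attribute set starts outside the hunk.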


@ -27,12 +27,8 @@
# Set via enviornmentFile: # Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT # WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET # WOODPECKER_FORGEJO_SECRET
# WOODPECKER_AGENT_SECRET
}; };
environmentFile = [ environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
"/run/secrets/woodpecker_server_environment_file"
"/run/secrets/woodpecker_agent_secret_environment_file"
];
}; };
systemd.services.woodpecker-server.serviceConfig = { systemd.services.woodpecker-server.serviceConfig = {
@ -46,11 +42,4 @@
group = "root"; group = "root";
restartUnits = [ "woodpecker-server.service" ]; restartUnits = [ "woodpecker-server.service" ];
}; };
sops.secrets."woodpecker_agent_secret_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "woodpecker-server.service" ];
};
} }