new services

2025-09-07 00:53:50 +02:00 · 2025-09-07 00:53:50 +02:00 · bbe47c8fe6
commit bbe47c8fe6
parent f2fcbfb679
7 changed files with 353 additions and 2 deletions
--- a/instances/ds9/services/woodpecker.nix
+++ b/instances/ds9/services/woodpecker.nix
@ -0,0 +1,75 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+{
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker.extraConfig =
+    "reverse_proxy http://[::1]:18000";
+  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker-agent.extraConfig =
+    "reverse_proxy h2c://[::1]:19000";
+  services.postgresql.ensureDatabases = [ "woodpecker" ];
+  services.postgresql.ensureUsers = [
+    {
+      name = "woodpecker";
+      ensureDBOwnership = true;
+    }
+  ];
+
+  services.woodpecker-server = {
+    enable = true;
+    environment = {
+      GITEA = true;
+      GITEA_URL = "https://git.xyno.systems";
+      GRPC_ADDR = ":19000";
+      SERVER_ADDR = ":18000";
+      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker@localhost/woodpecker?host=/run/postgresql";
+      WOODPECKER_DATABASE_DRIVER = "postgres";
+      WOODPECKER_HOST = "https://woodpecker.hailsatan.eu";
+    };
+    environmentFile = [
+      config.sops.secrets."woodpecker/agent_secret".path
+      config.sops.secrets."woodpecker/gitea".path
+    ];
+  };
+
+  virtualisation.podman = {
+    dockerSocket.enable = true;
+    enable = true;
+    autoPrune.enable = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+    };
+  };
+  # This is needed for podman to be able to talk over dns
+  networking.firewall.interfaces."podman0" = {
+    allowedUDPPorts = [ 53 ];
+    allowedTCPPorts = [ 53 ];
+  };
+  services.woodpecker-agents.podman = {
+    environment = {
+      WOODPECKER_SERVER = "[::1]:19000";
+      WOODPECKER_BACKEND = "docker";
+      WOODPECKER_MAX_WORKFLOWS = 4;
+      DOCKER_HOST = "unix:///run/podman/podman.sock";
+    };
+    environmentFile = [
+      config.sops.secrets."woodpecker/agent_secret".path
+    ];
+    extraGroups = [ "podman" ];
+  };
+  sops.secrets."woodpecker/agent_secret" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  sops.secrets."woodpecker/gitea" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  sops.secrets."woodpecker/prometheus" = {
+    sopsFile = ../secrets/woodpecker.yaml;
+  };
+  xyno.impermanence.directories = [
+    "/var/lib/woodpecker"
+    "/var/lib/containers"
+  ];
+}