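# Woodpecker CI on this host: the server plus one podman-backed agent, fronted
# by Caddy under the hailsatan.eu wildcard and backed by the local PostgreSQL.
{ pkgs, config, lib, ... }:
{
  # Web UI/API and the agent gRPC endpoint are published through the shared
  # Caddy wildcard host. gRPC is proxied as h2c because the server speaks
  # cleartext HTTP/2 on the loopback address.
  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker.extraConfig =
    "reverse_proxy http://[::1]:18000";
  xyno.services.caddy.wildcardHosts."hailsatan.eu".hosts.woodpecker-agent.extraConfig =
    "reverse_proxy h2c://[::1]:19000";

  # Database and owning role. The datasource below connects over the unix
  # socket (host=/run/postgresql), so peer auth applies and no password is
  # stored in the config.
  services.postgresql.ensureDatabases = [ "woodpecker" ];
  services.postgresql.ensureUsers = [
    {
      name = "woodpecker";
      ensureDBOwnership = true;
    }
  ];

  services.woodpecker-server = {
    enable = true;
    environment = {
      # Woodpecker only reads WOODPECKER_-prefixed settings. Unprefixed names
      # (GITEA, GITEA_URL, GRPC_ADDR, SERVER_ADDR) are ignored, which leaves the
      # server on its default listen addresses and the Caddy entries above
      # pointing at closed ports. Values are passed through as environment
      # strings, so keep them quoted.
      WOODPECKER_GITEA = "true";
      WOODPECKER_GITEA_URL = "https://git.xyno.systems";
      WOODPECKER_GRPC_ADDR = ":19000";
      WOODPECKER_SERVER_ADDR = ":18000";
      WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker@localhost/woodpecker?host=/run/postgresql";
      WOODPECKER_DATABASE_DRIVER = "postgres";
      WOODPECKER_HOST = "https://woodpecker.hailsatan.eu";
    };
    # The agent shared secret and the Gitea credentials come from sops-managed
    # files rather than the world-readable Nix store.
    environmentFile = [
      config.sops.secrets."woodpecker/agent_secret".path
      config.sops.secrets."woodpecker/gitea".path
    ];
  };

  virtualisation.podman = {
    enable = true;
    # Docker-compatible socket for the agent's "docker" backend. Whoever can
    # reach this socket can start arbitrary containers with host privileges, so
    # access is limited to the podman group (see extraGroups on the agent).
    dockerSocket.enable = true;
    autoPrune.enable = true;
    defaultNetwork.settings = {
      dns_enabled = true;
    };
  };

  # This is needed for podman to be able to talk over dns
  networking.firewall.interfaces."podman0" = {
    allowedUDPPorts = [ 53 ];
    allowedTCPPorts = [ 53 ];
  };

  # NOTE(review): nixpkgs declares per-agent options under
  # services.woodpecker-agents.agents.<name>; confirm this path evaluates.
  services.woodpecker-agents.podman = {
    environment = {
      # The agent reaches the server's gRPC port directly on loopback, not via
      # the Caddy h2c proxy; the proxy exists for agents on other hosts.
      WOODPECKER_SERVER = "[::1]:19000";
      WOODPECKER_BACKEND = "docker";
      WOODPECKER_MAX_WORKFLOWS = "4";
      DOCKER_HOST = "unix:///run/podman/podman.sock";
    };
    # Must hold the same WOODPECKER_AGENT_SECRET the server is given above.
    environmentFile = [ config.sops.secrets."woodpecker/agent_secret".path ];
    # Grants the agent service user access to the podman socket.
    extraGroups = [ "podman" ];
  };

  sops.secrets."woodpecker/agent_secret" = {
    sopsFile = ../secrets/woodpecker.yaml;
  };
  sops.secrets."woodpecker/gitea" = {
    sopsFile = ../secrets/woodpecker.yaml;
  };
  # Not referenced in this module; presumably consumed by the Prometheus
  # scrape config elsewhere.
  sops.secrets."woodpecker/prometheus" = {
    sopsFile = ../secrets/woodpecker.yaml;
  };

  # Server state and container storage survive the ephemeral root.
  xyno.impermanence.directories = [
    "/var/lib/woodpecker"
    "/var/lib/containers"
  ];
}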