Woodpecker upgrade (#18)

2025-10-13 04:28:39 +00:00 · 2023-10-01 22:27:05 +01:00
parent e8cf9916ee
commit 713401546a
10 changed files with 94 additions and 81 deletions
--- a/PulumiWebServer/Nix/woodpecker/woodpecker.nix
+++ b/PulumiWebServer/Nix/woodpecker/woodpecker.nix
@@ -16,54 +16,88 @@
        default = "woodpecker";
        description = lib.mdDoc "Subdomain in which to put Woodpecker";
      };
+      agent-subdomain = lib.mkOption {
+        type = lib.types.str;
+        default = "woodpecker-agent";
+        description = lib.mdDoc "Subdomain to open for Woodpecker agent gRPC";
+      };
      port = lib.mkOption {
        type = lib.types.port;
        description = lib.mdDoc "Woodpecker localhost port";
        default = 9001;
      };
+      grpc-port = lib.mkOption {
+        type = lib.types.port;
+        description = lib.mdDoc "Woodpecker server-agent communication port";
+        default = 9010;
+      };
+      admin-users = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        description = lib.mdDoc "List of admin usernames within the Woodpecker instance";
+        default = [];
+      };
    };
  };

-  config.users.users."woodpecker" = {
-    isSystemUser = true;
-    group = "woodpecker";
-    extraGroups = ["docker"];
+  config.services.woodpecker-server = {
+    enable = true;
+    environment = {
+      WOODPECKER_HOST = "https://${config.services.woodpecker-config.subdomain}.${config.services.woodpecker-config.domain}";
+      WOODPECKER_SERVER_ADDR = "localhost:${toString config.services.woodpecker-config.port}";
+      WOODPECKER_LOG_LEVEL = "debug";
+      WOODPECKER_GITEA = "true";
+      WOODPECKER_GITEA_URL = "https://${config.services.gitea-config.subdomain}.${config.services.gitea-config.domain}";
+      WOODPECKER_ADMIN = builtins.concatStringsSep "," config.services.woodpecker-config.admin-users;
+      WOODPECKER_GRPC_ADDR = "localhost:${toString config.services.woodpecker-config.grpc-port}";
+    };
+    environmentFile = "/preserve/woodpecker/woodpecker-combined-secrets.txt";
  };
-  config.users.groups."woodpecker" = {};

-  config.environment.etc = {
-    "woodpecker.yaml" = {
-      text = builtins.replaceStrings ["%%WOODPECKER_PORT%%" "%%WOODPECKER_SUBDOMAIN%%" "%%WOODPECKER_DOMAIN%%" "%%GITEA_SUBDOMAIN%%"] [(toString config.services.woodpecker-config.port) config.services.woodpecker-config.subdomain config.services.woodpecker-config.domain config.services.gitea-config.subdomain] (builtins.readFile ./compose.yaml);
-      mode = "0440";
-      user = "woodpecker";
+  config.services.woodpecker-agents = {
+    agents = {
+      podman-agent = {
+        enable = true;
+        extraGroups = ["podman"];
+        environment = {
+          WOODPECKER_SERVER = "localhost:${toString config.services.woodpecker-config.grpc-port}";
+          WOODPECKER_BACKEND = "docker";
+          DOCKER_HOST = "unix:///run/podman/podman.sock";
+        };
+        environmentFile = ["/preserve/woodpecker/woodpecker-combined-secrets.txt"];
+      };
    };
  };

-  config.systemd.services.start-woodpecker = {
-    description = "start-woodpecker";
-    wantedBy = ["multi-user.target"];
-    path = [pkgs.docker];
-    script = builtins.readFile ./start.sh;
-    preStop = builtins.readFile ./stop.sh;
+  config.systemd.services.woodpecker-secret = {
+    description = "ensure woodpecker secrets are in place";
+    wantedBy = ["multi-user.target" "woodpecker-server.service" "woodpecker-agent-podman-agent.service"];
+    before = ["woodpecker-server.service" "woodpecker-agent-podman-agent.service"];
+    script = builtins.readFile ./secrets.sh;
    serviceConfig = {
-      Restart = "on-failure";
-      Type = "exec";
-      User = "woodpecker";
-      Group = "woodpecker";
+      Restart = "no";
+      Type = "oneshot";
+      User = "root";
    };
    environment = {
-      DOCKER = "${pkgs.docker}/bin/docker";
      OPENSSL = "${pkgs.openssl}/bin/openssl";
    };
  };

-  config = {
-    services.nginx.virtualHosts."${config.services.woodpecker-config.subdomain}.${config.services.woodpecker-config.domain}" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:${toString config.services.woodpecker-config.port}/";
-      };
+  config.services.nginx.virtualHosts."${config.services.woodpecker-config.subdomain}.${config.services.woodpecker-config.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://localhost:${toString config.services.woodpecker-config.port}/";
+    };
+  };
+
+  config.services.nginx.virtualHosts."${config.services.woodpecker-config.agent-subdomain}.${config.services.woodpecker-config.domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      extraConfig = ''
+        grpc_pass grpc://127.0.0.1:${toString config.services.woodpecker-config.grpc-port};
+      '';
    };
  };
 }