Miniflux and Woodpecker (#13)

.sops.yaml

@@ -1,6 +1,6 @@
 keys:
   - &patrick "age1uswp3m453z9vuvqcxcu5a7pnyu7l3vc09q6j99jywc08kag2r30qxk6254"
-  - &staging_server 'age1rg6ngrc38wj8239al0v737lgfgyf6s8rse02jk3z4cjqzhx0g5jq4xv784'
+  - &staging_server 'age1kwfcmu2uh5hanqpes9gv27n3aydlrj7t6u48n6k4ylu2wycdmq8qk688p8'
 creation_rules:
   - path_regex: "secrets/[^/]+\\.json$"
     key_groups:

PulumiWebServer/Domain.fs

@@ -97,18 +97,24 @@ type WellKnownSubdomain =
     | Nextcloud
     | Gitea
     | Radicale
+    | Rss
+    | Woodpecker
 
     override this.ToString () =
         match this with
         | Nextcloud -> "nextcloud"
         | Gitea -> "gitea"
         | Radicale -> "calendar"
+        | Rss -> "rss"
+        | Woodpecker -> "woodpecker"
 
     static member Parse (s : string) =
         match s with
         | "nextcloud" -> WellKnownSubdomain.Nextcloud
         | "gitea" -> WellKnownSubdomain.Gitea
         | "calendar" -> WellKnownSubdomain.Radicale
+        | "rss" -> WellKnownSubdomain.Rss
+        | "woodpecker" -> WellKnownSubdomain.Woodpecker
         | _ -> failwith $"Failed to deserialise: {s}"
 
 

PulumiWebServer/Nix/configuration.nix

@@ -7,8 +7,10 @@ in {
     ./sops.nix
     ./radicale-config.nix
     ./gitea-config.nix
+    ./miniflux.nix
     ./userconfig.nix
     ./nginx-config.nix
+    ./woodpecker.nix
     # generated at runtime by nixos-infect and copied here
     ./hardware-configuration.nix
     ./networking.nix
@@ -25,12 +27,18 @@ in {
   services.nginx-config.staging = true;
   services.gitea-config.subdomain = "gitea";
   services.gitea-config.domain = userConfig.domain;
+  services.miniflux-config.subdomain = "rss";
+  services.miniflux-config.domain = userConfig.domain;
+  services.woodpecker-config.domain = userConfig.domain;
 
   system.stateVersion = "23.05";
 
-  boot.cleanTmpDir = true;
+  boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
   networking.hostName = userConfig.name;
   services.openssh.enable = true;
   users.users.root.openssh.authorizedKeys.keys = sshKeys;
+
+  virtualisation.docker.enable = true;
+  users.extraGroups.docker.members = [userConfig.remoteUsername];
 }

PulumiWebServer/Nix/flake.lock

@@ -4,15 +4,14 @@
       "inputs": {
         "nixpkgs": [
           "nixpkgs"
-        ],
-        "utils": "utils"
+        ]
       },
       "locked": {
-        "lastModified": 1672349765,
-        "narHash": "sha256-Ul3lSGglgHXhgU3YNqsNeTlRH1pqxbR64h+2hM+HtnM=",
+        "lastModified": 1684824189,
+        "narHash": "sha256-k3nCkn5Qy67rCguuw6YkGuL6hOUNRKxQoKOjnapk5sU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "dd99675ee81fef051809bc87d67eb07f5ba022e8",
+        "rev": "58eb968c21d309a6c2b020ea8d64e25c38ceebba",
         "type": "github"
       },
       "original": {
@@ -23,11 +22,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1672262501,
-        "narHash": "sha256-ZNXqX9lwYo1tOFAqrVtKTLcJ2QMKCr3WuIvpN8emp7I=",
+        "lastModified": 1684935479,
+        "narHash": "sha256-6QMMsXMr2nhmOPHdti2j3KRHt+bai2zw+LJfdCl97Mk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e182da8622a354d44c39b3d7a542dc12cd7baa5f",
+        "rev": "f91ee3065de91a3531329a674a45ddcb3467a650",
         "type": "github"
       },
       "original": {
@@ -39,11 +38,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1674352297,
-        "narHash": "sha256-OkAnJPrauEcUCrst4/3DKoQfUn2gXKuU6CFvhtMrLgg=",
+        "lastModified": 1684632198,
+        "narHash": "sha256-SdxMPd0WmU9MnDBuuy7ouR++GftrThmSGL7PCQj/uVI=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "918b760070bb8f48cb511300fcd7e02e13058a2e",
+        "rev": "d0dade110dc7072d67ce27826cfe9ab2ab0cf247",
         "type": "github"
       },
       "original": {
@@ -55,11 +54,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1674236650,
-        "narHash": "sha256-B4GKL1YdJnII6DQNNJ4wDW1ySJVx2suB1h/v4Ql8J0Q=",
+        "lastModified": 1684585791,
+        "narHash": "sha256-lYPboblKrchmbkGMoAcAivomiOscZCjtGxxTSCY51SM=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cfb43ad7b941d9c3606fb35d91228da7ebddbfc5",
+        "rev": "eea79d584eff53bf7a76aeb63f8845da6d386129",
         "type": "github"
       },
       "original": {
@@ -82,11 +81,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1674546403,
-        "narHash": "sha256-vkyNv0xzXuEnu9v52TUtRugNmQWIti8c2RhYnbLG71w=",
+        "lastModified": 1684637723,
+        "narHash": "sha256-0vAxL7MVMhGbTkAyvzLvleELHjVsaS43p+PR1h9gzNQ=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "b6ab3c61e2ca5e07d1f4eb1b67304e2670ea230c",
+        "rev": "4ccdfb573f323a108a44c13bb7730e42baf962a9",
         "type": "github"
       },
       "original": {
@@ -94,21 +93,6 @@
         "repo": "sops-nix",
         "type": "github"
       }
-    },
-    "utils": {
-      "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
     }
   },
   "root": "root",

PulumiWebServer/Nix/gitea-config.nix

@@ -34,11 +34,8 @@
         type = "postgres";
         passwordFile = "/run/secrets/gitea_server_password";
       };
-      domain = "${config.services.gitea-config.subdomain}.${config.services.gitea-config.domain}";
-      rootUrl = "https://${config.services.gitea-config.subdomain}.${config.services.gitea-config.domain}/";
-      httpPort = config.services.gitea-config.port;
       settings = let
-        docutils = pkgs.python37.withPackages (ps:
+        docutils = pkgs.python311.withPackages (ps:
           with ps; [
             docutils
             pygments
@@ -48,11 +45,19 @@
           ENABLED = true;
           FROM = "gitea@" + config.services.gitea-config.domain;
         };
+        server = {
+          ROOT_URL = "https://${config.services.gitea-config.subdomain}.${config.services.gitea-config.domain}/";
+          HTTP_PORT = config.services.gitea-config.port;
+          DOMAIN = "${config.services.gitea-config.subdomain}.${config.services.gitea-config.domain}";
+        };
         service = {
           REGISTER_EMAIL_CONFIRM = true;
           DISABLE_REGISTRATION = true;
           COOKIE_SECURE = true;
         };
+        webhook = {
+          ALLOWED_HOST_LIST = "external,loopback";
+        };
         "markup.restructuredtext" = {
           ENABLED = true;
           FILE_EXTENSIONS = ".rst";

PulumiWebServer/Nix/miniflux.nix

@@ -0,0 +1,41 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options = {
+    services.miniflux-config = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        example = "example.com";
+        description = lib.mdDoc "Top-level domain to configure";
+      };
+      subdomain = lib.mkOption {
+        type = lib.types.str;
+        example = "rss";
+        description = lib.mdDoc "Subdomain in which to put Gitea";
+      };
+      port = lib.mkOption {
+        type = lib.types.port;
+        description = lib.mdDoc "Gitea localhost port";
+        default = 8080;
+      };
+    };
+  };
+  config = {
+    users.users."miniflux".extraGroups = [config.users.groups.keys.name];
+    services.miniflux = {
+      enable = true;
+      adminCredentialsFile = "/run/secrets/miniflux_admin_password";
+    };
+
+    services.nginx.virtualHosts."${config.services.miniflux-config.subdomain}.${config.services.miniflux-config.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.miniflux-config.port}/";
+      };
+    };
+  };
+}

PulumiWebServer/Nix/secrets/staging.json

@@ -3,11 +3,14 @@
 	"gitea_admin_password": "ENC[AES256_GCM,data:M/JZ0x5ca9KAyE+HnbvAohpgQuk=,iv:PZWQ7IJRvRoAOrCJHx9yZaPmM1eEWl21kKTl776Cm4I=,tag:GNqB6vIv5B0ThiNvw/835g==,type:str]",
 	"gitea_admin_username": "ENC[AES256_GCM,data:vYwbK0WnDfc7Ox5YZQ==,iv:VTifWcYPYvkR+9u91f5lovOTVe8jhfDpPCvMQMSjHg0=,tag:IxMny/5HMlpU8tyQJxJHJw==,type:str]",
 	"gitea_admin_email": "ENC[AES256_GCM,data:d/uXN59unzpO7O54lN5qVoyZkMHSIX4iMejWeA4pdIzoiJiWg07mHLmrMhQPSg==,iv:mzg8ZvYAGoMcPI5lDEJ4VFoShoACecZMo4sOAqkKTJ0=,tag:G94XwFlVenBmWx1DD8z1dw==,type:str]",
+	"gitea_woodpecker_oauth_id": "ENC[AES256_GCM,data:5eZXcULdZSwA2ZJbIff1SNDIqFDcbpUmtlessuKDZvJ2ZVtJ,iv:PUw4e8/76kIJnMn01/nWpP1uqTdpTSvmk7Yhiy96x2s=,tag:+lZ/uqevpkIYdnOi3WbSeA==,type:str]",
+	"gitea_woodpecker_secret": "ENC[AES256_GCM,data:bvtrzsRePoa7AGEI9wVNPGwtu9otptzrjVEAK5XWvi6xg/1gcMTU0VpjSur0aLtMNMiQ7jvRsb0=,iv:NMev0UxWibwcQqdPvmYHItW05ZL4D3wfuWCPkuwPeF0=,tag:hhhxTIVgXdzrsDQ3m/koVw==,type:str]",
 	"acme_email": "ENC[AES256_GCM,data:5/Ex62y0nHATgHJMDDBqVtET/t7fwwlWtWVvgzmblCaG,iv:XKe5eXLOSnoL1LedJc/5egOTtFB3JRZCz30BFWLxt3A=,tag:D0IkAOV0VDmhSU++WVlXoA==,type:str]",
 	"radicale_user": "ENC[AES256_GCM,data:aKoxSeTypg==,iv:/r3U99EwAIigJUjISKnEtnFyZYYITEJ45jp4Q3mM0qM=,tag:T9GVZBSUwWUTFK8yS5i6iQ==,type:str]",
 	"radicale_password": "ENC[AES256_GCM,data:ByLueujmUMAM1Edh0YDeNVZ7GMg=,iv:x+JbD1g+NFk2AldmgyFjIbj1CmT+GGFSnx6hhx8ggoE=,tag:i4rnsGv95hC5PjXQzi6k1Q==,type:str]",
 	"radicale_htcrypt_password": "ENC[AES256_GCM,data:vHHIiPjUjM4cQvv9acz8tFmtSdd8/knL0kZaL+6LbNCpzzR/UTZoAqsYtJuQtI8cWAN3tID0MnfM4cNjBwNmV/BBVk8=,iv:56z1d2E/WQ0UP0wyHvaI5YKZoY+90f5AyyxVUhHKEWs=,tag:jiNKYovn37rfG2YHoB4J0g==,type:str]",
 	"radicale_git_email": "ENC[AES256_GCM,data:xBjo3aIPEH3WIg8qBfMrQ1VXeEkUZ5Ynl0dEWeYGirqL/Y9QOA==,iv:bMi2QCvCnhfQT7+jTXb9PzVPDVr9DPiaEVmVMTRVGZI=,tag:V7Bmp/KGKpaH1ldHwF3/jA==,type:str]",
+	"miniflux_admin_password": "ENC[AES256_GCM,data:aXh6cBst5q7hJja5Ew8pg0ZE0c2Beo8sIwWpsuq6L1ENEAtrgfLf4lCE1MYzmmM9qXLt4ax6,iv:fgUW/eRfL7t2ttDdjxaBIGEJLt5o6Vzxv1ibSvh4XiI=,tag:h/IUuMq333LMwYEQJ5N2aQ==,type:str]",
 	"sops": {
 		"kms": null,
 		"gcp_kms": null,
@@ -15,16 +18,16 @@
 		"hc_vault": null,
 		"age": [
 			{
-				"recipient": "age1rg6ngrc38wj8239al0v737lgfgyf6s8rse02jk3z4cjqzhx0g5jq4xv784",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCaXlYaU1nb05oTjdzQTRV\nY1FpL2RJdHdGWm96M1Bvckxuc1dxUUkzS0dFClk3MTNvL1l1S3J1bEdxS2NhMUcz\ndHpDZkZiaUUwellOYnhpaWVXMW5qeEUKLS0tIElkaVY4L2NrblNjVEY5cWxLcndB\nemUwcGJkN0lLeEtjSEMvRFhKRnlsaE0K3PHJDhc24U3YYtSw972xd+jZtCdp4UWL\ngN2ZseqmdN+fLapND8MD+cthHbm320d/MNXvtsed6UjZt2/m1cO0FA==\n-----END AGE ENCRYPTED FILE-----\n"
+				"recipient": "age1kwfcmu2uh5hanqpes9gv27n3aydlrj7t6u48n6k4ylu2wycdmq8qk688p8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4NEVuVmNPemgrUmxJNEY4\nTWxoUzNQZ2p2YjdTZzZPeE1LM1FtaXRoNkdjCnd1ZVgweGs3bWZWZTU1R1NNUStK\nMVprYTdOdjVuRXlBclZvVk5JQUpXSncKLS0tIHlSQjg3KzF2OUFMSllwYlVlVjVE\nSDJscFNEZjRkSWJhWFRycWhuYm5BdU0K4uFxx8+uStqovrTrNVoCZdJd5B4EB+EM\nAQtGheXQ5vvIY39Pz+l6cXhHDUv3drz0vKJxLnGr1oI6LbSDL0miTw==\n-----END AGE ENCRYPTED FILE-----\n"
 			},
 			{
 				"recipient": "age1uswp3m453z9vuvqcxcu5a7pnyu7l3vc09q6j99jywc08kag2r30qxk6254",
-				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTTFSSWErV2c5U3hGTXE2\nNUVBTWFZYUZzTC9TbDN3TnlUV1pDRnVKbjBnCnFxeHF4UkwwZWRNeGsycWowOS9X\nblpRTytRME92YmI4WWlmZlhMV1NzOVkKLS0tIDVMQlh0QmtrZmYzUGd2ait4aGZK\nMFhON2V4WnhBWk1keWhPRTI2UEFIZmsKgG7U1/PNytYja8FnsmDVz7Xi5C2TjRkN\nJctlm3x1yZGoaneSTcwxjrhar3pWt+wEqklPFaeyEzzj0OxEfeIoRg==\n-----END AGE ENCRYPTED FILE-----\n"
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhL1FxdG1HM2VYdFNjMzJT\nOUZFNzFIMERNOWFNNWpGM1dVWFNQU3ZCYWhnCkdYZWdsRWpncDAzYTBaRzE5SFNq\nNFJhT3lXTElXVlJBaStaczhoYnorNWMKLS0tIDF1dlg0S1hnSkxjc01XUUVFcnd6\nSXJyL1BGb2JiVUpNK0FoNEo4cGRBL0EKdR+ZKb8hbP0wmjrzc0e3aIG5rGcyHm8g\njPfEtQx1Vt7rLSmWLNbw8tTx/5G3KFR1Bxa2t7pzEocJMDRW1g/gJA==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2023-02-01T21:53:59Z",
-		"mac": "ENC[AES256_GCM,data:wVm9LcMJ4gT3PpwyagSd386o6JGa5pUvetFwTkad9lyXQQ5k7pGKoVevvvWK9T4/UqOnjXuIA9IYCFC5OL5/jDmawOWCW028bMknArBHZVYXaY2SkBcU/iCdEJd8ox05Lv1KQRYfFNS828q6ghCT9tWIHk8xGO2WoqPPKB5G+rc=,iv:JnP/YF3EDm31hiN/YSq7dtgcqm7dA6n4VaiwvwfEGnw=,tag:wyLMu2QtXRTYsr4n5mlAkw==,type:str]",
+		"lastmodified": "2023-07-20T11:56:18Z",
+		"mac": "ENC[AES256_GCM,data:UOeXXZTGWiEVojn7ivUzPk7Et9JGbHxdvs4DH9aH9YV003PEGfDxpKMKZpSZeOlrrDATHr6pUzRFSci8ucMCACMaRIr7lUtgPxC+HZ3bfOxger2aWLr5HlXwlCI+GB8EEX5I+2eNWVmFOtRY9x63FjvHvG/uY6g+cyLtEAAonNU=,iv:HNv8k19z9BeGvpPWuFHYW4tZ9aOm1vIcxx3td1vpT4c=,tag:dPNPmU19giqy0S+Cgk2vdQ==,type:str]",
 		"pgp": null,
 		"unencrypted_suffix": "_unencrypted",
 		"version": "3.7.3"

PulumiWebServer/Nix/sops.nix

@@ -9,9 +9,12 @@
     "gitea_admin_password" = {owner = "gitea";};
     "gitea_admin_username" = {owner = "gitea";};
     "gitea_admin_email" = {owner = "gitea";};
+    "gitea_woodpecker_oauth_id" = {owner = "woodpecker";};
+    "gitea_woodpecker_secret" = {owner = "woodpecker";};
     "radicale_user" = {owner = "radicale";};
     "radicale_htcrypt_password" = {owner = "radicale";};
     "radicale_password" = {owner = "radicale";};
     "radicale_git_email" = {owner = "radicale";};
+    "miniflux_admin_password" = {owner = "miniflux";};
   };
 }

PulumiWebServer/Nix/userconfig.nix

@@ -27,6 +27,12 @@
       openssh.authorizedKeys.keys = config.services.userconfig.sshKeys;
     };
 
+    users.users."miniflux" = {
+      isSystemUser = true;
+      group = "miniflux";
+    };
+    users.groups."miniflux" = {};
+
     security.sudo = {
       enable = true;
       extraRules = [

PulumiWebServer/Nix/woodpecker.nix

@@ -0,0 +1,68 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  options = {
+    services.woodpecker-config = {
+      domain = lib.mkOption {
+        type = lib.types.str;
+        example = "example.com";
+        description = lib.mdDoc "Top-level domain to configure";
+      };
+      subdomain = lib.mkOption {
+        type = lib.types.str;
+        default = "woodpecker";
+        description = lib.mdDoc "Subdomain in which to put Woodpecker";
+      };
+      port = lib.mkOption {
+        type = lib.types.port;
+        description = lib.mdDoc "Woodpecker localhost port";
+        default = 9001;
+      };
+    };
+  };
+
+  config.users.users."woodpecker" = {
+    isSystemUser = true;
+    group = "woodpecker";
+    extraGroups = ["docker"];
+  };
+  config.users.groups."woodpecker" = {};
+
+  config.environment.etc = {
+    "woodpecker.yaml" = {
+      text = builtins.replaceStrings ["%%WOODPECKER_PORT%%" "%%WOODPECKER_SUBDOMAIN%%" "%%WOODPECKER_DOMAIN%%" "%%GITEA_SUBDOMAIN%%"] [(toString config.services.woodpecker-config.port) config.services.woodpecker-config.subdomain config.services.woodpecker-config.domain config.services.gitea-config.subdomain] (builtins.readFile ./woodpecker/compose.yaml);
+      mode = "0440";
+      user = "woodpecker";
+    };
+  };
+
+  config.systemd.services.start-woodpecker = {
+    description = "start-woodpecker";
+    wantedBy = ["multi-user.target"];
+    path = [pkgs.docker];
+    script = builtins.readFile ./woodpecker/start.sh;
+    serviceConfig = {
+      Restart = "on-failure";
+      Type = "exec";
+      User = "woodpecker";
+      Group = "woodpecker";
+    };
+    environment = {
+      DOCKER = "${pkgs.docker}/bin/docker";
+      OPENSSL = "${pkgs.openssl}/bin/openssl";
+    };
+  };
+
+  config = {
+    services.nginx.virtualHosts."${config.services.woodpecker-config.subdomain}.${config.services.woodpecker-config.domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://localhost:${toString config.services.woodpecker-config.port}/";
+      };
+    };
+  };
+}

PulumiWebServer/Nix/woodpecker/compose.yaml

@@ -0,0 +1,31 @@
+# docker-compose.yml
+version: '3'
+
+services:
+    woodpecker-server:
+        image: woodpeckerci/woodpecker-server:latest
+        ports: ["%%WOODPECKER_PORT%%:8000"]
+        volumes:
+            - woodpecker-server-data:/var/lib/woodpecker
+        environment:
+            - WOODPECKER_OPEN=true
+            - WOODPECKER_HOST=https://%%WOODPECKER_SUBDOMAIN%%.%%WOODPECKER_DOMAIN%%
+            - WOODPECKER_GITEA=true
+            - WOODPECKER_GITEA_URL=https://%%GITEA_SUBDOMAIN%%.%%WOODPECKER_DOMAIN%%
+            - WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT_OAUTH_ID}
+            - WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
+            - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
+
+    woodpecker-agent:
+        image: woodpeckerci/woodpecker-agent:latest
+        command: agent
+        restart: always
+        depends_on: [woodpecker-server]
+        volumes:
+            - /var/run/docker.sock:/var/run/docker.sock
+        environment:
+            - WOODPECKER_SERVER=woodpecker-server:9000
+            - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
+
+volumes:
+    woodpecker-server-data:

PulumiWebServer/Nix/woodpecker/start.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+export WOODPECKER_AGENT_SECRET
+WOODPECKER_AGENT_SECRET=$("$OPENSSL" rand -hex 32)
+export WOODPECKER_GITEA_SECRET
+WOODPECKER_GITEA_SECRET=$(cat /run/secrets/gitea_woodpecker_secret)
+export WOODPECKER_GITEA_CLIENT_OAUTH_ID
+WOODPECKER_GITEA_CLIENT_OAUTH_ID=$(cat /run/secrets/gitea_woodpecker_oauth_id)
+
+"$DOCKER" compose -f "/etc/woodpecker.yaml" up

PulumiWebServer/Pulumi.dev.yaml

@@ -1,5 +1,5 @@
 config:
   cloudflare:apiToken:
-    secure: AAABAFoVHnndh0tY+1jL4Z/Qml8Fy4R+RrU27w4OeWW44KoaJXSX9M4q55uqfArR2/rZZEGdJXkQoY7mluyFut5zAusuHrlX
+    secure: AAABABLOQt1u+iHDSEw5Xm5suXluzQmSQ/L4HBO2ay7IXfeQZ9ksV39f/wiuIAmsa4knq3FlFXdmv2DflHTvrHz5w+1ITiFR
   digitalocean:token:
-    secure: "AAABAGLyJqwR7IgpT6/7WO000SlkpsVXOX/McSOFjIGvhyfwCnGlsDlj8XUJqU+CPOzEpVtO85X/9ONno9LHGhUJtLVWcK5yhl8+/kyyGK4uii+ifImoa180nsXa/H2XCl8KjllNjw=="
+    secure: "AAABAB/j5IG7gawbsnNZcGiiG+lo7kK8vqFcUHIEYpkyYdcBwnnYv1EtfvaArIXOOFugWfuW1WtRCFDgcrDnTAhyQiOg5hCX6y1bzX86noLi9W7utIoy0dxBneCPTKM1pC2xdqXBpw=="

PulumiWebServer/Pulumi.staging.yaml

@@ -1,5 +1,5 @@
 config:
   cloudflare:apiToken:
-    secure: AAABAHOtDVnSnpghuWApxo1FL+j1MVVjZAib4Iv9iH1bx+QQeSGDyuOFfYnxLtHsC/Ixb9CeRYgHKnsfM1Y07yYoP3i77IjK
+    secure: AAABAGC/wO3gKB6z+G5zbGOCTFZ61G+c+SUFU7HcZUM4jszE9itVAFyqKnf77PluI32sj28C+kQ/C9Lr+QtysnJLzniaH/0V
   digitalocean:token:
-    secure: AAABAKEVauYDdDDryfXOR8Cv/eZpq4mafVcKMxTT/At3SVuN9I+aFVPlzoybee/8qzl0LwEXJ/Dh/y0IV4J6B1vEkXkH3oUjrmbt1iYESWnmTliz2m6PTwwwTBHCeD2dlXLj39mwBA==
+    secure: AAABAAPMq4Skfg4l16Iiog2a/+tEzFZqH0VEW3XAvivLxZ7mZ+2B94V8T6+kNr0z7J4m7NafvcMkNxjniAfstwKkErWcDMsSsMUMAGp+HwXqqNg3MP78x+sa8K/eQudngSEZwUK/6w==

PulumiWebServer/PulumiWebServer.fsproj

@@ -9,10 +9,10 @@
     <ItemGroup>
         <PackageReference Include="Nager.PublicSuffix" Version="2.4.0" />
         <PackageReference Include="Newtonsoft.Json" Version="13.0.1" />
-        <PackageReference Include="Pulumi" Version="3.53.0" />
-        <PackageReference Include="Pulumi.Cloudflare" Version="4.15.0" />
-        <PackageReference Include="Pulumi.Command" Version="4.5.0" />
-        <PackageReference Include="Pulumi.DigitalOcean" Version="4.16.0" />
+        <PackageReference Include="Pulumi" Version="3.54.1" />
+        <PackageReference Include="Pulumi.Cloudflare" Version="5.2.0" />
+        <PackageReference Include="Pulumi.Command" Version="0.5.2" />
+        <PackageReference Include="Pulumi.DigitalOcean" Version="4.19.1" />
     </ItemGroup>
 
     <ItemGroup>
@@ -44,6 +44,10 @@
       <Content Include="Nix\gitea\add-user.sh" />
       <Content Include="Nix\config.json" />
       <Content Include="Nix\ssh-keys.json" />
+      <Content Include="Nix\miniflux.nix" />
+      <Content Include="Nix\woodpecker.nix" />
+      <Content Include="Nix\woodpecker\compose.yaml" />
+      <Content Include="Nix\woodpecker\start.sh" />
       <Content Include="config.schema.json" />
       <Content Include="waitforready.sh">
         <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>

deploy.sh

@@ -1,18 +1,19 @@
 #!/bin/sh
 
-# e.g. foo.bar.com (i.e. the hostname in DNS)
-# TODO: get this with `jq` from config file
-DOMAIN="$1"
 # e.g. `PulumiWebServer/Nix`, the directory holding the Nix flake that you want on the remote machine.
 # Appropriate `networking.nix`, `hardware-configuration.nix`, and `ssh-keys.json` files, as output
 # by the `pulumi up` command, will end up written to this folder.
-NIX_FLAKE="$2"
+NIX_FLAKE="$1"
 
 if [ ! -d "$NIX_FLAKE" ]; then
     echo "Flake directory $NIX_FLAKE does not exist; aborting" 1>&2
     exit 1
 fi
 
+DOMAIN="$(jq -r .domain "$1/config.json")"
+
+echo "Domain: $DOMAIN"
+
 # TODO this somehow failed to find the right key
 AGE_KEY="$(ssh-keyscan "$DOMAIN" | ssh-to-age | tail -1 2>/dev/null)"
 

flake.lock

@@ -1,12 +1,15 @@
 {
   "nodes": {
     "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
       "locked": {
-        "lastModified": 1667395993,
-        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "lastModified": 1689068808,
+        "narHash": "sha256-6ixXo3wt24N/melDWjq70UuHQLxGV8jZvooRanIHXw0=",
         "owner": "numtide",
         "repo": "flake-utils",
-        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "rev": "919d646de7be200f3bf08cb76ae1f09402b6f9b4",
         "type": "github"
       },
       "original": {
@@ -17,11 +20,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1675183161,
-        "narHash": "sha256-Zq8sNgAxDckpn7tJo7V1afRSk2eoVbu3OjI1QklGLNg=",
+        "lastModified": 1689679375,
+        "narHash": "sha256-LHUC52WvyVDi9PwyL1QCpaxYWBqp4ir4iL6zgOkmcb8=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "e1e1b192c1a5aab2960bf0a0bd53a2e8124fa18e",
+        "rev": "684c17c429c42515bafb3ad775d2a710947f3d67",
         "type": "github"
       },
       "original": {
@@ -35,6 +38,21 @@
         "flake-utils": "flake-utils",
         "nixpkgs": "nixpkgs"
       }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -71,7 +71,7 @@
           };
         };
         devShells = let
-          requirements = [pkgs.dotnet-sdk_7 pkgs.git pkgs.alejandra pkgs.nodePackages.markdown-link-check];
+          requirements = [pkgs.dotnet-sdk_7 pkgs.git pkgs.alejandra pkgs.nodePackages.markdown-link-check pkgs.jq];
         in {
           default = pkgs.mkShell {
             buildInputs =