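{lib, ...}: {
  # Provider for one Woodpecker CI agent on this host.
  #
  # Arguments:
  #   name          - agent instance name; also used to derive the system user,
  #                   group, systemd unit and secret names below.
  #   server        - value handed to WOODPECKER_SERVER.
  #   tokenFileAged - encrypted agent token, decrypted by vaultix at activation.
  #   labels        - extra agent labels (attrset of name -> value). Merged on
  #                   top of the default `network` label, so a caller can
  #                   override it.
  #   extraEnv      - extra environment variables. Merged last, so it can
  #                   override anything set here, including the secret path.
  den.aspects.services.provides.woodpecker.provides.agent = {
    name,
    server,
    tokenFileAged,
    labels ? {},
    extraEnv ? {},
  }: let
    # Separators of the WOODPECKER_AGENT_LABELS wire format ("k=v,k=v").
    labelPairSep = ",";
    labelKvSep = "=";

    # Render an attrset of labels into the comma-separated "name=value" form.
    mapLabels = lib.concatMapAttrsStringSep labelPairSep (n: v: "${n}${labelKvSep}${v}");

    # A label name or value that itself contains a separator would be misread
    # once joined into the single string above, so such parts are rejected.
    labelPartOk = part: let
      s = toString part;
    in
      !(lib.hasInfix labelPairSep s || lib.hasInfix labelKvSep s);
  in {
    nixos = {config, ...}: let
      useHostNetwork = config.services.mihomo.enable;
      svcUser = "woodpecker-agent-${name}";
      secretName = "woodpecker-agent-${name}-token";
    in {
      assertions = [
        {
          assertion = lib.all labelPartOk (lib.attrNames labels ++ lib.attrValues labels);
          message = "woodpecker agent '${name}': label names and values must not contain '${labelPairSep}' or '${labelKvSep}'";
        }
      ];

      services.woodpecker-agents.agents.${name} = {
        enable = true;
        # Membership in `podman` is what lets the agent reach the socket set in
        # DOCKER_HOST below. Anything a pipeline step can do through that socket
        # is effectively root on this host, so only trusted pipelines should be
        # able to schedule onto this agent.
        extraGroups = ["podman"];
        environment =
          {
            WOODPECKER_AGENT_LABELS = mapLabels ({
                network =
                  if useHostNetwork
                  then "host"
                  else "auto";
              }
              // labels);
            WOODPECKER_SERVER = server;
            WOODPECKER_GRPC_SECURE = "true";
            # The token is read from the vaultix-managed file rather than
            # placed in the environment, so it is not exposed via the unit's
            # environment block.
            WOODPECKER_AGENT_SECRET_FILE = config.vaultix.secrets.${secretName}.path;
            WOODPECKER_MAX_WORKFLOWS = "4";
            DOCKER_HOST = "unix:///run/podman/podman.sock";
            WOODPECKER_BACKEND = "docker";
            BACKEND_DOCKER_ENABLE_IPV6 = "true";
          }
          # Use host networking for pipeline containers when mihomo is enabled,
          # to avoid network errors behind the proxy. Note that this also drops
          # the network isolation between pipeline steps and the host.
          # See https://github.com/MetaCubeX/mihomo/issues/1260
          # See also https://github.com/SagerNet/sing-box/issues/2700
          // lib.optionalAttrs useHostNetwork {BACKEND_DOCKER_NETWORK = "host";}
          // extraEnv;
      };

      # The service module appears to set DynamicUser (hence the mkForce); a
      # static user/group is needed so the decrypted token below can be
      # group-owned by the agent.
      systemd.services.${svcUser}.serviceConfig = {
        DynamicUser = lib.mkForce false;
        User = svcUser;
        Group = svcUser;
      };

      users.users.${svcUser} = {
        isSystemUser = true;
        useDefaultShell = true;
        group = svcUser;
      };
      users.groups.${svcUser} = {};

      # Decrypted token: root-owned, readable only by the agent's group.
      vaultix.secrets.${secretName} = {
        file = tokenFileAged;
        owner = "root";
        group = svcUser;
        mode = "0440";
      };
    };
  };
}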