Commit 3d9fb41

HPCesia <me@hpcesia.com>
2026-05-26 04:45:17
feat: woodpecker-agent service
1 parent 28e2fbd
modules/hosts/mobius/services/default.nix
@@ -42,5 +42,15 @@ in {
     <services/restic>
 
     (<services/tailscale> ./tailscale-authkey.age)
+
+    (<services/woodpecker/agent> {
+      name = "codeberg";
+      server = "grpc.ci.codeberg.org:443";
+      tokenFileAged = ./woodpecker-agent-codeberg-token.age;
+      labels = {
+        location = "CN";
+        tier = "high";
+      };
+    })
   ];
 }
modules/hosts/mobius/services/woodpecker-agent-codeberg-token.age
Binary file
modules/hosts/pardofelis/services/default.nix
@@ -42,5 +42,15 @@ in {
     <services/restic>
 
     (<services/tailscale> ./tailscale-authkey.age)
+
+    (<services/woodpecker/agent> {
+      name = "codeberg";
+      server = "grpc.ci.codeberg.org:443";
+      tokenFileAged = ./woodpecker-agent-codeberg-token.age;
+      labels = {
+        location = "HK";
+        tier = "low";
+      };
+    })
   ];
 }
modules/hosts/pardofelis/services/woodpecker-agent-codeberg-token.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 xCEwtQ A/GBD0Xzdj+yFx+ULlQqacC134h/dlw/YHlUDdW0IJv1
+GncnRhkEZLj4q1I4qOhaMF6EbNYJkidS+LOBg1rd710
+-> F~XF&-grease S_
+EU6maaLEcyPWXTEafYrT3xbZREJTwvmXDW1UPa7kBFqNxl+Xg7lS8pK187yqGvsG
+RHVkULfmobuDGp1SbOAvw+UCoo2SWFeDEZGY2j+umS8igUWYVm1mYC3bPDMzwoM
+--- OJu1hokuFt4AvlJt4Lbb1BB8XSDoza5apgKux81TDoA
+ݩA1k�"��-d�ԃ@�zA"�yCK�1�Lc=#Ŕx��=�!;��k���K꾞^o�,̙��`��#gVe�իo���F��:�"
\ No newline at end of file
modules/services/woodpecker/agent.nix
@@ -0,0 +1,62 @@
+{lib, ...}: {
+  den.aspects.services.provides.woodpecker.provides.agent = {
+    name,
+    server,
+    tokenFileAged,
+    labels ? {},
+    extraEnv ? {},
+  }: let
+    mapLabels = lib.concatMapAttrsStringSep "," (n: v: "${n}=${v}");
+  in {
+    nixos = {config, ...}: {
+      services.woodpecker-agents.agents.${name} = {
+        enable = true;
+        extraGroups = ["podman"];
+        environment =
+          {
+            WOODPECKER_AGENT_LABELS = mapLabels ({
+                network =
+                  if (config.services.mihomo.enable)
+                  then "host"
+                  else "auto";
+              }
+              // labels);
+            WOODPECKER_SERVER = server;
+            WOODPECKER_GRPC_SECURE = "true";
+            WOODPECKER_AGENT_SECRET_FILE = config.vaultix.secrets."woodpecker-agent-${name}-token".path;
+            WOODPECKER_MAX_WORKFLOWS = "4";
+            DOCKER_HOST = "unix:///run/podman/podman.sock";
+            WOODPECKER_BACKEND = "docker";
+            BACKEND_DOCKER_ENABLE_IPV6 = "true";
+            # Use host for mihomo to avoid network error
+            # See https://github.com/MetaCubeX/mihomo/issues/1260
+            # See also https://github.com/SagerNet/sing-box/issues/2700
+          }
+          // (
+            lib.optionalAttrs (config.services.mihomo.enable) {BACKEND_DOCKER_NETWORK = "host";}
+          )
+          // extraEnv;
+      };
+
+      systemd.services."woodpecker-agent-${name}".serviceConfig = {
+        DynamicUser = lib.mkForce false;
+        User = "woodpecker-agent-${name}";
+        Group = "woodpecker-agent-${name}";
+      };
+
+      users.users."woodpecker-agent-${name}" = {
+        isSystemUser = true;
+        useDefaultShell = true;
+        group = "woodpecker-agent-${name}";
+      };
+      users.groups."woodpecker-agent-${name}" = {};
+
+      vaultix.secrets."woodpecker-agent-${name}-token" = {
+        file = tokenFileAged;
+        owner = "root";
+        group = "woodpecker-agent-${name}";
+        mode = "0440";
+      };
+    };
+  };
+}
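Review bot: When `config.services.mihomo.enable` is true, the `lib.optionalAttrs` branch puts pipeline containers on the host network, while the agent reaches Podman through `/run/podman/podman.sock` via the `podman` group. Jobs scheduled by the external server at `grpc.ci.codeberg.org` would then share the host's network namespace, including loopback-only services, and the agent account holds what is presumably the rootful Podman socket. That trade-off deserves a comment beside the branch, e.g. `# host network: pipeline steps can reach host loopback services; accepted to work around mihomo issue 1260`; the existing mihomo comment sits at the end of the first attrset, away from both the `network` label and the `optionalAttrs` line it explains. Separately, Woodpecker documents the Docker backend variables with a `WOODPECKER_` prefix as far as I know (`WOODPECKER_BACKEND_DOCKER_NETWORK`, `WOODPECKER_BACKEND_DOCKER_ENABLE_IPV6`), so the unprefixed `BACKEND_DOCKER_NETWORK` and `BACKEND_DOCKER_ENABLE_IPV6` may be ignored, leaving the `network=host` label out of step with the real container network; worth confirming against the deployed agent version. `useDefaultShell = true;` also gives the service account a login shell that the Docker backend is unlikely to need.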
secrets/cache/mobius/1430499dfb2e1ab51c5c472e30f2f1da199ebee5faa635b7407e33544c9800ad
Binary file
secrets/cache/pardofelis/c5fc7148cfa493d20968bd6b0a04e5be94d007ab51453b5d066b3a53cf617ab9
Binary file