Commit 3d9fb41
Changed files (7)
modules/hosts/mobius/services/default.nix
@@ -42,5 +42,15 @@ in {
<services/restic>
(<services/tailscale> ./tailscale-authkey.age)
+
+ (<services/woodpecker/agent> {
+ name = "codeberg";
+ server = "grpc.ci.codeberg.org:443";
+ tokenFileAged = ./woodpecker-agent-codeberg-token.age;
+ labels = {
+ location = "CN";
+ tier = "high";
+ };
+ })
];
}
modules/hosts/mobius/services/woodpecker-agent-codeberg-token.age
Binary file
modules/hosts/pardofelis/services/default.nix
@@ -42,5 +42,15 @@ in {
<services/restic>
(<services/tailscale> ./tailscale-authkey.age)
+
+ (<services/woodpecker/agent> {
+ name = "codeberg";
+ server = "grpc.ci.codeberg.org:443";
+ tokenFileAged = ./woodpecker-agent-codeberg-token.age;
+ labels = {
+ location = "HK";
+ tier = "low";
+ };
+ })
];
}
modules/hosts/pardofelis/services/woodpecker-agent-codeberg-token.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> piv-p256 xCEwtQ A/GBD0Xzdj+yFx+ULlQqacC134h/dlw/YHlUDdW0IJv1
+GncnRhkEZLj4q1I4qOhaMF6EbNYJkidS+LOBg1rd710
+-> F~XF&-grease S_
+EU6maaLEcyPWXTEafYrT3xbZREJTwvmXDW1UPa7kBFqNxl+Xg7lS8pK187yqGvsG
+RHVkULfmobuDGp1SbOAvw+UCoo2SWFeDEZGY2j+umS8igUWYVm1mYC3bPDMzwoM
+--- OJu1hokuFt4AvlJt4Lbb1BB8XSDoza5apgKux81TDoA
+ݩA1k�"��-d�ԃ@�zA"�yCK�1�Lc=#Ŕx��=�!;��k���K꾞^o�,̙��`��#gVe�իo���F��:�"
\ No newline at end of file
modules/services/woodpecker/agent.nix
@@ -0,0 +1,62 @@
+{lib, ...}: {
+ den.aspects.services.provides.woodpecker.provides.agent = {
+ name,
+ server,
+ tokenFileAged,
+ labels ? {},
+ extraEnv ? {},
+ }: let
+ mapLabels = lib.concatMapAttrsStringSep "," (n: v: "${n}=${v}");
+ in {
+ nixos = {config, ...}: {
+ services.woodpecker-agents.agents.${name} = {
+ enable = true;
+ extraGroups = ["podman"];
+ environment =
+ {
+ WOODPECKER_AGENT_LABELS = mapLabels ({
+ network =
+ if (config.services.mihomo.enable)
+ then "host"
+ else "auto";
+ }
+ // labels);
+ WOODPECKER_SERVER = server;
+ WOODPECKER_GRPC_SECURE = "true";
+ WOODPECKER_AGENT_SECRET_FILE = config.vaultix.secrets."woodpecker-agent-${name}-token".path;
+ WOODPECKER_MAX_WORKFLOWS = "4";
+ DOCKER_HOST = "unix:///run/podman/podman.sock";
+ WOODPECKER_BACKEND = "docker";
+ BACKEND_DOCKER_ENABLE_IPV6 = "true";
+ # Use host for mihomo to avoid network error
+ # See https://github.com/MetaCubeX/mihomo/issues/1260
+ # See also https://github.com/SagerNet/sing-box/issues/2700
+ }
+ // (
+ lib.optionalAttrs (config.services.mihomo.enable) {BACKEND_DOCKER_NETWORK = "host";}
+ )
+ // extraEnv;
+ };
+
+ systemd.services."woodpecker-agent-${name}".serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = "woodpecker-agent-${name}";
+ Group = "woodpecker-agent-${name}";
+ };
+
+ users.users."woodpecker-agent-${name}" = {
+ isSystemUser = true;
+ useDefaultShell = true;
+ group = "woodpecker-agent-${name}";
+ };
+ users.groups."woodpecker-agent-${name}" = {};
+
+ vaultix.secrets."woodpecker-agent-${name}-token" = {
+ file = tokenFileAged;
+ owner = "root";
+ group = "woodpecker-agent-${name}";
+ mode = "0440";
+ };
+ };
+ };
+}
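Review bot: The agent account is added to the `podman` group and pointed at `unix:///run/podman/podman.sock`, which on NixOS is normally the root-owned system socket, so any workflow the remote server schedules onto this agent can drive containers with host-root privileges. This applies to both mobius and pardofelis, which instantiate the module against the public Codeberg CI. Where `config.services.mihomo.enable` is true, `BACKEND_DOCKER_NETWORK = "host"` also places step containers in the host network namespace, where loopback-only services become reachable. Consider a rootless Podman socket owned by `woodpecker-agent-${name}`, and put the trade-off next to the override, e.g. `# host networking exposes loopback services to CI steps; keep this to hosts that only run trusted pipelines`. Separately, `useDefaultShell = true` gives the service account a login shell it does not appear to need, and because `// extraEnv` is merged last a caller can silently override `WOODPECKER_GRPC_SECURE` or `WOODPECKER_AGENT_SECRET_FILE`, which deserves a comment or an assertion.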
secrets/cache/mobius/1430499dfb2e1ab51c5c472e30f2f1da199ebee5faa635b7407e33544c9800ad
Binary file
secrets/cache/pardofelis/c5fc7148cfa493d20968bd6b0a04e5be94d007ab51453b5d066b3a53cf617ab9
Binary file