hyl.st / helm
nix config
2
fork

Configure Feed

Select the types of activity you want to include in your feed.

helm / modules / nixos / woodpecker.nix
at darwin 191 lines 5.4 kB view raw
Anish Lakhwara update to 23.11
6fb6d4ca
1{ config, pkgs, lib, ... }: 2# I gave up writing this lol 3 4with lib; 5 6let 7 cfg = config.services.woodpecker; 8 droneserver = config.users.users.droneserver.name; 9 10in 11{ 12 options = { 13 enable = mkEnableOption "Woodpecker CI/CD"; 14 15 user = mkOption { 16 type = types.str; 17 default = "woodpeckerserver"; 18 description = "User account under which woodpecker server runs."; 19 }; 20 21 group = mkOption { 22 type = types.str; 23 default = "woodpeckerserver"; 24 description = "Group account under which woodpecker server runs."; 25 }; 26 27 hostname = mkOption { 28 type = types.str; 29 example = "woodpecker.example.com"; 30 description = "VirtualHost created for nginx"; 31 }; 32 }; 33 34 config = mkIf cfg.enable { 35 users.users = optionalAttrs (cfg.user == name) { 36 ${name} = { 37 group = cfg.group; 38 description = "woodpecker server user"; 39 home = cfg.dataDir; 40 createHome = true; 41 }; 42 }; 43 44 users.groups = optionalAttrs (cfg.group == name) { 45 ${name}.gid = config.ids.gids.headphones; 46 }; 47 48 services.nginx.virtualHosts."drone.my-server.tld" = { 49 enableACME = true; 50 forceSSL = true; 51 locations."/".proxyPass = "http://localhost:3030/"; 52 }; 53 54 services.postgresql = { 55 ensureDatabases = [ droneserver ]; 56 ensureUsers = [{ 57 name = droneserver; 58 ensureDBOwnership = true; 59 }]; 60 }; 61 62 # Secrets configured: 63 # - DRONE_GITEA_CLIENT_ID 64 # - DRONE_GITEA_CLIENT_SECRET 65 # - DRONE_RPC_SECRET 66 # To get these secrets, please check Drone's documentation for Gitea integration: 67 # https://docs.drone.io/server/provider/gitea/ 68 69 # agenix secret 70 71 systemd.services.drone-server = { 72 wantedBy = [ "multi-user.target" ]; 73 serviceConfig = { 74 EnvironmentFile = [ 75 config.sops.secrets.drone.path 76 ]; 77 Environment = [ 78 "DRONE_DATABASE_DATASOURCE=postgres:///droneserver?host=/run/postgresql" 79 "DRONE_DATABASE_DRIVER=postgres" 80 "DRONE_SERVER_PORT=:3030" 81 "DRONE_USER_CREATE=username:viperML,admin:true" # set your admin username 82 83 "DRONE_GITEA_SERVER=https://git.my-domain.tld" 84 "DRONE_SERVER_HOST=drone.my-domain.tld" 85 "DRONE_SERVER_PROTO=https" 86 ]; 87 ExecStart = "${pkgs.drone}/bin/drone-server"; 88 User = droneserver; 89 Group = droneserver; 90 }; 91 }; 92 93 ### Docker runner 94 95 users.users.drone-runner-docker = { 96 isSystemUser = true; 97 group = "drone-runner-docker"; 98 }; 99 users.groups.drone-runner-docker = { }; 100 # Allow the runner to use docker 101 users.groups.docker.members = [ "drone-runner-docker" ]; 102 103 systemd.services.drone-runner-docker = { 104 enable = true; 105 wantedBy = [ "multi-user.target" ]; 106 ### MANUALLY RESTART SERVICE IF CHANGED 107 restartIfChanged = false; 108 serviceConfig = { 109 Environment = [ 110 "DRONE_RPC_PROTO=http" 111 "DRONE_RPC_HOST=localhost:3030" 112 "DRONE_RUNNER_CAPACITY=2" 113 "DRONE_RUNNER_NAME=drone-runner-docker" 114 ]; 115 EnvironmentFile = [ 116 config.sops.secrets.drone.path 117 ]; 118 ExecStart = "${pkgs.drone-runner-docker}/bin/drone-runner-docker"; 119 User = "drone-runner-docker"; 120 Group = "drone-runner-docker"; 121 }; 122 }; 123 124 ### Exec runner 125 126 users.users.drone-runner-exec = { 127 isSystemUser = true; 128 group = "drone-runner-exec"; 129 }; 130 users.groups.drone-runner-exec = { }; 131 # Allow the exec runner to write to build with nix 132 nix.allowedUsers = [ "drone-runner-exec" ]; 133 134 systemd.services.drone-runner-exec = { 135 enable = true; 136 wantedBy = [ "multi-user.target" ]; 137 ### MANUALLY RESTART SERVICE IF CHANGED 138 restartIfChanged = true; 139 confinement.enable = true; 140 confinement.packages = [ 141 pkgs.git 142 pkgs.gnutar 143 pkgs.bash 144 pkgs.nixFlakes 145 pkgs.gzip 146 ]; 147 path = [ 148 pkgs.git 149 pkgs.gnutar 150 pkgs.bash 151 pkgs.nixFlakes 152 pkgs.gzip 153 ]; 154 serviceConfig = { 155 Environment = [ 156 "DRONE_RPC_PROTO=http" 157 "DRONE_RPC_HOST=127.0.0.1:3030" 158 "DRONE_RUNNER_CAPACITY=2" 159 "DRONE_RUNNER_NAME=drone-runner-exec" 160 "NIX_REMOTE=daemon" 161 "PAGER=cat" 162 "DRONE_DEBUG=true" 163 ]; 164 BindPaths = [ 165 "/nix/var/nix/daemon-socket/socket" 166 "/run/nscd/socket" 167 # "/var/lib/drone" 168 ]; 169 BindReadOnlyPaths = [ 170 "/etc/passwd:/etc/passwd" 171 "/etc/group:/etc/group" 172 "/nix/var/nix/profiles/system/etc/nix:/etc/nix" 173 "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt" 174 "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts" 175 "${builtins.toFile "ssh_config" '' 176 Host git.ayats.org 177 ForwardAgent yes 178 ''}:/etc/ssh/ssh_config" 179 "/etc/machine-id" 180 "/etc/resolv.conf" 181 "/nix/" 182 ]; 183 EnvironmentFile = [ 184 config.sops.secrets.drone.path 185 ]; 186 ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec"; 187 User = "drone-runner-exec"; 188 Group = "drone-runner-exec"; 189 }; 190 }; 191 };