diff --git a/modules/services/server/default.nix b/modules/services/server/default.nix
index c593745..415c339 100644
--- a/modules/services/server/default.nix
+++ b/modules/services/server/default.nix
@@ -13,6 +13,7 @@
 [
 ./postgresql.nix
 ./gitea.nix
+ ./woodpecker.nix
 ./nextcloud.nix
 ./matrix.nix
 ./coturn.nix
diff --git a/modules/services/server/woodpecker.nix b/modules/services/server/woodpecker.nix
new file mode 100644
index 0000000..27d1a9a
--- /dev/null
+++ b/modules/services/server/woodpecker.nix
@@ -0,0 +1,87 @@
+#
+# CI/CD Woodpecker
+#
+
+{ config, lib, pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [ # Default packages install system-wide
+ woodpecker-server
+ woodpecker-cli
+ ];
+
+ users = {
+ users = {
+ woodpecker = {
+ uid = 3005;
+ group = "woodpecker";
+ isSystemUser = true;
+ };
+ };
+ groups = {
+ woodpecker = {
+ gid = 3005;
+ };
+ };
+ };
+
+ woodpecker-server = {
+ description = "CI/CD Pipeline Server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ script = "${pkgs.woodpecker-server}/bin/woodpecker-server --server-host https://woodpecker.kabtop.de --server-addr localhost:8000 ";
+ # --environment ${config.age.secrets."services/woodpecker/environment.yml".path}";
+ serviceConfig = {
+ User = "woodpecker";
+ Group = "woodpecker";
+ Environment = "HOME=/var/lib/woodpecker";
+ ReadWritePaths="/var/log/woodpecker";
+ NoNewPrivileges=true;
+ MemoryDenyWriteExecute=true;
+ PrivateDevices=true;
+ PrivateTmp=true;
+ ProtectHome=true;
+ ProtectSystem="strict";
+ ProtectControlGroups=true;
+ RestrictSUIDSGID=true;
+ RestrictRealtime=true;
+ LockPersonality=true;
+ ProtectKernelLogs=true;
+ ProtectKernelTunables=true;
+ ProtectHostname=true;
+ ProtectKernelModules=true;
+ PrivateUsers=true;
+ ProtectClock=true;
+ SystemCallArchitectures="native";
+ SystemCallErrorNumber="EPERM";
+ SystemCallFilter="@system-service";
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /var/log/woodpecker - woodpecker woodpecker"
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "woodpecker.kabtop.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://localhost:8000";
+ };
+ };
+ };
+
+# age.secrets."services/woodpecker/dbpassFile" = {
+# file = ../../../secrets/services/nextcloud/dbpassFile.age;
+# owner = "nextcloud";
+# };
+
+}
+
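Review bot: With `ProtectSystem="strict"` the only writable path this unit grants is `ReadWritePaths="/var/log/woodpecker"`, yet `Environment = "HOME=/var/lib/woodpecker"` points the server's state at a directory that nothing creates or makes writable, and because the script passes no database settings the `requires = [ "postgresql.service" ]` ordering buys nothing — if I read Woodpecker's defaults right it falls back to a sqlite file in a read-only location and the first write fails with EROFS; replace the tmpfiles rule with `StateDirectory = "woodpecker"; LogsDirectory = "woodpecker";` (and drop the hand-set `HOME`) so systemd creates both paths owned by the service user and whitelists them inside the sandbox. The unit is also assigned as `woodpecker-server = {` at the top level of the module instead of `systemd.services.woodpecker-server = {`, which NixOS rejects as an undeclared option — unless that is an artifact of how the hunk was captured, the module does not evaluate as shown. The `--environment` flag is commented out, so the server would start with no forge OAuth client credentials and no `WOODPECKER_AGENT_SECRET`, which are the two secrets that decide who may log in and which agents may pick up jobs; wire an age secret owned by `woodpecker` (not the copied nextcloud block at the bottom with `owner = "nextcloud"`) and set the admin/open-registration variables in the same file rather than relying on defaults. Note too that agents reach the server over gRPC on a separate port that neither this nginx vhost nor the firewall exposes, so as written only an agent on the same host could connect.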