From d2e7ad47434fbc86a55c9a54c5a8ac3357a5a20d Mon Sep 17 00:00:00 2001
From: Kabbone
Date: Tue, 14 Mar 2023 18:41:49 +0100
Subject: [PATCH] server: configure woodpecker
---
 modules/services/server/woodpecker.nix | 74 ++++++++++----------
 secrets/secrets.nix | 1 +
 secrets/services/woodpecker/environment.age | Bin 0 -> 1858 bytes
 3 files changed, 39 insertions(+), 36 deletions(-)
 create mode 100644 secrets/services/woodpecker/environment.age
diff --git a/modules/services/server/woodpecker.nix b/modules/services/server/woodpecker.nix
index 27d1a9a..53ddbb8 100644
--- a/modules/services/server/woodpecker.nix
+++ b/modules/services/server/woodpecker.nix
@@ -25,37 +25,39 @@
 };
 };
- woodpecker-server = {
- description = "CI/CD Pipeline Server";
- wantedBy = [ "multi-user.target" ];
- after = [ "network.target" "postgresql.service" ];
- requires = [ "postgresql.service" ];
- script = "${pkgs.woodpecker-server}/bin/woodpecker-server --server-host https://woodpecker.kabtop.de --server-addr localhost:8000 ";
- # --environment ${config.age.secrets."services/woodpecker/environment.yml".path}";
- serviceConfig = {
- User = "woodpecker";
- Group = "woodpecker";
- Environment = "HOME=/var/lib/woodpecker";
- ReadWritePaths="/var/log/woodpecker";
- NoNewPrivileges=true;
- MemoryDenyWriteExecute=true;
- PrivateDevices=true;
- PrivateTmp=true;
- ProtectHome=true;
- ProtectSystem="strict";
- ProtectControlGroups=true;
- RestrictSUIDSGID=true;
- RestrictRealtime=true;
- LockPersonality=true;
- ProtectKernelLogs=true;
- ProtectKernelTunables=true;
- ProtectHostname=true;
- ProtectKernelModules=true;
- PrivateUsers=true;
- ProtectClock=true;
- SystemCallArchitectures="native";
- SystemCallErrorNumber="EPERM";
- SystemCallFilter="@system-service";
+ systemd.services = {
+ woodpecker-server = {
+ description = "CI/CD Pipeline Server";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ script = "${pkgs.woodpecker-server}/bin/woodpecker-server";
+ serviceConfig = {
+ User="woodpecker";
+ Group="woodpecker";
+ Environment="HOME=/var/lib/woodpecker";
+ EnvironmentFile=config.age.secrets."services/woodpecker/environment".path;
+ ReadWritePaths="/var/lib/woodpecker /var/log/woodpecker";
+ NoNewPrivileges=true;
+ MemoryDenyWriteExecute=true;
+ PrivateDevices=true;
+ PrivateTmp=true;
+ ProtectHome=true;
+ ProtectSystem="strict";
+ ProtectControlGroups=true;
+ RestrictSUIDSGID=true;
+ RestrictRealtime=true;
+ LockPersonality=true;
+ ProtectKernelLogs=true;
+ ProtectKernelTunables=true;
+ ProtectHostname=true;
+ ProtectKernelModules=true;
+ PrivateUsers=true;
+ ProtectClock=true;
+ SystemCallArchitectures="native";
+ SystemCallErrorNumber="EPERM";
+ SystemCallFilter="@system-service";
+ };
 };
 };
@@ -70,7 +72,7 @@
 recommendedGzipSettings = true;
 recommendedProxySettings = true;
 virtualHosts = {
- "woodpecker.kabtop.de" = {
+ "ci.kabtop.de" = {
 enableACME = true;
 forceSSL = true;
 locations."/".proxyPass = "http://localhost:8000";
@@ -78,10 +80,10 @@
 };
 };
-# age.secrets."services/woodpecker/dbpassFile" = {
-# file = ../../../secrets/services/nextcloud/dbpassFile.age;
-# owner = "nextcloud";
-# };
+ age.secrets."services/woodpecker/environment" = {
+ file = ../../../secrets/services/woodpecker/environment.age;
+ owner = "woodpecker";
+ };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index cebc20d..a807253 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -44,4 +44,5 @@ in
 "services/nextcloud/dbpassFile.age".publicKeys = servers ++ users;
 "services/gitea/databasePassword.age".publicKeys = servers ++ users;
 "services/gitea/mailerPassword.age".publicKeys = servers ++ users;
+ "services/woodpecker/environment.age".publicKeys = servers ++ users;
 }
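Review bot: With the `--server-host`/`--server-addr` flags dropped from `script`, nothing visible in the unit pins the listen address any more; Woodpecker's default `WOODPECKER_SERVER_ADDR` is `:8000` (all interfaces), so unless the encrypted environment file overrides it the plain-HTTP listener is reachable directly rather than only through the nginx TLS front end that proxies to `http://localhost:8000`. Because the env file cannot be reviewed here, keep the non-secret bind address in the unit, e.g. `script = "${pkgs.woodpecker-server}/bin/woodpecker-server --server-addr localhost:8000";`, and leave only credentials in `EnvironmentFile`. The same applies to the public URL: the vhost is renamed to `ci.kabtop.de` in the hunk at -70, so `WOODPECKER_HOST` (formerly `--server-host https://woodpecker.kabtop.de`) must be updated in the secret or forge OAuth callbacks will point at the old name. The enclosing attribute set opens and closes outside this hunk.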
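Review bot: The new entry grants decryption of `services/woodpecker/environment.age` to every key in `servers ++ users`, although only the host running woodpecker-server needs it; since this file is consumed via `EnvironmentFile` it presumably holds the service's live credentials, so that is wider than least privilege requires. This follows the neighbouring gitea and nextcloud entries and may be deliberate, but consider narrowing it to the woodpecker host's key plus the admin keys, e.g. `"services/woodpecker/environment.age".publicKeys = [ <woodpecker-host-key> ] ++ users;` (placeholder; the `servers`/`users` bindings are outside this hunk).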
diff --git a/secrets/services/woodpecker/environment.age b/secrets/services/woodpecker/environment.age new file mode 100644 index 0000000000000000000000000000000000000000..0e2f5dd7883f368d60fec3c03cd18d8ae15c7b8f GIT binary patch literal 1858 zcmY+?`?u4C0l@Kr2wK4jV+Y|VyH{}Rkd-{zG>tH|X`1wrw&^2Dn;~18v`Lyi(&o{o z9A%q(Fz%6!gVX7RAs5+no6|WFud;E+!K3F2g9AG8Oi=M2Q1p5bCey=X^N0Pgzu@!z z;VY?Cf3+odJ=50PtrhLA3c9e*fBTSSY5uB$peT$FwW_hcoEs8@^wj9;l7@J@PMbL&2l7cPB4kVbVvNsMII0&#=6fbo2D4RiyxIiZby9{D# zDuu?vv0PS8fv6fopM%9x~cy#~gz70l^*#T=26 zNVycL!CfeiaBQ2aKoNzqLyW8YvZ{k3v7XDBT*pZ93708z2@#NtT#3px`K;6uIk<$B z6p;0r#XOc3?3Q8=s4~ZZeFt}Zs%+yVh{tn)7qK0xmK8I&&`u+nfd>?VX_jH3c9b^w zwi1N^QZVyk1geNyBhV+9R$Qz57{$TL1c}f^1+;5wB3Q_4tellXa^5btV7P9%CQ7l* zHikwy#Zh%JZQ4CKB7+H1iPun{skjm(dV^vD0D53ik6IBQkzxZtp~MW< z*3~aQHg(r;B4}tx?dCDGHxz-vK&lHg_-;7p@?5(OFa%;!Ig_dvYMBNnn?-}g@&gVA zd%k$H2e(ociWdyARc(^ZSct3(ecFvi$#6YRD;=VsU>Ue!L;q*xbE=ce4Mn<|mF-wv z88JI4CLfeZFP;xjauZ`qTBux(X+Xrz*u0aAHhhW(S3EYw=`4>k(QvLK4~V4YAv$Q| zti*^+$HtsKToWwg3u_?y)oxX?sy-4f%lUdVGa$lQA(}u^jsjTmau5KR44Uua0KseJ zayikjh&spMdSAg{rNaX)DOu>1ilQ&mCurM%-B77->a^2o*72Ajq5&Oh@CIx(i!noY zA-0+DNTgT*DJUGN`}}_Y5Yy>&3vOAEbJ;*UKx!C@S13E-goS>}$rNR_>v_eLq|$XE6r`No`OU1P?o%AB2Ns?Ag4FFt>2{FCAn z+JnlBo9z8uemVK|ZB6;GqCC0>^Pdo=)y{#6UwfpR=hr-wTCznUz3(3mX zapXAd6*rC@o&ffozO>~xYT>=u+Y5qQM#lG#e*682)7w<-Tr2o7u2JJ#?ugOrjvoKp zK4I^v^XrEn`OY=By|Dhnh1afh7HsDj}klYUb1Tu_`MmiMU=PW-^2M!n*-uPe)-rV`1SJB!}{{A+nvU&LLvUyO@uXf z)d$DAE8mPgh8=sk8Ri~){Fbr(S7wfkii+jmaB%h916%ig48Jq6;E%8DSZi#%`?*_2 zhPNI;p84l}kDt8${0ZN&?@zusXV1=aEOXt4z(f^3@cNTe`jxYnhsrY^T0DH|s;_at z)arw4R{Z#$pZ#vyW>Y>hKU{ip!8Kvz!o1&Z0cKyE1h0Pdz(b?Z(Ql2fy>;~2zwDc_ z;rQgUI|D0sZ?BF2YvJ_=SNveTvS(UqHf)jYC2zE+FA}B%Vbl0jA-(p7->)ved)xd& zw0Fa&;a%Un?#j!%R=xZDRm{>)qMMMVn;%|t?$Ngx=4z)O!)s6cbkXc_VMp?gqvM){|60T#AN^g literal 0 HcmV?d00001