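#
# CI/CD Woodpecker
#
# NixOS module for the Woodpecker CI server: a dedicated system account,
# a sandboxed systemd unit, an nginx TLS reverse proxy in front of it and
# the agenix secret that supplies the server's environment.
#
{ config, lib, pkgs, ... }:

{
  environment.systemPackages = with pkgs; [
    # Default packages install system-wide
    woodpecker-server
    woodpecker-cli
  ];

  # Dedicated unprivileged account with a fixed uid/gid so ownership of the
  # state and log directories is stable across rebuilds and restores.
  users = {
    users.woodpecker = {
      uid = 3005;
      group = "woodpecker";
      isSystemUser = true;
    };
    groups.woodpecker = {
      gid = 3005;
    };
  };

  systemd.services.woodpecker-server = {
    description = "CI/CD Pipeline Server";
    wantedBy = [ "multi-user.target" ];
    # Ordered after and bound to PostgreSQL: the server is not started without
    # the database and is stopped together with it.
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    script = "${pkgs.woodpecker-server}/bin/woodpecker-server";

    serviceConfig = {
      User = "woodpecker";
      Group = "woodpecker";
      Environment = "HOME=/var/lib/woodpecker";
      # Configuration is injected from the agenix-decrypted environment file
      # rather than being written into the world-readable Nix store.
      # NOTE(review): presumably this is where the WOODPECKER_* settings
      # (listen address, tokens, database DSN) live — not visible here.
      EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;

      # Fix: HOME pointed at /var/lib/woodpecker and the path was listed in
      # ReadWritePaths, but nothing in this module created it (only
      # /var/log/woodpecker had a tmpfiles rule). StateDirectory/LogsDirectory
      # create both directories owned by User/Group and make them writable
      # under ProtectSystem=strict, so the explicit ReadWritePaths and the
      # tmpfiles rule are no longer needed.
      StateDirectory = "woodpecker";
      LogsDirectory = "woodpecker";

      # Sandboxing: the service only needs network access, its own state and
      # log directories and the environment file, so everything else is
      # made read-only, private or unreachable.
      NoNewPrivileges = true;
      MemoryDenyWriteExecute = true;
      PrivateDevices = true;
      PrivateTmp = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectControlGroups = true;
      RestrictSUIDSGID = true;
      RestrictRealtime = true;
      LockPersonality = true;
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectHostname = true;
      ProtectKernelModules = true;
      PrivateUsers = true;
      ProtectClock = true;
      SystemCallArchitectures = "native";
      # Filtered syscalls fail with EPERM instead of killing the process,
      # which keeps an unexpected call from turning into an outage.
      SystemCallErrorNumber = "EPERM";
      SystemCallFilter = "@system-service";
    };
  };

  # TLS terminates at nginx; the CI server itself is only reached over
  # loopback. The server's listen address must match the proxy target
  # (expected to be set through the environment file above).
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts."ci.kabtop.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:8000";
    };
  };

  # Decrypted at activation time and owned by the service user so only that
  # account (and root) can read the contents.
  age.secrets."services/woodpecker/environment" = {
    file = ../../../secrets/services/woodpecker/environment.age;
    owner = "woodpecker";
  };
}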