#
# CI/CD Woodpecker
#

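{ config, lib, pkgs, ...  }:

# Woodpecker CI server as a hardened systemd service, fronted by nginx with
# ACME-issued TLS. PostgreSQL is configured elsewhere; this module only orders
# the server after it. Credentials are injected from an agenix-managed
# environment file so they never enter the Nix store.
{
  environment.systemPackages = with pkgs; [           # Default packages install system-wide
    woodpecker-server
    woodpecker-cli
  ];

  # Dedicated unprivileged account with fixed ids so ownership of the state
  # directory, the log directory and the secret file is stable across rebuilds.
  users.users.woodpecker = {
    uid = 3005;
    group = "woodpecker";
    isSystemUser = true;
  };
  users.groups.woodpecker.gid = 3005;

  systemd.services.woodpecker-server = {
    description = "CI/CD Pipeline Server";
    wantedBy = [ "multi-user.target" ];
    # requires= alone does not order units; after= is what makes the DB start first.
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];

    serviceConfig = {
      # Run the binary directly rather than through a generated shell script
      # (`script =`), so the server is the unit's main process and signals reach
      # it without a shell in between.
      ExecStart = "${pkgs.woodpecker-server}/bin/woodpecker-server";
      User = "woodpecker";
      Group = "woodpecker";

      # systemd creates /var/lib/woodpecker and /var/log/woodpecker owned by the
      # service user and keeps them writable under ProtectSystem=strict. This
      # replaces the former ReadWritePaths= entry, which named a state directory
      # nothing in this module created; an un-prefixed ReadWritePaths= entry for a
      # missing path makes mount-namespace setup, and thus the unit, fail. The
      # tmpfiles rule for the log directory is subsumed by LogsDirectory=.
      StateDirectory = "woodpecker";
      LogsDirectory = "woodpecker";
      Environment = "HOME=/var/lib/woodpecker";
      # Secrets file is owned by the service user (see age.secrets below), so it
      # is readable once privileges are dropped.
      EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;

      # --- Sandboxing: the server needs only TCP/Unix sockets and its own
      # --- state/log directories; everything else is locked down.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";           # non-root service; make the empty cap set explicit
      MemoryDenyWriteExecute = true;        # Go binary, no JIT
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectProc = "invisible";            # hide other users' processes in /proc
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectHostname = true;
      ProtectClock = true;
      RestrictSUIDSGID = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;
      # AF_NETLINK is kept because the Go runtime's net package enumerates
      # interfaces over netlink; drop it only after confirming the server still
      # starts and listens.
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6 AF_NETLINK";
      LockPersonality = true;
      SystemCallArchitectures = "native";
      SystemCallErrorNumber = "EPERM";
      SystemCallFilter = "@system-service";
    };
  };

  # TLS terminator in front of the server. enableACME presumably relies on
  # security.acme.acceptTerms / defaults.email being set elsewhere; verify.
  # The upstream port matches the server's listen address (plain HTTP on
  # loopback only, never exposed directly).
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    virtualHosts."ci.kabtop.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:8000";
    };
  };

  # Decrypted at activation time to a runtime path outside the store; owned by
  # the service user so the unit can read it after dropping privileges.
  age.secrets."services/woodpecker/environment" = {
    file = ../../../secrets/services/woodpecker/environment.age;
    owner = "woodpecker";
  };

}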