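#
# CI/CD Woodpecker
#
# Runs woodpecker-server as a hardened, unprivileged systemd service fronted by
# nginx (ACME/TLS). All credentials (database DSN, agent secret, forge OAuth
# tokens, ...) come from the agenix-managed environment file declared at the
# bottom, so nothing secret is ever evaluated into the world-readable Nix store.
#
{ config, lib, pkgs, ... }:

{
  # Default packages install system-wide (woodpecker-cli is for operators on the box).
  environment.systemPackages = with pkgs; [
    woodpecker-server
    woodpecker-cli
  ];

  # Fixed uid/gid so ownership of on-disk state survives rebuilds and restores
  # from backup (a DynamicUser would get a different id each boot).
  users = {
    users.woodpecker = {
      uid = 3005;
      group = "woodpecker";
      isSystemUser = true;
    };
    groups.woodpecker.gid = 3005;
  };

  systemd.services.woodpecker-server = {
    description = "CI/CD Pipeline Server";
    wantedBy = [ "multi-user.target" ];
    # Hard dependency on the local PostgreSQL instance; the DSN itself lives in
    # the EnvironmentFile below.
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];
    script = "${pkgs.woodpecker-server}/bin/woodpecker-server";

    serviceConfig = {
      User = "woodpecker";
      Group = "woodpecker";
      Environment = "HOME=/var/lib/woodpecker";
      # Secrets are injected at start time from the agenix secret declared below;
      # never inline WOODPECKER_* credentials in this module.
      EnvironmentFile = config.age.secrets."services/woodpecker/environment".path;

      # StateDirectory/LogsDirectory create /var/lib/woodpecker (== HOME above)
      # and /var/log/woodpecker owned by the service user and make them writable
      # under ProtectSystem=strict. Nothing else visible in this module created
      # /var/lib/woodpecker, so the previous explicit ReadWritePaths entry pointed
      # at a directory the sandboxed service could not create itself.
      StateDirectory = "woodpecker";
      StateDirectoryMode = "0700";
      LogsDirectory = "woodpecker";
      # Files the server creates (sqlite fallback, uploaded artefacts, ...) are
      # private to the service user.
      UMask = "0077";

      # --- Sandboxing -------------------------------------------------------
      # The server listens on unprivileged ports only, so it needs no
      # capabilities at all; an empty bounding set also blocks any future
      # setcap'd helper from regaining them.
      CapabilityBoundingSet = "";
      AmbientCapabilities = "";
      NoNewPrivileges = true;
      # Go does not need W+X mappings, so this is safe for woodpecker-server.
      MemoryDenyWriteExecute = true;
      PrivateDevices = true;
      PrivateTmp = true;
      PrivateMounts = true;
      PrivateUsers = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectProc = "invisible";
      ProtectControlGroups = true;
      ProtectKernelLogs = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectHostname = true;
      ProtectClock = true;
      RestrictSUIDSGID = true;
      RestrictRealtime = true;
      RestrictNamespaces = true;
      # Only the socket families a Go HTTP/gRPC server needs (matches the
      # upstream NixOS woodpecker-server module); netlink, packet, etc. are denied.
      RestrictAddressFamilies = "AF_UNIX AF_INET AF_INET6";
      RemoveIPC = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      # Return EPERM instead of killing the process on a filtered syscall so a
      # stray probe by a library degrades gracefully and shows up in the log.
      SystemCallErrorNumber = "EPERM";
      SystemCallFilter = "@system-service";
    };
  };

  # NOTE(review): only the HTTP UI/API (:8000) is proxied here. woodpecker-server
  # also serves the agent gRPC endpoint (port 9000 by upstream default) directly;
  # confirm that port is firewalled or only reachable by trusted agents, since
  # the agent secret is the sole authentication on it.
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    # Sets X-Forwarded-* / Host so Woodpecker builds correct OAuth callback URLs
    # and sees real client IPs in its logs.
    recommendedProxySettings = true;
    virtualHosts."ci.kabtop.de" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://localhost:8000";
    };
  };

  # Environment file with the service's secrets. Owned by the service user so
  # systemd can read it at start; keep agenix's restrictive default mode so no
  # other local user can.
  age.secrets."services/woodpecker/environment" = {
    file = ../../../secrets/services/woodpecker/environment.age;
    owner = "woodpecker";
  };
}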