From a4ec703bae797e5f3cf4fe1549a847d086c27023 Mon Sep 17 00:00:00 2001
From: notohh
Date: Tue, 23 Jan 2024 15:43:08 -0500
Subject: [PATCH] tsuru: enable woodpecker

---
 hosts/tsuru/services/default.nix | 2 +-
 hosts/tsuru/services/tailscale.nix | 43 +++++++++++++++++++++++++++++
 hosts/tsuru/services/woodpecker.nix | 38 +++++++++++++++++++++++++
 3 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 hosts/tsuru/services/tailscale.nix
 create mode 100644 hosts/tsuru/services/woodpecker.nix

diff --git a/hosts/tsuru/services/default.nix b/hosts/tsuru/services/default.nix
index 95d74d2..f811024 100644
--- a/hosts/tsuru/services/default.nix
+++ b/hosts/tsuru/services/default.nix
@@ -1,5 +1,5 @@
 _: {
   imports = [
-    ./forgejo-runners.nix
+    ./woodpecker.nix
   ];
 }
diff --git a/hosts/tsuru/services/tailscale.nix b/hosts/tsuru/services/tailscale.nix
new file mode 100644
index 0000000..798440a
--- /dev/null
+++ b/hosts/tsuru/services/tailscale.nix
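Review bot: `./tailscale.nix` is created by this commit but is not added to the `imports` list in this hunk, which only swaps `./forgejo-runners.nix` for `./woodpecker.nix`; unless another file in the host tree imports it, the Tailscale configuration (firewall rules, autoconnect unit, sops secret) is never evaluated. If it is meant to be part of this host, add `./tailscale.nix` alongside `./woodpecker.nix`. The diffstat also shows `forgejo-runners.nix` itself is not deleted, so it remains in the tree as an unreferenced file after this change.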
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-tsuru = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-tsuru.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}
diff --git a/hosts/tsuru/services/woodpecker.nix b/hosts/tsuru/services/woodpecker.nix
new file mode 100644
index 0000000..b3fae28
--- /dev/null
+++ b/hosts/tsuru/services/woodpecker.nix
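Review bot: `networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName]` turns the host firewall off for every peer on the tailnet, so anything bound to all interfaces — including the Woodpecker server on `:8200` and its gRPC listener on `:8300` added in this same commit, if this file ends up imported — becomes reachable from every tailnet node rather than only the intended ones; an explicit allow-list such as `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = [ ... ];` keeps the default-deny posture. `services.tailscale.enable = true` is not set anywhere in this hunk, so unless it is enabled elsewhere `tailscale.service` will not exist and the autoconnect unit's `after`/`wants` entries point at nothing. In the script, `$status` is unquoted; if `tailscale status` or `jq` fails the test degrades to `[ = "Running" ]` and the oneshot aborts on a syntax error instead of falling through to `tailscale up`, so write `if [ "$status" = "Running" ]; then`. The `sleep 2` is presumably a startup race workaround; ordering on `tailscaled.service` readiness is more reliable but cannot be confirmed from this hunk.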
@@ -0,0 +1,38 @@
+{config, ...}: {
+  sops.secrets.woodpecker-server = {};
+  sops.secrets.woodpecker-agent-secret = {};
+  services.woodpecker-server = {
+    enable = true;
+    environment = {
+      WOODPECKER_SERVER_ADDR = ":8200";
+      WOODPECKER_GRPC_ADDR = ":8300";
+      WOODPECKER_HOST = "https://ci.flake.sh";
+      WOODPECKER_OPEN = "false";
+      WOODPECKER_GITEA = "true";
+      WOODPECKER_GITEA_URL = "https://git.flake.sh";
+      WOODPECKER_ADMIN = "notohh";
+      WOODPECKER_AGENT_SECRET = config.sops.secrets.woodpecker-agent-secret.path;
+      WOODPECKER_LOG_LEVEL = "debug";
+      WOODPECKER_DEBUG_PRETTY = "true";
+      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
+    };
+    environmentFile = config.sops.secrets.woodpecker-server.path;
+  };
+
+  services.woodpecker-agents.agents.nix = {
+    enable = true;
+    environment = {
+      DOCKER_HOST = "unix:///var/run/docker.sock";
+      WOODPECKER_BACKEND = "docker";
+      WOODPECKER_SERVER = "localhost:8300";
+      WOODPECKER_AGENT_SECRET = config.sops.secrets.woodpecker-agent-secret.path;
+      WOODPECKER_LOG_LEVEL = "debug";
+      WOODPECKER_DEBUG_PRETTY = "true";
+      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
+      WOODPECKER_HEALTHCHECK = "true";
+    };
+    extraGroups = [
+      "docker"
+    ];
+  };
+}
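Review bot: `WOODPECKER_AGENT_SECRET = config.sops.secrets.woodpecker-agent-secret.path` (set identically for the server and for the `nix` agent) hands Woodpecker the sops file *path* as the secret value, so the shared server/agent secret becomes the literal path string rather than the file's contents — the sops-managed value is never read and the effective secret is a predictable, non-secret string. Woodpecker reads a file-backed value through the `_FILE` variant, so both lines should become `WOODPECKER_AGENT_SECRET_FILE = config.sops.secrets.woodpecker-agent-secret.path;`. Separately, `WOODPECKER_GRPC_ADDR = ":8300"` listens on every interface while the only agent in this commit connects via `localhost:8300`; `WOODPECKER_GRPC_ADDR = "127.0.0.1:8300";` keeps the agent gRPC endpoint off the network (the same applies to `WOODPECKER_SERVER_ADDR` if a local reverse proxy fronts `https://ci.flake.sh`, which this hunk does not show). `WOODPECKER_LOG_LEVEL = "debug"` on both units is presumably a bring-up setting; it is worth dropping once the service is stable, since debug output is verbose and ends up in the journal.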