From a4ec703bae797e5f3cf4fe1549a847d086c27023 Mon Sep 17 00:00:00 2001
From: notohh <github@notohh.dev>
Date: Tue, 23 Jan 2024 15:43:08 -0500
Subject: [PATCH] tsuru: enable woodpecker

---
 hosts/tsuru/services/default.nix    |  2 +-
 hosts/tsuru/services/tailscale.nix  | 43 +++++++++++++++++++++++++++++
 hosts/tsuru/services/woodpecker.nix | 38 +++++++++++++++++++++++++
 3 files changed, 82 insertions(+), 1 deletion(-)
 create mode 100644 hosts/tsuru/services/tailscale.nix
 create mode 100644 hosts/tsuru/services/woodpecker.nix

diff --git a/hosts/tsuru/services/default.nix b/hosts/tsuru/services/default.nix
index 95d74d2..f811024 100644
--- a/hosts/tsuru/services/default.nix
+++ b/hosts/tsuru/services/default.nix
@@ -1,5 +1,5 @@
 _: {
   imports = [
-    ./forgejo-runners.nix
+    ./woodpecker.nix
   ];
 }
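Review bot: The import list now pulls in `./woodpecker.nix` only, yet this patch also creates `hosts/tsuru/services/tailscale.nix`, which no hunk imports; unless it is referenced from a module outside this patch, the Tailscale configuration, its sops secret and the `tailscale-autoconnect` unit will never be evaluated on this host. If it is meant to be active here, the list should read `./tailscale.nix` and `./woodpecker.nix`. If it is intentionally staged for later, a short comment in `default.nix` saying so would keep the next reader from assuming the host is already on the tailnet.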
diff --git a/hosts/tsuru/services/tailscale.nix b/hosts/tsuru/services/tailscale.nix
new file mode 100644
index 0000000..798440a
--- /dev/null
+++ b/hosts/tsuru/services/tailscale.nix
@@ -0,0 +1,43 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  sops.secrets.tsauth-tsuru = {
+    sopsFile = ../../../secrets/tailscale/secrets.yaml;
+  };
+  environment.systemPackages = [pkgs.jq pkgs.tailscale];
+  services.tailscale = {
+    useRoutingFeatures = lib.mkDefault "client";
+  };
+  networking.firewall.allowedUDPPorts = [config.services.tailscale.port];
+  networking.firewall.trustedInterfaces = [config.services.tailscale.interfaceName];
+
+  systemd.services.tailscale-autoconnect = {
+    description = "Automatic connection to Tailscale";
+
+    # make sure tailscale is running before trying to connect to tailscale
+    after = ["network-pre.target" "tailscale.service"];
+    wants = ["network-pre.target" "tailscale.service"];
+    wantedBy = ["multi-user.target"];
+
+    # set this service as a oneshot job
+    serviceConfig.Type = "oneshot";
+
+    # have the job run this shell script
+    script = with pkgs; ''
+      # wait for tailscaled to settle
+      sleep 2
+
+      # check if we are already authenticated to tailscale
+      status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+      if [ $status = "Running" ]; then # if so, then do nothing
+        exit 0
+      fi
+
+      # otherwise authenticate with tailscale
+      ${tailscale}/bin/tailscale up -authkey file:${config.sops.secrets.tsauth-tsuru.path} --exit-node=100.104.42.96 --exit-node-allow-lan-access=true --accept-dns=false
+    '';
+  };
+}
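Review bot: The test on the `status` variable is unquoted, so when `tailscale status -json` fails or returns no `BackendState` the shell sees `[ = "Running" ]`, reports a unary-operator error, and the script falls through to `tailscale up` anyway; it should read `if [ "$status" = "Running" ]; then`. The fixed `sleep 2` before the status query is a race rather than a readiness check, so on a slow boot the first `tailscale status` may still fail and the unit will try to re-authenticate with the key; a bounded retry loop around the status check, or ordering on `tailscaled` being reachable, would make the oneshot deterministic. The auth key is correctly passed as `file:` from the sops path rather than inlined, so it stays out of the unit's command line and journal; a comment above the `tailscale up` line explaining why the fixed exit node `100.104.42.96` and `--accept-dns=false` are chosen for this host would help whoever maintains it.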
diff --git a/hosts/tsuru/services/woodpecker.nix b/hosts/tsuru/services/woodpecker.nix
new file mode 100644
index 0000000..b3fae28
--- /dev/null
+++ b/hosts/tsuru/services/woodpecker.nix
@@ -0,0 +1,38 @@
+{config, ...}: {
+  sops.secrets.woodpecker-server = {};
+  sops.secrets.woodpecker-agent-secret = {};
+  services.woodpecker-server = {
+    enable = true;
+    environment = {
+      WOODPECKER_SERVER_ADDR = ":8200";
+      WOODPECKER_GRPC_ADDR = ":8300";
+      WOODPECKER_HOST = "https://ci.flake.sh";
+      WOODPECKER_OPEN = "false";
+      WOODPECKER_GITEA = "true";
+      WOODPECKER_GITEA_URL = "https://git.flake.sh";
+      WOODPECKER_ADMIN = "notohh";
+      WOODPECKER_AGENT_SECRET = config.sops.secrets.woodpecker-agent-secret.path;
+      WOODPECKER_LOG_LEVEL = "debug";
+      WOODPECKER_DEBUG_PRETTY = "true";
+      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
+    };
+    environmentFile = config.sops.secrets.woodpecker-server.path;
+  };
+
+  services.woodpecker-agents.agents.nix = {
+    enable = true;
+    environment = {
+      DOCKER_HOST = "unix:///var/run/docker.sock";
+      WOODPECKER_BACKEND = "docker";
+      WOODPECKER_SERVER = "localhost:8300";
+      WOODPECKER_AGENT_SECRET = config.sops.secrets.woodpecker-agent-secret.path;
+      WOODPECKER_LOG_LEVEL = "debug";
+      WOODPECKER_DEBUG_PRETTY = "true";
+      WOODPECKER_KEEPALIVE_MIN_TIME = "10s";
+      WOODPECKER_HEALTHCHECK = "true";
+    };
+    extraGroups = [
+      "docker"
+    ];
+  };
+}
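Review bot: `WOODPECKER_AGENT_SECRET` is set to `config.sops.secrets.woodpecker-agent-secret.path` on both the server side and the agent side, which is the filesystem path of the secret, not its contents; since both ends receive the same path string, the agent will authenticate, but the effective shared secret guarding the gRPC listener on `:8300` becomes a predictable path rather than the value stored in sops. Woodpecker reads secrets from a file via the `_FILE` suffix, so both lines should become `WOODPECKER_AGENT_SECRET_FILE = config.sops.secrets.woodpecker-agent-secret.path;` (the server's `environmentFile` may currently mask this on the server side only, which is worth confirming). Independently, `WOODPECKER_LOG_LEVEL = "debug"` with `WOODPECKER_DEBUG_PRETTY` on both server and agent is verbose for a persistent host and can write forge tokens and pipeline details into the journal; if it is a bring-up setting, a comment marking it as temporary would help.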