authorBruno BELANYI <bruno@belanyi.fr>2023-03-18 17:05:05 +0000
committerBruno BELANYI <bruno@belanyi.fr>2023-03-23 12:47:47 +0000
commite4f5f1b7187162c15b1a35df8772375cf878ab19 (patch)
tree2e4ad46012af1ea80de78fe96fad9a91792c41ab /nixos/modules/services/continuous-integration/woodpecker
parent658070e63688dd9e17237f428de956e1dd7913ed (diff)
nixos/woodpecker: refactor to multi-agents setup
The module file has been renamed from `agent.nix` to `agents.nix` to
mirror the change.
Diffstat (limited to 'nixos/modules/services/continuous-integration/woodpecker')
-rw-r--r--nixos/modules/services/continuous-integration/woodpecker/agent.nix99
-rw-r--r--nixos/modules/services/continuous-integration/woodpecker/agents.nix131
2 files changed, 131 insertions, 99 deletions
diff --git a/nixos/modules/services/continuous-integration/woodpecker/agent.nix b/nixos/modules/services/continuous-integration/woodpecker/agent.nix
deleted file mode 100644
index 1aedec81c9651..0000000000000
--- a/nixos/modules/services/continuous-integration/woodpecker/agent.nix
+++ /dev/null
@@ -1,99 +0,0 @@
-{ config
-, lib
-, pkgs
-, ...
-}:
-
-let
-  cfg = config.services.woodpecker-agent;
-in
-{
-  meta.maintainers = [ lib.maintainers.janik ];
-
-  options = {
-    services.woodpecker-agent = {
-      enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Agent, Agents execute tasks generated by a Server, every install will need one server and at least one agent");
-      package = lib.mkPackageOptionMD pkgs "woodpecker-agent" { };
-
-      environment = lib.mkOption {
-        default = { };
-        type = lib.types.attrsOf lib.types.str;
-        example = lib.literalExpression ''
-          {
-            WOODPECKER_SERVER = "localhost:9000";
-            WOODPECKER_BACKEND = "docker";
-            DOCKER_HOST = "unix:///run/podman/podman.sock";
-          }
-        '';
-        description = lib.mdDoc "woodpecker-agent config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/agent-config)";
-      };
-
-      extraGroups = lib.mkOption {
-        default = null;
-        type = lib.types.nullOr (lib.types.listOf lib.types.str);
-        example = [ "podman" ];
-        description = lib.mdDoc ''
-          Additional groups for the systemd service.
-        '';
-      };
-
-      environmentFile = lib.mkOption {
-        type = lib.types.nullOr lib.types.path;
-        default = null;
-        example = "/root/woodpecker-agent.env";
-        description = lib.mdDoc ''
-          File to load environment variables
-          from. This is helpful for specifying secrets.
-          Example content of environmentFile:
-          ```
-          WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
-          ```
-        '';
-      };
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-    systemd.services = {
-      woodpecker-agent = {
-        description = "Woodpecker-Agent Service";
-        wantedBy = [ "multi-user.target" ];
-        after = [ "network-online.target" ];
-        wants = [ "network-online.target" ];
-        serviceConfig = {
-          DynamicUser = true;
-          SupplementaryGroups = lib.optionals (cfg.extraGroups != null) cfg.extraGroups;
-          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
-          ExecStart = "${cfg.package}/bin/woodpecker-agent";
-          Restart = "on-failure";
-          RestartSec = 15;
-          CapabilityBoundingSet = "";
-          # Security
-          NoNewPrivileges = true;
-          # Sandboxing
-          ProtectSystem = "strict";
-          PrivateTmp = true;
-          PrivateDevices = true;
-          PrivateUsers = true;
-          ProtectHostname = true;
-          ProtectClock = true;
-          ProtectKernelTunables = true;
-          ProtectKernelModules = true;
-          ProtectKernelLogs = true;
-          ProtectControlGroups = true;
-          RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
-          LockPersonality = true;
-          MemoryDenyWriteExecute = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-          PrivateMounts = true;
-          # System Call Filtering
-          SystemCallArchitectures = "native";
-          SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
-        };
-        inherit (cfg) environment;
-      };
-    };
-  };
-}
-
diff --git a/nixos/modules/services/continuous-integration/woodpecker/agents.nix b/nixos/modules/services/continuous-integration/woodpecker/agents.nix
new file mode 100644
index 0000000000000..e8e683a72d5f2
--- /dev/null
+++ b/nixos/modules/services/continuous-integration/woodpecker/agents.nix
@@ -0,0 +1,131 @@
+{ config
+, lib
+, pkgs
+, ...
+}:
+
+let
+  cfg = config.services.woodpecker-agents;
+
+  agentModule = lib.types.submodule {
+    options = {
+      package = lib.mkPackageOptionMD pkgs "woodpecker-agent" { };
+
+      environment = lib.mkOption {
+        default = { };
+        type = lib.types.attrsOf lib.types.str;
+        example = lib.literalExpression ''
+          {
+            WOODPECKER_SERVER = "localhost:9000";
+            WOODPECKER_BACKEND = "docker";
+            DOCKER_HOST = "unix:///run/podman/podman.sock";
+          }
+        '';
+        description = lib.mdDoc "woodpecker-agent config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/agent-config)";
+      };
+
+      extraGroups = lib.mkOption {
+        default = null;
+        type = lib.types.nullOr (lib.types.listOf lib.types.str);
+        example = [ "podman" ];
+        description = lib.mdDoc ''
+          Additional groups for the systemd service.
+        '';
+      };
+
+      environmentFile = lib.mkOption {
+        type = lib.types.nullOr lib.types.path;
+        default = null;
+        example = "/var/secrets/woodpecker-agent.env";
+        description = lib.mdDoc ''
+          File to load environment variables
+          from. This is helpful for specifying secrets.
+          Example content of environmentFile:
+          ```
+          WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
+          ```
+        '';
+      };
+    };
+  };
+
+  mkAgentService = name: agentCfg: {
+    name = "woodpecker-agent-${name}";
+    value = {
+      description = "Woodpecker-Agent Service - ${name}";
+      wantedBy = [ "multi-user.target" ];
+      after = [ "network-online.target" ];
+      wants = [ "network-online.target" ];
+      serviceConfig = {
+        DynamicUser = true;
+        SupplementaryGroups = lib.optionals (agentCfg.extraGroups != null) agentCfg.extraGroups;
+        EnvironmentFile = lib.optional (agentCfg.environmentFile != null) agentCfg.environmentFile;
+        ExecStart = lib.getExe agentCfg.package;
+        Restart = "on-failure";
+        RestartSec = 15;
+        CapabilityBoundingSet = "";
+        NoNewPrivileges = true;
+        ProtectSystem = "strict";
+        PrivateTmp = true;
+        PrivateDevices = true;
+        PrivateUsers = true;
+        ProtectHostname = true;
+        ProtectClock = true;
+        ProtectKernelTunables = true;
+        ProtectKernelModules = true;
+        ProtectKernelLogs = true;
+        ProtectControlGroups = true;
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+        LockPersonality = true;
+        MemoryDenyWriteExecute = true;
+        RestrictRealtime = true;
+        RestrictSUIDSGID = true;
+        PrivateMounts = true;
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
+      inherit (agentCfg) environment;
+    };
+  };
+in
+{
+  meta.maintainers = [ lib.maintainers.janik ];
+
+  options = {
+    services.woodpecker-agents = {
+      enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Agent, Agents execute tasks generated by a Server, every install will need one server and at least one agent");
+
+      agents = lib.mkOption {
+        default = { };
+        type = lib.types.attrsOf agentModule;
+        example = {
+          docker = {
+            environment = {
+              WOODPECKER_SERVER = "localhost:9000";
+              WOODPECKER_BACKEND = "docker";
+              DOCKER_HOST = "unix:///run/podman/podman.sock";
+            };
+
+            extraGroups = [ "docker" ];
+
+            environmentFile = "/run/secrets/woodpecker/agent-secret.txt";
+          };
+
+          exec = {
+            environment = {
+              WOODPECKER_SERVER = "localhost:9000";
+              WOODPECKER_BACKEND = "exec";
+            };
+
+            environmentFile = "/run/secrets/woodpecker/agent-secret.txt";
+          };
+        };
+        description = lib.mdDoc "woodpecker-agents configurations";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    systemd.services = lib.mapAttrs' mkAgentService cfg.agents;
+  };
+}
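Review bot: The `environmentFile` option in `agentModule` is typed `lib.types.nullOr lib.types.path`, so a Nix path literal (for example `./agent.env`) given here would be copied into the world-readable Nix store, which defeats the option's stated purpose of keeping `WOODPECKER_AGENT_SECRET` out of the evaluated configuration; the examples use string paths, which avoid that, but the description never says so. I would append to that description: `Pass the path as a string (as in the example); a Nix path literal would be copied into the world-readable Nix store.` Separately, `mkAgentService` interpolates the attribute key directly into the unit name `woodpecker-agent-${name}`, and nothing in this hunk restricts the key to characters valid in a systemd unit name, so an agent keyed with a space or slash presumably fails at unit generation rather than at option evaluation; constraining `agents` with `lib.types.attrsOf` over a `lib.types.strMatching`-checked key, or an assertion over `lib.attrNames cfg.agents`, would surface that earlier. The `extraGroups` example `[ "docker" ]` is also worth a sentence in that option's description noting that socket access granted this way is not contained by the sandboxing directives on the unit.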