add woodpecker to hyperion

debugloop · debugloop · commit 50b9cd2daf3a · 2026-01-24T21:40:56.000+01:00
diff --git a/hosts/hyperion/configuration.nix b/hosts/hyperion/configuration.nix
@@ -13,6 +13,7 @@
     flake.nixosModules.service-restic-rest
     flake.nixosModules.service-jellyfin
     flake.nixosModules.service-rqbit
+    flake.nixosModules.service-woodpecker
   ];
 
   networking = {
diff --git a/modules/nixos/common/impermanence.nix b/modules/nixos/common/impermanence.nix
@@ -19,6 +19,11 @@
       "/var/lib/nixos" # uid and gid mappings
       "/var/log" # logs
       "/var/lib/docker" # docker rootful
+      # sandboxed systemd services -> TODO: should be per service
+      {
+        directory = "/var/lib/private";
+        mode = "0700";
+      }
     ];
     files = [
       "/etc/machine-id" # important, e.g. for journald
diff --git a/modules/nixos/service-factorio.nix b/modules/nixos/service-factorio.nix
@@ -8,13 +8,4 @@
   };
 
   age.secrets.factorio.file = ../../secrets/factorio.age;
-
-  environment.persistence."/nix/persist" = {
-    directories = [
-      {
-        directory = "/var/lib/private";
-        mode = "0700";
-      }
-    ];
-  };
 }
diff --git a/modules/nixos/service-woodpecker.nix b/modules/nixos/service-woodpecker.nix
@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    woodpecker-server = {
+      enable = true;
+      environmentFile = "${config.age.secrets.woodpecker.path}";
+      environment = {
+        WOODPECKER_ADMIN = "debugloop";
+        WOODPECKER_HOST = "https://ci.danieln.de";
+
+        WOODPECKER_GITEA = "true";
+        WOODPECKER_GITEA_URL = "https://codeberg.org";
+
+        WOODPECKER_SERVER_ADDR = "localhost:8082";
+      };
+    };
+    woodpecker-agents.agents.local = {
+      enable = true;
+      environmentFile = ["${config.age.secrets.woodpecker.path}"];
+      environment = {
+        WOODPECKER_SERVER = "localhost:9000";
+        WOODPECKER_BACKEND = "local";
+        WOODPECKER_HEALTHCHECK_ADDR = "localhost:3004";
+      };
+      path = with pkgs; [
+        git
+        git-lfs
+        bash
+        curl
+        jq
+        nix
+      ];
+    };
+  };
+
+  # NOTE: Required by the .#update script specifically for inline sed replace.
+  systemd.services.woodpecker-agent-local.serviceConfig.SystemCallFilter = ["@chown"];
+
+  age.secrets.woodpecker.file = ../../secrets/woodpecker.age;
+
+  services.caddy.virtualHosts."ci.danieln.de".extraConfig = ''
+    reverse_proxy localhost:8082
+  '';
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -18,4 +18,5 @@ in {
   "miniflux.age".publicKeys = all;
   "factorio.age".publicKeys = all;
   "mullvad.conf.age".publicKeys = all;
+  "woodpecker.age".publicKeys = all;
 }
diff --git a/secrets/woodpecker.age b/secrets/woodpecker.age

Original file line number	Diff line number	Diff line change
`@@ -18,4 +18,5 @@ in {`
`18`	`18`	`"miniflux.age".publicKeys = all;`
`19`	`19`	`"factorio.age".publicKeys = all;`
`20`	`20`	`"mullvad.conf.age".publicKeys = all;`
	`21`	`+ "woodpecker.age".publicKeys = all;`
`21`	`22`	`}`