WIP

Agents are not working : can't connect to the server for some reason... Maybe try to use the woodpecker-grpc domain...
pkgs: woodpecker-*: init at 0.15.3
19 changed files with 523 additions and 1 deletions
--- a/machines/porthos/services.nix
+++ b/machines/porthos/services.nix
@ -135,6 +135,13 @@ in
      enable = true;
      credentialsFile = secrets."transmission/credentials".path;
    };
+    # Open-Source CI 
+    woodpecker = {
+      enable = true;
+      runners = [ "docker" "local" ];
+      secretFile = secrets."woodpecker/gitea".path;
+      sharedSecretFile = secrets."woodpecker/secret".path;
+    };
    # Simple, in-kernel VPN
    wireguard = {
      enable = true;
--- a/modules/secrets/TODO
+++ b/modules/secrets/TODO
@ -0,0 +1 @@
+use WOODPECKER_GITEA_CLIENT_FILE, WOODPECKER_GITEA_SECRET_FILE
--- a/modules/secrets/secrets.nix
+++ b/modules/secrets/secrets.nix
@ -59,6 +59,10 @@ in
  "users/ambroisie/hashed-password.age".publicKeys = all;
  "users/root/hashed-password.age".publicKeys = all;

+  "woodpecker/gitea.age".publicKeys = all;
+  "woodpecker/secret.age".publicKeys = all;
+  "woodpecker/ssh/private-key.age".publicKeys = all;
+
  "wireguard/aramis/private-key.age".publicKeys = all;
  "wireguard/milady/private-key.age".publicKeys = all;
  "wireguard/porthos/private-key.age".publicKeys = all;
--- a/modules/secrets/woodpecker/gitea.age
+++ b/modules/secrets/woodpecker/gitea.age
--- a/modules/secrets/woodpecker/secret.age
+++ b/modules/secrets/woodpecker/secret.age
@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 jPowng IveSI2+/Q15g6yydDjMREsLFEq3fpM0SDmLmlsFnPHI
+wcRtjrmf+x1ZcqyliyYz6ljOltURWVhPI9x2TQSByK4
+-> ssh-ed25519 cKojmg bHay1I+jWaOEuCZoCFy6rcWiDpQxz74ZIUjOX37ODT4
+AKFTS5ZrQtHjJIYWZY7GLI8Rn6B1m+eTAl+KAr1oQC0
+-> n.H-grease v@8;)[ gzbujmT v9qhv $w&qF&(
+7DcEcfkZuSdAQzNuuein7/y9grPQ3rkdOrDHPKAtyPxRDH1U+6RALMHpkePYjYkl
+aFk+uU9vY/3WDwCiqw
+--- qgViLpjAghwtShzaGBwD9r+LKTz1wZRbt2uMRGBbhcQ
+Úc<UË,ôFôL¤5÷IŸ¹Çè1Z^LCÿE/ÐÐ‹¸T‹§WO{}èi‡•9kç2»	Æ.AÊô³OtL¢ôj“#C†,’c0„˜¬&<>ýÌc³	ÃŒŸ
--- a/modules/secrets/woodpecker/ssh/private-key.age
+++ b/modules/secrets/woodpecker/ssh/private-key.age
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@ -21,8 +21,8 @@
    ./paperless
    ./pirate
    ./podgrab
-    ./postgresql-backup
    ./postgresql
+    ./postgresql-backup
    ./quassel
    ./rss-bridge
    ./sabnzbd
@ -30,5 +30,6 @@
    ./tlp
    ./transmission
    ./wireguard
+    ./woodpecker
  ];
 }
--- a/modules/services/woodpecker/agent-docker/default.nix
+++ b/modules/services/woodpecker/agent-docker/default.nix
@ -0,0 +1,45 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.woodpecker;
+  hasRunner = (name: builtins.elem name cfg.runners);
+  agentPkg = pkgs.ambroisie.woodpecker-agent;
+in
+{
+  config = lib.mkIf (cfg.enable && hasRunner "docker") {
+    systemd.services.woodpecker-agent-docker = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "docker.socket" ]; # Needs the socket to be available
+      # might break deployment
+      restartIfChanged = false;
+      confinement.enable = true;
+      serviceConfig = {
+        Environment = [
+          "WOODPECKER_SERVER=localhost:${toString cfg.grpcPort}"
+          "WOODPECKER_GRPC_SECURE=true"
+          "WOODPECKER_MAX_PROCS=10"
+          "WOODPECKER_BACKEND=docker"
+          # FIXME: docker settings
+        ];
+        BindPaths = [
+          "/var/run/docker.sock"
+        ];
+        EnvironmentFile = [
+          cfg.sharedSecretFile
+        ];
+        ExecStart = "${agentPkg}/bin/woodpecker-agent";
+        User = "woodpecker-agent-docker";
+        Group = "woodpecker-agent-docker";
+      };
+    };
+
+    # Make sure it is activated in that case
+    virtualisation.docker.enable = true;
+
+    users.users.woodpecker-agent-docker = {
+      isSystemUser = true;
+      group = "woodpecker-agent-docker";
+      extraGroups = [ "docker" ]; # Give access to the daemon
+    };
+    users.groups.woodpecker-agent-docker = { };
+  };
+}
--- a/modules/services/woodpecker/agent-local/default.nix
+++ b/modules/services/woodpecker/agent-local/default.nix
@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.woodpecker;
+  hasRunner = (name: builtins.elem name cfg.runners);
+  agentPkg = pkgs.ambroisie.woodpecker-agent;
+in
+{
+  config = lib.mkIf (cfg.enable && hasRunner "local") {
+    systemd.services.woodpecker-agent-local = {
+      wantedBy = [ "multi-user.target" ];
+      # might break deployment
+      restartIfChanged = false;
+      confinement.enable = true;
+      confinement.packages = with pkgs; [
+        git
+        gnutar
+        bash
+        nixUnstable
+        gzip
+      ];
+      path = with pkgs; [
+        git
+        gnutar
+        bash
+        nixUnstable
+        gzip
+      ];
+      serviceConfig = {
+        Environment = [
+          "WOODPECKER_SERVER=localhost:${toString cfg.grpcPort}"
+          "WOODPECKER_GRPC_SECURE=true"
+          "WOODPECKER_MAX_PROCS=10"
+          "WOODPECKER_BACKEND=local"
+          "NIX_REMOTE=daemon"
+          "PAGER=cat"
+        ];
+        BindPaths = [
+          "/nix/var/nix/daemon-socket/socket"
+          "/run/nscd/socket"
+        ];
+        BindReadOnlyPaths = [
+          "/etc/resolv.conf:/etc/resolv.conf"
+          "/etc/resolvconf.conf:/etc/resolvconf.conf"
+          "/etc/passwd:/etc/passwd"
+          "/etc/group:/etc/group"
+          "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
+          "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
+          "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
+          "/etc/machine-id"
+          # channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
+          "/nix/"
+        ];
+        EnvironmentFile = [
+          cfg.sharedSecretFile
+        ];
+        ExecStart = "${agentPkg}/bin/woodpecker-agent";
+        User = "woodpecker-agent-local";
+        Group = "woodpecker-agent-local";
+      };
+    };
+
+    users.users.woodpecker-agent-local = {
+      isSystemUser = true;
+      group = "woodpecker-agent-local";
+    };
+    users.groups.woodpecker-agent-local = { };
+  };
+}
--- a/modules/services/woodpecker/default.nix
+++ b/modules/services/woodpecker/default.nix
@ -0,0 +1,50 @@
+# A docker-based CI/CD system
+#
+# Inspired by [1]
+# [1]: https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone.nix
+{ lib, ... }:
+{
+  imports = [
+    ./agent-docker
+    ./agent-local
+    ./server
+  ];
+
+  options.my.services.woodpecker = with lib; {
+    enable = mkEnableOption "Woodpecker CI";
+    runners = mkOption {
+      type = with types; listOf (enum [ "local" "docker" ]);
+      default = [ ];
+      example = [ "local" "docker" ];
+      description = "Types of runners to enable";
+    };
+    admin = mkOption {
+      type = types.str;
+      default = "ambroisie";
+      example = "admin";
+      description = "Name of the admin user";
+    };
+    port = mkOption {
+      type = types.port;
+      default = 3031;
+      example = 8080;
+      description = "Internal port of the Woodpecker UI";
+    };
+    grpcPort = mkOption {
+      type = types.port;
+      default = 9001;
+      example = 8080;
+      description = "Internal port of the Woodpecker gRPC";
+    };
+    secretFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/woodpecker-gitea.env";
+      description = "Secrets to inject into Woodpecker server";
+    };
+    sharedSecretFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/woodpecker-rpc.env";
+      description = "Shared RPC secret to inject into server and runners";
+    };
+  };
+}
--- a/modules/services/woodpecker/server/default.nix
+++ b/modules/services/woodpecker/server/default.nix
@ -0,0 +1,61 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.my.services.woodpecker;
+in
+{
+  config = lib.mkIf cfg.enable {
+    systemd.services.woodpecker-server = {
+      wantedBy = [ "multi-user.target" ];
+      after = [ "postgresql.service" ];
+      serviceConfig = {
+        EnvironmentFile = [
+          cfg.secretFile
+          cfg.sharedSecretFile
+        ];
+        Environment = [
+          "WOODPECKER_SERVER_ADDR=:${toString cfg.port}"
+          "WOODPECKER_GRPC_ADDR=:${toString cfg.grpcPort}"
+          "WOODPECKER_HOST=https://woodpecker.${config.networking.domain}"
+          "WOODPECKER_DATABASE_DRIVER=postgres"
+          "WOODPECKER_DATABASE_DATASOURCE=postgres:///woodpecker?host=/run/postgresql"
+          "WOODPECKER_ADMIN=${cfg.admin}"
+          # FIXME: not supported?
+          "WOODPECKER_JSONNET_ENABLED=true"
+          "WOODPECKER_STARLARK_ENABLED=true"
+        ];
+        ExecStart = "${pkgs.ambroisie.woodpecker-server}/bin/woodpecker-server";
+        User = "woodpecker";
+        Group = "woodpecker";
+      };
+    };
+
+    users.users.woodpecker = {
+      isSystemUser = true;
+      createHome = true;
+      group = "woodpecker";
+    };
+    users.groups.woodpecker = { };
+
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ "woodpecker" ];
+      ensureUsers = [{
+        name = "woodpecker";
+        ensurePermissions = {
+          "DATABASE woodpecker" = "ALL PRIVILEGES";
+        };
+      }];
+    };
+
+    my.services.nginx.virtualHosts = [
+      {
+        subdomain = "woodpecker";
+        inherit (cfg) port;
+      }
+      {
+        subdomain = "woodpecker-grpc";
+        port = cfg.grpcPort;
+      }
+    ];
+  };
+}
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@ -39,4 +39,12 @@ pkgs.lib.makeScope pkgs.newScope (pkgs: {
  vimix-cursors = pkgs.callPackage ./vimix-cursors { };

  volantes-cursors = pkgs.callPackage ./volantes-cursors { };
+
+  woodpecker-agent = pkgs.callPackage ./woodpecker/agent.nix { };
+
+  woodpecker-cli = pkgs.callPackage ./woodpecker/cli.nix { };
+
+  woodpecker-server = pkgs.callPackage ./woodpecker/server.nix {
+    woodpecker-frontend = pkgs.callPackage ./woodpecker/frontend.nix { };
+  };
 })
--- a/pkgs/woodpecker/agent.nix
+++ b/pkgs/woodpecker/agent.nix
@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+let
+  inherit (import ./common.nix { inherit lib fetchFromGitHub; })
+    meta
+    version
+    src
+    ldflags
+    postBuild
+    ;
+in
+buildGoModule {
+  pname = "woodpecker-agent";
+  inherit version src ldflags postBuild;
+  vendorSha256 = null;
+
+  subPackages = "cmd/agent";
+
+  CGO_ENABLED = 0;
+
+  meta = meta // {
+    description = "Woodpecker Continuous Integration agent";
+  };
+}
--- a/pkgs/woodpecker/cli.nix
+++ b/pkgs/woodpecker/cli.nix
@ -0,0 +1,23 @@
+{ lib, buildGoModule, fetchFromGitHub }:
+let
+  inherit (import ./common.nix { inherit lib fetchFromGitHub; })
+    meta
+    version
+    src
+    ldflags
+    postBuild
+    ;
+in
+buildGoModule {
+  pname = "woodpecker-cli";
+  inherit version src ldflags postBuild;
+  vendorSha256 = null;
+
+  subPackages = "cmd/cli";
+
+  CGO_ENABLED = 0;
+
+  meta = meta // {
+    description = "Command line client for the Woodpecker Continuous Integration server";
+  };
+}
--- a/pkgs/woodpecker/common.nix
+++ b/pkgs/woodpecker/common.nix
@ -0,0 +1,36 @@
+{ lib, fetchFromGitHub }:
+let
+  version = "0.15.3";
+  srcSha256 = "sha256-HOOH3H2SXLcT2oW/xL80TO+ZSI+Haulnznpb4hlCQow=";
+  yarnSha256 = "sha256-x9g0vSoexfknqLejgcNIigmkFnqYsmhcQNTOStcj68o=";
+in
+{
+  inherit version yarnSha256;
+
+  src = fetchFromGitHub {
+    owner = "woodpecker-ci";
+    repo = "woodpecker";
+    rev = "v${version}";
+    sha256 = srcSha256;
+  };
+
+  postBuild = ''
+    cd $GOPATH/bin
+    for f in *; do
+      mv -- "$f" "woodpecker-$f"
+    done
+    cd -
+  '';
+
+  ldflags = [
+    "-s"
+    "-w"
+    "-X github.com/woodpecker-ci/woodpecker/version.Version=${version}"
+  ];
+
+  meta = with lib; {
+    homepage = "https://woodpecker-ci.org/";
+    license = licenses.asl20;
+    maintainers = with maintainers; [ ambroisie ];
+  };
+}
--- a/pkgs/woodpecker/frontend.nix
+++ b/pkgs/woodpecker/frontend.nix
@ -0,0 +1,45 @@
+{ lib, fetchFromGitHub, fetchYarnDeps, mkYarnPackage }:
+let
+  inherit (import ./common.nix { inherit lib fetchFromGitHub; })
+    meta
+    version
+    src
+    yarnSha256
+    ;
+in
+mkYarnPackage {
+  pname = "woodpecker-frontend";
+  inherit version;
+
+  src = "${src}/web";
+
+  packageJSON = ./woodpecker-package.json;
+  offlineCache = fetchYarnDeps {
+    yarnLock = "${src}/web/yarn.lock";
+    sha256 = yarnSha256;
+  };
+
+  buildPhase = ''
+    runHook preBuild
+
+    yarn build
+
+    runHook postBuild
+  '';
+
+  installPhase = ''
+    runHook preInstall
+
+    cp -R deps/woodpecker-ci/dist $out
+    echo "${version}" > "$out/version"
+
+    runHook postInstall
+  '';
+
+  # Do not attempt generating a tarball for woodpecker-frontend again.
+  doDist = false;
+
+  meta = meta // {
+    description = "Woodpecker Continuous Integration server frontend";
+  };
+}
--- a/pkgs/woodpecker/server.nix
+++ b/pkgs/woodpecker/server.nix
@ -0,0 +1,33 @@
+{ lib, buildGoModule, fetchFromGitHub, woodpecker-frontend }:
+let
+  inherit (import ./common.nix { inherit lib fetchFromGitHub; })
+    meta
+    version
+    src
+    ldflags
+    postBuild
+    ;
+in
+buildGoModule {
+  pname = "woodpecker-server";
+  inherit version src ldflags postBuild;
+  vendorSha256 = null;
+
+  postPatch = ''
+    cp -r ${woodpecker-frontend} web/dist
+  '';
+
+  subPackages = "cmd/server";
+
+  CGO_ENABLED = 1;
+
+  passthru = {
+    inherit woodpecker-frontend;
+
+    updateScript = ./update.sh;
+  };
+
+  meta = meta // {
+    description = "Woodpecker Continuous Integration server";
+  };
+}
--- a/pkgs/woodpecker/update.sh
+++ b/pkgs/woodpecker/update.sh
@ -0,0 +1,44 @@
+#!/usr/bin/env nix-shell
+#!nix-shell -i bash -p nix wget prefetch-yarn-deps nix-prefetch-github jq
+
+if [ "$#" -gt 1 ] || [[ "$1" == -* ]]; then
+    echo "Regenerates packaging data for the woodpecker packages."
+    echo "Usage: $0 [git release tag]"
+    exit 1
+fi
+
+set -x
+
+cd "$(dirname "$0")"
+version="$1"
+
+set -euo pipefail
+
+if [ -z "$version" ]; then
+    version="$(wget -O- "https://api.github.com/repos/woodpecker-ci/woodpecker/releases?per_page=1" | jq -r '.[0].tag_name')"
+fi
+
+# strip leading "v"
+version="${version#v}"
+
+# Woodpecker repository
+src_hash=$(nix-prefetch-github woodpecker-ci woodpecker --rev "v${version}" | jq -r .sha256)
+
+# Front-end dependencies
+woodpecker_src="https://raw.githubusercontent.com/woodpecker-ci/woodpecker/v$version"
+wget "$woodpecker_src/web/package.json" -O woodpecker-package.json
+
+web_tmpdir=$(mktemp -d)
+trap 'rm -rf "$web_tmpdir"' EXIT
+pushd "$web_tmpdir"
+wget "$woodpecker_src/web/yarn.lock"
+yarn_hash=$(prefetch-yarn-deps yarn.lock)
+popd
+
+# Use friendlier hashes
+src_hash=$(nix hash to-sri --type sha256 "$src_hash")
+yarn_hash=$(nix hash to-sri --type sha256 "$yarn_hash")
+
+sed -i -E -e "s#version = \".*\"#version = \"$version\"#" common.nix
+sed -i -E -e "s#srcSha256 = \".*\"#srcSha256 = \"$src_hash\"#" common.nix
+sed -i -E -e "s#yarnSha256 = \".*\"#yarnSha256 = \"$yarn_hash\"#" common.nix
--- a/pkgs/woodpecker/woodpecker-package.json
+++ b/pkgs/woodpecker/woodpecker-package.json
@ -0,0 +1,63 @@
+{
+  "name": "woodpecker-ci",
+  "author": "Woodpecker CI",
+  "version": "0.0.0",
+  "license": "Apache-2.0",
+  "engines": {
+    "node": ">=14"
+  },
+  "scripts": {
+    "start": "vite",
+    "build": "vite build",
+    "serve": "vite preview",
+    "lint": "eslint --max-warnings 0 --ext .js,.ts,.vue,.json .",
+    "formatcheck": "prettier -c .",
+    "format:fix": "prettier --write .",
+    "typecheck": "vue-tsc --noEmit",
+    "test": "echo 'No tests configured' && exit 0"
+  },
+  "dependencies": {
+    "@kyvg/vue3-notification": "2.3.4",
+    "@meforma/vue-toaster": "1.2.2",
+    "ansi-to-html": "0.7.2",
+    "dayjs": "1.10.7",
+    "floating-vue": "2.0.0-beta.5",
+    "fuse.js": "6.4.6",
+    "humanize-duration": "3.27.0",
+    "javascript-time-ago": "2.3.10",
+    "node-emoji": "1.11.0",
+    "pinia": "2.0.0",
+    "vue": "v3.2.20",
+    "vue-router": "4.0.10"
+  },
+  "devDependencies": {
+    "@iconify/json": "1.1.421",
+    "@types/humanize-duration": "3.27.0",
+    "@types/javascript-time-ago": "2.0.3",
+    "@types/node": "16.11.6",
+    "@types/node-emoji": "1.8.1",
+    "@typescript-eslint/eslint-plugin": "5.6.0",
+    "@typescript-eslint/parser": "5.6.0",
+    "@vitejs/plugin-vue": "1.9.4",
+    "@vue/compiler-sfc": "3.2.20",
+    "eslint": "7.32.0",
+    "eslint-config-airbnb-base": "15.0.0",
+    "eslint-config-airbnb-typescript": "16.1.0",
+    "eslint-config-prettier": "8.3.0",
+    "eslint-plugin-import": "2.25.3",
+    "eslint-plugin-prettier": "4.0.0",
+    "eslint-plugin-promise": "5.1.1",
+    "eslint-plugin-simple-import-sort": "7.0.0",
+    "eslint-plugin-vue": "7.18.0",
+    "eslint-plugin-vue-scoped-css": "1.3.0",
+    "prettier": "2.4.1",
+    "typescript": "4.4.4",
+    "unplugin-icons": "0.12.17",
+    "unplugin-vue-components": "0.17.0",
+    "vite": "2.6.13",
+    "vite-plugin-windicss": "1.4.12",
+    "vite-svg-loader": "3.0.0",
+    "vue-tsc": "0.28.10",
+    "windicss": "3.2.0"
+  }
+}
Author	SHA1	Message	Date
Bruno BELANYI	7821618722	WIP continuous-integration/drone/push Build is passing Details Agents are not working : can't connect to the server for some reason... Maybe try to use the woodpecker-grpc domain...	8 months ago
Bruno BELANYI	ca59097b35	pkgs: woodpecker-*: init at 0.15.3 continuous-integration/drone/push Build is passing Details	8 months ago
				`@ -0,0 +1 @@`
				`use WOODPECKER_GITEA_CLIENT_FILE, WOODPECKER_GITEA_SECRET_FILE`