diff options
author | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-03-14 22:33:29 +0100 |
---|---|---|
committer | Martin Weinelt <hexa@darmstadt.ccc.de> | 2023-03-14 22:33:40 +0100 |
commit | 231c1145f23b9e7e4477cf280212b92f46698717 (patch) | |
tree | c917c43d9807af456bc2ef2a00cd93cbc032e39c /nixos | |
parent | c089dfed379ea6eb374f3dc8c86558aea7efea96 (diff) | |
parent | 968de5d563a3b93fc57ac0938470fc23b5fc68d4 (diff) | |
download | nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar.gz nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar.bz2 nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar.lz nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar.xz nixlib-231c1145f23b9e7e4477cf280212b92f46698717.tar.zst nixlib-231c1145f23b9e7e4477cf280212b92f46698717.zip |
Merge remote-tracking branch 'origin/master' into staging-next
Conflicts: - pkgs/development/python-modules/rflink/default.nix
Diffstat (limited to 'nixos')
4 files changed, 203 insertions, 0 deletions
diff --git a/nixos/doc/manual/release-notes/rl-2305.section.md b/nixos/doc/manual/release-notes/rl-2305.section.md index 97ac092c9a0b..b5e157cdb76e 100644 --- a/nixos/doc/manual/release-notes/rl-2305.section.md +++ b/nixos/doc/manual/release-notes/rl-2305.section.md @@ -71,6 +71,10 @@ In addition to numerous new and upgraded packages, this release has the followin - [nimdow](https://github.com/avahe-kellenberger/nimdow), a window manager written in Nim, inspired by dwm. +- [woodpecker-agent](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-agent](#opt-services.woodpecker-agent.enable). + +- [woodpecker-server](https://woodpecker-ci.org/), a simple CI engine with great extensibility. Available as [services.woodpecker-server](#opt-services.woodpecker-server.enable). + ## Backward Incompatibilities {#sec-release-23.05-incompatibilities} <!-- To avoid merge conflicts, consider adding your item at an arbitrary place in the list instead. --> diff --git a/nixos/modules/module-list.nix b/nixos/modules/module-list.nix index 60f3bbc98c0c..314d67419b7f 100644 --- a/nixos/modules/module-list.nix +++ b/nixos/modules/module-list.nix @@ -377,6 +377,8 @@ ./services/continuous-integration/jenkins/default.nix ./services/continuous-integration/jenkins/job-builder.nix ./services/continuous-integration/jenkins/slave.nix + ./services/continuous-integration/woodpecker/agent.nix + ./services/continuous-integration/woodpecker/server.nix ./services/databases/aerospike.nix ./services/databases/cassandra.nix ./services/databases/clickhouse.nix diff --git a/nixos/modules/services/continuous-integration/woodpecker/agent.nix b/nixos/modules/services/continuous-integration/woodpecker/agent.nix new file mode 100644 index 000000000000..1aedec81c965 --- /dev/null +++ b/nixos/modules/services/continuous-integration/woodpecker/agent.nix @@ -0,0 +1,99 @@ +{ config +, lib +, pkgs +, ... +}: + +let + cfg = config.services.woodpecker-agent; +in +{ + meta.maintainers = [ lib.maintainers.janik ]; + + options = { + services.woodpecker-agent = { + enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Agent, Agents execute tasks generated by a Server, every install will need one server and at least one agent"); + package = lib.mkPackageOptionMD pkgs "woodpecker-agent" { }; + + environment = lib.mkOption { + default = { }; + type = lib.types.attrsOf lib.types.str; + example = lib.literalExpression '' + { + WOODPECKER_SERVER = "localhost:9000"; + WOODPECKER_BACKEND = "docker"; + DOCKER_HOST = "unix:///run/podman/podman.sock"; + } + ''; + description = lib.mdDoc "woodpecker-agent config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/agent-config)"; + }; + + extraGroups = lib.mkOption { + default = null; + type = lib.types.nullOr (lib.types.listOf lib.types.str); + example = [ "podman" ]; + description = lib.mdDoc '' + Additional groups for the systemd service. + ''; + }; + + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/root/woodpecker-agent.env"; + description = lib.mdDoc '' + File to load environment variables + from. This is helpful for specifying secrets. + Example content of environmentFile: + ``` + WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here + ``` + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services = { + woodpecker-agent = { + description = "Woodpecker-Agent Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + DynamicUser = true; + SupplementaryGroups = lib.optionals (cfg.extraGroups != null) cfg.extraGroups; + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = "${cfg.package}/bin/woodpecker-agent"; + Restart = "on-failure"; + RestartSec = 15; + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + inherit (cfg) environment; + }; + }; + }; +} + diff --git a/nixos/modules/services/continuous-integration/woodpecker/server.nix b/nixos/modules/services/continuous-integration/woodpecker/server.nix new file mode 100644 index 000000000000..6b4e4732465c --- /dev/null +++ b/nixos/modules/services/continuous-integration/woodpecker/server.nix @@ -0,0 +1,98 @@ +{ config +, lib +, pkgs +, ... +}: + +let + cfg = config.services.woodpecker-server; +in +{ + meta.maintainers = [ lib.maintainers.janik ]; + + + options = { + services.woodpecker-server = { + enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Server, a CI/CD application for automatic builds, deployments and tests"); + package = lib.mkPackageOptionMD pkgs "woodpecker-server" { }; + environment = lib.mkOption { + default = { }; + type = lib.types.attrsOf lib.types.str; + example = lib.literalExpression + '' + { + WOODPECKER_HOST = "https://woodpecker.example.com"; + WOODPECKER_OPEN = "true"; + WOODPECKER_GITEA = "true"; + WOODPECKER_GITEA_CLIENT = "ffffffff-ffff-ffff-ffff-ffffffffffff"; + WOODPECKER_GITEA_URL = "https://git.example.com"; + } + ''; + description = lib.mdDoc "woodpecker-server config envrionment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)"; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + example = "/root/woodpecker-server.env"; + description = lib.mdDoc '' + File to load environment variables + from. This is helpful for specifying secrets. + Example content of environmentFile: + ``` + WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here + WOODPECKER_GITEA_SECRET=gto_************************************** + ``` + ''; + }; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services = { + woodpecker-server = { + description = "Woodpecker-Server Service"; + wantedBy = [ "multi-user.target" ]; + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + serviceConfig = { + DynamicUser = true; + WorkingDirectory = "%S/woodpecker-server"; + StateDirectory = "woodpecker-server"; + StateDirectoryMode = "0700"; + UMask = "0007"; + ConfigurationDirectory = "woodpecker-server"; + EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile; + ExecStart = "${cfg.package}/bin/woodpecker-server"; + Restart = "on-failure"; + RestartSec = 15; + CapabilityBoundingSet = ""; + # Security + NoNewPrivileges = true; + # Sandboxing + ProtectSystem = "strict"; + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + PrivateUsers = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]; + LockPersonality = true; + MemoryDenyWriteExecute = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + PrivateMounts = true; + # System Call Filtering + SystemCallArchitectures = "native"; + SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap"; + }; + inherit (cfg) environment; + }; + }; + }; +} + |