woodpecker: restructure

Author: felbinger

modules/woodpecker-agent.nix

@@ -4,7 +4,15 @@
   ...
 }:
 let
-  inherit (lib) mkEnableOption mkOption types;
+  cfg = config.secshell.gitea.woodpecker;
+  inherit (lib)
+    mkIf
+    mkEnableOption
+    mkOption
+    types
+    mkMerge
+    mkAfter
+    ;
   mkDisableOption =
     name:
     mkEnableOption name
@@ -47,8 +55,107 @@ in
     };
   };
 
-  imports = [
-    ./woodpecker-server.nix
-    ./woodpecker-agent.nix
-  ];
+  config = mkIf (config.secshell.gitea.enable && cfg.enable) (mkMerge [
+    # base
+    {
+      sops = {
+        secrets."woodpecker/secret" = { };
+        templates."woodpecker/environment-agent".content = ''
+          WOODPECKER_AGENT_SECRET=${config.sops.placeholder."woodpecker/secret"}
+        '';
+      };
+    }
+
+    # server
+    (mkIf cfg.enableServers {
+      sops = {
+        secrets = {
+          "woodpecker/oidcClientId" = { };
+          "woodpecker/oidcSecret" = { };
+        };
+        templates."woodpecker/environment".content = mkAfter ''
+          WOODPECKER_GITEA_CLIENT=${config.sops.placeholder."woodpecker/oidcClientId"}
+          WOODPECKER_GITEA_SECRET=${config.sops.placeholder."woodpecker/oidcSecret"}
+        '';
+      };
+
+      services = {
+        woodpecker-server = {
+          enable = true;
+          environment = {
+            WOODPECKER_HOST = "https://${cfg.domain}";
+            WOODPECKER_SERVER_ADDR = "127.0.0.1:${toString cfg.internal_port}";
+            WOODPECKER_GRPC_ADDR = "${cfg.grpc_addr}:${toString cfg.grpc_port}";
+            WOODPECKER_OPEN = "true";
+
+            WOODPECKER_GITEA = "true";
+            WOODPECKER_GITEA_URL = config.services.gitea.settings.server.ROOT_URL;
+            WOODPECKER_AUTHENTICATE_PUBLIC_REPOS = "true";
+          };
+          environmentFile = config.sops.templates."woodpecker/environment".path;
+        };
+
+        nginx = lib.mkIf cfg.enableServer {
+          enable = true;
+          virtualHosts."${toString cfg.domain}" = {
+            locations = {
+              "/".proxyPass = "http://127.0.0.1:${toString cfg.internal_port}";
+            };
+            serverName = toString cfg.domain;
+
+            # use ACME DNS-01 challenge
+            useACMEHost = toString cfg.domain;
+            forceSSL = true;
+          };
+        };
+      };
+      security.acme.certs."${toString cfg.domain}" = { };
+    })
+
+    # agent
+    (mkIf cfg.enableAgent {
+      services.woodpecker-agents.agents.docker = {
+        enable = true;
+        extraGroups = [ "podman" ];
+        environment = {
+          WOODPECKER_SERVER = "${toString cfg.domain}:${toString cfg.grpc_port}";
+
+          WOODPECKER_MAX_WORKFLOWS = "4";
+
+          WOODPECKER_BACKEND = "docker";
+          DOCKER_HOST = "unix:///run/podman/podman.sock";
+        };
+        environmentFile = [ config.sops.templates."woodpecker/environment-agent".path ];
+      };
+
+      virtualisation.podman = {
+        enable = true;
+        defaultNetwork.settings = {
+          dns_enabled = true;
+        };
+        dockerCompat = true;
+      };
+
+      # This is needed for podman to be able to talk over dns
+      networking.firewall.interfaces."podman0" = {
+        allowedUDPPorts = [ 53 ];
+        allowedTCPPorts = [ 53 ];
+      };
+
+      # Adjust runner service for nix usage
+      systemd.services.woodpecker-agent-docker = {
+        after = [
+          "podman.socket"
+        ]
+        ++ (lib.optionals cfg.enableServer [
+          "woodpecker-server.service"
+        ]);
+        # might break deployment
+        restartIfChanged = false;
+        serviceConfig = {
+          BindPaths = [ "/run/podman/podman.sock" ];
+        };
+      };
+    })
+  ]);
 }