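# NixOS module for the Woodpecker CI/CD server.
#
# The server runs as a hardened systemd service under a DynamicUser.
# Non-secret WOODPECKER_* settings go into `services.woodpecker-server.environment`;
# anything sensitive (agent secret, forge OAuth secret, ...) belongs in
# `environmentFile`, because values of `environment` are rendered into the
# unit file and therefore end up in the world-readable Nix store.
{ config
, lib
, pkgs
, ...
}:

let
  cfg = config.services.woodpecker-server;
in
{
  meta.maintainers = with lib.maintainers; [ janik ambroisie ];

  options = {
    services.woodpecker-server = {
      enable = lib.mkEnableOption (lib.mdDoc "the Woodpecker-Server, a CI/CD application for automatic builds, deployments and tests");
      package = lib.mkPackageOptionMD pkgs "woodpecker-server" { };

      # Plain (non-secret) configuration. These end up in the generated
      # systemd unit, i.e. in the Nix store, visible to every local user.
      environment = lib.mkOption {
        default = { };
        type = lib.types.attrsOf lib.types.str;
        example = lib.literalExpression
          ''
            {
              WOODPECKER_HOST = "https://woodpecker.example.com";
              WOODPECKER_OPEN = "true";
              WOODPECKER_GITEA = "true";
              WOODPECKER_GITEA_CLIENT = "ffffffff-ffff-ffff-ffff-ffffffffffff";
              WOODPECKER_GITEA_URL = "https://git.example.com";
            }
          '';
        description = lib.mdDoc "woodpecker-server config environment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config)";
      };

      # Out-of-store file handed to systemd as EnvironmentFile=. Only the
      # path is referenced from the unit, so its contents stay out of the store.
      # NOTE(review): the file is read by systemd, not by the DynamicUser, so it
      # can (and should) be root-owned and not world-readable — confirm against
      # the deployment's secret-management setup.
      environmentFile = lib.mkOption {
        type = lib.types.nullOr lib.types.path;
        default = null;
        example = "/root/woodpecker-server.env";
        description = lib.mdDoc ''
          File to load environment variables
          from. This is helpful for specifying secrets.
          Example content of environmentFile:
          ```
          WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
          WOODPECKER_GITEA_SECRET=gto_**************************************
          ```
        '';
      };
    };
  };

  config = lib.mkIf cfg.enable {
    systemd.services = {
      woodpecker-server = {
        description = "Woodpecker-Server Service";
        wantedBy = [ "multi-user.target" ];
        after = [ "network-online.target" ];
        wants = [ "network-online.target" ];
        serviceConfig = {
          # Ephemeral unprivileged user; persistent state lives under
          # %S/woodpecker-server and is readable only by that user
          # (0700 directory, files created with umask 0007).
          DynamicUser = true;
          WorkingDirectory = "%S/woodpecker-server";
          StateDirectory = "woodpecker-server";
          StateDirectoryMode = "0700";
          UMask = "0007";
          ConfigurationDirectory = "woodpecker-server";
          # lib.optional yields [] when no file is set, so the directive is
          # simply omitted rather than pointing at "null".
          EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
          ExecStart = "${cfg.package}/bin/woodpecker-server";
          Restart = "on-failure";
          RestartSec = 15;

          # Security: no capabilities at all, and none can be gained via exec.
          CapabilityBoundingSet = "";
          NoNewPrivileges = true;

          # Sandboxing
          ProtectSystem = "strict";
          ProtectHome = true;
          PrivateTmp = true;
          PrivateDevices = true;
          PrivateUsers = true;
          ProtectHostname = true;
          ProtectClock = true;
          ProtectKernelTunables = true;
          ProtectKernelModules = true;
          ProtectKernelLogs = true;
          ProtectControlGroups = true;
          # One list element per address family (NixOS renders each as its
          # own RestrictAddressFamilies= line, which systemd merges). The
          # server only needs local sockets plus IPv4/IPv6 networking.
          RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
          LockPersonality = true;
          MemoryDenyWriteExecute = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          PrivateMounts = true;
          # NOTE(review): ProtectProc=/ProcSubset= and RemoveIPC= are not set;
          # verify the server tolerates them before tightening further.

          # System Call Filtering
          SystemCallArchitectures = "native";
          # Leading "~" makes this a deny-list: the listed groups are blocked,
          # every other syscall stays allowed.
          SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
        };
        inherit (cfg) environment;
      };
    };
  };
}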