-
-
Notifications
You must be signed in to change notification settings - Fork 376
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
bb7e0f9
commit 01c46f0
Showing
2 changed files
with
88 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| # NixOS Deployment | ||
|
|
||
| :::info | ||
| Note that this module is not maintained by the woodpecker-developers | ||
| ::: | ||
|
|
||
| The NixOS install is in theory quite similar to the binary install and supports multiple backends. | ||
| In practice you specify the settings declaratively in your NixOS config and don't have to do any manual steps. | ||
|
|
||
| ## General Configuration | ||
|
|
||
| ```nix | ||
| { config | ||
| , ... | ||
| }: | ||
| let | ||
| domain = "woodpecker.example.org"; | ||
| in | ||
| { | ||
| # This automatically sets up certificates via let's encrypt | ||
| security.acme.defaults.email = "acme@example.com"; | ||
| security.acme.acceptTerms = true; | ||
| security.acme.certs."${domain}" = { }; | ||
| # Setting up a nginx proxy that handles tls for us | ||
| networking.firewall.allowedTCPPorts = [ 80 443 ]; | ||
| services.nginx = { | ||
| enable = true; | ||
| recommendedTlsSettings = true; | ||
| recommendedOptimisation = true; | ||
| recommendedProxySettings = true; | ||
| virtualHosts."${domain}" = { | ||
| enableACME = true; | ||
| forceSSL = true; | ||
| locations."/" = { | ||
| proxyPass = "http://localhost:3007"; | ||
| }; | ||
| }; | ||
| }; | ||
| services.woodpecker-server = { | ||
| enable = true; | ||
| environment = { | ||
| WOODPECKER_HOST = "https://${domain}"; | ||
| WOODPECKER_SERVER_ADDR = ":3007"; | ||
| WOODPECKER_OPEN = "true"; | ||
| }; | ||
| # You can pass a file with env vars to the system it could look like: | ||
| # WOODPECKER_AGENT_SECRET=XXXXXXXXXXXXXXXXXXXXXX | ||
| environmentFile = "/path/to/my/secrets/file"; | ||
| }; | ||
| # This sets up a woodpecker agent | ||
| services.woodpecker-agents.agents."docker" = { | ||
| enable = true; | ||
| # We need this to talk to the podman socket | ||
| extraGroups = [ "podman" ]; | ||
| environment = { | ||
| WOODPECKER_SERVER = "localhost:9000"; | ||
| WOODPECKER_MAX_WORKFLOWS = "4"; | ||
| DOCKER_HOST = "unix:///run/podman/podman.sock"; | ||
| WOODPECKER_BACKEND = "docker"; | ||
| }; | ||
| # Same as with woodpecker-server | ||
| environmentFile = [ "/var/lib/secrets/woodpecker.env" ]; | ||
| }; | ||
| # Here we setup podman and enable dns | ||
| virtualisation.podman = { | ||
| enable = true; | ||
| defaultNetwork.settings = { | ||
| dns_enabled = true; | ||
| }; | ||
| }; | ||
| # This is needed for podman to be able to talk over dns | ||
| networking.firewall.interfaces."podman0" = { | ||
| allowedUDPPorts = [ 53 ]; | ||
| allowedTCPPorts = [ 53 ]; | ||
| }; | ||
| } | ||
| ``` | ||
|
|
||
| You can find all the configuration options [here](https://search.nixos.org/options?channel=unstable&size=200&sort=relevance&query=woodpecker) | ||
|
|
||
| ## Tips and tricks | ||
|
|
||
| There are some resources on how to utilize woodpecker more effectively with nix in the [awesome](#awesome) section, like using the runners nix-store in the pipeline |