8 cfg = config.services.woodpecker-server;
11 meta.maintainers = with lib.maintainers; [ ambroisie ];
15 services.woodpecker-server = {
16 enable = lib.mkEnableOption "the Woodpecker-Server, a CI/CD application for automatic builds, deployments and tests";
17 package = lib.mkPackageOption pkgs "woodpecker-server" { };
18 environment = lib.mkOption {
20 type = lib.types.attrsOf lib.types.str;
21 example = lib.literalExpression
24 WOODPECKER_HOST = "https://woodpecker.example.com";
25 WOODPECKER_OPEN = "true";
26 WOODPECKER_GITEA = "true";
27 WOODPECKER_GITEA_CLIENT = "ffffffff-ffff-ffff-ffff-ffffffffffff";
28 WOODPECKER_GITEA_URL = "https://git.example.com";
31 description = "woodpecker-server config environment variables, for other options read the [documentation](https://woodpecker-ci.org/docs/administration/server-config). Values set here are written into the generated systemd unit in the world-readable Nix store, so never put secrets such as `WOODPECKER_AGENT_SECRET` or `WOODPECKER_GITEA_SECRET` in this option; use `environmentFile` for those instead.";
33 environmentFile = lib.mkOption {
34 type = with lib.types; coercedTo path (f: [ f ]) (listOf path);
36 example = [ "/root/woodpecker-server.env" ];
38 Path, or list of paths, of files to load environment variables
39 from. This is the place for secrets: keep these files outside the
Nix store and readable only by root (e.g. owner root, mode 0600),
because their contents are passed verbatim to the service.
40 Example content of environmentFile:
42 WOODPECKER_AGENT_SECRET=your-shared-secret-goes-here
43 WOODPECKER_GITEA_SECRET=gto_**************************************
50 config = lib.mkIf cfg.enable {
53 description = "Woodpecker-Server Service";
54 wantedBy = [ "multi-user.target" ];
55 after = [ "network-online.target" ];
56 wants = [ "network-online.target" ];
59 WorkingDirectory = "%S/woodpecker-server";
60 StateDirectory = "woodpecker-server";
61 StateDirectoryMode = "0700";
63 ConfigurationDirectory = "woodpecker-server";
64 EnvironmentFile = cfg.environmentFile;
65 ExecStart = "${cfg.package}/bin/woodpecker-server";
66 Restart = "on-failure";
68 CapabilityBoundingSet = "";
70 NoNewPrivileges = true;
72 ProtectSystem = "strict";
75 PrivateDevices = true;
77 ProtectHostname = true;
79 ProtectKernelTunables = true;
80 ProtectKernelModules = true;
81 ProtectKernelLogs = true;
82 ProtectControlGroups = true;
83 RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
84 LockPersonality = true;
85 MemoryDenyWriteExecute = true;
86 RestrictRealtime = true;
87 RestrictSUIDSGID = true;
89 # System Call Filtering
90 SystemCallArchitectures = "native";
91 SystemCallFilter = "~@clock @privileged @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
93 inherit (cfg) environment;