feat: setup woodpecker CI

hosts/ami/acme.nix

@@ -11,6 +11,7 @@
 
       extraDomainNames = [
         "*.buffet.sh"
+        "*.buffets.kitchen"
         "buffets.kitchen"
       ];
     };

hosts/ami/default.nix

@@ -19,6 +19,7 @@
     ./murmur.nix
     ./nginx.nix
     ./upgrade.nix
+    ./woodpecker.nix
 
     ../../users/maintainer
   ];

hosts/ami/forgejo.nix

@@ -69,6 +69,10 @@ in {
           DISABLE_REGISTRATION = true;
           ENABLE_NOTIFY_MAIL = true;
         };
+
+        webhook = {
+          ALLOWED_HOST_LIST = "external,loopback";
+        };
       };
     };
 

hosts/ami/woodpecker.nix

@@ -0,0 +1,37 @@
+{config, ...}: {
+  age.secrets.woodpecker.file = ../../secrets/woodpecker.age;
+
+  services = let
+    port = 3007;
+  in {
+    woodpecker-server = {
+      enable = true;
+
+      environment = {
+        WOODPECKER_OPEN = "true";
+        WOODPECKER_ORGS = "kitchen";
+        WOODPECKER_ADMIN = "chef";
+        WOODPECKER_HOST = "https://ci.buffets.kitchen/";
+        WOODPECKER_SERVER_ADDR = ":${toString port}";
+
+        WOODPECKER_FORGEJO = "true";
+        WOODPECKER_FORGEJO_URL = "https://buffets.kitchen/";
+      };
+
+      environmentFile = config.age.secrets.woodpecker.path;
+    };
+
+    nginx = {
+      virtualHosts."build.buffets.kitchen" = {
+        useACMEHost = "buffet.sh";
+        forceSSL = true;
+
+        locations = {
+          "/" = {
+            proxyPass = "http://localhost:${toString port}";
+          };
+        };
+      };
+    };
+  };
+}

secrets.nix

@@ -6,4 +6,5 @@ in {
   "secrets/hetzner-dns.age".publicKeys = [buffet];
   "secrets/kitchen-runner-token.age".publicKeys = [buffet];
   "secrets/msmtppassword.age".publicKeys = [buffet];
+  "secrets/woodpecker.age".publicKeys = [buffet];
 }