woodpecker things

hosts/profiles/woodpecker-agent/default.nix

@@ -5,6 +5,7 @@
     group = "woodpecker-runner";
     home = "/var/lib/woodpecker";
     createHome = true;
+    extraGroups = [ "docker" ];
   };
   users.groups.woodpecker-runner = { };
   # Allow the exec runner to write to build with nix
@@ -13,56 +14,43 @@
   age.secrets.woodpecker-agent-secret.owner = "woodpecker-runner";
   age.secrets.woodpecker-agent-secret.file = "${self}/secrets/woodpecker-agent-secret.age";
 
-  systemd.services.woodpecker-runner-exec = {
+  systemd.services.woodpecker-agent = {
     enable = true;
-    wantedBy = [ "multi-user.target" ];
     ### MANUALLY RESTART SERVICE IF CHANGED
     restartIfChanged = true;
-    confinement.enable = true;
-    confinement.packages = [
-      pkgs.git
-      pkgs.gnutar
-      pkgs.bash
-      pkgs.nixFlakes
-      pkgs.gzip
-    ];
-    path = [
-      pkgs.git
-      pkgs.gnutar
-      pkgs.bash
-      pkgs.nixFlakes
-      pkgs.gzip
-    ];
+    # confinement.enable = true;
+    # confinement.packages = [
+    #   pkgs.git
+    #   pkgs.gnutar
+    #   pkgs.bash
+    #   pkgs.nixFlakes
+    #   pkgs.gzip
+    # ];
+    # path = [
+    #   pkgs.git
+    #   pkgs.gnutar
+    #   pkgs.bash
+    #   pkgs.nixFlakes
+    #   pkgs.gzip
+    # ];
     serviceConfig = {
+      Type = "simple";
       Environment = [
         "WOODPECKER_RUNNER_CAPACITY=6"
-        "WOODPECKER_RUNNER_NAME=woodpecker-agent"
+        # "WOODPECKER_RUNNER_NAME=woodpecker-agent"
         "WOODPECKER_SERVER=https://ci.sealight.xyz/"
-        "WOODPECKER_HOSTNAME=mossnet"
-        "WOODPECKER_BACKEND=local"
-        "NIX_REMOTE=daemon"
-        "PAGER=cat"
-      ];
-      BindPaths = [
-        "/nix/var/nix/daemon-socket/socket"
-        "/run/nscd/socket"
-        "/var/lib/woodpecker"
-        "/var/empty/usr"
-      ];
-      BindReadOnlyPaths = [
-        "/etc/passwd:/etc/passwd"
-        "/etc/group:/etc/group"
-        "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
-        "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
-        "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
-        "${builtins.toFile "ssh_config" ''
-          Host git.sealight.xyz
-          ForwardAgent yes
-        ''}:/etc/ssh/ssh_config"
-        "/etc/machine-id"
-        "/etc/resolv.conf"
-        "/nix/"
+        # "WOODPECKER_HOSTNAME=mossnet"
+        # "WOODPECKER_BACKEND=local"
+        # "NIX_REMOTE=daemon"
+        # "PAGER=cat"
+        # "WOODPECKER_LOG_LEVEL=debug"
       ];
+      WorkingDirectory = "/var/lib/woodpecker";
+      # Runtime directory and mode
+      RuntimeDirectory = "woodpecker";
+      RuntimeDirectoryMode = "0755";
+      # Access write directories
+      ReadWritePaths = [ "/var/lib/woodpecker" ];
       EnvironmentFile = [
         /run/agenix/woodpecker-agent-secret
       ];