bundles/docker-ce: sort nftables rules

.woodpecker/bw-test.yml

@@ -0,0 +1,26 @@
+pipeline:
+    install-deps:
+        image: python:3.10-slim
+        commands:
+            - pip install -r requirements.txt
+
+    test-dummymode:
+        image: python:3.10-slim
+        commands:
+            - bw test
+        environment:
+            BW_VAULT_DUMMY_MODE: 1
+            BW_PASS_DUMMY_MODE: 1
+
+    test-ignore-missing-faults:
+        image: python:3.10-slim
+        commands:
+            - bw test --ignore-missing-faults
+
+    test-determinism:
+        image: python:3.10-slim
+        commands:
+            - bw test --metadata-determinism 3 --config-determinism 3
+        environment:
+            BW_VAULT_DUMMY_MODE: 1
+            BW_PASS_DUMMY_MODE: 1

.woodpecker/editorconfig.yml

@@ -0,0 +1,8 @@
+pipeline:
+    editorconfig:
+        image: alpine:latest
+        commands:
+            - wget -O ec-linux-amd64.tar.gz https://github.com/editorconfig-checker/editorconfig-checker/releases/latest/download/ec-linux-amd64.tar.gz
+            - tar -xzf ec-linux-amd64.tar.gz
+            - rm ec-linux-amd64.tar.gz
+            - bin/ec-linux-amd64 -no-color -exclude '^bin/'

PORT_MAP.md

@@ -45,6 +45,8 @@ Rule of thumb: keep ports below 10000 free for stuff that reserves ports.
 | 22060       | pretalx              | gunicorn |
 | 22070       | paperless-ng         | gunicorn |
 | 22080       | netbox               | gunicorn |
+| 22100       | woodpecker-server    | http |
+| 22101       | woodpecker-server    | gRPC |
 | 22999       | nginx                | stub_status |
 | 22100       | ntfy                 | http |
 

bundles/docker-ce/items.py

@@ -0,0 +1,11 @@
+from bundlewrap.metadata import metadata_to_json
+
+files['/etc/docker/daemon.json'] = {
+    'content': metadata_to_json({
+        'iptables': False,
+    }),
+    'before': {
+        'pkg_apt:docker-ce',
+        'pkg_apt:docker-ce-cli',
+    }
+}

bundles/docker-ce/metadata.py

@@ -0,0 +1,36 @@
+defaults = {
+    'apt': {
+        'repos': {
+            'docker': {
+                'items': {
+                    'deb https://download.docker.com/linux/debian {os_release} stable',
+                },
+            },
+        },
+        'packages': {
+            'docker-ce': {},
+            'docker-ce-cli': {},
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'nftables/rules/00-docker-ce',
+)
+def nftables_nat(metadata):
+    rules = {
+        'inet filter forward ct state { related, established } accept',
+        'inet filter forward iifname docker0 accept',
+    }
+
+    for iface in metadata.get('interfaces'):
+        rules.add(f'nat postrouting oifname {iface} masquerade')
+
+    return {
+        'nftables': {
+            'rules': {
+                '00-docker-ce': sorted(rules),
+            },
+        },
+    }

bundles/nftables/metadata.py

@@ -25,7 +25,7 @@ defaults = {
     },
 }
 
-if not node.has_bundle('vmhost'):
+if not node.has_bundle('vmhost') and not node.has_bundle('docker-ce'):
     # see comment in bundles/vmhost/items.py
     defaults['apt']['packages']['iptables'] = {
         'installed': False,

bundles/woodpecker-agent/files/woodpecker-agent.service

@@ -0,0 +1,42 @@
+[Unit]
+Description=woodpecker ci agent
+After=syslog.target
+After=network.target
+
+[Service]
+RestartSec=2s
+Type=simple
+User=woodpecker
+Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
+ExecStart=/usr/local/bin/woodpecker-agent
+Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
+% for k, v in sorted(env.items()):
+Environment=${k}=${v}
+% endfor
+
+[Install]
+WantedBy=multi-user.target

bundles/woodpecker-agent/items.py

@@ -0,0 +1,43 @@
+version = node.metadata.get('woodpecker-agent/version')
+
+directories['/var/lib/woodpecker'] = {
+    'owner': 'woodpecker',
+}
+
+actions['install_woodpecker-agent'] = {
+    'command': ' && '.join([
+        f'wget -q -O/tmp/woodpecker-agent.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-agent_{version}_amd64.deb',
+        'dpkg -i /tmp/woodpecker-agent.deb',
+    ]),
+    'unless': f'''bash -c "[[ \"$(woodpecker-agent --version | cut -d' ' -f3)\" == "{version}" ]]"''',
+    'triggers': {
+        'svc_systemd:woodpecker-agent:restart',
+    },
+}
+
+files['/usr/local/lib/systemd/system/woodpecker-agent.service'] = {
+    'content_type': 'mako',
+    'context': {
+        'env': node.metadata.get('woodpecker-agent/environment'),
+    },
+    'triggers': {
+        'action:systemd-reload',
+        'svc_systemd:woodpecker-agent:restart',
+    },
+}
+
+svc_systemd['woodpecker-agent'] = {
+    'after': {
+        # to make sure we have docker and other eventual dependencies
+        'pkg_apt:',
+    },
+    'needs': {
+        'action:install_woodpecker-agent',
+        'file:/usr/local/lib/systemd/system/woodpecker-agent.service',
+        'user:woodpecker',
+    },
+}
+
+users['woodpecker'] = {
+    'home': '/var/lib/woodpecker',
+}

bundles/woodpecker-agent/metadata.py

@@ -0,0 +1,30 @@
+@metadata_reactor.provides(
+    'woodpecker-agent/environment',
+    'woodpecker-agent/version',
+)
+def environment(metadata):
+    env = {}
+    server = repo.get_node(metadata.get('woodpecker-agent/server'))
+
+    domain = server.metadata.get('woodpecker-server/domain')
+    port = server.metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')
+    env['WOODPECKER_SERVER'] = f'{domain}{port}'
+
+    env['WOODPECKER_AGENT_SECRET'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_AGENT_SECRET')
+
+    env['WOODPECKER_MAX_PROCS'] = int(int(metadata.get('vm/cpu'))/2)
+
+    env['WOODPECKER_HOSTNAME'] = metadata.get('hostname')
+
+    env['WOODPECKER_LOG_LEVEL'] = server.metadata.get('woodpecker-server/environment/WOODPECKER_LOG_LEVEL')
+
+    debug = server.metadata.get('woodpecker-server/environment/GODEBUG', None)
+    if debug:
+        env['GODEBUG'] = debug
+
+    return {
+        'woodpecker-agent': {
+            'environment': env,
+            'version': server.metadata.get('woodpecker-server/version'),
+        },
+    }

bundles/woodpecker-server/files/woodpecker-server.service

@@ -0,0 +1,43 @@
+[Unit]
+Description=woodpecker ci
+After=syslog.target
+After=network.target
+Requires=postgresql.service
+
+[Service]
+RestartSec=2s
+Type=simple
+User=woodpecker
+Group=woodpecker
+WorkingDirectory=/var/lib/woodpecker
+ExecStart=/usr/local/bin/woodpecker-server
+Restart=always
+ReadWritePaths=/var/lib/woodpecker
+CapabilityBoundingSet=
+NoNewPrivileges=true
+ProtectSystem=strict
+ProtectHome=true
+PrivateTmp=true
+PrivateDevices=true
+PrivateUsers=true
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+PrivateMounts=true
+SystemCallArchitectures=native
+SystemCallFilter=~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @raw-io @reboot @setuid @swap
+
+% for k, v in sorted(env.items()):
+Environment=${k}=${v}
+% endfor
+
+[Install]
+WantedBy=multi-user.target

bundles/woodpecker-server/items.py

@@ -0,0 +1,41 @@
+version = node.metadata.get('woodpecker-server/version')
+
+directories['/var/lib/woodpecker'] = {
+    'owner': 'woodpecker',
+}
+
+actions['install_woodpecker-server'] = {
+    'command': ' && '.join([
+        f'wget -q -O/tmp/woodpecker-server.deb https://github.com/woodpecker-ci/woodpecker/releases/download/v{version}/woodpecker-server_{version}_amd64.deb',
+        'dpkg -i /tmp/woodpecker-server.deb',
+    ]),
+    'unless': f'''bash -c "[[ \"$(woodpecker-server --version | cut -d' ' -f3)\" == "{version}" ]]"''',
+    'triggers': {
+        'svc_systemd:woodpecker-server:restart',
+    },
+}
+
+files['/usr/local/lib/systemd/system/woodpecker-server.service'] = {
+    'content_type': 'mako',
+    'context': {
+        'env': node.metadata.get('woodpecker-server/environment'),
+    },
+    'triggers': {
+        'action:systemd-reload',
+        'svc_systemd:woodpecker-server:restart',
+    },
+}
+
+svc_systemd['woodpecker-server'] = {
+    'needs': {
+        'action:install_woodpecker-server',
+        'file:/usr/local/lib/systemd/system/woodpecker-server.service',
+        'postgres_db:woodpecker',
+        'postgres_role:woodpecker',
+        'user:woodpecker',
+    },
+}
+
+users['woodpecker'] = {
+    'home': '/var/lib/woodpecker',
+}

bundles/woodpecker-server/metadata.py

@@ -0,0 +1,98 @@
+from bundlewrap.metadata import atomic
+
+defaults = {
+    'postgresql': {
+        'roles': {
+            'woodpecker': {
+                'password': repo.vault.password_for(f'{node.name} postgresql woodpecker'),
+            },
+        },
+        'databases': {
+            'woodpecker': {
+                'owner': 'woodpecker',
+            },
+        },
+    },
+    'woodpecker-server': {
+        'environment': {
+            'WOODPECKER_AGENT_SECRET': repo.vault.password_for(f'{node.name} WOODPECKER_AGENT_SECRET'),
+            'WOODPECKER_DATABASE_DATASOURCE': repo.vault.password_for(f'{node.name} postgresql woodpecker').format_into(
+                'postgres://woodpecker:{}@localhost/woodpecker?sslmode=disable'
+            ),
+            'WOODPECKER_DATABASE_DRIVER': 'postgres',
+            'WOODPECKER_GRPC_ADDR': ':22101',
+            'WOODPECKER_LOG_LEVEL': 'warn',
+            'WOODPECKER_OPEN': 'true',
+            'WOODPECKER_SERVER_ADDR': ':22100',
+
+            # https://github.com/woodpecker-ci/woodpecker/issues/1497
+            # https://github.com/woodpecker-ci/woodpecker/issues/748
+            'GODEBUG': 'netdns=go'
+        },
+    },
+}
+
+
+@metadata_reactor.provides(
+    'nginx/vhosts/woodpecker-server',
+    'woodpecker-server/environment/WOODPECKER_HOST',
+)
+def nginx(metadata):
+    if not node.has_bundle('nginx'):
+        raise DoNotRunAgain
+
+    ssl = metadata.get('nginx/vhosts/woodpecker-server/ssl', 'letsencrypt')
+    domain = metadata.get('woodpecker-server/domain')
+    prefix = 'https' if ssl else 'http'
+
+    return {
+        'nginx': {
+            'vhosts': {
+                'woodpecker-server': {
+                    'domain': domain,
+                    'locations': {
+                        '/': {
+                            'target': 'http://127.0.0.1:22100',
+                            'additional_config': {
+                                'proxy_redirect off',
+                                'chunked_transfer_encoding off',
+                            },
+                        },
+                        '/metrics': {
+                            'return': 403,
+                        },
+                        '/debug': {
+                            'return': 403,
+                        },
+                    },
+                    'website_check_path': '/do-login',
+                    'website_check_string': 'Woodpecker',
+                },
+            },
+        },
+        'woodpecker-server': {
+            'environment': {
+                'WOODPECKER_HOST': f'{prefix}://{domain}',
+            },
+        },
+    }
+
+
+@metadata_reactor.provides(
+    'firewall/port_rules',
+)
+def firewall(metadata):
+    port = metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')[1:]
+    agents = set()
+
+    for node in repo.nodes:
+        if node.has_bundle('woodpecker-agent'):
+            agents.add(node.name)
+
+    return {
+        'firewall': {
+            'port_rules': {
+                port: atomic(agents),
+            },
+        },
+    }

data/apt/files/gpg-keys/docker.asc

@@ -0,0 +1,62 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
+lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
+38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
+L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
+UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
+cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
+ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
+vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
+G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
+XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
+q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
+tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
+BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
+v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
+tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
+jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
+6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
+XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
+FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
+g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
+ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
+9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
+G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
+FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
+EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
+M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
+Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
+w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
+z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
+VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
+1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
+zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
+pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
+ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
+BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
+1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
+YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
+mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
+KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
+JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
+cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
+6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
+U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
+VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
+irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
+SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
+QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
+9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
+24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
+dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
+Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
+H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
+/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
+M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
+xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
+jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
+YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
+=0YYh
+-----END PGP PUBLIC KEY BLOCK-----

nodes/rx300.py

@@ -35,6 +35,7 @@ nodes['rx300'] = {
         'travelynx',
         'unbound',
         'vmhost',
+        'woodpecker-server',
         'zfs',
     },
     'groups': {
@@ -334,6 +335,7 @@ nodes['rx300'] = {
                 'netbox': {'ssl': '_.franzi.business'},
                 'radicale': {'ssl': '_.franzi.business'},
                 'travelynx': {'ssl': '_.franzi.business'},
+                'woodpecker-server': {'ssl': '_.franzi.business'},
                 'daskritzelt-redirect': {
                     'domain': 'die-brontosaurier-waren-es.org',
                     'ssl': None,
@@ -535,6 +537,16 @@ nodes['rx300'] = {
                 'enable_linger': True,
             },
         },
+        'woodpecker-server': {
+            'domain': 'woodpecker.franzi.business',
+            'version': '0.15.6',
+            'environment': {
+                'WOODPECKER_GITEA': 'true',
+                'WOODPECKER_GITEA_URL': 'https://git.franzi.business',
+                'WOODPECKER_GITEA_CLIENT': vault.decrypt('encrypt$gAAAAABjpJJQkNyG2B2ThT5yrkGnrPoM33bVYNTyLcuaas4_7ewBRrDb-KO2-JIM895fdI6U6NO8wHQ3gKBxBBYUtt-xgbWW1j4iUrzyt7KhqswSNBIBFfce80UmQ5UuOHsaFPVyyd1W'),
+                'WOODPECKER_GITEA_SECRET': vault.decrypt('encrypt$gAAAAABjpJJW95MaCPnK2ngkGf1DLBmV8Y_K6B0Dc8XBM4oN3sPHH54vFbKB1YLODepR-okpXUJGHxqlS7TkTlu4JylRINXiIh7OHRRDaTCkU_bfLSUDnc_VLgDmVULWH09fsveslKw5v1ssl-RBGJg16XXBz1Sq4g=='),
+            },
+        },
         'zfs': {
             'module_options': {
                 'zfs_arc_max_gb': 16,

nodes/woodpecker-agent-1.toml

@@ -0,0 +1,24 @@
+hostname = "31.47.232.108"
+bundles = [
+    "docker-ce",
+    "woodpecker-agent",
+]
+groups = ["debian-bullseye"]
+
+[metadata.backups]
+exclude_from_backups = true
+
+[metadata.interfaces.enp1s0]
+ips = [
+    "31.47.232.108/29",
+    "2a00:f820:528::5/64",
+]
+gateway4 = "31.47.232.105"
+gateway6 = "2a00:f820:528::1"
+
+[metadata.woodpecker-agent]
+server = "rx300"
+
+[metadata.vm]
+cpu = 8
+ram = 16