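from bundlewrap.metadata import atomic

# Static defaults for the woodpecker-server bundle.
#
# Both secrets are derived from the repo vault, keyed on the node name, so
# nothing sensitive is stored in the repository in clear text.
defaults = {
    'postgresql': {
        'roles': {
            'woodpecker': {
                'password': repo.vault.password_for(f'{node.name} postgresql woodpecker'),
            },
        },
        'databases': {
            'woodpecker': {
                'owner': 'woodpecker',
            },
        },
    },
    'woodpecker-server': {
        'environment': {
            # Shared secret the agents present on the gRPC port.
            'WOODPECKER_AGENT_SECRET': repo.vault.password_for(
                f'{node.name} WOODPECKER_AGENT_SECRET',
            ),
            # Same vault identifier as the postgresql role above, so the DSN
            # and the role password always match. `sslmode=disable` is only
            # acceptable because the DSN targets localhost; revisit it if the
            # database ever moves to another host.
            # NOTE(review): this DSN embeds the database password, so the
            # rendered environment has to stay readable by the service
            # account only - confirm in the item that writes it out.
            'WOODPECKER_DATABASE_DATASOURCE': repo.vault.password_for(
                f'{node.name} postgresql woodpecker',
            ).format_into(
                'postgres://woodpecker:{}@localhost/woodpecker?sslmode=disable'
            ),
            'WOODPECKER_DATABASE_DRIVER': 'postgres',
            # No host part: the gRPC listener binds every interface. The
            # `firewall` reactor below restricts who may reach it.
            'WOODPECKER_GRPC_ADDR': ':22101',
            'WOODPECKER_LOG_LEVEL': 'warn',
            # NOTE(review): open registration - every account that can log in
            # at the configured forge may use this instance. Confirm that is
            # intended, or restrict it (e.g. WOODPECKER_ORGS /
            # WOODPECKER_ADMIN) in node metadata.
            'WOODPECKER_OPEN': 'true',
            # No host part either: the HTTP listener is not limited to
            # loopback, although nginx only talks to 127.0.0.1:22100.
            # NOTE(review): the 403 rules for /metrics and /debug exist only
            # in the nginx vhost; verify that port 22100 is not reachable
            # from outside, otherwise they can be bypassed.
            'WOODPECKER_SERVER_ADDR': ':22100',
        },
    },
}


@metadata_reactor.provides(
    'nginx/vhosts/woodpecker-server',
    'woodpecker-server/environment/WOODPECKER_HOST',
)
def nginx(metadata):
    """Publish the nginx vhost for Woodpecker and derive WOODPECKER_HOST.

    The vhost proxies `/` to the local server on 127.0.0.1:22100 and answers
    `/metrics` and `/debug` with 403. WOODPECKER_HOST is built from the
    configured domain, using `https` unless the vhost's `ssl` setting is
    falsy (it defaults to 'letsencrypt').

    Raises:
        DoNotRunAgain: the node does not have the nginx bundle.
    """
    if not node.has_bundle('nginx'):
        raise DoNotRunAgain

    ssl = metadata.get('nginx/vhosts/woodpecker-server/ssl', 'letsencrypt')
    domain = metadata.get('woodpecker-server/domain')
    scheme = 'https' if ssl else 'http'

    return {
        'nginx': {
            'vhosts': {
                'woodpecker-server': {
                    'domain': domain,
                    'locations': {
                        '/': {
                            'target': 'http://127.0.0.1:22100',
                            'additional_config': {
                                'proxy_redirect off',
                                'chunked_transfer_encoding off',
                            },
                        },
                        # Refuse these paths for requests coming through
                        # the proxy.
                        '/metrics': {
                            'return': 403,
                        },
                        '/debug': {
                            'return': 403,
                        },
                    },
                    'website_check_path': '/do-login',
                    'website_check_string': 'Woodpecker',
                },
            },
        },
        'woodpecker-server': {
            'environment': {
                'WOODPECKER_HOST': f'{scheme}://{domain}',
            },
        },
    }


@metadata_reactor.provides(
    'firewall/port_rules',
)
def firewall(metadata):
    """Allow only nodes carrying the woodpecker-agent bundle on the gRPC port.

    The port is taken from WOODPECKER_GRPC_ADDR. Everything up to the last
    colon is dropped, so ':22101', 'host:22101' and a bare '22101' all yield
    '22101' (slicing off the first character only worked for the ':port'
    form and silently produced a wrong rule for the others).
    """
    grpc_addr = metadata.get('woodpecker-server/environment/WOODPECKER_GRPC_ADDR')
    port = grpc_addr.rsplit(':', 1)[-1]

    # Use a name other than `node` so the loop cannot be confused with the
    # node this metadata file is evaluated for.
    agents = {
        candidate.name
        for candidate in repo.nodes
        if candidate.has_bundle('woodpecker-agent')
    }

    return {
        'firewall': {
            'port_rules': {
                # atomic(): presumably keeps this allow-list from being
                # merged with rules from other sources - confirm that no
                # other bundle is expected to add sources for this port.
                port: atomic(agents),
            },
        },
    }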