---
title: "Woodpecker CI"
visible: true
---
[toc]
## Podman
### Network and Pod
```sh
podman network create net_woodpecker
podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000
```
#### Port Mappings
```
8000: Woodpecker HTTP listener, configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, configurable with "WOODPECKER_GRPC_ADDR"
```
### Database
```sh
podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=woodpecker \
-e POSTGRES_PASSWORD=woodpecker \
-e POSTGRES_DB=woodpecker \
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
--pod pod_woodpecker \
-d docker.io/postgres:14
```
### Application server
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
```sh
podman run --name woodpecker-server -t \
-e WOODPECKER_HOST=https://(hostname/ip address) \
-e WOODPECKER_ADMIN=RealStickman \
-e WOODPECKER_OPEN=false \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_DATABASE_DRIVER=postgres \
-e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
-v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod pod_woodpecker \
-d docker.io/woodpeckerci/woodpecker-server:latest
```
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to woodpecker.
To add a user manually instead: `$ woodpecker-cli user add`
Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32`
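As an added example (not from this page or the Woodpecker project), a small POSIX shell helper that generates the agent secret the way shown above and builds the `WOODPECKER_DATABASE_DATASOURCE` URL with the password percent-encoded, so a password containing `@`, `:` or `/` does not break the connection string. The `/dev/urandom` fallback, the function names and the sample password are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): generate the shared agent secret and
# build a PostgreSQL datasource URL whose user and password are percent-encoded.

# 32 random bytes as 64 hex characters. Uses openssl like the page does, with a
# /dev/urandom fallback (assumption) for hosts without openssl.
gen_agent_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 32
    else
        head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# Percent-encode every byte outside the RFC 3986 "unreserved" set.
urlencode() {
    _s=$1
    _out=""
    while [ -n "$_s" ]; do
        _c=${_s%"${_s#?}"}      # first character
        _s=${_s#?}              # remainder
        case $_c in
            [A-Za-z0-9._~-]) _out="$_out$_c" ;;
            *) _out="$_out$(printf '%%%02X' "'$_c")" ;;
        esac
    done
    printf '%s' "$_out"
}

# pg_datasource USER PASSWORD HOST PORT DATABASE SSLMODE
# Builds the postgres:// URL expected by WOODPECKER_DATABASE_DATASOURCE.
pg_datasource() {
    printf 'postgres://%s:%s@%s:%s/%s?sslmode=%s' \
        "$(urlencode "$1")" "$(urlencode "$2")" "$3" "$4" "$5" "$6"
}

# Stand-alone demo with constructed values: a fresh secret and a DSN for the
# database container from the page (sslmode=disable is only acceptable because
# postgres runs in the same pod and is never exposed on the host).
printf 'WOODPECKER_AGENT_SECRET=%s\n' "$(gen_agent_secret)"
printf 'WOODPECKER_DATABASE_DATASOURCE=%s\n' \
    "$(pg_datasource woodpecker 'p@ss:w0rd' woodpeckerdb 5432 woodpecker disable)"
```

The encoding matters because `lib/pq`, which Woodpecker uses for the `postgres` driver, parses the datasource as a URL: an unencoded `@` or `:` in the password changes where the host part starts.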
#### GitHub
_TODO_
#### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)

Add these environment variables to enable Woodpecker for a Gitea server.
```sh
-e WOODPECKER_GITEA=true \
-e WOODPECKER_GITEA_URL=https://(gitea url) \
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```
I run Gitea and Woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefore I added an override rule for my Gitea URL in OPNsense (Services > Unbound DNS > Overrides).
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
#### GitLab
Add these environment variables to enable GitLab in Woodpecker.
```sh
-e WOODPECKER_GITLAB=true \
-e WOODPECKER_GITLAB_URL=https://(gitlab url) \
-e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
-e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
```
### Application agent
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
```sh
docker run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
-e WOODPECKER_GRPC_SECURE=true \
-v /var/run/docker.sock:/var/run/docker.sock \
--restart unless-stopped \
-d docker.io/woodpeckerci/woodpecker-agent:latest
```
The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
For now I'll be using docker to run my agents.
Podman has support for using sockets since version 3.4.0.
_TODO: try out socket access once Podman 3.4.0 is on my servers_
_Woodpecker recommends at least Podman 4.0_
- [Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)
- [Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)
- [Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)
- [Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)
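As an added pre-flight check (this example is not from the page or the Woodpecker project), the following POSIX shell function reads the server and agent variables used in the sections above from the environment and reports settings that weaken the setup: a non-https `WOODPECKER_HOST`, `WOODPECKER_OPEN=true`, a short or non-hex `WOODPECKER_AGENT_SECRET`, `sslmode=disable` in the datasource, `WOODPECKER_GITEA_SKIP_VERIFY=true`, and `WOODPECKER_GRPC_SECURE` not set to `true`. The variable names are the ones documented above; the thresholds, messages and the idea of checking server and agent variables in one pass are this example's assumptions.

```shell
#!/bin/sh
# Added example (not part of the wiki page): a pre-flight check for the
# Woodpecker server/agent environment. Variable names are Woodpecker's own;
# the thresholds and messages are this script's assumptions.

# Prints one WARN line per problem and returns the number of problems found,
# so it can be used as a gate before "podman run" (0 = nothing to report).
check_woodpecker_env() {
    _n=0
    _warn() { echo "WARN: $1"; _n=$((_n + 1)); }

    # The server must know its public https URL (OAuth callbacks, webhooks).
    case ${WOODPECKER_HOST:-} in
        https://*) ;;
        *) _warn "WOODPECKER_HOST should be an https:// URL (got '${WOODPECKER_HOST:-unset}')" ;;
    esac

    # WOODPECKER_OPEN=true lets every user of the connected git server log in.
    [ "${WOODPECKER_OPEN:-false}" = false ] \
        || _warn "WOODPECKER_OPEN=true: any user of the git server can log in; add users with 'woodpecker-cli user add' instead"

    # The page generates the secret with 'openssl rand -hex 32' -> 64 hex characters.
    _secret=${WOODPECKER_AGENT_SECRET:-}
    if [ "${#_secret}" -lt 64 ]; then
        _warn "WOODPECKER_AGENT_SECRET is shorter than 64 characters; generate it with 'openssl rand -hex 32'"
    else
        case $_secret in
            *[!0-9a-fA-F]*) _warn "WOODPECKER_AGENT_SECRET is not a hex string" ;;
        esac
    fi

    # A plaintext database connection is only acceptable when postgres shares the pod.
    case ${WOODPECKER_DATABASE_DATASOURCE:-} in
        *sslmode=disable*) _warn "database datasource has sslmode=disable; fine only when the database runs in the same pod" ;;
    esac

    # TLS verification towards the forge must stay on.
    [ "${WOODPECKER_GITEA_SKIP_VERIFY:-false}" = false ] \
        || _warn "WOODPECKER_GITEA_SKIP_VERIFY=true disables TLS verification towards Gitea"

    # Agent-to-server gRPC should use TLS (the page sets this to true); unset counts as false.
    [ "${WOODPECKER_GRPC_SECURE:-false}" = true ] \
        || _warn "WOODPECKER_GRPC_SECURE is not true; agent traffic to the server is unencrypted"

    return "$_n"
}

# Stand-alone use: load the env file you pass to podman/docker, then run the check.
#   set -a; . ./woodpecker.env; set +a; check_woodpecker_env
```

Because the exit status is the number of findings, `check_woodpecker_env && podman run ...` starts the container only when nothing was flagged; the `sslmode=disable` finding will fire for the pod layout on this page, which is the expected result and documents why it is tolerated there.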