---
title: "Woodpecker CI"
visible: true
---
[toc]

This page details installation instructions for Woodpecker CI with a connection to a self-hosted [Gitea](/linux/gitea) instance.
Woodpecker will be deployed as a container.

## Podman
### Network and Pod
Multiple containers will be created. To separate them from other containers while also simplifying access between member containers, a container network and pod are created.
```sh
podman network create net_woodpecker
podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000
```
#### Port Mappings
Woodpecker CI uses these ports for outside communication by default.
```
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
```
### Database
The database container is standard PostgreSQL.
```sh
podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=woodpecker \
-e POSTGRES_PASSWORD=woodpecker \
-e POSTGRES_DB=woodpecker \
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
--pod pod_woodpecker \
-d docker.io/postgres:14
```
### Application server
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)

These options apply regardless of the Git forge you want to use.
```sh
podman run --name woodpecker-server -t \
-e WOODPECKER_HOST=https://(hostname/ip address) \
-e WOODPECKER_ADMIN=RealStickman \
-e WOODPECKER_OPEN=false \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_DATABASE_DRIVER=postgres \
-e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
-v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod pod_woodpecker \
-d docker.io/woodpeckerci/woodpecker-server:latest
```
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected Git server can log in to Woodpecker.

To add a user manually: `$ woodpecker-cli user add`

Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32`

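Passing the agent secret and the database password with `-e` leaves them in shell history and in the process list while the command runs. The following added example (not part of the original page or of Woodpecker) generates both into per-container env files for use with `--env-file`; the function names and the `/etc/woodpecker/env` path are assumptions, and the database user and name are the ones used in the Database section.

```sh
#!/bin/sh
# Added example: per-container env files for the Woodpecker pod.
# Function and file names are hypothetical, not part of Woodpecker.

# rand_hex N: print N random bytes as lowercase hex.
rand_hex() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex "$1"
    else
        # Fallback for hosts without openssl.
        head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

# write_woodpecker_env DIR: create DIR (mode 700) holding db.env, server.env
# and agent.env (mode 600). Refuses to overwrite an existing DIR so that a
# running server and its agents keep the secret they already share.
write_woodpecker_env() {
    dir=$1
    if [ -e "$dir" ]; then
        echo "refusing to overwrite $dir" >&2
        return 1
    fi
    old_umask=$(umask)
    umask 077
    mkdir -p "$dir"
    agent_secret=$(rand_hex 32)
    # Hex only, so the password needs no URL-escaping in the datasource.
    db_password=$(rand_hex 24)
    printf 'POSTGRES_PASSWORD=%s\n' "$db_password" > "$dir/db.env"
    {
        printf 'WOODPECKER_AGENT_SECRET=%s\n' "$agent_secret"
        printf 'WOODPECKER_DATABASE_DATASOURCE=%s\n' \
            "postgres://woodpecker:${db_password}@woodpeckerdb:5432/woodpecker?sslmode=disable"
    } > "$dir/server.env"
    # The agent only ever sees the shared secret, not the database password.
    printf 'WOODPECKER_AGENT_SECRET=%s\n' "$agent_secret" > "$dir/agent.env"
    umask "$old_umask"
}

# Usage, replacing the matching -e options in the commands on this page:
#   write_woodpecker_env /etc/woodpecker/env
#   podman run --env-file /etc/woodpecker/env/db.env ... docker.io/postgres:14
#   podman run --env-file /etc/woodpecker/env/server.env ... woodpecker-server
#   docker run --env-file /etc/woodpecker/env/agent.env ... woodpecker-agent
```
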
#### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)

Add these environment variables to enable Woodpecker for a Gitea server.
```sh
-e WOODPECKER_GITEA=true \
-e WOODPECKER_GITEA_URL=https://(gitea url) \
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```

I run Gitea and Woodpecker behind an OPNsense firewall. The default NAT configuration is blocking the connection due to a suspected DNS rebind attack.
A simple workaround is adding an override rule in OPNsense under `Services > Unbound DNS > Overrides`.

> [Helpful Reddit post](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)

### Application agent
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)

The Woodpecker agent must be deployed as a separate container.
It needs access to the Docker socket to spawn new container processes on the host. Access to this socket amounts to full control of the Docker daemon on that host.
Podman isn't well supported currently, so I'll be using Docker for this one container instead (see below).
```sh
docker run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
-e WOODPECKER_GRPC_SECURE=true \
-v /var/run/docker.sock:/var/run/docker.sock \
--restart unless-stopped \
-d docker.io/woodpeckerci/woodpecker-agent:latest
```
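
A check to run over the server or agent environment before the containers are started, covering the settings used on this page: open registration, certificate verification, gRPC transport security, the agent secret and the database credentials. This is an added example, not code from the original page or from the Woodpecker project; the function names are hypothetical and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example (not Woodpecker tooling): audit a KEY=VALUE env file for the
# settings discussed on this page. Function names are hypothetical.

# env_get FILE KEY: value of KEY (last assignment wins), empty if unset.
env_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# audit_woodpecker_env FILE: print one finding per line, return 1 if any.
audit_woodpecker_env() {
    f=$1
    out=""
    add() { out="${out}$1
"; }
    [ "$(env_get "$f" WOODPECKER_OPEN)" != "true" ] ||
        add "WOODPECKER_OPEN=true: any user on the Git server can log in"
    [ "$(env_get "$f" WOODPECKER_GITEA_SKIP_VERIFY)" != "true" ] ||
        add "WOODPECKER_GITEA_SKIP_VERIFY=true: Gitea certificate is not verified"
    [ "$(env_get "$f" WOODPECKER_GRPC_SECURE)" != "false" ] ||
        add "WOODPECKER_GRPC_SECURE=false: agent gRPC connection is not using TLS"
    case $(env_get "$f" WOODPECKER_HOST) in
        "" | https://*) ;;
        *) add "WOODPECKER_HOST: not an https:// URL" ;;
    esac
    secret=$(env_get "$f" WOODPECKER_AGENT_SECRET)
    case $secret in
        *[!0-9a-f]*) add "WOODPECKER_AGENT_SECRET: not hex, placeholder left in?" ;;
        *) [ "${#secret}" -ge 64 ] ||
            add "WOODPECKER_AGENT_SECRET: missing or shorter than 'openssl rand -hex 32' output" ;;
    esac
    creds=$(env_get "$f" WOODPECKER_DATABASE_DATASOURCE |
        sed -n 's#^postgres://\([^:]*\):\([^@]*\)@.*#\1 \2#p')
    [ -z "$creds" ] || [ "${creds%% *}" != "${creds#* }" ] ||
        add "WOODPECKER_DATABASE_DATASOURCE: password equals the user name"
    printf '%s' "$out"
    [ -z "$out" ]
}

# Constructed sample input, modelled on the commands on this page.
sample_env() {
    cat <<'EOF'
WOODPECKER_HOST=http://ci.example.internal
WOODPECKER_OPEN=true
WOODPECKER_AGENT_SECRET=changeme
WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:woodpecker@woodpeckerdb:5432/woodpecker?sslmode=disable
WOODPECKER_GITEA_SKIP_VERIFY=false
WOODPECKER_GRPC_SECURE=true
EOF
}
```

Run it as `sample_env > /tmp/wp.env; audit_woodpecker_env /tmp/wp.env`, or point it at the env file actually passed to the server or agent container.
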
#### Podman Socket Notes
Podman has supported sockets since version 3.4.0.
_Woodpecker recommends at least Podman 4.0._

[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)

[Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)

[Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)

[Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)