Flesh out Woodpecker CI article

This commit is contained in:
exu 2023-09-27 18:35:18 +02:00
parent 0f59c6c81a
commit 60e7180df3

View File

@ -5,10 +5,15 @@ visible: true
[toc]
This page details installation instructions for Woodpecker CI with a connection to a self-hosted [Gitea](/linux/gitea) instance.
Woodpecker will be deployed as a container.
## Podman
### Network and Pod
Multiple containers will be created. To separate them from other containers while also simplifying access between member containers, a container network and pod are created.
```sh
podman network create net_woodpecker
podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000
@ -16,6 +21,8 @@ podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p
#### Port Mappings
Woodpecker CI uses these ports for outside communication by default.
```
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
@ -23,6 +30,8 @@ podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p
### Database
The database container is standard PostgreSQL.
```sh
podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
@ -38,6 +47,8 @@ podman run --name woodpeckerdb \
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
These options apply regardless of the Git Forge you want to use.
```sh
podman run --name woodpecker-server -t \
-e WOODPECKER_HOST=https://(hostname/ip address) \
@ -57,10 +68,6 @@ If one wanted to add a user manually: `$ woodpecker-cli user add`
Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32`
#### GitHub
_TODO_
#### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)
@ -75,10 +82,10 @@ Add these environment variables to enable Woodpecker for a gitea server.
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration is blocking the connection due to a suspected DNS rebind attack.
A simple workaround is adding an override rule in OPNsense under `Services > Unbound DNS > Overrides`.
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
> [Helpful Reddit post](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
#### GitLab
@ -95,6 +102,10 @@ Add these environment variables to enable GitLab in Woodpecker.
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
The Woodpecker agent must be deployed as a separate container.
It needs access to the docker socket to spawn new container processes on the host.
Podman isn't well supported currently, so I'll be using Docker for this one container instead (See below).
```sh
docker run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
@ -107,11 +118,9 @@ docker run --name woodpecker-agent -t \
-d docker.io/woodpeckerci/woodpecker-agent:latest
```
The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
For now I'll be using docker to run my agents.
#### Podman Socket Notes
Podman has support for using sockets since version 3.4.0.
_TODO: try out socket access once Podman 3.4.0 is on my servers_
_Recommended by Woodpecker is at least Podman 4.0_
[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)