Finish woodpecker wiki article

2022-09-11 19:18:56 +02:00 · 2022-09-11 19:18:56 +02:00 · 7393100b32
commit 7393100b32
parent 6a43d874cd
1 changed files with 89 additions and 28 deletions
--- a/pages/02.linux/28.woodpecker-ci/default.en.md
+++ b/pages/02.linux/28.woodpecker-ci/default.en.md
@ -4,42 +4,103 @@ title: 'Woodpecker CI'

 [toc]
 ## Podman
-### Pod
-`# podman pod create --name woodpecker -p 8000:8000`  
-### Server
+### Network and Pod
+`# podman network create net_woodpecker`  
+`# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000`  
+
+#### Port Mappings
+```
+8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
+9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
+```
+
+### Database
+```
+# podman run --name woodpeckerdb \
+    -e PGDATA=/var/lib/postgresql/data/pgdata \
+    -e POSTGRES_USER=woodpecker \
+    -e POSTGRES_PASSWORD=woodpecker \
+    -e POSTGRES_DB=woodpecker \
+    -v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
+    --pod pod_woodpecker \
+    -d docker.io/postgres
+```
+
+### Application server
+> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)  
+
 ```
 # podman run --name woodpecker-server -t \
-    -e WOODPECKER_OPEN=true \
-    -e WOODPECKER_HOST=${WOODPECKER_HOST} \
-    -e WOODPECKER_GITEA=true
-    -e WOODPECKER_GITEA_URL=${WOODPECKER_GITEA_URL}
-    -e WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT}
-    -e WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
-    -e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
+    -e WOODPECKER_HOST=https://(hostname/ip address) \
+    -e WOODPECKER_ADMIN=RealStickman \
+    -e WOODPECKER_REPO_OWNERS=RealStickman \
+    -e WOODPECKER_OPEN=false \
+    -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
    -e WOODPECKER_DATABASE_DRIVER=postgres \
-    -e WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/postgres?sslmode=disable \
-    -v  /mnt/woodpecker:/var/lib/woodpecker/ \
-    --pod=woodpecker \
+    -e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
+    -v /mnt/woodpecker:/var/lib/woodpecker/ \
+    --pod pod_woodpecker \
    -d docker.io/woodpeckerci/woodpecker-server:latest
 ```
-### Agent
+
+If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to woodpecker.  
+I'm using `WOODPECKER_REPO_OWNERS` instead to allow my user on woodpecker without having to add it manually using the CLI.  
+If one wanted to add a user manually: `$ woodpecker-cli user add`  
+
+Generate `WOODPECKER_AGENT_SECRET` with this command:  
+`$ openssl rand -hex 32`  
+
+#### GitHub
+*TODO*  
+
+#### Gitea
+> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)  
+
+Add these environment variables to enable Woodpecker for a gitea server.  
+```
+    -e WOODPECKER_GITEA=true \
+    -e WOODPECKER_GITEA_URL=https://(gitea url) \
+    -e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
+    -e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
+    -e WOODPECKER_GITEA_SKIP_VERIFY=false \
+```
+
+I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.  
+Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)  
+
+> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)  
+
+#### GitLab
+Add these environment variables to enable GitLab in Woodpecker.  
+```
+    -e WOODPECKER_GITLAB=true \
+    -e WOODPECKER_GITLAB_URL=https://(gitlab url) \
+    -e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
+    -e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
+```
+
+### Application agent
+> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)  

 ```
 # podman run --name woodpecker-agent -t \
-    -e WOODPECKER_SERVER=woodpecker-server:9000 \
-    -e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
-    --pod=woodpecker \
+    -e WOODPECKER_SERVER=(url/ip):(grpc port) \
+    -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
+    -e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
+    -e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
+    -e WOODPECKER_GRPC_SECURE=true \
+    -v /var/run/docker.sock:/var/run/docker.sock \
    -d docker.io/woodpeckerci/woodpecker-agent:latest
 ```

-  woodpecker-agent:
-    image: woodpeckerci/woodpecker-agent:latest
-    command: agent
-    restart: always
-    depends_on:
-      - woodpecker-server
-    volumes:
-      - /var/run/docker.sock:/var/run/docker.sock
-    environment:
-      - WOODPECKER_SERVER=woodpecker-server:9000
-      - WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
+The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.  
+For now I'll be using docker to run my agents.  
+
+Podman has support for using sockets since version 3.4.0.  
+*TODO: try out socket access once Podman 3.4.0 is on my servers*  
+*Recommended by Woodpecker is at least Podman 4.0*  
+[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)  
+
+[Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)  
+[Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)  
+[Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)