Finish woodpecker wiki article

RealStickman 2022-09-11 19:18:56 +02:00
parent 6a43d874cd
commit 7393100b32


@ -4,42 +4,103 @@ title: 'Woodpecker CI'
[toc]
## Podman
### Pod
`# podman pod create --name woodpecker -p 8000:8000`
### Server
### Network and Pod
`# podman network create net_woodpecker`
`# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000`
#### Port Mappings
```
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
```
### Database
```
# podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=woodpecker \
-e POSTGRES_PASSWORD=woodpecker \
-e POSTGRES_DB=woodpecker \
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
--pod pod_woodpecker \
-d docker.io/postgres
```
### Application server
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
```
# podman run --name woodpecker-server -t \
-e WOODPECKER_OPEN=true \
-e WOODPECKER_HOST=${WOODPECKER_HOST} \
-e WOODPECKER_GITEA=true
-e WOODPECKER_GITEA_URL=${WOODPECKER_GITEA_URL}
-e WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT}
-e WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
-e WOODPECKER_HOST=https://(hostname/ip address) \
-e WOODPECKER_ADMIN=RealStickman \
-e WOODPECKER_REPO_OWNERS=RealStickman \
-e WOODPECKER_OPEN=false \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_DATABASE_DRIVER=postgres \
-e WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/postgres?sslmode=disable \
-v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod=woodpecker \
-e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
-v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod pod_woodpecker \
-d docker.io/woodpeckerci/woodpecker-server:latest
```
### Agent
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to woodpecker.
I'm using `WOODPECKER_REPO_OWNERS` instead to allow my user on woodpecker without having to add it manually using the CLI.
If one wanted to add a user manually: `$ woodpecker-cli user add`
Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32`
#### GitHub
*TODO*
#### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)
Add these environment variables to enable Woodpecker for a gitea server.
```
-e WOODPECKER_GITEA=true \
-e WOODPECKER_GITEA_URL=https://(gitea url) \
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
#### GitLab
Add these environment variables to enable GitLab in Woodpecker.
```
-e WOODPECKER_GITLAB=true \
-e WOODPECKER_GITLAB_URL=https://(gitlab url) \
-e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
-e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
```
### Application agent
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
```
# podman run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=woodpecker-server:9000 \
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
--pod=woodpecker \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
-e WOODPECKER_GRPC_SECURE=true \
-v /var/run/docker.sock:/var/run/docker.sock \
-d docker.io/woodpeckerci/woodpecker-agent:latest
```
woodpecker-agent:
image: woodpeckerci/woodpecker-agent:latest
command: agent
restart: always
depends_on:
- woodpecker-server
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
- WOODPECKER_SERVER=woodpecker-server:9000
- WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
For now I'll be using docker to run my agents.
Podman has support for using sockets since version 3.4.0.
*TODO: try out socket access once Podman 3.4.0 is on my servers*
*Recommended by Woodpecker is at least Podman 4.0*
[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)
[Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)
[Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)
[Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)
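Review bot: the four `WOODPECKER_GITEA*` lines in the server command (`-e WOODPECKER_GITEA=true` through `-e WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}`) carry no trailing `\`, so if they stay in the article the `podman run` invocation ends after `WOODPECKER_GITEA=true` and the remaining `-e ...` lines are executed as separate shell commands; either add the continuation backslashes or drop them in favour of the block under `#### Gitea`, which already has them. Two smaller points: the database section hard-codes `POSTGRES_PASSWORD=woodpecker` while the server command uses `(password)` placeholders, so a reader copying the page ends up with a guessable credential for the CI database; a placeholder, or the `openssl rand -hex 32` already recommended for the agent secret, would be consistent. `sslmode=disable` in `WOODPECKER_DATABASE_DATASOURCE` is only acceptable because `woodpeckerdb` and the server share the pod's network namespace; that assumption deserves a sentence next to it. Finally, the agent sets `WOODPECKER_GRPC_SECURE=true`, but the server command as written configures no TLS for the gRPC listener on 9000, so the agent will not connect unless a TLS-terminating proxy fronts that port; state which setup is intended.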