Finish woodpecker wiki article

This commit is contained in:
RealStickman 2022-09-11 19:18:56 +02:00
parent 6a43d874cd
commit 7393100b32

View File

@ -4,42 +4,103 @@ title: 'Woodpecker CI'
[toc] [toc]
## Podman ## Podman
### Pod ### Network and Pod
`# podman pod create --name woodpecker -p 8000:8000` `# podman network create net_woodpecker`
### Server `# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000`
#### Port Mappings
```
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
```
### Database
```
# podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=woodpecker \
-e POSTGRES_PASSWORD=woodpecker \
-e POSTGRES_DB=woodpecker \
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
--pod pod_woodpecker \
-d docker.io/postgres
```
### Application server
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
``` ```
# podman run --name woodpecker-server -t \ # podman run --name woodpecker-server -t \
-e WOODPECKER_OPEN=true \ -e WOODPECKER_HOST=https://(hostname/ip address) \
-e WOODPECKER_HOST=${WOODPECKER_HOST} \ -e WOODPECKER_ADMIN=RealStickman \
-e WOODPECKER_GITEA=true -e WOODPECKER_REPO_OWNERS=RealStickman \
-e WOODPECKER_GITEA_URL=${WOODPECKER_GITEA_URL} -e WOODPECKER_OPEN=false \
-e WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT} -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
-e WOODPECKER_DATABASE_DRIVER=postgres \ -e WOODPECKER_DATABASE_DRIVER=postgres \
-e WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/postgres?sslmode=disable \ -e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
-v /mnt/woodpecker:/var/lib/woodpecker/ \ -v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod=woodpecker \ --pod pod_woodpecker \
-d docker.io/woodpeckerci/woodpecker-server:latest -d docker.io/woodpeckerci/woodpecker-server:latest
``` ```
### Agent
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to woodpecker.
I'm using `WOODPECKER_REPO_OWNERS` instead to allow my user on woodpecker without having to add it manually using the CLI.
If one wanted to add a user manually: `$ woodpecker-cli user add`
Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32`
#### GitHub
*TODO*
#### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)
Add these environment variables to enable Woodpecker for a gitea server.
```
-e WOODPECKER_GITEA=true \
-e WOODPECKER_GITEA_URL=https://(gitea url) \
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
#### GitLab
Add these environment variables to enable GitLab in Woodpecker.
```
-e WOODPECKER_GITLAB=true \
-e WOODPECKER_GITLAB_URL=https://(gitlab url) \
-e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
-e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
```
### Application agent
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
``` ```
# podman run --name woodpecker-agent -t \ # podman run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=woodpecker-server:9000 \ -e WOODPECKER_SERVER=(url/ip):(grpc port) \
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \ -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
--pod=woodpecker \ -e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
-e WOODPECKER_GRPC_SECURE=true \
-v /var/run/docker.sock:/var/run/docker.sock \
-d docker.io/woodpeckerci/woodpecker-agent:latest -d docker.io/woodpeckerci/woodpecker-agent:latest
``` ```
woodpecker-agent: The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
image: woodpeckerci/woodpecker-agent:latest For now I'll be using docker to run my agents.
command: agent
restart: always Podman has support for using sockets since version 3.4.0.
depends_on: *TODO: try out socket access once Podman 3.4.0 is on my servers*
- woodpecker-server *Recommended by Woodpecker is at least Podman 4.0*
volumes: [Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)
- /var/run/docker.sock:/var/run/docker.sock
environment: [Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)
- WOODPECKER_SERVER=woodpecker-server:9000 [Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)
- WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} [Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)