Finish woodpecker wiki article
This commit is contained in:
parent
6a43d874cd
commit
7393100b32
@ -4,42 +4,103 @@ title: 'Woodpecker CI'
|
||||
|
||||
[toc]
|
||||
## Podman
|
||||
### Pod
|
||||
`# podman pod create --name woodpecker -p 8000:8000`
|
||||
### Server
|
||||
### Network and Pod
|
||||
`# podman network create net_woodpecker`
|
||||
`# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000`
|
||||
|
||||
#### Port Mappings
|
||||
```
|
||||
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
|
||||
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
|
||||
```
|
||||
|
||||
### Database
|
||||
```
|
||||
# podman run --name woodpeckerdb \
|
||||
-e PGDATA=/var/lib/postgresql/data/pgdata \
|
||||
-e POSTGRES_USER=woodpecker \
|
||||
-e POSTGRES_PASSWORD=woodpecker \
|
||||
-e POSTGRES_DB=woodpecker \
|
||||
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
|
||||
--pod pod_woodpecker \
|
||||
-d docker.io/postgres
|
||||
```
|
||||
|
||||
### Application server
|
||||
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
|
||||
|
||||
```
|
||||
# podman run --name woodpecker-server -t \
|
||||
-e WOODPECKER_OPEN=true \
|
||||
-e WOODPECKER_HOST=${WOODPECKER_HOST} \
|
||||
-e WOODPECKER_GITEA=true
|
||||
-e WOODPECKER_GITEA_URL=${WOODPECKER_GITEA_URL}
|
||||
-e WOODPECKER_GITEA_CLIENT=${WOODPECKER_GITEA_CLIENT}
|
||||
-e WOODPECKER_GITEA_SECRET=${WOODPECKER_GITEA_SECRET}
|
||||
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
|
||||
-e WOODPECKER_HOST=https://(hostname/ip address) \
|
||||
-e WOODPECKER_ADMIN=RealStickman \
|
||||
-e WOODPECKER_REPO_OWNERS=RealStickman \
|
||||
-e WOODPECKER_OPEN=false \
|
||||
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
|
||||
-e WOODPECKER_DATABASE_DRIVER=postgres \
|
||||
-e WOODPECKER_DATABASE_DATASOURCE=postgres://root:password@1.2.3.4:5432/postgres?sslmode=disable \
|
||||
-e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
|
||||
-v /mnt/woodpecker:/var/lib/woodpecker/ \
|
||||
--pod=woodpecker \
|
||||
--pod pod_woodpecker \
|
||||
-d docker.io/woodpeckerci/woodpecker-server:latest
|
||||
```
|
||||
### Agent
|
||||
|
||||
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to woodpecker.
|
||||
I'm using `WOODPECKER_REPO_OWNERS` instead to allow my user on woodpecker without having to add it manually using the CLI.
|
||||
If one wanted to add a user manually: `$ woodpecker-cli user add`
|
||||
|
||||
Generate `WOODPECKER_AGENT_SECRET` with this command:
|
||||
`$ openssl rand -hex 32`
|
||||
|
||||
#### GitHub
|
||||
*TODO*
|
||||
|
||||
#### Gitea
|
||||
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)
|
||||
|
||||
Add these environment variables to enable Woodpecker for a gitea server.
|
||||
```
|
||||
-e WOODPECKER_GITEA=true \
|
||||
-e WOODPECKER_GITEA_URL=https://(gitea url) \
|
||||
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
|
||||
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
|
||||
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
|
||||
```
|
||||
|
||||
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
|
||||
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)
|
||||
|
||||
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
|
||||
|
||||
#### GitLab
|
||||
Add these environment variables to enable GitLab in Woodpecker.
|
||||
```
|
||||
-e WOODPECKER_GITLAB=true \
|
||||
-e WOODPECKER_GITLAB_URL=https://(gitlab url) \
|
||||
-e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
|
||||
-e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
|
||||
```
|
||||
|
||||
### Application agent
|
||||
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
|
||||
|
||||
```
|
||||
# podman run --name woodpecker-agent -t \
|
||||
-e WOODPECKER_SERVER=woodpecker-server:9000 \
|
||||
-e WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET} \
|
||||
--pod=woodpecker \
|
||||
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
|
||||
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
|
||||
-e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
|
||||
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
|
||||
-e WOODPECKER_GRPC_SECURE=true \
|
||||
-v /var/run/docker.sock:/var/run/docker.sock \
|
||||
-d docker.io/woodpeckerci/woodpecker-agent:latest
|
||||
```
|
||||
|
||||
woodpecker-agent:
|
||||
image: woodpeckerci/woodpecker-agent:latest
|
||||
command: agent
|
||||
restart: always
|
||||
depends_on:
|
||||
- woodpecker-server
|
||||
volumes:
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
environment:
|
||||
- WOODPECKER_SERVER=woodpecker-server:9000
|
||||
- WOODPECKER_AGENT_SECRET=${WOODPECKER_AGENT_SECRET}
|
||||
The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
|
||||
For now I'll be using docker to run my agents.
|
||||
|
||||
Podman has support for using sockets since version 3.4.0.
|
||||
*TODO: try out socket access once Podman 3.4.0 is on my servers*
|
||||
*Recommended by Woodpecker is at least Podman 4.0*
|
||||
[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)
|
||||
|
||||
[Woodpecker note on using Podman](https://github.com/woodpecker-ci/woodpecker/blob/master/docs/docs/30-administration/22-backends/10-docker.md#podman-support)
|
||||
[Woodpecker issue about Podman](https://github.com/woodpecker-ci/woodpecker/issues/85)
|
||||
[Woodpecker PR for Podman backend](https://github.com/woodpecker-ci/woodpecker/pull/305)
|
||||
|
Loading…
Reference in New Issue
Block a user