Compare commits

...

2 Commits

Author SHA1 Message Date
exu
81fbf84967 Use relative links 2023-09-27 18:35:51 +02:00
exu
60e7180df3 Flesh out Woodpecker CI article 2023-09-27 18:35:18 +02:00
3 changed files with 21 additions and 12 deletions

View File

@ -109,7 +109,7 @@ host [HOSTNAME] {
### Dynamic DNS ### Dynamic DNS
_Needs a supported DNS like BIND or PowerDNS_ _Needs a supported DNS like BIND or PowerDNS_
[Configure your DNS server to accept updates](https://wiki.realstickman.net/e/en/linux/services/powerdns) [Configure your DNS server to accept updates](/linux/services/powerdns)
Add the following snippet to your `/etc/dhcp/dhcpd.conf` file Add the following snippet to your `/etc/dhcp/dhcpd.conf` file
How to generate the key is also described in the DNS article How to generate the key is also described in the DNS article

View File

@ -144,7 +144,7 @@ Enable for domain
And for reverse-zone And for reverse-zone
`# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)` `# pdnsutil set-meta (reverse ip).in-addr.arpa TSIG-ALLOW-DNSUPDATE (keyname)`
You also have to configure the DHCP server to provide updates, see [the DHCP article](https://wiki.realstickman.net/en/linux/services/dhcp-server) You also have to configure the DHCP server to provide updates, see [the DHCP article](/linux/services/dhcp-server)
### Testing with nsupdate ### Testing with nsupdate

View File

@ -5,10 +5,15 @@ visible: true
[toc] [toc]
This page details installation instructions for Woodpecker CI with a connection to a self-hosted [Gitea](/linux/gitea) instance.
Woodpecker will be deployed as a container.
## Podman ## Podman
### Network and Pod ### Network and Pod
Multiple containers will be created. To separate them from other containers while also simplifying access between member containers, a container network and pod are created.
```sh ```sh
podman network create net_woodpecker podman network create net_woodpecker
podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000 podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000
@ -16,6 +21,8 @@ podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p
#### Port Mappings #### Port Mappings
Woodpecker CI uses these ports for outside communication by default.
``` ```
8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR" 8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR" 9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"
@ -23,6 +30,8 @@ podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p
### Database ### Database
The database container is standard PostgreSQL.
```sh ```sh
podman run --name woodpeckerdb \ podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \ -e PGDATA=/var/lib/postgresql/data/pgdata \
@ -38,6 +47,8 @@ podman run --name woodpeckerdb \
> [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config) > [Official Documentation](https://woodpecker-ci.org/docs/administration/server-config)
These options apply regardless of the Git Forge you want to use.
```sh ```sh
podman run --name woodpecker-server -t \ podman run --name woodpecker-server -t \
-e WOODPECKER_HOST=https://(hostname/ip address) \ -e WOODPECKER_HOST=https://(hostname/ip address) \
@ -57,10 +68,6 @@ If one wanted to add a user manually: `$ woodpecker-cli user add`
Generate `WOODPECKER_AGENT_SECRET` with this command: Generate `WOODPECKER_AGENT_SECRET` with this command:
`$ openssl rand -hex 32` `$ openssl rand -hex 32`
#### GitHub
_TODO_
#### Gitea #### Gitea
> [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea) > [Documentation](https://woodpecker-ci.org/docs/administration/vcs/gitea)
@ -75,10 +82,10 @@ Add these environment variables to enable Woodpecker for a gitea server.
-e WOODPECKER_GITEA_SKIP_VERIFY=false \ -e WOODPECKER_GITEA_SKIP_VERIFY=false \
``` ```
I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack. I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration is blocking the connection due to a suspected DNS rebind attack.
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides) A simple workaround is adding an override rule in OPNsense under `Services > Unbound DNS > Overrides`.
> [Reddit post I used as guidance](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/) > [Helpful Reddit post](https://www.reddit.com/r/OPNsenseFirewall/comments/lrmtsz/a_potential_dns_rebind_attack/)
#### GitLab #### GitLab
@ -95,6 +102,10 @@ Add these environment variables to enable GitLab in Woodpecker.
> [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config) > [Official Documentation](https://woodpecker-ci.org/docs/administration/agent-config)
The Woodpecker agent must be deployed as a separate container.
It needs access to the docker socket to spawn new container processes on the host.
Podman isn't well supported currently, so I'll be using Docker for this one container instead (See below).
```sh ```sh
docker run --name woodpecker-agent -t \ docker run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \ -e WOODPECKER_SERVER=(url/ip):(grpc port) \
@ -107,11 +118,9 @@ docker run --name woodpecker-agent -t \
-d docker.io/woodpeckerci/woodpecker-agent:latest -d docker.io/woodpeckerci/woodpecker-agent:latest
``` ```
The Woodpecker agent needs access to the docker socket to spawn new container processes on the host. #### Podman Socket Notes
For now I'll be using docker to run my agents.
Podman has support for using sockets since version 3.4.0. Podman has support for using sockets since version 3.4.0.
_TODO: try out socket access once Podman 3.4.0 is on my servers_
_Recommended by Woodpecker is at least Podman 4.0_ _Recommended by Woodpecker is at least Podman 4.0_
[Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md) [Podman socket activation](https://github.com/containers/podman/blob/main/docs/tutorials/socket_activation.md)