wiki-grav/pages/02.linux/28.woodpecker-ci/default.en.md

4.0 KiB

title
Woodpecker CI

[toc]

Podman

Network and Pod

# podman network create net_woodpecker
# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000

Port Mappings

8000: Woodpecker HTTP listener, Configurable with "WOODPECKER_SERVER_ADDR"
9000: Woodpecker gRPC listener, Configurable with "WOODPECKER_GRPC_ADDR"

Database

# podman run --name woodpeckerdb \
    -e PGDATA=/var/lib/postgresql/data/pgdata \
    -e POSTGRES_USER=woodpecker \
    -e POSTGRES_PASSWORD=woodpecker \
    -e POSTGRES_DB=woodpecker \
    -v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
    --pod pod_woodpecker \
    -d docker.io/postgres

Application server

Official Documentation

# podman run --name woodpecker-server -t \
    -e WOODPECKER_HOST=https://(hostname/ip address) \
    -e WOODPECKER_ADMIN=RealStickman \
    -e WOODPECKER_OPEN=false \
    -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
    -e WOODPECKER_DATABASE_DRIVER=postgres \
    -e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
    -v /mnt/woodpecker:/var/lib/woodpecker/ \
    --pod pod_woodpecker \
    -d docker.io/woodpeckerci/woodpecker-server:latest

If WOODPECKER_OPEN is set to true, any user present on the connected git server could log in to woodpecker.
If one wanted to add a user manually: $ woodpecker-cli user add

Generate WOODPECKER_AGENT_SECRET with this command:
$ openssl rand -hex 32

GitHub

TODO

Gitea

Documentation

Add these environment variables to enable Woodpecker for a gitea server.

    -e WOODPECKER_GITEA=true \
    -e WOODPECKER_GITEA_URL=https://(gitea url) \
    -e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
    -e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
    -e WOODPECKER_GITEA_SKIP_VERIFY=false \

I run gitea and woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefor I set added an override rule for my gitea url in OPNsense (Services > Unbound DNS > Overrides)

Reddit post I used as guidance

GitLab

Add these environment variables to enable GitLab in Woodpecker.

    -e WOODPECKER_GITLAB=true \
    -e WOODPECKER_GITLAB_URL=https://(gitlab url) \
    -e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
    -e WOODPECKER_GITLAB_SECRET=(oauth client secret) \

Application agent

Official Documentation

# docker run --name woodpecker-agent -t \
    -e WOODPECKER_SERVER=(url/ip):(grpc port) \
    -e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
    -e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
    -e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
    -e WOODPECKER_GRPC_SECURE=true \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --restart unless-stopped \
    -d docker.io/woodpeckerci/woodpecker-agent:latest

The Woodpecker agent needs access to the docker socket to spawn new container processes on the host.
For now I'll be using docker to run my agents.

Podman has support for using sockets since version 3.4.0.
TODO: try out socket access once Podman 3.4.0 is on my servers
Recommended by Woodpecker is at least Podman 4.0
Podman socket activation

Woodpecker note on using Podman
Woodpecker issue about Podman
Woodpecker PR for Podman backend