# Woodpecker CI
[toc]
## Podman

### Network and Pod

```sh
# podman network create net_woodpecker
# podman pod create --name pod_woodpecker --network net_woodpecker -p 8000:8000 -p 9000:9000
```

#### Port Mappings

- 8000: Woodpecker HTTP listener, configurable with `WOODPECKER_SERVER_ADDR`
- 9000: Woodpecker gRPC listener, configurable with `WOODPECKER_GRPC_ADDR`
### Database

```sh
# podman run --name woodpeckerdb \
-e PGDATA=/var/lib/postgresql/data/pgdata \
-e POSTGRES_USER=woodpecker \
-e POSTGRES_PASSWORD=woodpecker \
-e POSTGRES_DB=woodpecker \
-v /mnt/postgres-woodpecker:/var/lib/postgresql/data \
--pod pod_woodpecker \
-d docker.io/postgres
```
### Application server

```sh
# podman run --name woodpecker-server -t \
-e WOODPECKER_HOST=https://(hostname/ip address) \
-e WOODPECKER_ADMIN=RealStickman \
-e WOODPECKER_REPO_OWNERS=RealStickman \
-e WOODPECKER_OPEN=false \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_DATABASE_DRIVER=postgres \
-e WOODPECKER_DATABASE_DATASOURCE='postgres://(user):(password)@woodpeckerdb:5432/(database)?sslmode=disable' \
-v /mnt/woodpecker:/var/lib/woodpecker/ \
--pod pod_woodpecker \
-d docker.io/woodpeckerci/woodpecker-server:latest
```
If `WOODPECKER_OPEN` is set to `true`, any user present on the connected git server could log in to Woodpecker.
I'm using `WOODPECKER_REPO_OWNERS` instead to allow my user on Woodpecker without having to add it manually using the CLI.

If one wanted to add a user manually:

```sh
$ woodpecker-cli user add
```

Generate `WOODPECKER_AGENT_SECRET` with this command:

```sh
$ openssl rand -hex 32
```
#### GitHub

TODO
#### Gitea

Add these environment variables to enable Woodpecker for a Gitea server.

```sh
-e WOODPECKER_GITEA=true \
-e WOODPECKER_GITEA_URL=https://(gitea url) \
-e WOODPECKER_GITEA_CLIENT='(oauth client id)' \
-e WOODPECKER_GITEA_SECRET='(oauth client secret)' \
-e WOODPECKER_GITEA_SKIP_VERIFY=false \
```

I run Gitea and Woodpecker behind an OPNsense firewall. The default NAT configuration alerts due to a suspected DNS rebind attack.
Therefore I added an override rule for my Gitea URL in OPNsense (Services > Unbound DNS > Overrides).
#### GitLab

Add these environment variables to enable GitLab in Woodpecker.

```sh
-e WOODPECKER_GITLAB=true \
-e WOODPECKER_GITLAB_URL=https://(gitlab url) \
-e WOODPECKER_GITLAB_CLIENT=(oauth client id) \
-e WOODPECKER_GITLAB_SECRET=(oauth client secret) \
```
### Application agent

```sh
# docker run --name woodpecker-agent -t \
-e WOODPECKER_SERVER=(url/ip):(grpc port) \
-e WOODPECKER_AGENT_SECRET=(shared secret for server and agents) \
-e WOODPECKER_HOSTNAME=(agent hostname, def: empty) \
-e WOODPECKER_MAX_PROCS=(number of parallel builds, def: 1) \
-e WOODPECKER_GRPC_SECURE=true \
-v /var/run/docker.sock:/var/run/docker.sock \
--restart unless-stopped \
-d docker.io/woodpeckerci/woodpecker-agent:latest
```
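A pre-flight check for the server and agent environment assembled above, added here as an example (it is neither part of this setup nor Woodpecker's own tooling): it reads the `WOODPECKER_*` variables from the current shell and reports the settings this page calls out (`WOODPECKER_OPEN`, the agent secret format, https URLs, `WOODPECKER_GITEA_SKIP_VERIFY`, `sslmode=disable`, `WOODPECKER_GRPC_SECURE`) before `podman run` or `docker run` is issued. The function names are my own.

```sh
# Added example (not Woodpecker's own tooling): lint the WOODPECKER_* variables
# in the environment before starting the server or agent container.

# 0 when SECRET is 32 random bytes as hex (64 hex chars), the format that
# `openssl rand -hex 32` produces; 1 for an empty or differently shaped value.
check_secret() { printf '%s' "$1" | grep -Eiq '^[0-9a-f]{64}$'; }

# 0 when URL uses https://, 1 otherwise (OAuth redirects and tokens travel over it).
check_https() { case "$1" in https://*) return 0 ;; *) return 1 ;; esac; }

# Lints the server environment: one finding per line on stdout,
# return value is the number of findings (0 = nothing to report).
lint_server_env() {
  n=0
  if [ "$WOODPECKER_OPEN" = "true" ]; then
    echo "WOODPECKER_OPEN=true: every user on the git server may log in"; n=$((n+1))
  fi
  if ! check_secret "$WOODPECKER_AGENT_SECRET"; then
    echo "WOODPECKER_AGENT_SECRET: missing or not 32 hex-encoded random bytes"; n=$((n+1))
  fi
  if ! check_https "$WOODPECKER_HOST"; then
    echo "WOODPECKER_HOST: should be an https:// URL"; n=$((n+1))
  fi
  for v in WOODPECKER_GITEA_URL WOODPECKER_GITLAB_URL; do
    eval "val=\${$v}"
    if [ -n "$val" ] && ! check_https "$val"; then
      echo "$v: should be an https:// URL"; n=$((n+1))
    fi
  done
  if [ "$WOODPECKER_GITEA_SKIP_VERIFY" = "true" ]; then
    echo "WOODPECKER_GITEA_SKIP_VERIFY=true: Gitea's TLS certificate is not checked"; n=$((n+1))
  fi
  case "$WOODPECKER_DATABASE_DATASOURCE" in *sslmode=disable*)
    echo "sslmode=disable: DB traffic is plaintext, only acceptable inside the pod network"; n=$((n+1)) ;;
  esac
  return "$n"
}

# Lints the agent environment the same way.
lint_agent_env() {
  n=0
  if ! check_secret "$WOODPECKER_AGENT_SECRET"; then
    echo "WOODPECKER_AGENT_SECRET: missing or not 32 hex-encoded random bytes"; n=$((n+1))
  fi
  if [ "$WOODPECKER_GRPC_SECURE" != "true" ]; then
    echo "WOODPECKER_GRPC_SECURE is not true: agent-to-server gRPC is plaintext"; n=$((n+1))
  fi
  return "$n"
}
```

Source the file and run `lint_server_env` (or `lint_agent_env`) in the shell that holds the exported variables; a non-zero exit status means at least one finding was printed.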
The Woodpecker agent needs access to the Docker socket to spawn new container processes on the host.
For now I'll be using Docker to run my agents.
Podman has support for using sockets since version 3.4.0.
TODO: try out socket access once Podman 3.4.0 is on my servers.
Woodpecker recommends at least Podman 4.0.
- Podman socket activation
- Woodpecker note on using Podman
- Woodpecker issue about Podman
- Woodpecker PR for Podman backend