mash-playbook/docs/services/woodpecker-ci.md

164 lines
7.1 KiB
Markdown

# Woodpecker CI
This playbook can install and configure [Woodpecker CI](https://woodpecker-ci.org/) for you.
Woodpecker CI is a [Continuous Integration](https://en.wikipedia.org/wiki/Continuous_integration) engine which can build and deploy your code automatically after pushing to a [Gitea](./gitea.md) or [Forgejo](./forgejo.md) repository.
If you are using [Forgejo](./forgejo.md), you might also be interested in [Forgejo Runner](https://code.forgejo.org/forgejo/runner) (that this playbook also [supports](forgejo-runner.md)).
A Woodpecker CI installation contains 2 components:
- one [Woodpecker CI **server**](#woodpecker-ci-server) (web interface, central management node)
- one or more [Woodpecker CI **agent**](#woodpecker-ci-agent) instances (which run your CI jobs)
It's better to run the **agent** instances elsewhere (not on the source-control server or a server serving anything of value) - on a machine that doesn't contain sensitive data.
Small installations which only run trusted CI jobs can afford to run an agent instance on the source-control server itself.
## Woodpecker CI Server
### Dependencies
This service requires the following other services:
- a [Postgres](postgres.md) database
- a [Traefik](traefik.md) reverse-proxy server
### Configuration
To enable this service, add the following configuration to your `vars.yml` file and re-run the [installation](../installing.md) process:
```yaml
########################################################################
# #
# woodpecker-ci-server #
# #
########################################################################
woodpecker_ci_server_enabled: true
woodpecker_ci_server_hostname: mash.example.com
woodpecker_ci_server_path_prefix: /ci
# Generate this secret with `openssl rand -hex 32`
#
# Note that this playbook only supports agent-specific secrets, which
# means that if you choose to share this secret with an agent, the
# server will register it as a non-persistent agent.
#
# See the definition of
# woodpecker_ci_agent_config_agent_secret below for more details.
woodpecker_ci_server_config_agent_secret: ''
woodpecker_ci_server_config_admins: [YOUR_USERNAME_HERE]
# Add one or more usernames that match your version control system (e.g. Gitea) below.
# These users will have admin privileges upon signup.
woodpecker_ci_server_config_admins:
- YOUR_USERNAME_HERE
- ANOTHER_USERNAME_HERE
# Uncomment the line below if you'll be running Woodpecker CI agents on remote machines.
# If you'll only run agents on the same machine as the server, you can keep gRPC expose disabled.
# woodpecker_ci_server_container_labels_traefik_grpc_enabled: true
########################################################################
# #
# /woodpecker-ci-server #
# #
########################################################################
```
In the example configuration above, we configure the service to be hosted at `https://mash.example.com/ci`.
If you want to host the service at the root path, remove the `woodpecker_ci_server_path_prefix` variable override.
#### Gitea Integration
The Woodpecker CI server can integrate with [Gitea](gitea.md) using the following **additional** `vars.yml` configuration:
```yaml
woodpecker_ci_server_provider: gitea
# We must use the public URL here, because it's also used for login redirects
woodpecker_ci_server_config_gitea_url: "{{ gitea_config_root_url }}"
# Populate these with the OAuth 2 application information
# (see the Gitea configuration section above)
woodpecker_ci_server_config_gitea_client: GITEA_OAUTH_CLIENT_ID_HERE
woodpecker_ci_server_config_gitea_secret: GITEA_OAUTH_CLIENT_SECRET_HERE
woodpecker_ci_server_container_add_host_domain_name: "{{ gitea_hostname }}"
woodpecker_ci_server_container_add_host_ip_address: "{{ ansible_host }}"
```
To integrate with version-control systems other than Gitea (e.g. [Forgejo](forgejo.md)), you'll need similar configuration.
### Usage
After installation, you should be able to access the Woodpecker CI server instance at `https://mash.DOMAIN/ci` (matching the `woodpecker_ci_server_hostname` and `woodpecker_ci_server_path_prefix` values configured in `vars.yml`).
The **Log in** button should take you to Gitea, where you can authorize Woodpecker CI with the OAuth 2 application.
Follow the official Woodpecker CI [Getting started](https://woodpecker-ci.org/docs/usage/intro) documentation for additional usage details.
## Woodpecker CI Agent
As mentioned above, unless you completely trust your CI workloads, it's best to run the Woodpecker CI Agent on another machine.
### Dependencies
This service requires the following other services:
- a Woodpecker CI Server - installed via this playbook or otherwise
### Configuration
```yaml
########################################################################
# #
# woodpecker-ci-agent #
# #
########################################################################
woodpecker_ci_agent_enabled: true
# If the agent runs on the same machine as the server, enabling the agent
# is everything you need. The agent and server will be wired automatically.
#
# Otherwise, you'll need to configure the variables below:
# This needs to point to the server's gRPC host:port.
# If your Woodpecker CI Server is deployed using this playbook, its
# gRPC port will likely be 443. E.g., ci.example.com:443.
woodpecker_ci_agent_config_server: ''
# This playbook only supports agent-specific secrets, i.e., it is not recommended to use
# a shared secret between Woodpecker CI Server and all of its agents. Please refer to
# the following upstream documentation in order to learn how to register an agent and
# obtain a secret for it:
#
# https://woodpecker-ci.org/docs/administration/agent-config#using-agent-token
#
# then, when you have the agent secret, uncomment the following line.
#woodpecker_ci_agent_config_agent_secret: ''
# Uncomment the line below if you want the agent to connect to the
# server over a secure gRPC channel (recommended).
#woodpecker_ci_agent_config_grpc_secure: true
# Uncomment the line below if you want the agent to verify the
# server's TLS certificate when connecting over a secure gRPC channel.
#woodpecker_ci_agent_config_grpc_verify: true
########################################################################
# #
# /woodpecker-ci-agent #
# #
########################################################################
```
### Usage
The agent should automatically register with the [Woodpecker CI server](#woodpecker-ci-server) and take jobs from it.