-
-
Notifications
You must be signed in to change notification settings - Fork 376
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
bb7e0f9
commit f3857f3
Showing
2 changed files
with
83 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,82 @@ | ||
| # Kubernetes backend | ||
|
|
||
| :::info | ||
| Note that this module is not maintained by the woodpecker-developers | ||
| ::: | ||
|
|
||
| The NixOS install is in theory quite similar to the binary install and supports multiple backends. | ||
| In practice you specify the settings decoratively in your NixOS config and don't have to do any manual steps. | ||
|
|
||
| ## General Configuration | ||
|
|
||
| ```nix | ||
| { config | ||
| , ... | ||
| }: | ||
| let | ||
| domain = "woodpecker.example.org"; | ||
| in | ||
| { | ||
| # This automatically sets up certificates via let's encrypt | ||
| security.acme.certs."${domain}" = { }; | ||
| # Setting up a nginx proxy that handles tls for us | ||
| services.nginx.virtualHosts."${domain}" = { | ||
| enableACME = true; | ||
| forceSSL = true; | ||
| locations."/" = { | ||
| proxyPass = "http://localhost:3007"; | ||
| proxyWebsockets = true; | ||
| }; | ||
| }; | ||
| # This is needed so the agents can reach the server via grpc | ||
| networking.firewall.allowedTCPPorts = [ 9000 ]; | ||
| services.woodpecker-server = { | ||
| enable = true; | ||
| environment = { | ||
| WOODPECKER_HOST = "https://${domain}"; | ||
| WOODPECKER_SERVER_ADDR = ":3007"; | ||
| WOODPECKER_OPEN = "true"; | ||
| }; | ||
| # You can pass a file with env vars to the system it could look like: | ||
| # WOODPECKER_AGENT_SECRET=XXXXXXXXXXXXXXXXXXXXXX | ||
| environmentFile = "/path/to/my/secrets/file"; | ||
| }; | ||
| # This sets up a woodpecker agent | ||
| services.woodpecker-agents.agents."docker" = { | ||
| enable = true; | ||
| # We need this to talk to the podman socket | ||
| extraGroups = [ "podman" ]; | ||
| environment = { | ||
| WOODPECKER_SERVER = "${domain}:9000"; | ||
| WOODPECKER_MAX_WORKFLOWS = "4"; | ||
| DOCKER_HOST = "unix:///run/podman/podman.sock"; | ||
| WOODPECKER_BACKEND = "docker"; | ||
| }; | ||
| # Same as with woodpecker-server | ||
| environmentFile = [ "/var/lib/secrets/woodpecker.env" ]; | ||
| }; | ||
| # Here we setup podman and enable dns | ||
| virtualisation.podman = { | ||
| enable = true; | ||
| defaultNetwork.settings = { | ||
| dns_enabled = true; | ||
| }; | ||
| }; | ||
| # This is needed for podman to be able to talk over dns | ||
| networking.firewall.interfaces."podman0" = { | ||
| allowedUDPPorts = [ 53 ]; | ||
| allowedTCPPorts = [ 53 ]; | ||
| }; | ||
| } | ||
| ``` | ||
|
|
||
| You can find all the configuration options [here](https://search.nixos.org/options?channel=unstable&size=200&sort=relevance&query=woodpecker) | ||
|
|
||
| ## Tips and tricks | ||
|
|
||
| There is some resources on how to utilize woodpecker more effectively with nix in the [awesome](#awesome) section, like using the runners nix-store in the pipeline |