aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--cluster/prod/app/woodpecker-ci/deploy/server.hcl165
1 files changed, 165 insertions, 0 deletions
diff --git a/cluster/prod/app/woodpecker-ci/deploy/server.hcl b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
new file mode 100644
index 0000000..5e40701
--- /dev/null
+++ b/cluster/prod/app/woodpecker-ci/deploy/server.hcl
@@ -0,0 +1,165 @@
+job "woodpecker-ci" {
+ datacenters = ["neptune", "scorpio"]
+ type = "service"
+
+ group "server" {
+ count = 1
+
+ constraint {
+ attribute = "${attr.unique.hostname}"
+ operator = "="
+ value = "celeri"
+ }
+
+ network {
+ port "web_port" {
+ static = 14080
+ to = 14080
+ }
+ port "grpc_port" {
+ static = 14090
+ to = 14090
+ }
+ port "grpc_tls_port" {
+ static = 14453
+ to = 14453
+ }
+ }
+
+ task "server" {
+ driver = "docker"
+ config {
+ image = "woodpeckerci/woodpecker-server:v2.3.0"
+ ports = [ "web_port", "grpc_port" ]
+ network_mode = "host"
+ }
+
+ template {
+ data = <<EOH
+WOODPECKER_OPEN=true
+WOODPECKER_ORGS=Deuxfleurs
+WOODPECKER_ADMIN=lx
+
+WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
+WOODPECKER_AGENT_SECRET={{ key "secrets/woodpecker-ci/agent_secret" }}
+
+# secret encryption is broken in woodpecker currently
+# WOODPECKER_ENCRYPTION_KEY={{ key "secrets/woodpecker-ci/secrets_encryption_key" }}
+
+WOODPECKER_SERVER_ADDR=[::]:14080
+WOODPECKER_GRPC_ADDR=[::]:14090
+# WOODPECKER_GRPC_SECRET={{ key "secrets/woodpecker-ci/grpc_secret" }}
+
+WOODPECKER_DATABASE_DRIVER=postgres
+WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:{{ key "secrets/woodpecker-ci/db_password" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/woodpecker?sslmode=disable
+
+WOODPECKER_GITEA=true
+WOODPECKER_GITEA_URL=https://git.deuxfleurs.fr
+WOODPECKER_GITEA_CLIENT={{ key "secrets/woodpecker-ci/oauth_client_id" }}
+WOODPECKER_GITEA_SECRET={{ key "secrets/woodpecker-ci/oauth_client_secret" }}
+
+WOODPECKER_LOG_LEVEL=debug
+WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ cpu = 100
+ memory = 200
+ }
+
+ service {
+ name = "woodpecker"
+ tags = [
+ "woodpecker",
+ "tricot woodpecker.deuxfleurs.fr",
+ "d53-cname woodpecker.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ /*
+ check {
+ type = "http"
+ protocol = "http"
+ port = "web_port"
+ path = "/"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "600s"
+ ignore_warnings = false
+ }
+ }
+ */
+ }
+ service {
+ name = "woodpecker-grpc"
+ tags = [
+ "woodpecker-grpc",
+ ]
+ port = "grpc_port"
+ address_mode = "host"
+ }
+ }
+
+ task "grpc_tls" {
+ driver = "docker"
+ config {
+ image = "nginx:1.25.3"
+ ports = [ "grpc_tls_port" ]
+ volumes = [
+ "secrets/ssl/certs:/etc/ssl/certs",
+ "secrets/ssl/private:/etc/ssl/private",
+ "secrets/conf/:/etc/nginx/",
+ ]
+ network_mode = "host"
+ }
+
+ template {
+ data = <<EOH
+events {}
+http {
+ server {
+ listen 0.0.0.0:14453 ssl;
+ listen [::]:14453 ssl;
+ http2 on;
+ server_name woodpecker.deuxfleurs.fr;
+
+ ssl_certificate "/etc/ssl/certs/woodpecker.cert";
+ ssl_certificate_key "/etc/ssl/certs/woodpecker.key";
+
+ location / {
+ grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
+ }
+ }
+}
+EOH
+ destination = "secrets/conf/nginx.conf"
+ }
+
+ template {
+ data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
+ destination = "secrets/ssl/certs/woodpecker.key"
+ }
+ template {
+ data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
+ destination = "secrets/ssl/certs/woodpecker.cert"
+ }
+
+ service {
+ name = "woodpecker-grpc-tls"
+ tags = [
+ "woodpecker-grpc-tls",
+ "d53-a woodpecker-grpc.deuxfleurs.fr",
+ "d53-aaaa woodpecker-grpc.deuxfleurs.fr",
+ "(diplonat (tcp_port 14453))"
+ ]
+ port = "grpc_tls_port"
+ address_mode = "host"
+ }
+ }
+ }
+}