cluster/prod/app/woodpecker-ci/deploy/server.hcl


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161

job "woodpecker-ci" {
  # prefer scorpio as neptune has bad ipv6 routes to git.deuxfleurs.fr
  # and bad networking makes woodpecker fail to run builds
  datacenters = [/*"neptune",*/ "scorpio"]
  type = "service"

  group "server" {
    count = 1

    network {
      port "web_port" {
        static = 14080
        to = 14080
      }
      port "grpc_port" {
        static = 14090
        to = 14090
      }
      port "grpc_tls_port" {
        static = 14453
        to = 14453
      }
    }

    task "server" {
      driver = "docker"
      config {
        image = "woodpeckerci/woodpecker-server:v2.3.0"
        ports = [ "web_port", "grpc_port" ]
        network_mode = "host"
      }

      template {
        data = <<EOH
WOODPECKER_OPEN=true
WOODPECKER_ORGS=Deuxfleurs
WOODPECKER_ADMIN=lx

WOODPECKER_HOST=https://woodpecker.deuxfleurs.fr
WOODPECKER_AGENT_SECRET={{ key "secrets/woodpecker-ci/agent_secret" }}

# secret encryption is broken in woodpecker currently
# WOODPECKER_ENCRYPTION_KEY={{ key "secrets/woodpecker-ci/secrets_encryption_key" }}

WOODPECKER_SERVER_ADDR=[::]:14080
WOODPECKER_GRPC_ADDR=[::]:14090
# WOODPECKER_GRPC_SECRET={{ key "secrets/woodpecker-ci/grpc_secret" }}

WOODPECKER_DATABASE_DRIVER=postgres
WOODPECKER_DATABASE_DATASOURCE=postgres://woodpecker:{{ key "secrets/woodpecker-ci/db_password" | trimSpace }}@{{ env "meta.site" }}.psql-proxy.service.prod.consul:5432/woodpecker?sslmode=disable

WOODPECKER_GITEA=true
WOODPECKER_GITEA_URL=https://git.deuxfleurs.fr
WOODPECKER_GITEA_CLIENT={{ key "secrets/woodpecker-ci/oauth_client_id" }}
WOODPECKER_GITEA_SECRET={{ key "secrets/woodpecker-ci/oauth_client_secret" }}

WOODPECKER_LOG_LEVEL=debug
WOODPECKER_ENVIRONMENT=NIX_REMOTE:daemon
EOH
        destination = "secrets/env"
        env = true
      }

      resources {
        cpu = 100
        memory = 200
      }

      service {
        name = "woodpecker"
        tags = [
          "woodpecker",
          "tricot woodpecker.deuxfleurs.fr",
          "d53-cname woodpecker.deuxfleurs.fr",
        ]
        port = "web_port"
        address_mode = "host"
      /*
        check {
          type = "http"
          protocol = "http"
          port = "web_port"
          path = "/"
          interval = "60s"
          timeout = "5s"
          check_restart {
            limit = 3
            grace = "600s"
            ignore_warnings = false
          }
        }
      */
      }
      service {
        name = "woodpecker-grpc"
        tags = [
          "woodpecker-grpc",
        ]
        port = "grpc_port"
        address_mode = "host"
      }
    }

    task "grpc_tls" {
      driver = "docker"
      config {
        image = "nginx:1.25.3"
        ports = [ "grpc_tls_port" ]
        volumes = [
          "secrets/ssl/certs:/etc/ssl/certs",
          "secrets/ssl/private:/etc/ssl/private",
          "secrets/conf/:/etc/nginx/",
        ]
        network_mode = "host"
      }

      template {
        data = <<EOH
events {}
http {
  server {
    listen 0.0.0.0:14453 ssl;
    listen [::]:14453 ssl;
    http2 on;
    server_name woodpecker.deuxfleurs.fr;

    ssl_certificate "/etc/ssl/certs/woodpecker.cert";
    ssl_certificate_key "/etc/ssl/certs/woodpecker.key";

    location / {
        grpc_pass grpc://woodpecker-grpc.service.prod.consul:14090;
    }
  }
}
EOH
        destination = "secrets/conf/nginx.conf"
      }

      template {
        data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.key_pem }}{{ end }}"
        destination = "secrets/ssl/certs/woodpecker.key"
      }
      template {
        data = "{{ with $d := key \"tricot/certs/woodpecker.deuxfleurs.fr\" | parseJSON }}{{ $d.cert_pem }}{{ end }}"
        destination = "secrets/ssl/certs/woodpecker.cert"
      }

      service {
        name = "woodpecker-grpc-tls"
        tags = [
          "woodpecker-grpc-tls",
      "d53-a woodpecker-grpc.deuxfleurs.fr",
      "d53-aaaa woodpecker-grpc.deuxfleurs.fr",
          "(diplonat (tcp_port 14453))"
        ]
        port = "grpc_tls_port"
        address_mode = "host"
      }
    }
  }
}