From 41170511deeba0bcc2c742956d1c65851679fe6e Mon Sep 17 00:00:00 2001
From: Michael Grote
Date: Wed, 8 Nov 2023 13:20:55 +0100
Subject: [PATCH] Woodpecker: finetuning (#595)

Reviewed-on: https://git.mgrote.net/mg/homeserver/pulls/595
Co-authored-by: Michael Grote
Co-committed-by: Michael Grote
---
 README.md | 2 ++
 .../woodpecker/docker-compose.yml.j2 | 31 +++++++++++++++++--
 host_vars/docker10.grote.lan.yml | 1 +
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 195fa744..af50bf25 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,3 @@
 # ansible_heimserver
+
+[![status-badge](https://ci.mgrote.net/api/badges/2/status.svg)](https://ci.mgrote.net/repos/2)
diff --git a/docker-compose/woodpecker/docker-compose.yml.j2 b/docker-compose/woodpecker/docker-compose.yml.j2
index f31e1b94..30286ee5 100644
--- a/docker-compose/woodpecker/docker-compose.yml.j2
+++ b/docker-compose/woodpecker/docker-compose.yml.j2
@@ -11,7 +11,7 @@ services:
 - server-data:/var/lib/woodpecker/
 environment:
 WOODPECKER_OPEN: false
- WOODPECKER_HOST: http://docker10.grote.lan:8000
+ WOODPECKER_HOST: https://ci.mgrote.net
 WOODPECKER_GITEA: true
 WOODPECKER_GITEA_URL: https://git.mgrote.net
 WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
@@ -20,10 +20,25 @@ services:
 WOODPECKER_ADMIN: mg
 WOODPECKER_LOG_LEVEL: info
 WOODPECKER_DEBUG_PRETTY: true
-
+ networks:
+ - intern
+ - traefik
 labels:
 com.centurylinklabs.watchtower.enable: true
+ traefik.http.routers.woodpecker.rule: Host(`ci.mgrote.net`)
+ traefik.enable: true
+ traefik.http.routers.woodpecker.tls: true
+ traefik.http.routers.woodpecker.tls.certresolver: resolver_letsencrypt
+ traefik.http.routers.woodpecker.entrypoints: entry_https
+ traefik.http.services.woodpecker.loadbalancer.server.port: 8000
+
+ traefik.http.routers.woodpecker.middlewares: woodpecker-ipwhitelist
+
+ traefik.http.middlewares.woodpecker-ipwhitelist.ipwhitelist.sourcerange: 192.168.2.0/24
+ traefik.http.middlewares.woodpecker-ipwhitelist.ipwhitelist.ipstrategy.depth: 0 # https://doc.traefik.io/traefik/middlewares/http/ipwhitelist/#ipstrategydepth
+
+
 woodpecker-agent:
 container_name: woodpecker-agent
 image: woodpeckerci/woodpecker-agent:latest
@@ -46,6 +61,9 @@ services:
 WOODPECKER_BACKEND: docker
 labels:
 com.centurylinklabs.watchtower.enable: true
+ networks:
+ - intern
+
 volumes:
 server-data:
@@ -54,4 +72,11 @@ volumes:
 # git.mgrote.net -> Settings -> Applications -> woodpecker
 # WOODPECKER_GITEA_CLIENT: {{ lookup('keepass', 'woodpecker-oauth2-client-id', 'password') }}
 # WOODPECKER_GITEA_SECRET: {{ lookup('keepass', 'woodpecker-oauth2-client-secret', 'password') }}
-# Redirect URL: http://docker10.grote.lan:8000/authorize
+# Redirect URL: https://ci.mgrote.net/authorize
+
+######## Networks ########
+networks:
+ traefik:
+ external: true
+ intern:
+ driver: bridge
diff --git a/host_vars/docker10.grote.lan.yml b/host_vars/docker10.grote.lan.yml
index c128054a..0202eb43 100644
--- a/host_vars/docker10.grote.lan.yml
+++ b/host_vars/docker10.grote.lan.yml
@@ -56,6 +56,7 @@ compose_files:
 network: mail-relay
 - name: woodpecker
 state: present
+ network: traefik
 ### oefenweb.ufw
 ufw_rules:
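Review bot: The `woodpecker-ipwhitelist` middleware added in the `@@ -20,10 +20,25 @@` hunk of docker-compose.yml.j2 is the only access control these labels introduce, and it applies only to requests that reach the server through Traefik. The part of the service definition above the hunk is not visible; if it still has a `ports:` entry publishing 8000 on the host, the UI and API remain reachable over plain HTTP without the source-range check, so that entry should be dropped now that `WOODPECKER_HOST` points at the proxy. `ipstrategy.depth: 0` makes Traefik match on the connection's remote address, which is correct only while no other proxy or NAT sits in front of Traefik, and the range must also cover the host that delivers Gitea webhooks; I would record that above the `sourcerange` label with `# LAN only: clients and Gitea webhook deliveries must come from 192.168.2.0/24`. As a style point, quote the label values (`"true"`, `"8000"`, `"0"`) so they stay strings under any Compose implementation.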