---
# Woodpecker CI stack with a Vault Agent sidecar.
#
# The Vault Agent authenticates with an AppRole (role_id / secret_id delivered
# as Docker secrets), renders the Gitea OAuth credentials, the agent shared
# secret and the Postgres DSN into an in-memory volume, and the Woodpecker
# server/agent read them through their *_FILE environment variables. No
# secret value is written into this file or passed as a plain env var.

networks:
  cicd:
    external: true

# AppRole credentials for the Vault Agent, created out of band
# (e.g. `docker secret create`) so they never appear in this file.
secrets:
  woodpecker_vault_role_id:
    external: true
  woodpecker_vault_secret_id:
    external: true

# Vault Agent configuration and the consul-template files it renders.
configs:
  woodpecker_vault_agent_hcl:
    file: ./vault/agent.hcl
  tpl_agent_secret:
    file: ./vault/templates/agent_secret.ctmpl
  tpl_gitea_client_id:
    file: ./vault/templates/gitea_client_id.ctmpl
  tpl_gitea_client_secret:
    file: ./vault/templates/gitea_client_secret.ctmpl
  tpl_pg_dsn:
    file: ./vault/templates/pg_dsn.ctmpl

volumes:
  # Rendered secrets live on a 32 MiB tmpfs (root-owned, mode 0750), so they
  # stay in memory and vanish with the node instead of being persisted to disk.
  vault_secrets:
    driver: local
    driver_opts:
      type: tmpfs
      device: tmpfs
      o: 'size=32m,uid=0,gid=0,mode=0750'

services:
  # ---------------------------------------------------------------------------
  # Vault Agent: the only writer of /vault/secrets.
  # ---------------------------------------------------------------------------
  vault-agent-woodpecker:
    # Floating tag: pin to a release or digest for reproducible, reviewable upgrades.
    image: hashicorp/vault:latest
    networks:
      - cicd
    cap_add:
      # Allows vault to mlock() its memory so secret material is not swapped out.
      - IPC_LOCK
    environment:
      # Plain HTTP: the AppRole login and every rendered secret cross the
      # overlay network unencrypted. Use Vault's HTTPS listener where available.
      VAULT_ADDR: 'http://vault:8200'
    secrets:
      - source: woodpecker_vault_role_id
        target: /vault/secrets/role_id
      - source: woodpecker_vault_secret_id
        target: /vault/secrets/secret_id
    volumes:
      # Read-write here only; the consumers below mount the same volume :ro.
      - vault_secrets:/vault/secrets:rw
    configs:
      - source: woodpecker_vault_agent_hcl
        target: /etc/vault/agent.hcl
      - source: tpl_agent_secret
        target: /etc/vault/templates/agent_secret.ctmpl
      - source: tpl_gitea_client_id
        target: /etc/vault/templates/gitea_client_id.ctmpl
      - source: tpl_gitea_client_secret
        target: /etc/vault/templates/gitea_client_secret.ctmpl
      - source: tpl_pg_dsn
        target: /etc/vault/templates/pg_dsn.ctmpl
    command:
      - sh
      - '-lc'
      - 'vault agent -config=/etc/vault/agent.hcl'
    healthcheck:
      # Healthy only once all four templates have rendered to non-empty files;
      # 30 x 10s gives Vault up to five minutes to become reachable.
      test:
        - CMD-SHELL
        - >-
          test -s /vault/secrets/agent_secret -a
          -s /vault/secrets/gitea_client_id -a
          -s /vault/secrets/gitea_client_secret -a
          -s /vault/secrets/pg_dsn
      interval: 10s
      timeout: 3s
      retries: 30

  # ---------------------------------------------------------------------------
  # Woodpecker server (web UI / API, gRPC for agents).
  # ---------------------------------------------------------------------------
  woodpecker-server:
    # Floating tag: pin to a release or digest for reproducible, reviewable upgrades.
    image: woodpeckerci/woodpecker-server:latest
    networks:
      - cicd
    # NOTE: `docker stack deploy` does not honour depends_on; the server's own
    # start_period/retries are what actually tolerate secrets not yet rendered.
    depends_on:
      - vault-agent-woodpecker
    volumes:
      - vault_secrets:/vault/secrets:ro
    environment:
      WOODPECKER_HOST: 'https://ci.sendico.io'
      # Closed registration: only users explicitly added can log in.
      WOODPECKER_OPEN: 'false'

      # Gitea forge (OAuth client credentials rendered by the Vault Agent).
      WOODPECKER_GITEA: 'true'
      WOODPECKER_GITEA_URL: 'https://git.sendico.io'
      WOODPECKER_GITEA_CLIENT_FILE: '/vault/secrets/gitea_client_id'
      WOODPECKER_GITEA_SECRET_FILE: '/vault/secrets/gitea_client_secret'

      # Shared secret that agents present when connecting (file name is
      # lowercase, the env var stays uppercase).
      WOODPECKER_AGENT_SECRET_FILE: '/vault/secrets/agent_secret'

      # Postgres connection string rendered by the Vault Agent.
      WOODPECKER_DATABASE_DRIVER: 'postgres'
      WOODPECKER_DATABASE_DATASOURCE_FILE: '/vault/secrets/pg_dsn'

      WOODPECKER_BACKEND_DOCKER_NETWORK: 'cicd'
    deploy:
      labels:
        # Traefik exposes only the UI/API port (3000) over TLS; gRPC (9000)
        # stays internal to the overlay network.
        traefik.enable: 'true'
        traefik.docker.network: 'cicd'
        traefik.http.routers.woodpecker-server.rule: 'Host(`ci.sendico.io`)'
        traefik.http.routers.woodpecker-server.entrypoints: 'websecure'
        traefik.http.routers.woodpecker-server.tls: 'true'
        traefik.http.routers.woodpecker-server.tls.certresolver: 'letsencrypt'
        traefik.http.services.woodpecker-server.loadbalancer.server.port: '3000'
    healthcheck:
      test:
        - CMD
        - /bin/woodpecker-server
        - ping
      interval: 10s
      timeout: 3s
      retries: 10
      start_period: 20s

  # ---------------------------------------------------------------------------
  # Woodpecker agent: runs pipeline steps as containers on the host daemon.
  # ---------------------------------------------------------------------------
  woodpecker-agent:
    # Floating tag: pin to a release or digest for reproducible, reviewable upgrades.
    image: woodpeckerci/woodpecker-agent:latest
    networks:
      - cicd
    # NOTE: not honoured by `docker stack deploy`; see woodpecker-server.
    depends_on:
      - woodpecker-server
      - vault-agent-woodpecker
    volumes:
      # Host Docker socket: root-equivalent control of the node for anything
      # that can run a pipeline here. Keep repository/pipeline access on this
      # instance tightly scoped.
      - /var/run/docker.sock:/var/run/docker.sock
      - vault_secrets:/vault/secrets:ro
    environment:
      # gRPC endpoint of the server, reached over the overlay network.
      WOODPECKER_SERVER: 'woodpecker-server:9000'
      WOODPECKER_AGENT_SECRET_FILE: '/vault/secrets/agent_secret'
      WOODPECKER_BACKEND: 'docker'
      WOODPECKER_BACKEND_DOCKER_NETWORK: 'cicd'
      # Upper bound on concurrently running workflows on this agent.
      WOODPECKER_MAX_WORKFLOWS: '2'
    healthcheck:
      test:
        - CMD
        - /bin/woodpecker-agent
        - ping
      interval: 10s
      timeout: 3s
      retries: 10
      start_period: 20s