forked from pub-solar/infra
Benjamin Yule Bädorf
68278ad983
This works towards having reusable modules * `config.pub-solar-os.networking.domain` is used for the main domain * `config.pub-solar-os.privacyPolicUrl` links towards the privacy policy * `config.pub-solar-os.imprintUrl` links towards the imprint * `config.pub-solar-os.auth.enable` enables the keycloak installation. This is needed because `config.pub-solar-os.auth` has to be available everywhere, but we do not want to install keycloak everywhere. * `config.pub-solar-os.auth.realm` sets the keycloak realm name
129 lines
3.3 KiB
Nix
129 lines
3.3 KiB
Nix
{ config
|
|
, lib
|
|
, pkgs
|
|
, flake
|
|
, ...
|
|
}: {
|
|
age.secrets.drone-secrets = {
|
|
file = "${flake.self}/secrets/drone-secrets.age";
|
|
mode = "600";
|
|
owner = "drone";
|
|
};
|
|
age.secrets.drone-db-secrets = {
|
|
file = "${flake.self}/secrets/drone-db-secrets.age";
|
|
mode = "600";
|
|
owner = "drone";
|
|
};
|
|
|
|
users.users.drone = {
|
|
description = "Drone Service";
|
|
home = "/var/lib/drone";
|
|
useDefaultShell = true;
|
|
uid = 994;
|
|
group = "drone";
|
|
isSystemUser = true;
|
|
};
|
|
|
|
users.groups.drone = { };
|
|
|
|
systemd.tmpfiles.rules = [
|
|
"d '/var/lib/drone-db' 0750 drone drone - -"
|
|
];
|
|
|
|
services.caddy.virtualHosts."ci.${config.pub-solar-os.networking.domain}" = {
|
|
logFormat = lib.mkForce ''
|
|
output discard
|
|
'';
|
|
extraConfig = ''
|
|
reverse_proxy :4000
|
|
'';
|
|
};
|
|
|
|
systemd.services."docker-network-drone" =
|
|
let
|
|
docker = config.virtualisation.oci-containers.backend;
|
|
dockerBin = "${pkgs.${docker}}/bin/${docker}";
|
|
in
|
|
{
|
|
serviceConfig.Type = "oneshot";
|
|
before = [ "docker-drone-server.service" ];
|
|
script = ''
|
|
${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
|
|
'';
|
|
};
|
|
|
|
virtualisation = {
|
|
docker = {
|
|
enable = true; # sadly podman is not supported rightnow
|
|
extraOptions = ''
|
|
--data-root /data/docker
|
|
'';
|
|
};
|
|
|
|
oci-containers = {
|
|
backend = "docker";
|
|
containers."drone-db" = {
|
|
image = "postgres:14";
|
|
autoStart = true;
|
|
user = "994";
|
|
volumes = [
|
|
"/var/lib/drone-db:/var/lib/postgresql/data"
|
|
];
|
|
extraOptions = [
|
|
"--network=drone-net"
|
|
];
|
|
environmentFiles = [
|
|
config.age.secrets.drone-db-secrets.path
|
|
];
|
|
};
|
|
containers."drone-server" = {
|
|
image = "drone/drone:2";
|
|
autoStart = true;
|
|
user = "994";
|
|
ports = [
|
|
"127.0.0.1:4000:80"
|
|
];
|
|
dependsOn = [ "drone-db" ];
|
|
extraOptions = [
|
|
"--network=drone-net"
|
|
"--pull=always"
|
|
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
|
|
];
|
|
environment = {
|
|
DRONE_GITEA_SERVER = "https://git.${config.pub-solar-os.networking.domain}";
|
|
DRONE_SERVER_HOST = "ci.${config.pub-solar-os.networking.domain}";
|
|
DRONE_SERVER_PROTO = "https";
|
|
DRONE_DATABASE_DRIVER = "postgres";
|
|
};
|
|
environmentFiles = [
|
|
config.age.secrets.drone-secrets.path
|
|
];
|
|
};
|
|
containers."drone-docker-runner" = {
|
|
image = "drone/drone-runner-docker:1";
|
|
autoStart = true;
|
|
# needs to run as root
|
|
#user = "994";
|
|
volumes = [
|
|
"/var/run/docker.sock:/var/run/docker.sock"
|
|
];
|
|
dependsOn = [ "drone-db" ];
|
|
extraOptions = [
|
|
"--network=drone-net"
|
|
"--pull=always"
|
|
"--add-host=nachtigall.${config.pub-solar-os.networking.domain}:10.7.6.1"
|
|
];
|
|
environment = {
|
|
DRONE_RPC_HOST = "ci.${config.pub-solar-os.networking.domain}";
|
|
DRONE_RPC_PROTO = "https";
|
|
DRONE_RUNNER_CAPACITY = "2";
|
|
DRONE_RUNNER_NAME = "flora-6-docker-runner";
|
|
};
|
|
environmentFiles = [
|
|
config.age.secrets.drone-secrets.path
|
|
];
|
|
};
|
|
};
|
|
};
|
|
}
|