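{ config, lib, pkgs, flake, ... }:
let
  # Public domain under which the CI and Gitea hosts are reachable.
  domain = config.pub-solar-os.networking.domain;
  # Single source of truth for the uid the containers run as, so the
  # container `user` cannot drift from users.users.drone.uid.
  droneUid = toString config.users.users.drone.uid;
in
{
  # Secrets are decrypted by agenix into files readable only by the drone
  # user (mode 600). NOTE(review): the env files are consumed by the docker
  # daemon, which runs as root, so the mode mainly shields them from other
  # local users — confirm this matches the threat model.
  age.secrets.drone-secrets = {
    file = "${flake.self}/secrets/drone-secrets.age";
    mode = "600";
    owner = "drone";
  };
  age.secrets.drone-db-secrets = {
    file = "${flake.self}/secrets/drone-db-secrets.age";
    mode = "600";
    owner = "drone";
  };

  # Unprivileged service account; the fixed uid is reused inside the
  # containers so files on the bind-mounted volumes stay owned by it.
  users.users.drone = {
    description = "Drone Service";
    home = "/var/lib/drone";
    useDefaultShell = true;
    uid = 994;
    group = "drone";
    isSystemUser = true;
  };
  users.groups.drone = { };

  # Postgres data directory, owned by drone and not world-readable.
  systemd.tmpfiles.rules = [
    "d '/var/lib/drone-db' 0750 drone drone - -"
  ];

  # TLS termination for the drone server; access logs are intentionally
  # discarded.
  services.caddy.virtualHosts."ci.${domain}" = {
    logFormat = lib.mkForce ''
      output discard
    '';
    extraConfig = ''
      reverse_proxy :4000
    '';
  };

  # Idempotently create the private bridge network the drone containers
  # share, before the server container starts. `network inspect` succeeds
  # when the network already exists, so `create` runs at most once.
  systemd.services."docker-network-drone" =
    let
      docker = config.virtualisation.oci-containers.backend;
      dockerBin = "${pkgs.${docker}}/bin/${docker}";
    in
    {
      serviceConfig.Type = "oneshot";
      before = [ "docker-drone-server.service" ];
      script = ''
        ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
      '';
    };

  virtualisation = {
    docker = {
      enable = true;
      # sadly podman is not supported right now
      extraOptions = ''
        --data-root /data/docker
      '';
    };

    oci-containers = {
      backend = "docker";

      containers."drone-db" = {
        image = "postgres:14";
        autoStart = true;
        user = droneUid;
        volumes = [ "/var/lib/drone-db:/var/lib/postgresql/data" ];
        extraOptions = [ "--network=drone-net" ];
        environmentFiles = [ config.age.secrets.drone-db-secrets.path ];
      };

      containers."drone-server" = {
        image = "drone/drone:2";
        autoStart = true;
        user = droneUid;
        # Only exposed on loopback; Caddy proxies to it.
        ports = [ "127.0.0.1:4000:80" ];
        dependsOn = [ "drone-db" ];
        extraOptions = [
          "--network=drone-net"
          # NOTE(review): `--pull=always` on a floating tag means each start
          # may pick up a different image; pinning by digest would make
          # restarts reproducible.
          "--pull=always"
          # Pin the Gitea host to its internal address from inside the container.
          "--add-host=nachtigall.${domain}:10.7.6.1"
        ];
        environment = {
          DRONE_GITEA_SERVER = "https://git.${domain}";
          DRONE_SERVER_HOST = "ci.${domain}";
          DRONE_SERVER_PROTO = "https";
          DRONE_DATABASE_DRIVER = "postgres";
        };
        environmentFiles = [ config.age.secrets.drone-secrets.path ];
      };

      containers."drone-docker-runner" = {
        image = "drone/drone-runner-docker:1";
        autoStart = true;
        # needs to run as root
        #user = droneUid;
        # The docker socket mount gives this container full control of the
        # host daemon (equivalent to root on the host); every pipeline this
        # runner executes inherits that reach, so who may trigger builds on
        # the Gitea side is the effective trust boundary.
        volumes = [ "/var/run/docker.sock:/var/run/docker.sock" ];
        # NOTE(review): the runner talks to drone-server over RPC, not to the
        # database; ordering after "drone-server" may be the intended
        # dependency — confirm before changing.
        dependsOn = [ "drone-db" ];
        extraOptions = [
          "--network=drone-net"
          "--pull=always"
          "--add-host=nachtigall.${domain}:10.7.6.1"
        ];
        environment = {
          DRONE_RPC_HOST = "ci.${domain}";
          DRONE_RPC_PROTO = "https";
          DRONE_RUNNER_CAPACITY = "2";
          DRONE_RUNNER_NAME = "flora-6-docker-runner";
        };
        environmentFiles = [ config.age.secrets.drone-secrets.path ];
      };
    };
  };
}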