From f375843f43a6966c8d5aaa75fdd813b08a93fce4 Mon Sep 17 00:00:00 2001 From: teutat3s Date: Sat, 28 Jan 2023 21:26:13 +0100 Subject: [PATCH] flora-6: init drone ci --- hosts/flora-6/caddy.nix | 8 ++++ hosts/flora-6/drone.nix | 87 +++++++++++++++++++++++++++++++++++ hosts/flora-6/flora-6.nix | 1 + hosts/flora-6/gitea.nix | 4 +- secrets/drone-db-secrets.age | Bin 0 -> 489 bytes secrets/drone-secrets.age | 12 +++++ secrets/secrets.nix | 2 + 7 files changed, 112 insertions(+), 2 deletions(-) create mode 100644 hosts/flora-6/drone.nix create mode 100644 secrets/drone-db-secrets.age create mode 100644 secrets/drone-secrets.age diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix index a8f2fde0..58a64a5b 100644 --- a/hosts/flora-6/caddy.nix +++ b/hosts/flora-6/caddy.nix @@ -63,6 +63,14 @@ reverse_proxy :3000 ''; }; + "ci.pub.solar" = { + logFormat = lib.mkForce '' + output discard + ''; + extraConfig = '' + reverse_proxy :4000 + ''; + }; "obs-portal.pub.solar" = { logFormat = lib.mkForce '' output discard diff --git a/hosts/flora-6/drone.nix b/hosts/flora-6/drone.nix new file mode 100644 index 00000000..c6a04f89 --- /dev/null +++ b/hosts/flora-6/drone.nix 
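Review bot: `output discard` under the new `"ci.pub.solar"` vhost drops every access log for the CI endpoint, so there will be no record of Gitea webhook deliveries, OAuth login callbacks or failed requests to Drone if the instance is ever abused. This mirrors the adjacent vhosts and may be a deliberate privacy choice, but a CI server that accepts webhooks and runs code is exactly the service you want a trail for. If the concern is client IPs, Caddy can keep the log while redacting them, e.g. `log { output file /var/log/caddy/ci.pub.solar.log }` in place of the `lib.mkForce` discard, with a `format filter` on `request>remote_ip` if needed. The enclosing `virtualHosts` attribute set begins outside the hunk.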
@@ -0,0 +1,87 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+  age.secrets.drone-secrets = {
+    file = "${self}/secrets/drone-secrets.age";
+    mode = "600";
+    owner = "drone";
+  };
+  age.secrets.drone-db-secrets = {
+    file = "${self}/secrets/drone-db-secrets.age";
+    mode = "600";
+    owner = "drone";
+  };
+
+  users.users.drone = {
+    description = "Drone Service";
+    home = "/var/lib/drone";
+    useDefaultShell = true;
+    uid = 994;
+    group = "drone";
+    isSystemUser = true;
+  };
+
+  users.groups.drone = { };
+
+  systemd.tmpfiles.rules = [
+    "d '/var/lib/drone-db' 0750 drone drone - -"
+  ];
+
+  system.activationScripts.mkDroneNet =
+    let
+      docker = config.virtualisation.oci-containers.backend;
+      dockerBin = "${pkgs.${docker}}/bin/${docker}";
+    in
+    ''
+      ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
+    '';
+
+  virtualisation = {
+    docker = {
+      enable = true; # sadly podman is not supported rightnow
+    };
+
+    oci-containers = {
+      backend = "docker";
+      containers."drone-db" = {
+        image = "postgres:14";
+        autoStart = true;
+        user = "994";
+        volumes = [
+          "/var/lib/drone-db:/var/lib/postgresql/data"
+        ];
+        extraOptions = [
+          "--network=drone-net"
+        ];
+        environmentFiles = [
+          config.age.secrets.drone-db-secrets.path
+        ];
+      };
+      containers."drone-server" = {
+        image = "drone/drone:2";
+        autoStart = true;
+        user = "994";
+        ports = [
+          "4000:80"
+        ];
+        dependsOn = [ "drone-db" ];
+        extraOptions = [
+          "--network=drone-net"
+        ];
+        environment = {
+          DRONE_GITEA_SERVER = "https://git.pub.solar";
+          DRONE_SERVER_HOST = "ci.pub.solar";
+          DRONE_SERVER_PROTO = "https";
+          DRONE_DATABASE_DRIVER = "postgres";
+        };
+        environmentFiles = [
+          config.age.secrets.drone-secrets.path
+        ];
+      };
+    };
+  };
+}
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 8938dc4f..1e85352f 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
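Review bot: `ports = [ "4000:80" ]` on the `drone-server` container publishes the port on all interfaces, and Docker's published ports are inserted into its own iptables chain ahead of the NixOS firewall, so Drone becomes reachable directly over plain HTTP on :4000 from the network, bypassing the Caddy TLS termination and any access policy in front of it. Caddy's `reverse_proxy :4000` connects over loopback, so binding to localhost only, `"127.0.0.1:4000:80"`, keeps the proxy working and closes the direct path. Separately, the visible `environment` sets no `DRONE_USER_CREATE` or `DRONE_REGISTRATION_CLOSED`; if those are not in the age-encrypted `drone-secrets` file, any Gitea account can self-register on the CI server, which is worth a comment next to `environmentFiles` stating which variables the secret is expected to supply. The `drone-db` container is only on `drone-net` with no published ports, which looks right.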
@@ -17,6 +17,7 @@ in ./triton-vmtools.nix ./caddy.nix + ./drone.nix ./keycloak.nix ./gitea.nix diff --git a/hosts/flora-6/gitea.nix b/hosts/flora-6/gitea.nix index 57e9063c..e783c0d5 100644 --- a/hosts/flora-6/gitea.nix +++ b/hosts/flora-6/gitea.nix @@ -7,12 +7,12 @@ { age.secrets.gitea-database-password = { file = "${self}/secrets/gitea-database-password.age"; - mode = "700"; + mode = "600"; owner = "gitea"; }; age.secrets.gitea-mailer-password = { file = "${self}/secrets/gitea-mailer-password.age"; - mode = "700"; + mode = "600"; owner = "gitea"; }; diff --git a/secrets/drone-db-secrets.age b/secrets/drone-db-secrets.age new file mode 100644 index 0000000000000000000000000000000000000000..35b78569976cfb9c76c91089d15156a4e7dd59d3 GIT binary patch literal 489 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTSG>D2yELSk}PD#^F zEw0KoDlSaTFi1`>jL0@~4GPV(^vpI0jttDzH%>FJ3M%t-OXe!hPA?9~FilAe3d;)* z%P)zt40F$O4fQk1@Gi>mPcqC%ElKh)j&$;^GC{Y^DXh3M#8JU5sL0YMzbetKD$u!H zzu3>+)YUboFx=HUJ*=?A!Xhmyv(l#|G&RCCBa|z>C_FXG%-284-AKD2$i+E1pgbtN zAS*aABH1-1$h^GV%OW+`-Mca+q#R_MVS;XYQEFmwszOmxibf1qMXsescx7c~g+*ba zyPJEizjj7)j=qIykymzDMxuL(rFW3Ok71IjTX?9Sb9P~QZkVO3Q*wbjm#(g^LTZ#- zZmL0crD>jjpr2P+W@@5aj)hBLl~1Zkd9Hbuw|QxWw?$52sY$*G*A5mwDdBqEG`oct zeb|oGpQ^E`eI{Dm`^|8}cd4@Ks3`*8ychc1pWDs1J~7AXui9cK&X(PG=B;%3JWZ_A zmHlwgS|)SlLv!r(wf;YH+xlBDZen{u)oY{QK7w1<9{I7M_0g5f0^b%-cx_QK?WRgq TgSFQVhI#30WTIv-xONQyhg-B6 literal 0 HcmV?d00001 diff --git a/secrets/drone-secrets.age b/secrets/drone-secrets.age new file mode 100644 index 00000000..38327332 --- /dev/null +++ b/secrets/drone-secrets.age 
@@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw 42VrEEM/4WcKKp5NZfycnkhsrkSUGGrjwrIPz9O8LhY +CrkgGDCypRzevuT5YQBZxXwdJnvlkOH1xgxgRFf2wH8 +-> ssh-ed25519 BVsyTA hUQDxkdOQxsOrB/afZWXUWSgNXfDy0W3nl13aXSmvyA +cf5WfwKKOabBR7qqYblpplSxZqvFmxKCPys8Zz6ZVnU +-> #-grease B PYdk)b5 D\, z&3Vyw9u +kJnYpRA6aL4bQQA4ihI5bFl41vIzG2gOaKCJzjxnqK9DndETSoSkhWk4AX0uT0NQ +tw +--- QloJDsaDcj08NIy5j8hPMFhHZ4DyZFDR+CNtBUSbhQ0 +ͼ()۵kMsJ-d‚lfhj6y4[}`N) *H-c¨mPEdZ|FF4ޭ0@7;Ow=R:JA3Ob0{sG6Oʯ1yde ,NV"y48P _hw?tZ"W~5"#4,OAe +#]s.|agKQΨM/c +wpp=z\țHWv%zhL7B.F `+;e$zqqzS68eC=#|Y] nVJ"V+U \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5c522962..74cf761c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -9,4 +9,6 @@ in "gitea-database-password.age".publicKeys = deployKeys; "gitea-mailer-password.age".publicKeys = deployKeys; "keycloak-database-password.age".publicKeys = deployKeys; + "drone-secrets.age".publicKeys = deployKeys; + "drone-db-secrets.age".publicKeys = deployKeys; }