diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix
index a8f2fde0..58a64a5b 100644
--- a/hosts/flora-6/caddy.nix
+++ b/hosts/flora-6/caddy.nix
@@ -63,6 +63,14 @@
 reverse_proxy :3000
 '';
 };
+ "ci.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :4000
+ '';
+ };
 "obs-portal.pub.solar" = {
 logFormat = lib.mkForce ''
 output discard
diff --git a/hosts/flora-6/drone.nix b/hosts/flora-6/drone.nix
new file mode 100644
index 00000000..c6a04f89
--- /dev/null
+++ b/hosts/flora-6/drone.nix
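Review bot: The new `ci.pub.solar` vhost discards its access log (`logFormat = lib.mkForce '' output discard ''`), so the public entry point of the CI server it fronts (per drone.nix in this commit, `reverse_proxy :4000` reaches the Drone server) leaves no request trail on the proxy. This matches the neighbouring vhosts in the file, so it looks like a host-wide choice rather than an oversight; if so, a one-line comment above the block stating that access logging is intentionally disabled for this host would stop the next reader from re-raising it. If it is not intentional for CI, pointing this vhost's log at the journal instead would let unexpected or failing requests be reviewed.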
@@ -0,0 +1,87 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+ age.secrets.drone-secrets = {
+ file = "${self}/secrets/drone-secrets.age";
+ mode = "600";
+ owner = "drone";
+ };
+ age.secrets.drone-db-secrets = {
+ file = "${self}/secrets/drone-db-secrets.age";
+ mode = "600";
+ owner = "drone";
+ };
+
+ users.users.drone = {
+ description = "Drone Service";
+ home = "/var/lib/drone";
+ useDefaultShell = true;
+ uid = 994;
+ group = "drone";
+ isSystemUser = true;
+ };
+
+ users.groups.drone = { };
+
+ systemd.tmpfiles.rules = [
+ "d '/var/lib/drone-db' 0750 drone drone - -"
+ ];
+
+ system.activationScripts.mkDroneNet =
+ let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in
+ ''
+ ${dockerBin} network inspect drone-net >/dev/null 2>&1 || ${dockerBin} network create drone-net --subnet 172.20.0.0/24
+ '';
+
+ virtualisation = {
+ docker = {
+ enable = true; # sadly podman is not supported rightnow
+ };
+
+ oci-containers = {
+ backend = "docker";
+ containers."drone-db" = {
+ image = "postgres:14";
+ autoStart = true;
+ user = "994";
+ volumes = [
+ "/var/lib/drone-db:/var/lib/postgresql/data"
+ ];
+ extraOptions = [
+ "--network=drone-net"
+ ];
+ environmentFiles = [
+ config.age.secrets.drone-db-secrets.path
+ ];
+ };
+ containers."drone-server" = {
+ image = "drone/drone:2";
+ autoStart = true;
+ user = "994";
+ ports = [
+ "4000:80"
+ ];
+ dependsOn = [ "drone-db" ];
+ extraOptions = [
+ "--network=drone-net"
+ ];
+ environment = {
+ DRONE_GITEA_SERVER = "https://git.pub.solar";
+ DRONE_SERVER_HOST = "ci.pub.solar";
+ DRONE_SERVER_PROTO = "https";
+ DRONE_DATABASE_DRIVER = "postgres";
+ };
+ environmentFiles = [
+ config.age.secrets.drone-secrets.path
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 8938dc4f..1e85352f 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
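Review bot: `ports = [ "4000:80" ]` on the `drone-server` container publishes the port on every host interface, and with the docker backend the published-port rule is normally installed ahead of the host's own firewall chain, so the Drone UI/API would be reachable on :4000 directly instead of only through the Caddy vhost that terminates TLS for `ci.pub.solar`; binding to loopback with `"127.0.0.1:4000:80"` is all the proxy's `reverse_proxy :4000` needs. The `drone-db` container publishes nothing and only joins `drone-net`, which is the right shape. The numeric id 994 appears three times (`uid = 994` on the host user and `user = "994"` in both containers) and the tmpfiles rule creates `/var/lib/drone-db` as 0750 drone:drone, so a comment on `users.users.drone` such as `# uid is pinned because both containers run as this numeric id and share the bind-mounted /var/lib/drone-db` would make that coupling explicit. `dependsOn = [ "drone-db" ]` only orders container start; whether the server tolerates postgres not yet accepting connections is not visible here, so a note on that line saying the server is expected to retry (or that it is not) would help whoever debugs a first boot.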
@@ -17,6 +17,7 @@ in
 ./triton-vmtools.nix
 ./caddy.nix
+ ./drone.nix
 ./keycloak.nix
 ./gitea.nix
diff --git a/hosts/flora-6/gitea.nix b/hosts/flora-6/gitea.nix
index 57e9063c..e783c0d5 100644
--- a/hosts/flora-6/gitea.nix
+++ b/hosts/flora-6/gitea.nix
@@ -7,12 +7,12 @@
 {
 age.secrets.gitea-database-password = {
 file = "${self}/secrets/gitea-database-password.age";
- mode = "700";
+ mode = "600";
 owner = "gitea";
 };
 age.secrets.gitea-mailer-password = {
 file = "${self}/secrets/gitea-mailer-password.age";
- mode = "700";
+ mode = "600";
 owner = "gitea";
 };
diff --git a/secrets/drone-db-secrets.age b/secrets/drone-db-secrets.age
new file mode 100644
index 00000000..35b78569
Binary files /dev/null and b/secrets/drone-db-secrets.age differ
diff --git a/secrets/drone-secrets.age b/secrets/drone-secrets.age
new file mode 100644
index 00000000..38327332
--- /dev/null
+++ b/secrets/drone-secrets.age
@@ -0,0 +1,12 @@
+age-encryption.org/v1 +-> ssh-ed25519 Y0ZZaw 42VrEEM/4WcKKp5NZfycnkhsrkSUGGrjwrIPz9O8LhY +CrkgGDCypRzevuT5YQBZxXwdJnvlkOH1xgxgRFf2wH8 +-> ssh-ed25519 BVsyTA hUQDxkdOQxsOrB/afZWXUWSgNXfDy0W3nl13aXSmvyA +cf5WfwKKOabBR7qqYblpplSxZqvFmxKCPys8Zz6ZVnU +-> #-grease B PYdk)b5 D\, z&3Vyw9u +kJnYpRA6aL4bQQA4ihI5bFl41vIzG2gOaKCJzjxnqK9DndETSoSkhWk4AX0uT0NQ +tw +--- QloJDsaDcj08NIy5j8hPMFhHZ4DyZFDR+CNtBUSbhQ0 +ͼ()۵kMsJ-d‚lfhj6y4[}`N) *H-c¨mPEdZ|FF4ޭ0@7;Ow=R:JA3Ob0{sG6Oʯ1yde ,NV"y48P _hw?tZ"W~5"#4,OAe +#]s.|agKQΨM/c +wpp=z\țHWv%zhL7B.F `+;e$zqqzS68eC=#|Y] nVJ"V+U
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 5c522962..74cf761c 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -9,4 +9,6 @@ in
 "gitea-database-password.age".publicKeys = deployKeys;
 "gitea-mailer-password.age".publicKeys = deployKeys;
 "keycloak-database-password.age".publicKeys = deployKeys;
+ "drone-secrets.age".publicKeys = deployKeys;
+ "drone-db-secrets.age".publicKeys = deployKeys;
 }