fuuko/drone: Init

2021-04-03 18:47:01 +02:00 · 2021-04-03 18:47:01 +02:00 · 0212f2adbd
parent ac7e1c1123
commit 0212f2adbd
6 changed files with 140 additions and 1 deletions
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@ -7,6 +7,7 @@

    ./services/ankisyncd.nix
    ./services/dnsmasq.nix
+    ./services/drone
    ./services/gitea.nix
    ./services/grafana.nix
    ./services/hedgedoc.nix
@ -32,6 +33,7 @@
        "/data/torrent"
      ];
    };
+    unfree.allowSoftware = true;
  };

  services.nginx = {
--- a/machines/fuuko/services/drone/default.nix
+++ b/machines/fuuko/services/drone/default.nix
@ -0,0 +1,6 @@
+{
+  imports = [
+    ./runner-exec.nix
+    ./server.nix
+  ];
+}
--- a/machines/fuuko/services/drone/runner-exec.nix
+++ b/machines/fuuko/services/drone/runner-exec.nix
@ -0,0 +1,59 @@
+# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
+{ config, lib, pkgs, ... }:
+let
+  user = "drone-runner-exec";
+  group = "drone-runner-exec";
+
+  availablePkgs = with pkgs; [
+    bash
+    git
+    git-lfs
+    gnutar
+    gzip
+    nix
+  ];
+in
+{
+  systemd.services.drone-runner-exec = {
+    wantedBy = [ "multi-user.target" ];
+    # might break deployment
+    restartIfChanged = false;
+    confinement = {
+      enable = true;
+      packages = availablePkgs;
+    };
+    path = availablePkgs;
+    environment = {
+      DRONE_RPC_HOST = "ci.sbruder.de";
+      DRONE_RPC_PROTO = "https";
+      DRONE_RUNNER_CAPACITY = "2";
+      NIX_REMOTE = "daemon";
+      PAGER = "cat";
+    };
+    serviceConfig = {
+      EnvironmentFile = lib.singleton config.krops.secrets.drone-rpc-environment.path;
+      BindPaths = [
+        "/nix/var/nix/daemon-socket/socket"
+        "/run/nscd/socket"
+      ];
+      BindReadOnlyPaths = [
+        "/etc/group:/etc/group"
+        "/etc/machine-id"
+        "/etc/nix:/etc/nix"
+        "/etc/passwd:/etc/passwd"
+        "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
+        "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
+        "/nix"
+      ];
+      ExecStart = "${pkgs.unstable.drone-runner-exec}/bin/drone-runner-exec";
+      User = user;
+      Group = group;
+    };
+  };
+
+  users.users."${user}" = {
+    isSystemUser = true;
+    inherit group;
+  };
+  users.groups."${group}" = { };
+}
--- a/machines/fuuko/services/drone/server.nix
+++ b/machines/fuuko/services/drone/server.nix
@ -0,0 +1,62 @@
+# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
+{ config, lib, pkgs, ... }:
+let
+  user = "drone-server";
+  group = "drone-server";
+in
+{
+  krops.secrets = {
+    drone-rpc-environment = { };
+    drone-server-environment = { };
+  };
+
+  systemd.services.drone-server = {
+    wantedBy = [ "multi-user.target" ];
+    after = [ "postgres.service" ];
+    environment = {
+      DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
+      DRONE_DATABASE_DRIVER = "postgres";
+      DRONE_GITEA_SERVER = "https://git.sbruder.de";
+      DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
+      DRONE_SERVER_HOST = "ci.sbruder.de";
+      DRONE_SERVER_PORT = "127.0.0.1:8011";
+      DRONE_SERVER_PROTO = "https";
+      DRONE_USER_CREATE = "username:simon,admin:true";
+    };
+    serviceConfig = {
+      EnvironmentFile = with config.krops.secrets; [
+        drone-rpc-environment.path
+        drone-server-environment.path
+      ];
+      ExecStart = "${pkgs.unstable.drone}/bin/drone-server";
+      Restart = "on-failure";
+      User = user;
+      Group = group;
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "drone-server" ];
+    ensureUsers = [{
+      name = user;
+      ensurePermissions = {
+        "DATABASE \"drone-server\"" = "ALL PRIVILEGES";
+      };
+    }];
+  };
+
+  services.nginx.virtualHosts."ci.sbruder.de" = {
+    enableACME = true;
+    forceSSL = true;
+    locations = {
+      "/".proxyPass = "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
+      "/metrics".return = "403";
+    };
+  };
+
+  users.users."${user}" = {
+    isSystemUser = true;
+    inherit group;
+  };
+  users.groups."${group}" = { };
+}
--- a/machines/fuuko/services/prometheus.nix
+++ b/machines/fuuko/services/prometheus.nix
@ -103,6 +103,14 @@ in
          };
        }
      )
+      {
+        job_name = "drone";
+        static_configs = mkStaticTarget config.systemd.services.drone-server.environment.DRONE_SERVER_PORT;
+        relabel_configs = lib.singleton {
+          target_label = "instance";
+          replacement = "ci.sbruder.de";
+        };
+      }
    ];

    rules =
--- a/modules/unfree.nix
+++ b/modules/unfree.nix
@ -26,9 +26,11 @@ in
        "vista-fonts"
        "wallpaper-unfree" # defined in users/simon/modules/sway.nix
      ] ++ lib.optionals cfg.allowSoftware [
+        "drone-runner-exec" # exception: same as drone.io
+        "drone.io" # exception: is open source (but has usage restriction)
+        "fahclient" # exception: for science
        "osu-lazer" # exception: is mostly free (just has one unfree dependency) and runs in container
        "p7zip" # exception: rar source code is not free, but available; p7zip with `enableUnfree` includes it
-        "fahclient" # exception: for science
      ]
    ));
  };