fuuko: Remove drone

I don’t actually use it and it is somewhat of a risk to run
code-execution-as-a-service. Also, the confinement does not work
currently (tries to write to /var/empty), which prompted the removal,
because the low usage does not justify that amount of maintainance.
This commit is contained in:
Simon Bruder 2022-01-14 17:20:52 +01:00
parent ac22d1bc39
commit 8748cfdf11
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC
6 changed files with 2 additions and 142 deletions

View file

@ -8,7 +8,6 @@
./services/ankisyncd.nix
./services/binary-cache.nix
./services/dnsmasq.nix
./services/drone
./services/factorio.nix
./services/gitea.nix
./services/grafana.nix

View file

@ -1,5 +1,3 @@
drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
go-neb-overrides: ENC[AES256_GCM,data:Ws/2yCNNLLEpa9MbN7mZk6BBBaJxtHN2X9I41baWJylZeUld6/h4WCxyHw4MWzigK7k26E+7CGVGThF5Ucd6AuvuD9dd21uaoOtwsAKJVsCavk6VPQvfAuSqYJcBYY2pSwDpA6KbXbQqhC9OgcktvYQdnvNPbsSffK4zhrDjcFpDYYyBRQWxqHu/ZGh2088ECbhm2OCWeC9/5u/2id8dHutip6tUXBIalFmWObc6zgx4atCJGdq9/bOPgajQzrpWlauV0h3ioMwp0gsulOJl2LuI7Lvbsvm+UWe8hVd9ZLqR+4ZAwC5oCQht68AxekKrLNl02KQ8rM4fmWJpbK4NsR/m8+ifMZhqIe8tqUUhWGvJqbxEI/Rsbqm92ToIHL5x9hNSZ/crm+hF4c2Uh9jnSA3E/tOxjZaMU5hB+2Y4tF83nz61tzFnwhQ32VxFeq6IHyMOhgQzGZkDPAyFg2e4tbG6zp5oMx2lsUlgbaXrSrzBU73CjWiLDiJFNyGLx7ADeZ4aZVsZnvGL6y7K4p0uVuK7KSNzoW0=,iv:tniWSP8RgSDJ8ap+PK83TcPAvRdaXWC/gchF6+8uffs=,tag:SC6RB8zyVmjjbLA73cFb4A==,type:str]
hcloud_exporter-environment: ENC[AES256_GCM,data:TPMeNK7uC716PC8UqDCnUKtriueIkg3l1ql9e3lse46Ko3TVvwW1oAQRSbwK8CG5AjuF2s2Y8GJdYcI8PN6Z5kERYF1RL2GDpN4pLSuw/l0YqsFkt0uK,iv:cmB+hZHvbk1p8uRmLDyYdPr6rTsFxKcoTcQVo729sAQ=,tag:nkiSvy7rsoInDN0l+1FOOQ==,type:str]
@ -17,8 +15,8 @@ sops:
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-08-28T11:43:22Z"
mac: ENC[AES256_GCM,data:vMOdapzHflV6LtUQbSmP2y0wgPXFxKqC3XtVfThy7DvBcZNSa/TN/ZOGMdKXx4qX0na1lwd8JEQ97i4FOgyediCwshjJXVFLqcFP5roXlA+hgeWtWEsrWdnZlz9KoWsFX5Cm+QU3oV+0g8tAnznfXCwDPlBTnqPAnj8BtjQVSIc=,iv:8F07K351cJBpNA0BURSeVYeW7CuC9hpNeODNF8Qq2W4=,tag:BHx83f+hHghPEt7q5xzVyg==,type:str]
lastmodified: "2022-01-14T16:18:19Z"
mac: ENC[AES256_GCM,data:i6TJ+X85H+ptli5GaodNh6KbjqBLuJcs/Cy88JIQdq5az6nVJUtB55SuhkOAu35pPqlGX4tTBRO7OHupkEwS0Gpl2rC+OQB8gvnfuANzK8uFKGs4EK29BJsqNjsRdDmH1NjGjrIjau4spLz0wfELUcKtKofkZeLvzITsgzjRj+4=,iv:ZuFOIeXb+k1PWfWYPyIBKAnBaLZu+E4SeThysXCQ+iI=,tag:BFMwx9Am66pRSmWQWnVpgA==,type:str]
pgp:
- created_at: "2021-04-06T11:27:21Z"
enc: |

View file

@ -1,6 +0,0 @@
{
imports = [
./runner-exec.nix
./server.nix
];
}

View file

@ -1,61 +0,0 @@
# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
{ config, lib, pkgs, ... }:
let
user = "drone-runner-exec";
group = "drone-runner-exec";
availablePkgs = with pkgs; [
bash
git
git-lfs
gnutar
gzip
nixFlakes
];
in
{
systemd.services.drone-runner-exec = {
wantedBy = [ "multi-user.target" ];
# might break deployment
restartIfChanged = false;
confinement = {
enable = true;
packages = availablePkgs;
};
path = availablePkgs;
environment = {
DRONE_HTTP_BIND = ":3002";
DRONE_RPC_HOST = "ci.sbruder.de";
DRONE_RPC_PROTO = "https";
DRONE_RUNNER_CAPACITY = "2";
NIX_REMOTE = "daemon";
PAGER = "cat";
};
serviceConfig = {
EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path;
BindPaths = [
"/nix/var/nix/daemon-socket/socket"
"/run/nscd/socket"
];
BindReadOnlyPaths = [
"/etc/group:/etc/group"
"/etc/machine-id"
"/etc/nix:/etc/nix"
"/etc/passwd:/etc/passwd"
"/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
"/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
"/etc/static"
"/nix"
];
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
User = user;
Group = group;
};
};
users.users."${user}" = {
isSystemUser = true;
inherit group;
};
users.groups."${group}" = { };
}

View file

@ -1,62 +0,0 @@
# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
{ config, lib, pkgs, ... }:
let
user = "drone-server";
group = "drone-server";
in
{
sops.secrets = {
drone-rpc-environment.sopsFile = ../../secrets.yaml;
drone-server-environment.sopsFile = ../../secrets.yaml;
};
systemd.services.drone-server = {
wantedBy = [ "multi-user.target" ];
after = [ "postgres.service" ];
environment = {
DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
DRONE_DATABASE_DRIVER = "postgres";
DRONE_GITEA_SERVER = "https://git.sbruder.de";
DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
DRONE_SERVER_HOST = "ci.sbruder.de";
DRONE_SERVER_PORT = "127.0.0.1:8011";
DRONE_SERVER_PROTO = "https";
DRONE_USER_CREATE = "username:simon,admin:true";
};
serviceConfig = {
EnvironmentFile = with config.sops.secrets; [
drone-rpc-environment.path
drone-server-environment.path
];
ExecStart = "${pkgs.drone}/bin/drone-server";
Restart = "on-failure";
User = user;
Group = group;
};
};
services.postgresql = {
ensureDatabases = [ "drone-server" ];
ensureUsers = [{
name = user;
ensurePermissions = {
"DATABASE \"drone-server\"" = "ALL PRIVILEGES";
};
}];
};
services.nginx.virtualHosts."ci.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations = {
"/".proxyPass = "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
"/metrics".return = "403";
};
};
users.users."${user}" = {
isSystemUser = true;
inherit group;
};
users.groups."${group}" = { };
}

View file

@ -94,14 +94,6 @@ in
};
}
)
{
job_name = "drone";
static_configs = mkStaticTarget config.systemd.services.drone-server.environment.DRONE_SERVER_PORT;
relabel_configs = lib.singleton {
target_label = "instance";
replacement = "ci.sbruder.de";
};
}
{
job_name = "dnsmasq";
static_configs = mkStaticTarget (with config.services.prometheus.exporters.dnsmasq; "${listenAddress}:${toString port}");