fuuko: Remove drone

I don’t actually use it and it is somewhat of a risk to run code-execution-as-a-service. Also, the confinement does not work currently (tries to write to /var/empty), which prompted the removal, because the low usage does not justify that amount of maintainance.
2022-01-14 17:20:52 +01:00 · 2022-01-14 17:20:52 +01:00 · 8748cfdf11
parent ac22d1bc39
commit 8748cfdf11
6 changed files with 2 additions and 142 deletions
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@ -8,7 +8,6 @@
    ./services/ankisyncd.nix
    ./services/binary-cache.nix
    ./services/dnsmasq.nix
-    ./services/drone
    ./services/factorio.nix
    ./services/gitea.nix
    ./services/grafana.nix
--- a/machines/fuuko/secrets.yaml
+++ b/machines/fuuko/secrets.yaml
@ -1,5 +1,3 @@
-drone-rpc-environment: ENC[AES256_GCM,data:2Alck43ZrOFzhY7fKonIyboROD5qGuKkalTXlUZM0vBYTNeFLblU4u4tIIaA4t9nNO4=,iv:EakQQ/8pVZlIzM9PbNB0EGzSW46t/dWbxOtQo6uVAhs=,tag:NEhSgzkx8AxIjqtGetGG9w==,type:str]
-drone-server-environment: ENC[AES256_GCM,data:73uDSq+u3nGiKhLqdhdegTIvec9mF9jxVLJLtCjer5jUiFEZu5PkeYv0AWAyLWbB7s8b0V+4fxNQo/QsAfBWH0eP2TVOAy1TAo/sOso9PEVRaQCdilw39UJBdT8II3dy9YIfGFUXRUXCMU+1xfzUFjhU0s7sc+mYQ4jEj2ZX90UbUDcbgppNjC7KIHo8mQdrxFHeMq+wQpaoncwFMlwwzn8lFlG75+dMnkPGYa4xSqkwjHn2tewLM8f9dCiBQVoMVQCWo+1RieMq2cd3CYEkP7MPl+y3OA==,iv:kggBBXdN01LJ82azzxOZap1lfWglshCjkKqaU+oi+T4=,tag:Zg0Ay2aLGok4fgX3/y4ILA==,type:str]
 gitea-mail: ENC[AES256_GCM,data:ck4S9YJ1BLUb6+mOrRmg22KWI1xQwsdIw1dowNk1OOk=,iv:+aQiTSGzmBOLYbIVgwH/SIhslKgdJKoL1ZaGAXCeqHY=,tag:H3vCEGMktqAV/9BASVR5tg==,type:str]
 go-neb-overrides: ENC[AES256_GCM,data:Ws/2yCNNLLEpa9MbN7mZk6BBBaJxtHN2X9I41baWJylZeUld6/h4WCxyHw4MWzigK7k26E+7CGVGThF5Ucd6AuvuD9dd21uaoOtwsAKJVsCavk6VPQvfAuSqYJcBYY2pSwDpA6KbXbQqhC9OgcktvYQdnvNPbsSffK4zhrDjcFpDYYyBRQWxqHu/ZGh2088ECbhm2OCWeC9/5u/2id8dHutip6tUXBIalFmWObc6zgx4atCJGdq9/bOPgajQzrpWlauV0h3ioMwp0gsulOJl2LuI7Lvbsvm+UWe8hVd9ZLqR+4ZAwC5oCQht68AxekKrLNl02KQ8rM4fmWJpbK4NsR/m8+ifMZhqIe8tqUUhWGvJqbxEI/Rsbqm92ToIHL5x9hNSZ/crm+hF4c2Uh9jnSA3E/tOxjZaMU5hB+2Y4tF83nz61tzFnwhQ32VxFeq6IHyMOhgQzGZkDPAyFg2e4tbG6zp5oMx2lsUlgbaXrSrzBU73CjWiLDiJFNyGLx7ADeZ4aZVsZnvGL6y7K4p0uVuK7KSNzoW0=,iv:tniWSP8RgSDJ8ap+PK83TcPAvRdaXWC/gchF6+8uffs=,tag:SC6RB8zyVmjjbLA73cFb4A==,type:str]
 hcloud_exporter-environment: ENC[AES256_GCM,data:TPMeNK7uC716PC8UqDCnUKtriueIkg3l1ql9e3lse46Ko3TVvwW1oAQRSbwK8CG5AjuF2s2Y8GJdYcI8PN6Z5kERYF1RL2GDpN4pLSuw/l0YqsFkt0uK,iv:cmB+hZHvbk1p8uRmLDyYdPr6rTsFxKcoTcQVo729sAQ=,tag:nkiSvy7rsoInDN0l+1FOOQ==,type:str]
@ -17,8 +15,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2021-08-28T11:43:22Z"
-    mac: ENC[AES256_GCM,data:vMOdapzHflV6LtUQbSmP2y0wgPXFxKqC3XtVfThy7DvBcZNSa/TN/ZOGMdKXx4qX0na1lwd8JEQ97i4FOgyediCwshjJXVFLqcFP5roXlA+hgeWtWEsrWdnZlz9KoWsFX5Cm+QU3oV+0g8tAnznfXCwDPlBTnqPAnj8BtjQVSIc=,iv:8F07K351cJBpNA0BURSeVYeW7CuC9hpNeODNF8Qq2W4=,tag:BHx83f+hHghPEt7q5xzVyg==,type:str]
+    lastmodified: "2022-01-14T16:18:19Z"
+    mac: ENC[AES256_GCM,data:i6TJ+X85H+ptli5GaodNh6KbjqBLuJcs/Cy88JIQdq5az6nVJUtB55SuhkOAu35pPqlGX4tTBRO7OHupkEwS0Gpl2rC+OQB8gvnfuANzK8uFKGs4EK29BJsqNjsRdDmH1NjGjrIjau4spLz0wfELUcKtKofkZeLvzITsgzjRj+4=,iv:ZuFOIeXb+k1PWfWYPyIBKAnBaLZu+E4SeThysXCQ+iI=,tag:BFMwx9Am66pRSmWQWnVpgA==,type:str]
    pgp:
        - created_at: "2021-04-06T11:27:21Z"
          enc: |
--- a/machines/fuuko/services/drone/default.nix
+++ b/machines/fuuko/services/drone/default.nix
@ -1,6 +0,0 @@
-{
-  imports = [
-    ./runner-exec.nix
-    ./server.nix
-  ];
-}
--- a/machines/fuuko/services/drone/runner-exec.nix
+++ b/machines/fuuko/services/drone/runner-exec.nix
@ -1,61 +0,0 @@
-# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/exec-runner.nix
-{ config, lib, pkgs, ... }:
-let
-  user = "drone-runner-exec";
-  group = "drone-runner-exec";
-
-  availablePkgs = with pkgs; [
-    bash
-    git
-    git-lfs
-    gnutar
-    gzip
-    nixFlakes
-  ];
-in
-{
-  systemd.services.drone-runner-exec = {
-    wantedBy = [ "multi-user.target" ];
-    # might break deployment
-    restartIfChanged = false;
-    confinement = {
-      enable = true;
-      packages = availablePkgs;
-    };
-    path = availablePkgs;
-    environment = {
-      DRONE_HTTP_BIND = ":3002";
-      DRONE_RPC_HOST = "ci.sbruder.de";
-      DRONE_RPC_PROTO = "https";
-      DRONE_RUNNER_CAPACITY = "2";
-      NIX_REMOTE = "daemon";
-      PAGER = "cat";
-    };
-    serviceConfig = {
-      EnvironmentFile = lib.singleton config.sops.secrets.drone-rpc-environment.path;
-      BindPaths = [
-        "/nix/var/nix/daemon-socket/socket"
-        "/run/nscd/socket"
-      ];
-      BindReadOnlyPaths = [
-        "/etc/group:/etc/group"
-        "/etc/machine-id"
-        "/etc/nix:/etc/nix"
-        "/etc/passwd:/etc/passwd"
-        "/etc/ssh/ssh_known_hosts:/etc/ssh/ssh_known_hosts"
-        "/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt"
-        "/etc/static"
-        "/nix"
-      ];
-      ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec";
-      User = user;
-      Group = group;
-    };
-  };
-
-  users.users."${user}" = {
-    isSystemUser = true;
-    inherit group;
-  };
-  users.groups."${group}" = { };
-}
--- a/machines/fuuko/services/drone/server.nix
+++ b/machines/fuuko/services/drone/server.nix
@ -1,62 +0,0 @@
-# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
-{ config, lib, pkgs, ... }:
-let
-  user = "drone-server";
-  group = "drone-server";
-in
-{
-  sops.secrets = {
-    drone-rpc-environment.sopsFile = ../../secrets.yaml;
-    drone-server-environment.sopsFile = ../../secrets.yaml;
-  };
-
-  systemd.services.drone-server = {
-    wantedBy = [ "multi-user.target" ];
-    after = [ "postgres.service" ];
-    environment = {
-      DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
-      DRONE_DATABASE_DRIVER = "postgres";
-      DRONE_GITEA_SERVER = "https://git.sbruder.de";
-      DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
-      DRONE_SERVER_HOST = "ci.sbruder.de";
-      DRONE_SERVER_PORT = "127.0.0.1:8011";
-      DRONE_SERVER_PROTO = "https";
-      DRONE_USER_CREATE = "username:simon,admin:true";
-    };
-    serviceConfig = {
-      EnvironmentFile = with config.sops.secrets; [
-        drone-rpc-environment.path
-        drone-server-environment.path
-      ];
-      ExecStart = "${pkgs.drone}/bin/drone-server";
-      Restart = "on-failure";
-      User = user;
-      Group = group;
-    };
-  };
-
-  services.postgresql = {
-    ensureDatabases = [ "drone-server" ];
-    ensureUsers = [{
-      name = user;
-      ensurePermissions = {
-        "DATABASE \"drone-server\"" = "ALL PRIVILEGES";
-      };
-    }];
-  };
-
-  services.nginx.virtualHosts."ci.sbruder.de" = {
-    enableACME = true;
-    forceSSL = true;
-    locations = {
-      "/".proxyPass = "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
-      "/metrics".return = "403";
-    };
-  };
-
-  users.users."${user}" = {
-    isSystemUser = true;
-    inherit group;
-  };
-  users.groups."${group}" = { };
-}
--- a/machines/fuuko/services/prometheus.nix
+++ b/machines/fuuko/services/prometheus.nix
@ -94,14 +94,6 @@ in
          };
        }
      )
-      {
-        job_name = "drone";
-        static_configs = mkStaticTarget config.systemd.services.drone-server.environment.DRONE_SERVER_PORT;
-        relabel_configs = lib.singleton {
-          target_label = "instance";
-          replacement = "ci.sbruder.de";
-        };
-      }
      {
        job_name = "dnsmasq";
        static_configs = mkStaticTarget (with config.services.prometheus.exporters.dnsmasq; "${listenAddress}:${toString port}");