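# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
#
# Drone CI server: runs as a dedicated system user, talks to PostgreSQL over
# the local unix socket, listens on loopback only and is published through
# nginx with TLS.
{ config, lib, pkgs, ... }:
let
  # Dedicated unprivileged account. The name is also used as the PostgreSQL
  # role name in ensureUsers below.
  user = "drone-server";
  group = "drone-server";
in
{
  # Secret environment files are decrypted by sops-nix. No owner or mode is
  # set here, so the sops-nix defaults apply; systemd reads EnvironmentFile
  # itself, so the service user needs no read access to them.
  # NOTE(review): presumably these carry the RPC secret and the Gitea OAuth
  # client credentials; confirm against secrets.yaml.
  sops.secrets = {
    drone-rpc-environment.sopsFile = ../../secrets.yaml;
    drone-server-environment.sopsFile = ../../secrets.yaml;
  };

  systemd.services.drone-server = {
    wantedBy = [ "multi-user.target" ];
    # The NixOS PostgreSQL module names its unit "postgresql.service".
    # Ordering after the non-existent "postgres.service" was silently ignored,
    # so drone-server could start before the database socket existed.
    after = [ "postgresql.service" ];
    environment = {
      # No host or password in the datasource: the connection goes through
      # the unix socket in /run/postgresql.
      DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
      DRONE_DATABASE_DRIVER = "postgres";
      DRONE_GITEA_SERVER = "https://git.sbruder.de";
      # Metrics are served without authentication on the loopback listener.
      # The nginx vhost below returns 403 for /metrics, so they are not
      # reachable through the public hostname; any local process can still
      # read them.
      DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
      DRONE_SERVER_HOST = "ci.sbruder.de";
      # Bind to loopback only; nginx is the sole public entry point.
      DRONE_SERVER_PORT = "127.0.0.1:8011";
      DRONE_SERVER_PROTO = "https";
      # Bootstraps this account as a Drone administrator.
      DRONE_USER_CREATE = "username:simon,admin:true";
    };
    serviceConfig = {
      EnvironmentFile = with config.sops.secrets; [
        drone-rpc-environment.path
        drone-server-environment.path
      ];
      ExecStart = "${pkgs.unstable.drone}/bin/drone-server";
      Restart = "on-failure";
      User = user;
      Group = group;
      # NOTE(review): no systemd sandboxing options are set for this
      # network-facing service. Consider adding some after testing, and check
      # the result with `systemd-analyze security drone-server`.
    };
  };

  services.postgresql = {
    ensureDatabases = [ "drone-server" ];
    ensureUsers = [{
      name = user;
      # Privileges are limited to the service's own database.
      # NOTE(review): newer NixOS releases replace ensurePermissions with
      # ensureDBOwnership; confirm against the NixOS version in use.
      ensurePermissions = {
        "DATABASE \"drone-server\"" = "ALL PRIVILEGES";
      };
    }];
  };

  services.nginx.virtualHosts."ci.sbruder.de" = {
    enableACME = true;
    forceSSL = true;
    locations = {
      # The upstream address is taken from the service environment so the
      # proxy target and the listener cannot drift apart.
      "/".proxyPass = "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
      # Keep the unauthenticated Prometheus endpoint off the public vhost.
      "/metrics".return = "403";
    };
  };

  users.users."${user}" = {
    isSystemUser = true;
    inherit group;
  };

  users.groups."${group}" = { };
}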