Simon Bruder 4a8a7e0a4f
Use sops for secrets
Since I currently do not have access to sayuri, sayuri’s migration is
not done yet. The host keys and wg-home-private-key secret still have to
be added.
2021-04-06 14:05:48 +02:00


# adapted from https://github.com/Mic92/dotfiles/blob/master/nixos/eve/modules/drone/server.nix
{ config, lib, pkgs, ... }:
let
user = "drone-server";
group = "drone-server";
in
{
# Both environment files are entries of the shared secrets.yaml; sops-nix
# exposes the decrypted file of each secret as config.sops.secrets.<name>.path,
# which the service below hands to systemd's EnvironmentFile=.
# NOTE(review): no owner/mode is set here, so the decrypted files keep
# sops-nix's defaults (presumably root-only) — that is enough, because
# EnvironmentFile= is read before systemd switches to the service user.
sops.secrets = lib.genAttrs
  [ "drone-rpc-environment" "drone-server-environment" ]
  (_: { sopsFile = ../../secrets.yaml; });
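# Drone CI server. It listens on the loopback interface only; nginx terminates
# TLS for ci.sbruder.de and proxies to it.
systemd.services.drone-server = {
  wantedBy = [ "multi-user.target" ];
  # The NixOS PostgreSQL unit is "postgresql.service" — "postgres.service"
  # does not exist, so the previous ordering was silently ineffective and the
  # server could race the database (only Restart=on-failure papered over it).
  # Ordering after it also ensures ensureDatabases/ensureUsers have run.
  after = [ "postgresql.service" ];
  requires = [ "postgresql.service" ];
  environment = {
    # Connects over the local unix socket; no credentials are embedded in the
    # datasource (the role is expected to match the service user, see
    # services.postgresql.ensureUsers below).
    DRONE_DATABASE_DATASOURCE = "postgres:///drone-server?host=/run/postgresql";
    DRONE_DATABASE_DRIVER = "postgres";
    DRONE_GITEA_SERVER = "https://git.sbruder.de";
    # Metrics need no token. This is only acceptable because the server binds
    # to 127.0.0.1 and the nginx vhost answers /metrics with 403; keep both in
    # place as long as this stays "true".
    DRONE_PROMETHEUS_ANONYMOUS_ACCESS = "true";
    DRONE_SERVER_HOST = "ci.sbruder.de";
    # Loopback only — the public entry point is the nginx reverse proxy.
    DRONE_SERVER_PORT = "127.0.0.1:8011";
    DRONE_SERVER_PROTO = "https";
    # Bootstraps the initial admin account.
    DRONE_USER_CREATE = "username:simon,admin:true";
  };
  serviceConfig = {
    # Secret settings (RPC secret and the rest of the server environment) come
    # from sops-managed files, so they never end up in the Nix store.
    EnvironmentFile = with config.sops.secrets; [
      drone-rpc-environment.path
      drone-server-environment.path
    ];
    ExecStart = "${pkgs.unstable.drone}/bin/drone-server";
    Restart = "on-failure";
    User = user;
    Group = group;
    # Basic sandboxing. The server only needs the postgres socket, the
    # decrypted secrets and outbound network access, none of which these
    # options restrict.
    NoNewPrivileges = true;
    PrivateTmp = true;
    ProtectHome = true;
    ProtectSystem = "full";
  };
};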
# Database and role for the server. The role name equals the systemd service
# user so the socket connection in DRONE_DATABASE_DATASOURCE can be made
# without a password.
services.postgresql = {
  ensureDatabases = [ "drone-server" ];
  ensureUsers = [
    {
      name = user;
      ensurePermissions."DATABASE \"drone-server\"" = "ALL PRIVILEGES";
    }
  ];
};
# Public TLS endpoint for Drone. The upstream address is taken from the
# service's own environment so the two cannot drift apart.
services.nginx.virtualHosts."ci.sbruder.de" = {
  enableACME = true;
  forceSSL = true;
  locations."/".proxyPass =
    "http://${config.systemd.services.drone-server.environment.DRONE_SERVER_PORT}";
  # Drone serves its Prometheus metrics anonymously
  # (DRONE_PROMETHEUS_ANONYMOUS_ACCESS); this prefix location keeps them off
  # the public host, so they stay reachable only via 127.0.0.1:8011.
  locations."/metrics".return = "403";
};
# Dedicated unprivileged system user/group the service drops to.
users.users.${user} = {
  isSystemUser = true;
  group = group;
};
users.groups.${group} = { };
}