# NixOS module: Drone CI server (TLS-terminated by nginx) plus an exec runner
# that executes pipelines directly on this host inside a confined systemd unit.
{ pkgs, config, ... }:
let
  droneserver = config.users.users.droneserver.name;

  # Tools the exec runner needs both inside its confinement and on PATH;
  # declared once so the two lists cannot drift apart.
  runnerTools = with pkgs; [
    git
    gnutar
    bash
    nixUnstable
    gzip
  ];

  # ssh_config handed to the runner. ForwardAgent lets eve.thalheim.io use the
  # runner's ssh agent for the duration of a session, so that host is trusted
  # with every key the agent holds.
  runnerSshConfig = builtins.toFile "ssh_config" ''
    Host eve.thalheim.io
    ForwardAgent yes
  '';
in
{
  systemd.services.drone-server = {
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      # Secrets live in the sops-managed env file; systemd reads it itself,
      # so the unprivileged service user needs no access to the secret path.
      EnvironmentFile = [ config.sops.secrets.drone.path ];
      Environment = [
        # Local PostgreSQL over its unix socket, no password in the DSN
        # (presumably peer auth; verify pg_hba admits the droneserver role).
        "DRONE_DATABASE_DATASOURCE=postgres:///droneserver?host=/run/postgresql"
        "DRONE_DATABASE_DRIVER=postgres"
        # NOTE(review): ":3030" listens on every interface in plain HTTP while
        # nginx and the runner only use loopback. Unless the host firewall
        # blocks the port, "127.0.0.1:3030" would be the tighter choice — confirm.
        "DRONE_SERVER_PORT=:3030"
        # Bootstraps the initial admin account.
        "DRONE_USER_CREATE=username:Mic92,admin:true"
      ];
      ExecStart = "${pkgs.drone}/bin/drone-server";
      # Dedicated unprivileged system user, declared under users.users below.
      User = droneserver;
      Group = droneserver;
    };
  };

  systemd.services.drone-runner-exec = {
    wantedBy = [ "multi-user.target" ];
    # might break deployment
    restartIfChanged = false;

    # Pipelines run directly on this host as the runner user; confinement
    # narrows what the runner can see to these packages plus the bind mounts
    # listed in serviceConfig.
    confinement = {
      enable = true;
      packages = runnerTools;
    };
    path = runnerTools;

    serviceConfig = {
      Environment = [
        "DRONE_RUNNER_CAPACITY=10"
        # Reaches the server over loopback only.
        "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
        # Builds go through the nix daemon (socket bound writable below)
        # instead of touching the store directly.
        "NIX_REMOTE=daemon"
        "PAGER=cat"
      ];
      # Writable mounts: daemon socket, nscd (user/host lookups), runner state.
      BindPaths = [
        "/nix/var/nix/daemon-socket/socket"
        "/run/nscd/socket"
        "/var/lib/drone"
      ];
      # Everything else the runner needs is mounted read-only.
      BindReadOnlyPaths = [
        "/etc/passwd:/etc/passwd"
        "/etc/group:/etc/group"
        "/nix/var/nix/profiles/system/etc/nix:/etc/nix"
        "${config.environment.etc."ssl/certs/ca-certificates.crt".source}:/etc/ssl/certs/ca-certificates.crt"
        "${config.environment.etc."ssh/ssh_known_hosts".source}:/etc/ssh/ssh_known_hosts"
        "${runnerSshConfig}:/etc/ssh/ssh_config"
        "/etc/machine-id"
        # channels are dynamic paths in the nix store, therefore we need to bind mount the whole thing
        "/nix/"
      ];
      # Same sops env file as the server (presumably carrying the shared RPC
      # secret); again read by systemd, not by the runner user.
      EnvironmentFile = [ config.sops.secrets.drone.path ];
      ExecStart = "${pkgs.nur.repos.mic92.drone-runner-exec}/bin/drone-runner-exec";
      User = "drone-runner-exec";
      Group = "drone-runner-exec";
    };
  };

  services.postgresql = {
    ensureDatabases = [ droneserver ];
    ensureUsers = [
      {
        name = droneserver;
        ensurePermissions."DATABASE ${droneserver}" = "ALL PRIVILEGES";
      }
    ];
  };

  # Public entry point: TLS via the shared thalheim.io ACME cert, HTTP forced
  # to HTTPS, proxied to the plaintext listener on loopback.
  services.nginx.virtualHosts."drone.thalheim.io" = {
    useACMEHost = "thalheim.io";
    forceSSL = true;
    locations."/".extraConfig = ''
      proxy_pass http://localhost:3030;
    '';
  };

  # Separate unprivileged identities for the server and the runner.
  users = {
    users = {
      drone-runner-exec = {
        isSystemUser = true;
        group = "drone-runner-exec";
      };
      droneserver = {
        isSystemUser = true;
        # NOTE(review): createHome without an explicit `home` leaves the NixOS
        # default (/var/empty); confirm a home directory is actually wanted.
        createHome = true;
        group = droneserver;
      };
    };
    groups = {
      drone-runner-exec = { };
      droneserver = { };
    };
  };

  # sops-nix defaults (presumably root-owned, owner-only mode) are sufficient
  # because only systemd reads this file through EnvironmentFile.
  sops.secrets.drone = { };
}