From f9450c2e819067dc62be31b0e633cea5ad00e38a Mon Sep 17 00:00:00 2001
From: Julien Malka <julien.malka@me.com>
Date: Sat, 25 Dec 2021 12:53:48 +0100
Subject: [PATCH] Added drone module
---
 machines/newton/default.nix | 9 +++-
 modules/drone/default.nix | 100 ++++++++++++++++++++++++++++++++++++
 modules/nix/default.nix | 1 +
 secrets/secrets.yaml | 5 +-
 4 files changed, 111 insertions(+), 4 deletions(-)
 create mode 100644 modules/drone/default.nix
diff --git a/machines/newton/default.nix b/machines/newton/default.nix
index 9d7de91..4aec8c7 100644
--- a/machines/newton/default.nix
+++ b/machines/newton/default.nix
@@ -13,6 +13,11 @@ in
 luj = {
 filerun.enable = true;
+ drone.enable = true;
+ drone.nginx = {
+ enable = true;
+ subdomain = "ci";
+ };
 zfs-mails.enable = true;
 hydra = {
 enable = true;
@@ -30,8 +35,8 @@ in
 networking.interfaces.enp2s0f0.useDHCP = true;
 networking.interfaces.enp2s0f1.useDHCP = true;
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- networking.firewall.allowedUDPPorts = [ 22 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 22 80 8080 443 ];
+ networking.firewall.allowedUDPPorts = [ 22 80 8080 443 ];
 networking.firewall.allowedUDPPortRanges = [{ from = 60000; to = 61000; }];
diff --git a/modules/drone/default.nix b/modules/drone/default.nix
new file mode 100644
index 0000000..8179050
--- /dev/null
+++ b/modules/drone/default.nix
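Review bot: In machines/newton/default.nix, the second hunk opens port 8080 for both TCP and UDP, but nothing this commit adds listens there: drone-server is configured for 3030 and is published through the nginx vhost with `forceSSL`. Unless another service on newton needs 8080 (not visible in this patch), leave the lists as they were, i.e. `networking.firewall.allowedTCPPorts = [ 22 80 443 ];`. If 8080 is needed, add it to the TCP list only and name the service in a comment; the UDP list just mirrors the TCP one and no UDP listener for these ports is visible here. The enclosing attribute set starts and ends outside the hunk.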
@@ -0,0 +1,100 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.luj.drone;
+ droneserver = config.users.users.droneserver.name;
+ port = 3030;
+in
+{
+
+ options.luj.drone = {
+ enable = mkEnableOption "activate drone CI";
+ nginx.enable = mkEnableOption "activate nginx";
+ nginx.subdomain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable (
+ mkMerge [{
+
+ sops.secrets.drone = { };
+
+ systemd.services.drone-server = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = [ config.sops.secrets.drone.path ];
+ Environment = [
+ "DRONE_SERVER_HOST=${cfg.nginx.subdomain}.julienmalka.me"
+ "DRONE_SERVER_PROTO=https"
+ "DRONE_DATABASE_DATASOURCE=postgres:///droneserver?host=/run/postgresql"
+ "DRONE_DATABASE_DRIVER=postgres"
+ "DRONE_SERVER_PORT=:3030"
+ "DRONE_USER_CREATE=username:Julien,admin:true"
+ ];
+ ExecStart = "${pkgs.drone}/bin/drone-server";
+ User = droneserver;
+ Group = droneserver;
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ droneserver ];
+ ensureUsers = [{
+ name = droneserver;
+ ensurePermissions = {
+ "DATABASE ${droneserver}" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+ users.users.droneserver = {
+ isSystemUser = true;
+ createHome = true;
+ group = droneserver;
+ };
+ users.groups.droneserver = { };
+
+ #environment.etc.drone-runner-exec = {
+ # target = "drone-runner-exec/config";
+ # text = ''
+ # DRONE_RPC_PROTO=https
+ # DRONE_RPC_HOST=${cfg.nginx.subdomain}.julienmalka.me
+ # DRONE_RPC_SECRET=JIJ1pfTgJldCMAgKtGLOnbQE5e8oUPSo2DqlWayVLQFVXDe3898DYvixRiprddY1M
+ # DRONE_UI_USERNAME=root
+ # DRONE_UI_PASSWORD=root
+ # '';
+ #};
+
+ systemd.services.drone-runner-exec = {
+ description = "Drone Exec Runner";
+ startLimitIntervalSec = 5;
+ serviceConfig = {
+ EnvironmentFile = [ config.sops.secrets.drone.path ];
+ Environment = [
+ "DRONE_SERVER_HOST=${cfg.nginx.subdomain}.julienmalka.me"
+ "DRONE_SERVER_PROTO=https"
+ "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
+ ];
+
+ ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec service run";
+ };
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.git pkgs.docker pkgs.docker-compose ];
+ };
+
+ }
+
+ (mkIf cfg.nginx.enable {
+ luj.nginx.enable = true;
+ services.nginx.virtualHosts."${cfg.nginx.subdomain}.julienmalka.me" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+ };
+
+ })]);
+
+
+}
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index aca6e23..52e1e87 100644
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -10,6 +10,7 @@ with lib;
 config = mkIf cfg.enable {
+ nixpkgs.config.allowUnfree = true;
 nix = {
 autoOptimiseStore = true;
 allowedUsers = [ "julien" "hydra" ];
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index a4281e8..6ff687d 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
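Review bot: The commented-out `environment.etc.drone-runner-exec` block in modules/drone/default.nix carries a literal `DRONE_RPC_SECRET=…` value and `root`/`root` UI credentials; being in a comment does not keep it out of the repository or its history. Delete the block, and if that string was ever the live RPC secret, rotate it and keep the replacement only in the sops-managed `drone` entry that both services already read through `EnvironmentFile`. Separately, `systemd.services.drone-runner-exec` sets no `User`/`Group`, so the exec runner, which executes pipeline steps directly on the host, runs them as root. Give it a dedicated system account the way `drone-server` has one, e.g. `User = "drone-runner";` (name constructed here) with matching `users.users`/`users.groups` entries.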
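Review bot: In modules/nix/default.nix, `nixpkgs.config.allowUnfree = true;` lifts the licence gate for every package on every host that enables this module, which is far wider than this commit appears to need (presumably `pkgs.drone`, which nixpkgs marks as unfree; confirm). An allow-list keeps the exception narrow and auditable: `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "drone" ];`, ideally set inside the drone module so it only applies when `luj.drone.enable` is on. The `config = mkIf cfg.enable {` block continues outside the hunk.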
@@ -3,6 +3,7 @@ user-root-password: ENC[AES256_GCM,data:RPdunJvhHm7jKVCjtUEjrWvICCMUy/iMNgu/ApE+ ens-mail-passwd: ENC[AES256_GCM,data:NLJ2D09xUNXVdA==,iv:rql17Ox9QIVtfkZWUS7+M3rgEOOd02hn390zNdSBAj0=,tag:SbajW6RjNWIJsiikFMliww==,type:str] sendinblue-mail-passwd: ENC[AES256_GCM,data:XpB255skeWKwwK2AqMwqEw==,iv:cuS58ISY9J1qMkAAjxWdHpEYHPFBBmCS8hwNX4BBV4w=,tag:dhJSN6ozThH4wKsw8M8Mug==,type:str] git-gpg-private-key: ENC[AES256_GCM,data:5F2sfu9zRKRyqL3eQa2XAqmBPuOwRSPT/LZVfyaLWvOcWYE1dkcB/mxerU/PF9LTh9q7jZVLAsr8k/NceCKg5sKbeBItxiQ6W40vf7GOOxySVczwmEqcSviffyyPBYbXkcBn//1nD6cyoCk23TOKKey8kWzB7O7fKyg4Bt8a1siCXp1HLdfPHLu7Ppk8qMlWE67c1HN9b3oLAXPA4dXG3Yl3vcflTZtjZkhstLf1sesgLPwPNVPaVVHW7WzlIbN8/jtTOiXJagdCbFF/XU9awJLsmy82fN6ip6e83EhE9Ej+B2Wvqb30nRtj85fFMIlkgbRrdJyQRe8p2CajRvcztn9GrEI3LFTLvE+yGxKcCJ/96IJOInqWhJf5f1Kc8qimxBHdloPQKI+iMgfcmnLIIfL6azs7SKNkRGzs9YInl5xOxsH3w/r9qz58l1dk1o+kZsSIDrU9XAx9x6u8RyNTAjue8aJ2Knqg8NrmoRat0IKIFiaymGvxnxEm9JNM4M8JAgYbsuT8Vx9oF9N/D8emd3Ue0FAlObIs4Aw2P8wcSVwbq2dWcFW+LTJ2+Iye9XE2E3+AZg9IiVU1Ik5gs3jxK+HKnZdv2HcnUd1pxTzrIhsyxnWZHBbZqM2gtg9kUaSBUhNZh59DoNtuP3g2PO+krsnnNT/wt2r7oP1SZm63ldkKk6mI+IDyiqo72UuI8ipgWicFvpJnhk06pbt+Z5hb1w4u/e4AkJ/Htv+RGRsZFJbtfH66nFkvagW981BKQ8IsHIUMXqP7qpufUT3ERmcYEoKp9hx3zUPpY6PasqKSlJecRJi4hhUty9C9BqrUP7v4+3n5Cf747HiL58nFUQ1YlRo8McAfRCrBtLwtsGys1EJzM8VKHXj7bQjtOj/apkEkW45Krp8MP+lOctx51t/J+uidF0xTq5DOeBIpl/et6+j8knyBA/qTkgvG12uxhD1L3Ya9MhAjRiycmbe0N0995lLkFsg4Dp02RGEcDujKg92vc4TINJHUey/91GSBlNN6yGa/ZHFvnGr0/pY3Ecc96QkYosGuy7pH4qVHwYJot4+nlctSwuMbbS1ptiawH2/O9qy8SHeH3RiTfUj7qZko2dRzW2E565ykCaOBu9f2iXMwjEGwg0b4v2xzN+BufvCWbvhI6U7bXEjO0PWG+a7ay7+x5Cb1OWC4xRUeWsyzAbtSsGLrpoaiEAR90eWiP8nlVNSJBErDIyK62N5zpb+iCcPAZi05DS2qFRL70VMstK8/Nkwe8QnZIkCrNURAX9sp03/u3EviB9RfdG118ib8ExgODNo9pkgQhYSTiq2wX8e2nmXCGDsyCtYIc3LMpSHtL2YVElBUM8aqncBuoO/XZ/EbrqDpzmXfvd/nXhGmoWY+nI48j1Ek5hvs6jXermA3A8qciUfgvwTha8LaBYggJrjnSsqS9dgTEMrQUUhsf/iT3rSp54AoIxKdyXvGwxZVLGDr8pEExLBC5kkv6o75VJ3MCX3QHnAoLpMXlRpghwYGHstRDKkOeaWmdvaj6a+KuJfbPRi5wz4DgygVYB4133uqC54RL
sR8SOF6Y1AN6JCwj21SmHXOGmfKQKkl2P7vs95qWYo63Nykr7bUkh4+Vh/wt4ZwJR5MJXpALn1C70iZCV1bmEYWi4ktW3UHkMX/jUArHiC9QE0r5ND7XwcNbCjKIvyR8IjtbKlQRK5zMI/9hu74rn9cklMaKxEdvVOUVxZZn3d97FWgDjyjqdPbfEbn9eqyl3BdzUERAhHLqUTQ25dn4K+x4CvPMSgRZX1aLY4ZAns2ebXExC55Qf6rx+eqPn57Wq3ZFjSgG26VeB3KSDCP5amwnWyXb+jOOoC02VfrXx9gPcEaBZg6N0X4+sqi9acvtNe8KNBaH1Lcs7Ckdcfkm1HEbAHZ+kP++x7+sR4OBQkvUMXONrxMz9aGHMAMLf1vki2EW5uvOO/AHXraLrji6htcNPF47ZRDBh2IMzMn3DzVREFCjhm0c6mFV8976MpmfpAZfG89Bu2dDGS6N6q/oFRmdfbUKbq8CLvii+YtMljsGJRJo8i8RbuF70HvuH9okXZvIEXsM8U5LN4cM4H03MXuz6V3FFTvB31pgDQHfURpgUakqL6mv8UpxatFCcStIFc0SWENHriIXDRCpk47mxw31roCIlrqKmnI22wVEtmVWw+pXk2sPudY3PRgwvP//1vP0GtxJJLuPFDXEfpuMCdMmyI8egn3kGuaUzh4AiXLPB+CnXWmN0kRBBJiOJ3h74g0TwHCqaWrKthTyxFTi4wC7TVgBXPwkavxctWtAFfHsJYQb6MK0Bj38v4bMR5SPC3uTZSNgOs2Nbh6c6rnnGCOuSwgmM3KFBBTnRn7a6LuhcisFODijDE6n1dsCpAZ4onkMwVHJuP6iExdygZ9lhmnc+pPFvmhf/XqlyuRSsDEzbZa2m3g3ZU757Wbwch64ITNS9JcHoBT+/1g50SBra/xhS3nic1psTAy5tSuRCcFcyc/zp7hAB9Y+rLHYwu2kFqDvkefCibPZTNUNXRm0UBCNHT+5bLvh3x5q2FCljYy75++w6hHammoIydFYfY+MR7HPDUJU+rFAcNLARf8ixxzkcG+uzpmSTvkGIx80Ydehjmgim9HtWi1i0T5U8ouJAQJ/PhBOZGNDdbGSwvt7Zqvqtf6pj2KSPaIQ/SsQ5l+mdSiM5y+F0fUNHRA1ck9VGI9mvP924z8Fv/GCjSVBv9HTs7tQX9LtELTxrnbqd+pvMQ4Hg5Cwzg9yhwMI1NCY9N/xu7hR5CWXIGHGTaoSRWUgFbOOAS3a6o0S7ZKJuRBikTjIIvHon4CucmGz5G3aJBkaBIme1bmQ85e6PpXRztKnxYbGR16kR/OTqs0cpIoFUabRdpgajlEjbJUL3wJpKnm7iGjd3s4jBbzMe8DQ05UnT+IKwOm4pIKOGbSAUIS1N8OBPxiQU9eyDKzKdc6yHrEg322sbsQ3zq0Yv2P9PoJRD3IX6TseRYGcwL/S6sWn4oS76wrli+DmpmOHi7DUFX+B67U3VMlZy8UmE+TYJyEsZINvDJqvxqr7DB1Hm/DjRVdA5Djwgkd0gTTDrMPmsSWcJk3Ft51s/sGw+GJq7gYIBBtb3updzEazdNqsHvwmWo0E3hpMRrXhHfO+ErOoCCLKLY1koIlglawqBBnySS7J7qBlV+KpEIw4aNVPdmavPTDUmuI2WhsNS8U5S/+A1aMkHaC7G5sQGiuHVKBlyFj6nvEsiaK/6+rBcTD7NFWWK8PvNgCukEUUGnNswERqBVAOsthegtLqlY6Y86DfmS2PjiuZMdRbaqKAfL+LMt+7sK/x4hJXUXtDuxKl0G4U2bOr/eEAEe6pJLHdrFEE6RjbYdHli05SJzfm8D/o2Vep+JuhxSTv4VRUVOa/6h3ow+S6OXQAIwNUSlzQCJj2r0T/4kfRssNaxugIYy/90kHs+zoQDG921+T1QABpRBtxKTDDmk3idoo1pc1CuSmoCa5pAIkUSni3i5jfOb/hdZwBXcokLqlUYtEoV8P8RrK5cfAIV01UobR81538
RhMecdjcvzAHT8Ewnj2Mah6HlybbWcDyQi6J4akQ4ucMpBIbXZic67d/iO72tpBQZ2lJq9tUae2Yaoj5GN5aWk4yFfe2ZaVa4kYDY7rbiSgnlm/s1A7U0d9bXp2XK9G/8bg5FoZislsTkPJpnrtcybVKM+678B0gKCfP/kHwVp2q0w5EGP3IbuQKsaYuJwuA9kuZyWb42ggpTlQhitaRMHvPs+3MydnD870t1nY6et3bp8rso/OJhBPIM9Bpjf884CkoKe+jDM4qGhi+fRBiR7xYZwhcAEnld190LBYCadXX9QQcXEQa9VQjXxfKYyaWF6llwSbG5FAiHjPUQ76jKX0JUkgYJnEQ00RBF1PxkfewpxyWU1RgYHnHeMFSIfNnmq6dw5vesKY3cpRmOdM2eCJ4Hxs2oLnr+egTZKpK7BbRsHJCkh0aefjKx12/SfbZ7SLTfBjY8qcBMW+a2BIaugDV+lcVHJ2lNtQ0kLKxVRCapLmXLv9KvoDrTs5kuSNsgzdM2QUVCJNGIdlg6qQg3FGbEUDWSPjspQGlDj5+RNDBK+3t789FeyTOocI/7IyNsoY6rx6sMS4u0B2+3SFRYEfnmULWVjw3eWsgYDRT4apt7ncMwTbpjxTzhdET0gxoH914AWRDLky2BXL2NWOX70nPB1Xe2NmH6UUwv7iI6Ovx9UIM/3ngEqDpH8GnjptfYkMo2OFbA4yn1DxnP0sT+nFtNeRqK/d246bA6UQJuYcvxKUx7cKDFmpWGC5SCFs1g977nBlUAuFS+RGvmAPTNgxBO+Vpu/UApOQMEOAqv174PlPkEQqt1paVR3KKnaocOh4hnmb8T/GvJ1MAMTngOfgqHU9l0SGE2y05/KyPWbD23wzC4IGks6DR6rICVRsaRpyrWogX5qi003ac0yG/PaDeL3zzmuR8/0WCcDPNAGc59p+nPeb0KSqcZ0iyS9FIk+hJ5upPhO2siQ=,iv:6fgJYa40Lc1SAOG7Uik4GY67yPcup5B3KBGSoud7lEc=,tag:ExvyrzrUuGLM7x6Di1/jAw==,type:str] +drone: ENC[AES256_GCM,data:3xuu0Lo8hmzobCxcLNXbi9t6o8oc3huKzaORPeTQGv4q4DUei4XxoTYmTvav7gc5uZbMQJbGr63tFn8sxUMwHMKYlh0jsMbgZudb5L9nIPYUlGCXZPkMEo/MTKG9N5lrUNpg18PoJTv0BjBa9P/AizJi++YJBJ5Ae3iL6OeV7kfpDkiO1z1DtgwpEh0svlz7wKsxzalrQlHPxGrp1FbFNE2x1vIW236ZRZsPly/rrCXHk4OJ0w+oFXs/e68/r0Fdrxrn,iv:0RGnjEoAe6DbSr5JU1cyOxnM7poR8HJeyJQQ98oA9Bk=,tag:rvAHCevD/i0/xRDbFkiUaA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -36,8 +37,8 @@ sops: YlZjaTNZL29VcHlReGxWRENobHcyUDgK1518yGevHiTP1WiaIvqeqYBi8Y9ZhoJZ okemTbpj3Svv/TVIjKp3iO/KHHPYrCZPOQAmvxf/PP14ahOmEv255g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2021-12-22T23:36:22Z" - mac: ENC[AES256_GCM,data:UxTkr0AI60BOv0NQAjUbO0PerpQCT1S0V5DOP8JprfucY0aJgekFCcKLuCN6gjNsEFW7Y2Ze1C9dz6YN91XpMGr7twjHLijAVZy3xjWfuoAuuQ76lpSase5IhVwCoAYDYdXJ6iG+8Xko6U9OEch+T4bK2oMj67Jj6zPjkFDgnIo=,iv:noV6Cbaz5vO6EesXanw/dSkPPLPN70OhiNaTM43l3FE=,tag:FTeUasBHnXDxDG3iw/4l0A==,type:str] + lastmodified: "2021-12-25T11:28:53Z" + mac: ENC[AES256_GCM,data:xkWioBftczFuIAUhLg+hxhHW2/GTaGs9jbJi8uorjFkQlFdRf8UtKUOqWjv1pS88SuVaRh4Lrb2GYIqRE/EjVVxxBBKTBOCFUu5gbUV9tjqbAq4wZSsZRJvWKvzNdwEmJvbLA0GynyDsZEIN+QdyxVGl+ElDHlqlwJChNDjzMLo=,iv:TuqPv+FGw9Hqc2mxxsTIh0qlX3rSn0QbGj9G97GZwsw=,tag:y6ybgxAHP4qmUsF3piXhow==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.7.1