From ea1ddda327e2ad894745e837e6bb0134eb528907 Mon Sep 17 00:00:00 2001
From: Julien Malka
Date: Sat, 25 Dec 2021 12:53:48 +0100
Subject: [PATCH] Added drone module
---
 machines/newton/default.nix | 9 +++-
 modules/drone/default.nix | 100 ++++++++++++++++++++++++++++++++++++
 modules/nix/default.nix | 1 +
 3 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 modules/drone/default.nix
diff --git a/machines/newton/default.nix b/machines/newton/default.nix
index 9d7de91..4aec8c7 100644
--- a/machines/newton/default.nix
+++ b/machines/newton/default.nix
@@ -13,6 +13,11 @@ in
 luj = {
 filerun.enable = true;
+ drone.enable = true;
+ drone.nginx = { enable = true;
+ subdomain = "ci";
+ };
 zfs-mails.enable = true;
 hydra = {
 enable = true;
@@ -30,8 +35,8 @@ in
 networking.interfaces.enp2s0f0.useDHCP = true;
 networking.interfaces.enp2s0f1.useDHCP = true;
 networking.firewall.enable = true;
- networking.firewall.allowedTCPPorts = [ 22 80 443 ];
- networking.firewall.allowedUDPPorts = [ 22 80 443 ];
+ networking.firewall.allowedTCPPorts = [ 22 80 8080 443 ];
+ networking.firewall.allowedUDPPorts = [ 22 80 8080 443 ];
 networking.firewall.allowedUDPPortRanges = [{ from = 60000; to = 61000; }];
diff --git a/modules/drone/default.nix b/modules/drone/default.nix
new file mode 100644
index 0000000..8179050
--- /dev/null
+++ b/modules/drone/default.nix
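Review bot: Port 8080 is added to both `allowedTCPPorts` and `allowedUDPPorts` in the second hunk, but nothing in this commit listens on it: the drone server binds `DRONE_SERVER_PORT=:3030`, is reached only through nginx on 443, and the runner talks to `127.0.0.1:3030`. An allow-list entry with no service behind it means whatever binds 8080 later is exposed without review, and drone's own 3030 needs no firewall entry at all because the proxy is local. Drop it from both lines — `networking.firewall.allowedTCPPorts = [ 22 80 443 ];` — or name the service that is meant to listen there. Nothing visible in this configuration speaks UDP on 8080 either, so the UDP line in particular should stay as it was.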
@@ -0,0 +1,100 @@
+{ lib, pkgs, config, ... }:
+with lib;
+let
+ cfg = config.luj.drone;
+ droneserver = config.users.users.droneserver.name;
+ port = 3030;
+in
+{
+
+ options.luj.drone = {
+ enable = mkEnableOption "activate drone CI";
+ nginx.enable = mkEnableOption "activate nginx";
+ nginx.subdomain = mkOption {
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable (
+ mkMerge [{
+
+ sops.secrets.drone = { };
+
+ systemd.services.drone-server = {
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ EnvironmentFile = [ config.sops.secrets.drone.path ];
+ Environment = [
+ "DRONE_SERVER_HOST=${cfg.nginx.subdomain}.julienmalka.me"
+ "DRONE_SERVER_PROTO=https"
+ "DRONE_DATABASE_DATASOURCE=postgres:///droneserver?host=/run/postgresql"
+ "DRONE_DATABASE_DRIVER=postgres"
+ "DRONE_SERVER_PORT=:3030"
+ "DRONE_USER_CREATE=username:Julien,admin:true"
+ ];
+ ExecStart = "${pkgs.drone}/bin/drone-server";
+ User = droneserver;
+ Group = droneserver;
+ };
+ };
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ droneserver ];
+ ensureUsers = [{
+ name = droneserver;
+ ensurePermissions = {
+ "DATABASE ${droneserver}" = "ALL PRIVILEGES";
+ };
+ }];
+ };
+ users.users.droneserver = {
+ isSystemUser = true;
+ createHome = true;
+ group = droneserver;
+ };
+ users.groups.droneserver = { };
+
+ #environment.etc.drone-runner-exec = {
+ # target = "drone-runner-exec/config";
+ # text = ''
+ # DRONE_RPC_PROTO=https
+ # DRONE_RPC_HOST=${cfg.nginx.subdomain}.julienmalka.me
+ # DRONE_RPC_SECRET=JIJ1pfTgJldCMAgKtGLOnbQE5e8oUPSo2DqlWayVLQFVXDe3898DYvixRiprddY1M
+ # DRONE_UI_USERNAME=root
+ # DRONE_UI_PASSWORD=root
+ # '';
+ #};
+
+ systemd.services.drone-runner-exec = {
+ description = "Drone Exec Runner";
+ startLimitIntervalSec = 5;
+ serviceConfig = {
+ EnvironmentFile = [ config.sops.secrets.drone.path ];
+ Environment = [
+ "DRONE_SERVER_HOST=${cfg.nginx.subdomain}.julienmalka.me"
+ "DRONE_SERVER_PROTO=https"
+ "CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
+ ];
+
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec service run";
+ };
+ wantedBy = [ "multi-user.target" ];
+ path = [ pkgs.git pkgs.docker pkgs.docker-compose ];
+ };
+
+ }
+
+ (mkIf cfg.nginx.enable {
+ luj.nginx.enable = true;
+ services.nginx.virtualHosts."${cfg.nginx.subdomain}.julienmalka.me" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ };
+
+ })]);
+
+
+}
diff --git a/modules/nix/default.nix b/modules/nix/default.nix
index aca6e23..52e1e87
--- a/modules/nix/default.nix
+++ b/modules/nix/default.nix
@@ -10,6 +10,7 @@ with lib;
 config = mkIf cfg.enable {
+ nixpkgs.config.allowUnfree = true;
 nix = {
 autoOptimiseStore = true;
 allowedUsers = [ "julien" "hydra" ];
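Review bot: The commented-out `environment.etc.drone-runner-exec` block between `users.groups.droneserver` and `systemd.services.drone-runner-exec` embeds a literal `DRONE_RPC_SECRET=JIJ1pfTg…` together with `DRONE_UI_USERNAME=root`/`DRONE_UI_PASSWORD=root`; commenting it out does not unpublish it, so that RPC secret has to be rotated in the sops-managed file (`sops.secrets.drone` is already its intended home) and the block deleted outright rather than kept as a reference. Separately, `systemd.services.drone-runner-exec` sets no `User=`, so systemd runs it as root, and the exec runner executes pipeline steps directly on the host with `pkgs.docker` on its `path` — any repository that can trigger a build on this server effectively gets root on newton (root-equivalent anyway if the docker daemon is reachable). At minimum give it `User = "drone-runner"; Group = "drone-runner";` with a matching `users.users` entry and `NoNewPrivileges = true;`, and keep the set of repositories the server admits to trusted ones. The runner is also handed `DRONE_SERVER_HOST`/`DRONE_SERVER_PROTO`, which are server-side variables, plus a `CLIENT_DRONE_RPC_HOST` whose meaning I cannot confirm from here; presumably the sops file supplies `DRONE_RPC_HOST`, `DRONE_RPC_PROTO` and `DRONE_RPC_SECRET`, which is worth verifying before relying on it. Finally `"DRONE_SERVER_PORT=:3030"` duplicates the `port` binding that the nginx `proxyPass` uses and should read `"DRONE_SERVER_PORT=:${toString port}"`.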