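# NixOS module for the Drone CI host.
#
# What this file wires up (everything else comes from the host's other modules):
#   - nginx as the public TLS reverse proxy in front of drone-server
#   - a local PostgreSQL instance holding the "drone" database
#   - two systemd services: drone-server and drone-runner-ssh
#   - sops-managed environment files that carry the secrets both services read
#   - a dedicated "drone" system user/group that both services run as
{ config, pkgs, ... }:

let
  # Public FQDN of this instance; it is the nginx vhost name and is also passed
  # to both Drone services so they agree on the external URL.
  hostname = "drone.hq.c3d2.de";
in
{
  c3d2.deployment.server = "server10";

  microvm.mem = 4 * 1024;

  networking.hostName = "drone";

  services = {
    nginx = {
      enable = true;
      virtualHosts.${hostname} = {
        # Plain-HTTP requests are redirected; the certificate comes from ACME.
        forceSSL = true;
        enableACME = true;
        # drone-server is expected to listen on 8080. DRONE_SERVER_PORT is not
        # set in this file, so it presumably comes from the sops environment
        # file below — confirm, otherwise the proxy target will be unreachable.
        locations."/".proxyPass = "http://localhost:8080";
      };
    };

    postgresql = {
      enable = true;
      ensureDatabases = [
        "drone"
      ];
      # The role name matches the unix user the services run as, so the
      # socket-based datasource below can authenticate without a password.
      ensureUsers = [{
        name = "drone";
        ensurePermissions = {
          # TODO: fix permissions issues fixed by running the following SQL:
          # ALTER DATABASE drone OWNER TO drone;
          # NOTE(review): newer NixOS releases offer ensureUsers.*.ensureDBOwnership
          # for exactly this — check whether the module version in use has it.
          "DATABASE drone" = "ALL PRIVILEGES";
        };
      }];
      package = pkgs.postgresql_15;
      # drone-server holds open connections; stop it while the cluster is upgraded.
      upgrade.stopServices = [ "drone-server" ];
    };
  };

  systemd.services = {
    # TODO: hardening
    # https://github.com/Mic92/dotfiles/commit/ca50aa545934f12999cb58f7cd452876c8b486de#diff-c83b36ea5739cf058ef055b65b20fa5e7fad16135b2d49c0f8968903146b985aL29-L64
    # Both units currently get only PrivateTmp + ProtectSystem=full. Candidates
    # to evaluate (not applied here, untested against these binaries):
    # ProtectHome, NoNewPrivileges, ProtectSystem="strict" with explicit
    # ReadWritePaths / StateDirectory.

    # Runner that executes pipelines over SSH on remote hosts; it only needs to
    # reach drone-server's RPC endpoint, so it is ordered after and tied to it.
    drone-runner-ssh = {
      wantedBy = [ "multi-user.target" ];
      after = [ "drone-server.service" ];
      requires = [ "drone-server.service" ];
      serviceConfig = {
        # Non-secret settings live here; the shared RPC secret is expected in
        # the sops environment file (presumably DRONE_RPC_SECRET — confirm).
        Environment = [
          # Same value as ${hostname}; kept in sync with the server's
          # DRONE_SERVER_HOST instead of being repeated by hand.
          "DRONE_RPC_HOST=${hostname}"
          "DRONE_RPC_PROTO=https"
        ];
        EnvironmentFile = config.sops.secrets."drone/runner/environmentFile".path;
        ExecStart = "${pkgs.drone-runner-ssh}/bin/drone-runner-ssh";
        User = "drone";

        PrivateTmp = true;
        ProtectSystem = "full";
        # ReadWritePaths = [ "/tmp" ];
      };
    };

    # The Drone control plane: talks to Gitea, stores state in PostgreSQL,
    # and is reached through the nginx vhost above.
    drone-server = {
      wantedBy = [ "multi-user.target" ];
      # Needs the database at startup, so order after (and require) PostgreSQL,
      # not just nginx.
      after = [ "postgresql.service" "nginx.service" ];
      requires = [ "postgresql.service" ];
      serviceConfig = {
        # Non-secret settings; the Gitea OAuth client credentials and the RPC
        # secret are expected in the sops environment file — confirm.
        Environment = [
          # Unix-socket datasource: no password, authentication is by the
          # unix user (User = "drone" below, matching the ensured role).
          "DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
          "DRONE_DATABASE_DRIVER=postgres"
          # Telemetry to Datadog is switched off.
          "DRONE_DATADOG_ENABLED=false"
          "DRONE_DATADOG_ENDPOINT=null"
          "DRONE_GITEA_SERVER=https://gitea.c3d2.de"
          "DRONE_SERVER_HOST=${hostname}"
          "DRONE_SERVER_PROTO=https"
          # Bootstraps the initial administrator account on first login.
          "DRONE_USER_CREATE=username:sandro,admin:true"
          # Only these Gitea users/orgs may sign in; everyone else is rejected.
          "DRONE_USER_FILTER=sandro,c3d2"
        ];
        EnvironmentFile = config.sops.secrets."drone/server/environmentFile".path;
        ExecStart = "${pkgs.drone}/bin/drone-server";
        User = "drone";

        PrivateTmp = true;
        ProtectSystem = "full";
      };
    };
  };

  sops = {
    defaultSopsFile = ./secrets.yaml;
    # Both files are owned by the service user so the units above can read
    # them; keep them out of the Nix store and this repository.
    secrets = {
      "drone/runner/environmentFile".owner = "drone";
      "drone/server/environmentFile".owner = "drone";
    };
  };

  system.stateVersion = "22.11";

  # Dedicated unprivileged identity shared by both services and the DB role.
  users = {
    groups.drone = { };
    users."drone" = {
      group = "drone";
      isSystemUser = true;
    };
  };

  # only using ssh right now
  # virtualisation.docker = {
  #   enable = true;
  #   autoPrune = {
  #     enable = true;
  #     flags = [
  #       "--all"
  #       "--force"
  #       "--volumes"
  #     ];
  #   };
  # };
}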