drone.io

deploy-drone.yml

@@ -0,0 +1,4 @@
+- name: drone setup
+  hosts: drone
+  roles:
+    - drone

group_vars/drone.yml

@@ -0,0 +1,4 @@
+---
+drone_gitea_client_id: "{{ lookup('env', 'DRONE_GITEA_CLIENT_ID') }}"
+drone_gitea_client_secret: "{{ lookup('env', 'DRONE_GITEA_CLIENT_SECRET') }}"
+drone_rpc_secret: "{{ lookup('env', 'DRONE_RPC_SECRET') }}"

inventory

@@ -3,6 +3,7 @@ nijika  ansible_user=root ansible_connection=ssh
 ryo  ansible_user=root ansible_connection=ssh
 levi  ansible_user=root ansible_connection=ssh
 mail.simponic.xyz ansible_user=root ansible_connection=ssh
+mcbeta.simponic.xyz ansible_user=root ansible_connection=ssh
 
 [private]
 johan  ansible_user=root ansible_connection=ssh
@@ -60,3 +61,6 @@ levi  ansible_user=root ansible_connection=ssh
 
 [owncloud]
 europa  ansible_user=root ansible_connection=ssh
+
+[drone]
+europa  ansible_user=root ansible_connection=ssh

roles/drone/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: ensure drone docker/compose exist
+  file:
+    path: /etc/docker/compose/drone
+    state: directory
+    owner: root
+    group: root
+    mode: 0700
+
+- name: build drone docker-compose.yml.j2
+  template:
+    src: ../templates/docker-compose.yml.j2
+    dest: /etc/docker/compose/drone/docker-compose.yml
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+
+- name: daemon-reload and enable drone
+  ansible.builtin.systemd_service:
+    state: restarted
+    enabled: true
+    name: docker-compose@drone

roles/drone/templates/docker-compose.yml.j2

@@ -0,0 +1,29 @@
+version: '3'
+
+services:
+  drone:
+    container_name: drone
+    image: drone/drone:latest
+    volumes:
+      - ./drone:/data
+    ports:
+      - "127.0.0.1:2201:80"
+    environment:
+      - DRONE_GITEA_SERVER=https://git.simponic.xyz
+      - DRONE_GITEA_CLIENT_ID={{ drone_gitea_client_id }}
+      - DRONE_GITEA_CLIENT_SECRET={{ drone_gitea_client_secret }}
+      - DRONE_GIT_ALWAYS_AUTH=true
+      - DRONE_SERVER_PROTO=https
+      - DRONE_SERVER_HOST=drone.internal.simponic.xyz
+      - DRONE_RPC_SECRET={{ drone_rpc_secret }}
+  drone-runner:
+    container_name: drone_runner
+    image: drone/drone-runner-docker:latest
+    userns_mode: 'host' # Needed to get access to docker socket
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - DRONE_RPC_SECRET={{ drone_rpc_secret }}
+      - DRONE_RPC_HOST=drone:80
+      - DRONE_RPC_PROTO=http
+      - DRONE_RUNNER_CAPACITY=4 

roles/gitea/templates/docker-compose.yml.j2

@@ -18,3 +18,5 @@ services:
     ports:
       - "127.0.0.1:9966:3000"
       - "{{ nijika_ip }}:222:22"
+    dns:
+      - {{ johan_ip }}

roles/nameservers/templates/db.simponic.xyz.j2

@@ -17,6 +17,7 @@ simponic.xyz.    IN      NS      {{ dns_replica_hostname }}.simponic.xyz.
 
 johan.simponic.xyz. 1 IN  A 23.95.20.192
 osaka.simponic.xyz. 1 IN  A 129.123.76.14
+mcbeta.simponic.xyz.    1   IN  A   23.95.20.45
 
 mail.simponic.xyz.	1	IN	A	192.3.248.205
 
@@ -45,3 +46,4 @@ mail._domainkey.simponic.xyz. 1 IN      TXT    ( "v=DKIM1; h=sha256; k=rsa; "
           "lKZ3nglGzPfdJEpfLyXBP4l5UlxqWYUIrCzqHY9bNmyPepb1CJT97AD5jGGngCrnMCmllAdyOKa1ds5uoPjjGaLO8bOoBWXQuacn++hDsdyQ78Y673T2935CN/uGgrLBs9UiA0BQIDAQAB" )  ; ----- DKIM key mail for simponic.xyz 
 _dmarc.simponic.xyz.  1 IN TXT "v=DMARC1; p=quarantine; sp=quarantine; fo=0; adkim=r; aspf=r; pct=100; rf=afrf; ri=86400; rua=mailto:dmarc.report@simponic.xyz; ruf=mailto:dmarc.report@simponic.xyz"
 simponic.xyz.	1	IN	TXT	"v=spf1 mx ip4:192.3.248.205 ~all"
+simponic.xyz.   1   IN  TXT "google-site-verification=iP51S608sxhIkualEX6iODQBGVV8YVe8PY_tij4fdIM"

roles/private/files/europa/http.drone.internal.simponic.xyz.conf

@@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name drone.internal.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://drone.internal.simponic.xyz$request_uri? permanent;
+  }
+}

roles/private/files/europa/https.drone.internal.simponic.xyz.conf

@@ -0,0 +1,32 @@
+server {
+  listen 443 ssl;
+  server_name drone.internal.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/drone.internal.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/drone.internal.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/drone.internal.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  location / {
+    proxy_pass http://127.0.0.1:2201;
+    proxy_http_version 1.1;
+    proxy_set_header Upgrade $http_upgrade;
+    proxy_set_header Connection "upgrade";
+    proxy_set_header Host $server_name;
+    proxy_buffering off;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
+    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+  }
+}

roles/webservers/files/nijika/https.git.simponic.xyz.conf

@@ -17,9 +17,11 @@ server {
   ssl_dhparam /etc/nginx/dhparams.pem;
   ssl_prefer_server_ciphers on;
 
+  
   location / {
     proxy_pass http://127.0.0.1:9966;
 
+    client_max_body_size 500M;
     client_body_buffer_size 128k;
 
     proxy_set_header Host $host;