Update doc

Quentin 2022-07-28 17:34:49 +02:00
parent 64172fc999
commit ef265b87de
Signed by: quentin
GPG key ID: E9602264D639FF68
3 changed files with 47 additions and 10 deletions


@ -26,17 +26,18 @@ curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compo
chmod +x /usr/local/bin/docker-compose chmod +x /usr/local/bin/docker-compose
``` ```
## Prepare the runner ## Install the runner
*The folder does not need to be prepared anymore* *This is our Nix runner version 2, previously we had another way to start Nix runners. This one has a proper way to handle concurrency, require less boilerplate, and should be safer and more idiomatic.*
## Launch the runner
Because we use a shared nix folder, we set the number of concurrent builds to 1.
For more details and customizations, see `docker-compose.yml`.
```bash ```bash
DRONE_NAME=lheureduthe DRONE_OWNER=quentin DRONE_SECRET=xxx docker-compose up -d wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/nix.conf
wget https://git.deuxfleurs.fr/Deuxfleurs/infrastructure/raw/branch/main/app/drone-ci/integration/docker-compose.yml
# Edit the docker-compose.yml to adapt its variables to your needs,
# especially the capacitiy value and its name.
COMPOSE_PROJECT_NAME=drone DRONE_SECRET=xxx docker-compose up -d
``` ```
That's all folks. That's all folks.
@ -59,6 +60,8 @@ It will give you the following result:
## Random note ## Random note
*This part might be deprecated!*
This setup is done mainly to allow nix builds with some cache. This setup is done mainly to allow nix builds with some cache.
To use the cache in Drone, you must set your repository as trusted. To use the cache in Drone, you must set your repository as trusted.
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing): The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):


@ -1,5 +1,14 @@
version: '3.4' version: '3.4'
services: services:
nix-daemon:
image: nixpkgs/nix:nixos-22.05
restart: always
command: nix-daemon
privileged: true
volumes:
- "nix:/nix"
- "./nix.conf:/etc/nix/nix.conf:ro"
drone-runner: drone-runner:
image: drone/drone-runner-docker:latest image: drone/drone-runner-docker:latest
restart: always restart: always
@ -7,18 +16,32 @@ services:
- DRONE_RPC_PROTO=https - DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr - DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET} - DRONE_RPC_SECRET=${DRONE_SECRET}
- DRONE_RUNNER_CAPACITY=1 - DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true - DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true - DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true - DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true - DRONE_RPC_DUMP_HTTP_BODY=true
- DRONE_RUNNER_NAME=${DRONE_NAME} - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
- DRONE_RUNNER_LABELS=nix-daemon:1
# we should put "nix:/nix:ro but it is not supported by
# drone-runner-docker because the dependency envconfig does
# not support having two colons (:) in the same stanza.
# Without the RO flag (or using docker userns), build isolation
# is broken.
# https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
# https://github.com/kelseyhightower/envconfig/pull/153
#
# A workaround for isolation is to configure docker with a userns,
# so even if the folder is writable to root, it is not to any non
# privileged docker daemon ran by drone!
- DRONE_RUNNER_VOLUMES=drone_nix:/nix
- DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports: ports:
- "3000:3000/tcp" - "3000:3000/tcp"
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock" - "/var/run/docker.sock:/var/run/docker.sock"
drone-gc: drone-gc:
image: drone/gc:latest image: drone/gc:latest
restart: always restart: always
environment: environment:
@ -27,3 +50,5 @@ services:
- GC_INTERVAL=10m - GC_INTERVAL=10m
volumes: volumes:
- "/var/run/docker.sock:/var/run/docker.sock" - "/var/run/docker.sock:/var/run/docker.sock"
volumes:
nix:
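Review bot: `privileged: true` on the new `nix-daemon` service has no comment explaining why it is needed, and it is the most sensitive line added to this file. Pipeline steps receive `DRONE_RUNNER_VOLUMES=drone_nix:/nix` and `NIX_REMOTE:daemon`, so every build talks to this privileged container, presumably through the daemon socket inside the shared volume; a flaw in the daemon would then mean host-level rather than container-level access. I would add a comment such as `# privileged: required for the Nix build sandbox (sandbox = true in nix.conf)` once that is confirmed, narrow it to specific capabilities if that turns out to be possible, and pin `nixpkgs/nix:nixos-22.05` by digest because the tag is mutable. Separately, `drone_nix` only matches the `nix` volume declared at the bottom when `COMPOSE_PROJECT_NAME=drone` is set at launch; adding `name: drone_nix` under `volumes: nix:` would remove that dependency.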


@ -0,0 +1,9 @@
substituters = https://cache.nixos.org https://nix.web.deuxfleurs.fr
trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= nix.web.deuxfleurs.fr:eTGL6kvaQn6cDR/F9lDYUIP9nCVR/kkshYfLDJf1yKs=
max-jobs = auto
cores = 0
log-lines = 200
filter-syscalls = true
sandbox = true
keep-outputs = true
keep-derivations = true
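Review bot: The new file carries no comments, and the second entry in `trusted-public-keys` deserves one: anything signed by the `nix.web.deuxfleurs.fr` key is accepted by the daemon and lands in the store that all pipelines on this runner share. A header such as `# Mounted read-only into the nix-daemon container; applies to every pipeline on this runner` plus `# nix.web.deuxfleurs.fr: project binary cache, write access limited to <who>` would make that trust decision explicit. `keep-outputs` and `keep-derivations` also keep build-time paths alive across garbage collection, so it is worth stating how the `nix` volume is expected to be cleaned, since nothing visible in this commit does it.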