# Docker Compose stack for a Drone CI Docker runner whose pipelines build with
# Nix through a shared nix-daemon container. Three services: the Nix daemon,
# the Drone runner that executes pipelines, and a garbage collector for the
# host's Docker cache.
version: '3.4'

services:
  # Nix daemon that pipeline containers talk to over NIX_REMOTE=daemon (see
  # DRONE_RUNNER_ENVIRON below). The store lives in the shared `nix` volume.
  nix-daemon:
    image: nixpkgs/nix:nixos-22.05
    restart: always
    command: nix-daemon
    # Full host capabilities for this container. NOTE(review): presumably
    # needed for nix-daemon's build sandbox — confirm, since a privileged
    # container is effectively root on the host.
    privileged: true
    volumes:
      - "nix:/nix"
      # Daemon configuration, mounted read-only from the repository checkout.
      - "./nix.conf:/etc/nix/nix.conf:ro"

  # Drone Docker runner: receives pipelines from the Drone server over RPC and
  # runs each step as a container through the host's Docker socket.
  drone-runner:
    image: drone/drone-runner-docker:1.8.2
    restart: always
    environment:
      - DRONE_RPC_PROTO=https
      - DRONE_RPC_HOST=drone.deuxfleurs.fr
      # Shared secret with the Drone server; resolved by Compose from the host
      # environment or .env at `up` time, so it never lives in this file.
      - DRONE_RPC_SECRET=${DRONE_SECRET}
      - DRONE_RUNNER_CAPACITY=3
      # Debug/trace output plus full dumps of RPC requests and bodies into the
      # runner logs. NOTE(review): the RPC channel is where the runner obtains
      # pipeline definitions (and likely secrets) from the server, so treat
      # these logs as sensitive while the dump flags are on, and consider
      # turning them off outside of debugging sessions.
      - DRONE_DEBUG=true
      - DRONE_LOGS_TRACE=true
      - DRONE_RPC_DUMP_HTTP=true
      - DRONE_RPC_DUMP_HTTP_BODY=true
      # Name this runner reports to the server; the value here reads as a
      # placeholder to be replaced per host.
      - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
      # Only pipelines carrying this label are dispatched to this runner.
      - DRONE_RUNNER_LABELS=nix-daemon:1
      # we should put "nix:/nix:ro" but it is not supported by
      # drone-runner-docker because the dependency envconfig does
      # not support having two colons (:) in the same stanza.
      # Without the RO flag (or using docker userns), build isolation
      # is broken.
      # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
      # https://github.com/kelseyhightower/envconfig/pull/153
      #
      # A workaround for isolation is to configure docker with a userns,
      # so even if the folder is writable to root, it is not to any non
      # privileged docker daemon ran by drone!
      #
      # `drone_nix` is the Docker name of the `nix` volume declared at the
      # bottom of this file when the Compose project is called `drone`
      # (presumably — verify against the project/directory name).
      - DRONE_RUNNER_VOLUMES=drone_nix:/nix
      # Injected into every pipeline step so nix uses the shared daemon.
      - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
    ports:
      # Runner HTTP endpoint (dashboard/health, presumably), exposed on the host.
      - "3000:3000/tcp"
    volumes:
      # Host Docker socket: the runner launches pipeline containers through
      # it, which also makes this container equivalent to root on the host's
      # Docker daemon. The userns note above is the mitigation in place.
      - "/var/run/docker.sock:/var/run/docker.sock"

  # Periodic garbage collection of the host's Docker images/cache.
  drone-gc:
    # NOTE(review): floating `latest` tag, unlike the two pinned images above;
    # pinning to a release tag or image digest keeps this stack reproducible.
    image: drone/gc:latest
    restart: always
    environment:
      - GC_DEBUG=true
      # Cache size to keep and how often to prune — presumably; confirm
      # against drone/gc's documentation.
      - GC_CACHE=10gb
      - GC_INTERVAL=10m
    volumes:
      # Same host Docker socket as the runner; needed to prune, same
      # host-level trust implications.
      - "/var/run/docker.sock:/var/run/docker.sock"

volumes:
  # Nix store shared by nix-daemon and, via DRONE_RUNNER_VOLUMES, the pipeline
  # containers. Bare value = named volume with the default driver.
  nix: