# Docker Compose stack for a Drone CI runner whose build containers share a
# single Nix store served by a nix-daemon container (via the `nix` volume and
# NIX_REMOTE=daemon, see DRONE_RUNNER_ENVIRON below), plus a Drone garbage
# collector. Values wrapped in ${...} are expanded by compose from the
# invoking environment / .env file, not stored in this file.
version: '3.4'

services:
  nix-daemon:
    # Not pinned to a digest: the same tag can resolve to a different image
    # on a later pull.
    image: nixpkgs/nix:nixos-22.05
    restart: always
    command: nix-daemon
    # Privileged container: it runs with the host's full capability set, so
    # anything that can drive this daemon is effectively on the host. Keep its
    # only clients the build containers that reach it through the shared volume.
    privileged: true
    volumes:
      # Shared Nix store, also mounted into every build container by the
      # runner (DRONE_RUNNER_VOLUMES below).
      - "nix:/nix"
      # nix.conf is mounted read-only; its contents are not part of this file.
      - "./nix.conf:/etc/nix/nix.conf:ro"

  drone-runner:
    # `latest` floats: restarts/pulls may silently upgrade the runner.
    # Pinning a tag or digest makes upgrades explicit and reviewable.
    image: drone/drone-runner-docker:latest
    restart: always
    environment:
      - DRONE_RPC_PROTO=https
      - DRONE_RPC_HOST=drone.deuxfleurs.fr
      # Shared secret with the Drone server, injected from the environment
      # (DRONE_SECRET) so it never lands in version control.
      - DRONE_RPC_SECRET=${DRONE_SECRET}
      # Max number of pipelines this runner executes concurrently.
      - DRONE_RUNNER_CAPACITY=3
      # Verbose/trace logging. The two DUMP_HTTP flags write the runner<->server
      # RPC traffic (headers and bodies) to the container logs, which is likely
      # to include the RPC token and pipeline secrets -- treat these logs as
      # sensitive and turn the dumps off once debugging is done. TODO confirm
      # what drone redacts here.
      - DRONE_DEBUG=true
      - DRONE_LOGS_TRACE=true
      - DRONE_RPC_DUMP_HTTP=true
      - DRONE_RPC_DUMP_HTTP_BODY=true
      # Looks like a placeholder; each host should get a distinct runner name
      # so runs are attributable in the Drone UI.
      - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
      # Pipelines select this runner by matching on this label.
      - DRONE_RUNNER_LABELS=nix-daemon:1
      # we should put "nix:/nix:ro but it is not supported by
      # drone-runner-docker because the dependency envconfig does
      # not support having two colons (:) in the same stanza.
      # Without the RO flag (or using docker userns), build isolation
      # is broken.
      # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
      # https://github.com/kelseyhightower/envconfig/pull/153
      #
      # A workaround for isolation is to configure docker with a userns,
      # so even if the folder is writable to root, it is not to any non
      # privileged docker daemon ran by drone!
      #
      # NOTE(review): `drone_nix` presumably is the host-side name compose
      # gives the top-level `nix` volume when the project is called `drone`
      # -- confirm the project name, otherwise builds get an unrelated volume.
      # Because the mount is read-write, every pipeline can alter the store
      # that all later builds (and the daemon) read from.
      - DRONE_RUNNER_VOLUMES=drone_nix:/nix
      # Environment injected into each pipeline step so nix talks to the
      # shared daemon instead of operating on /nix directly.
      - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
    ports:
      # Runner HTTP endpoint (dashboard/health). No host IP is given, so
      # this binds on all host interfaces unless a firewall restricts it.
      - "3000:3000/tcp"
    volumes:
      # Host Docker socket: whoever controls it controls the host's Docker
      # daemon, i.e. has root-equivalent access to the host. This is what
      # lets the runner start pipeline containers.
      - "/var/run/docker.sock:/var/run/docker.sock"

  drone-gc:
    # Unpinned `latest` tag, as for drone-runner above.
    image: drone/gc:latest
    restart: always
    environment:
      - GC_DEBUG=true
      # Presumably the image/cache size the collector keeps Docker under and
      # how often it runs -- verify against drone/gc's documentation.
      - GC_CACHE=10gb
      - GC_INTERVAL=10m
    volumes:
      # Same host Docker socket (and the same host-root equivalence) as the
      # runner; needed to remove stale images and containers.
      - "/var/run/docker.sock:/var/run/docker.sock"

volumes:
  # Named volume holding the Nix store shared by nix-daemon and the builds.
  nix: