Add Drone CI server with sqlite-on-s3 thing

This commit is contained in:
Alex 2022-08-23 12:10:25 +02:00
parent 7d7efab9ee
commit 8cd804a8c0
Signed by untrusted user: lx
GPG key ID: 0E496D15096376BE
13 changed files with 264 additions and 1 deletions

View file

@ -0,0 +1,10 @@
dbs:
- path: /ephemeral/drone.db
replicas:
- url: s3://{{ key "secrets/drone-ci/s3_db_bucket" | trimSpace }}/drone.db
region: garage
endpoint: https://garage.deuxfleurs.fr
access-key-id: {{ key "secrets/drone-ci/s3_ak" | trimSpace }}
secret-access-key: {{ key "secrets/drone-ci/s3_sk" | trimSpace }}
force-path-style: true
sync-interval: 60s

View file

@ -0,0 +1,139 @@
job "drone-ci" {
datacenters = ["neptune"]
type = "service"
group "server" {
count = 1
network {
port "web_port" {
to = 80
}
}
task "restore-db" {
lifecycle {
hook = "prestart"
sidecar = false
}
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
args = [
"restore", "-config", "/etc/litestream.yml", "/ephemeral/drone.db"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 200
cpu = 1000
}
}
task "drone_server" {
driver = "docker"
config {
image = "drone/drone:2.12.0"
ports = [ "web_port" ]
volumes = [
"../alloc/data:/ephemeral",
]
}
template {
data = <<EOH
DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
DRONE_SERVER_HOST=drone.deuxfleurs.fr
DRONE_SERVER_PROTO=https
DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
AWS_DEFAULT_REGION=garage
AWS_REGION=garage
DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_storage_bucket" }}
DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
DRONE_S3_PATH_STYLE=true
DRONE_DATABASE_DRIVER=sqlite3
DRONE_DATABASE_DATASOURCE=/ephemeral/drone.db
DRONE_USER_CREATE=username:lx-admin,admin:true
__DRONE_REGISTRATION_CLOSED=true
DRONE_LOGS_TEXT=true
DRONE_LOGS_PRETTY=true
DRONE_LOGS_DEBUG=true
DOCKER_API_VERSION=1.39
EOH
destination = "secrets/env"
env = true
}
resources {
cpu = 100
memory = 100
}
service {
name = "drone"
tags = [
"drone",
"tricot drone.deuxfleurs.fr",
]
port = "web_port"
address_mode = "host"
check {
type = "http"
protocol = "http"
port = "web_port"
path = "/"
interval = "60s"
timeout = "5s"
check_restart {
limit = 3
grace = "600s"
ignore_warnings = false
}
}
}
}
task "replicate-db" {
driver = "docker"
config {
image = "litestream/litestream:0.3.9"
entrypoint = [ "/bin/sh" ]
args = [
"-c",
"echo sleeping; sleep 60; echo launching; litestream replicate -config /etc/litestream.yml"
]
volumes = [
"../alloc/data:/ephemeral",
"secrets/litestream.yml:/etc/litestream.yml"
]
}
template {
data = file("../config/litestream.yml")
destination = "secrets/litestream.yml"
}
resources {
memory = 250
cpu = 100
}
}
}
}

View file

@ -0,0 +1,74 @@
## Install Debian
We recommend Debian Bullseye
## Install Docker CE from docker.io
Do not use the docker engine shipped by Debian
Doc:
- https://docs.docker.com/engine/install/debian/
- https://docs.docker.com/compose/install/
On a fresh install, as root:
```bash
apt-get remove -y docker docker-engine docker.io containerd runc
apt-get update
apt-get install apt-transport-https ca-certificates curl gnupg lsb-release
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo gpg --dearmor -o /usr/share/keyrings/docker-archive-keyring.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/docker-archive-keyring.gpg] https://download.docker.com/linux/debian $(lsb_release -cs) stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null
apt-get update
apt-get install -y docker-ce docker-ce-cli containerd.io
curl -L "https://github.com/docker/compose/releases/download/1.29.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
chmod +x /usr/local/bin/docker-compose
```
## Prepare the runner
Nix folder must be populated before launching any build.
```bash
docker run --rm -it -v /var/lib/drone/nix:/mnt nixpkgs/nix:nixos-21.05 cp -r /nix/{store,var} /mnt/
```
This folder will grow over time and might need to be garbage collected.
As a rule of thumb, after running a full release of Garage, this folder will require 10GB.
Consider provisioning it with at least 20GB.
## Launch the runner
Because we use a shared nix folder, we set the number of concurrent builds to 1.
For more details and customizations, see `docker-compose.yml`.
```bash
DRONE_NAME=lheureduthe DRONE_OWNER=quentin DRONE_SECRET=xxx docker-compose up -d
```
That's all folks.
## Check if a given job is built by your runner
```bash
export URL=https://drone.deuxfleurs.fr
export REPO=Deuxfleurs/garage
export BUILD=1312
curl ${URL}/api/repos/${REPO}/builds/${BUILD} \
| jq -c '[.stages[] | { name: .name, machine: .machine }]'
```
It will give you the following result:
```json
[{"name":"default","machine":"1686a"},{"name":"release-linux-x86_64","machine":"vimaire"},{"name":"release-linux-i686","machine":"carcajou"},{"name":"release-linux-aarch64","machine":"caribou"},{"name":"release-linux-armv6l","machine":"cariacou"},{"name":"refresh-release-page","machine":null}]
```
## Random note
This setup is done mainly to allow nix builds with some cache.
To use the cache in Drone, you must set your repository as trusted.
The command line tool does not work (it says it successfully set your repository as trusted but it did nothing):
the only way to set your repository as trusted is to connect on the DB and set the `repo_trusted` field of your repo to true.

View file

@ -0,0 +1,32 @@
version: '3.4'
services:
drone-runner:
image: drone/drone-runner-docker:latest
restart: always
environment:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- DRONE_RUNNER_CAPACITY=1
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- DRONE_RUNNER_NAME=${DRONE_NAME}
- DRONE_RUNNER_LABELS=nix:1
#- DRONE_RUNNER_VOLUMES=/var/lib/drone/nix:/nix
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- "/var/lib/drone/nix:/var/lib/drone/nix"
drone-gc:
image: drone/gc:latest
restart: always
environment:
- GC_DEBUG=true
- GC_CACHE=10gb
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"

View file

@ -0,0 +1 @@
CMD openssl rand -hex 16

View file

@ -0,0 +1 @@
CMD_ONCE openssl rand -hex 16

View file

@ -0,0 +1 @@
USER OAuth client ID (on Gitea)

View file

@ -0,0 +1 @@
USER OAuth client secret (for gitea)

View file

@ -1 +1 @@
USER Drone RPC secret CMD openssl rand -hex 16

View file

@ -0,0 +1 @@
USER S3 (garage) access key for Drone

View file

@ -0,0 +1 @@
CONST drone-db

View file

@ -0,0 +1 @@
USER S3 (garage) secret key for Drone

View file

@ -0,0 +1 @@
CONST drone-storage