author | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-07-28 17:34:49 +0200 |
---|---|---|
committer | Quentin Dufour <quentin@deuxfleurs.fr> | 2022-07-28 17:34:49 +0200 |
commit | ef265b87de2e929886928f94862ad91effca9fdb (patch) | |
tree | 5f24ffaa447173a31fa0dccd067fd759e756c7d0 /app/drone-ci/integration/docker-compose.yml | |
parent | 64172fc999d56f288a28b9ae106424e8e7247935 (diff) | |
download | infrastructure-ef265b87de2e929886928f94862ad91effca9fdb.tar.gz infrastructure-ef265b87de2e929886928f94862ad91effca9fdb.zip |
Update doc
Diffstat (limited to 'app/drone-ci/integration/docker-compose.yml')
-rw-r--r-- | app/drone-ci/integration/docker-compose.yml | 31 |
1 files changed, 28 insertions, 3 deletions
diff --git a/app/drone-ci/integration/docker-compose.yml b/app/drone-ci/integration/docker-compose.yml
index 2644918..57fdd09 100644
--- a/app/drone-ci/integration/docker-compose.yml
+++ b/app/drone-ci/integration/docker-compose.yml
@@ -1,5 +1,14 @@
 version: '3.4'
 services:
+ nix-daemon:
+ image: nixpkgs/nix:nixos-22.05
+ restart: always
+ command: nix-daemon
+ privileged: true
+ volumes:
+ - "nix:/nix"
+ - "./nix.conf:/etc/nix/nix.conf:ro"
+
 drone-runner:
 image: drone/drone-runner-docker:latest
 restart: always
@@ -7,18 +16,32 @@ services:
 - DRONE_RPC_PROTO=https
 - DRONE_RPC_HOST=drone.deuxfleurs.fr
 - DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
+ - DRONE_RUNNER_CAPACITY=3
 - DRONE_DEBUG=true
 - DRONE_LOGS_TRACE=true
 - DRONE_RPC_DUMP_HTTP=true
 - DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
+ - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
+ - DRONE_RUNNER_LABELS=nix-daemon:1
+ # we should put "nix:/nix:ro but it is not supported by
+ # drone-runner-docker because the dependency envconfig does
+ # not support having two colons (:) in the same stanza.
+ # Without the RO flag (or using docker userns), build isolation
+ # is broken.
+ # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
+ # https://github.com/kelseyhightower/envconfig/pull/153
+ #
+ # A workaround for isolation is to configure docker with a userns,
+ # so even if the folder is writable to root, it is not to any non
+ # privileged docker daemon ran by drone!
+ - DRONE_RUNNER_VOLUMES=drone_nix:/nix
+ - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
 ports:
 - "3000:3000/tcp"
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock"
 
- drone-gc:
+ drone-gc:
 image: drone/gc:latest
 restart: always
 environment:
@@ -27,3 +50,5 @@ services:
 - GC_INTERVAL=10m
 volumes:
 - "/var/run/docker.sock:/var/run/docker.sock"
+volumes:
+ nix: |
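Review bot: `privileged: true` on the new `nix-daemon` service (first hunk) gives the container that owns the shared `/nix` store every capability and full device access on the host, and nothing in the file says why that is needed. If it is only there for the Nix build sandbox (my assumption, the page does not say), record that next to the line, e.g. `# privileged: needed for the nix build sandbox; narrow to cap_add/security_opt once verified`, and check whether a smaller capability set is enough. The image is also referenced by the mutable tag `nixpkgs/nix:nixos-22.05`; pinning it by digest would stop the daemon that populates every build's store from changing silently between pulls.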
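Review bot: `DRONE_RUNNER_VOLUMES=drone_nix:/nix` (second hunk) mounts the shared store read-write into every pipeline container, and the user-namespace mitigation exists only as a comment; nothing in this file enforces it or checks that the host has it. With `DRONE_RUNNER_CAPACITY=3` up to three concurrent builds now share that writable store, so the broken isolation the comment describes affects more builds than before. I would state the requirement as a hard precondition at the top of the comment, e.g. `# REQUIRES dockerd userns-remap on this host; without it pipeline steps running as root can write to /nix`, and keep the runner limited to trusted repositories until that is verified. Separately, `DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name` replaces `${DRONE_NAME}` with a literal placeholder, so every runner deployed from this file reports the same name; keeping the variable avoids that. The `environment:` list these entries belong to starts outside the hunk.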
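Review bot: The volume declared here as `nix` (third hunk) is not obviously the one the runner hands to pipelines as `drone_nix` in `DRONE_RUNNER_VOLUMES`: Compose prefixes volume names with the project name, which defaults to the directory name, so the two match only if the stack is started with project name `drone` (how it is launched is not visible here). If the names differ, Docker would create a separate empty `drone_nix` volume for pipeline containers and builds would not see the daemon's store. Pinning the name removes that dependency: under `nix:` add `name: drone_nix`, which the 3.4 file format used here supports, and leave the daemon's `nix:/nix` mount as is.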