authorQuentin Dufour <quentin@deuxfleurs.fr>2022-07-28 17:34:49 +0200
committerQuentin Dufour <quentin@deuxfleurs.fr>2022-07-28 17:34:49 +0200
commitef265b87de2e929886928f94862ad91effca9fdb (patch)
tree5f24ffaa447173a31fa0dccd067fd759e756c7d0 /app/drone-ci/integration/docker-compose.yml
parent64172fc999d56f288a28b9ae106424e8e7247935 (diff)
Update doc
Diffstat (limited to 'app/drone-ci/integration/docker-compose.yml')
-rw-r--r--app/drone-ci/integration/docker-compose.yml31
1 files changed, 28 insertions, 3 deletions
diff --git a/app/drone-ci/integration/docker-compose.yml b/app/drone-ci/integration/docker-compose.yml
index 2644918..57fdd09 100644
--- a/app/drone-ci/integration/docker-compose.yml
+++ b/app/drone-ci/integration/docker-compose.yml
@@ -1,5 +1,14 @@
version: '3.4'
services:
+ nix-daemon:
+ image: nixpkgs/nix:nixos-22.05
+ restart: always
+ command: nix-daemon
+ privileged: true
+ volumes:
+ - "nix:/nix"
+ - "./nix.conf:/etc/nix/nix.conf:ro"
+
drone-runner:
image: drone/drone-runner-docker:latest
restart: always
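Review bot: `privileged: true` on the new `nix-daemon` service carries no comment saying why it is needed, and this container owns the `/nix` store that the build containers consume, so it is the service where full host privileges matter most. I would add a comment above it such as `# privileged: presumably needed for the nix build sandbox; TODO confirm and narrow to cap_add if possible`. If the userns workaround described later in this file is applied to the Docker daemon, note that Docker refuses privileged containers under user-namespace remapping unless the service also sets `userns_mode: "host"`, so the two settings need to be introduced together. The tag `nixpkgs/nix:nixos-22.05` is also mutable; pinning it by digest would keep the daemon image from changing underneath the builds.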
@@ -7,18 +16,32 @@ services:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
+ - DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
+ - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
+ - DRONE_RUNNER_LABELS=nix-daemon:1
+ # we should put "nix:/nix:ro but it is not supported by
+ # drone-runner-docker because the dependency envconfig does
+ # not support having two colons (:) in the same stanza.
+ # Without the RO flag (or using docker userns), build isolation
+ # is broken.
+ # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
+ # https://github.com/kelseyhightower/envconfig/pull/153
+ #
+ # A workaround for isolation is to configure docker with a userns,
+ # so even if the folder is writable to root, it is not to any non
+ # privileged docker daemon ran by drone!
+ - DRONE_RUNNER_VOLUMES=drone_nix:/nix
+ - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- drone-gc:
+ drone-gc:
image: drone/gc:latest
restart: always
environment:
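Review bot: `DRONE_RUNNER_VOLUMES=drone_nix:/nix` mounts the shared store read-write into every pipeline step, and the same hunk raises `DRONE_RUNNER_CAPACITY` to 3, so concurrent builds can write to a store that the others read from; the comment names the userns workaround, but nothing in this file records whether it is applied on the host. I would turn the comment into a stated prerequisite, e.g. `# REQUIRES dockerd userns-remap on this host; without it any pipeline step can modify /nix for other builds`, and keep the capacity at 1 until that holds. The volume name `drone_nix` also assumes the compose project is named `drone` (presumably set outside this file); if the prefix differs, Docker would likely create an empty volume of that name rather than fail. Separately, `DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name` replaces the `${DRONE_NAME}` substitution with a placeholder, which makes runners hard to tell apart in the server's logs. The `drone-gc` service at the end of the hunk continues outside it.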
@@ -27,3 +50,5 @@ services:
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
+volumes:
+ nix: