Diffstat (limited to 'app')
-rw-r--r-- | app/drone-ci/deploy/drone.hcl | 123 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/cookie_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/db_enc_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/db_pass | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/db_user | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/oauth_client_id | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/oauth_client_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/rpc_secret | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_ak | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_bucket | 1 | ||||
-rw-r--r-- | app/drone-ci/secrets/drone-ci/s3_sk | 1 | ||||
-rwxr-xr-x | app/secretmgr.py | 3 |
12 files changed, 136 insertions, 0 deletions
diff --git a/app/drone-ci/deploy/drone.hcl b/app/drone-ci/deploy/drone.hcl
new file mode 100644
index 0000000..8d39422
--- /dev/null
+++ b/app/drone-ci/deploy/drone.hcl
@@ -0,0 +1,123 @@
+job "drone-ci" {
+ datacenters = ["dc1"]
+ type = "service"
+
+ group "server" {
+ count = 1
+
+ network {
+ port "web_port" {
+ to = 80
+ }
+ }
+
+ task "drone_server" {
+ driver = "docker"
+ config {
+ image = "drone/drone:1.10.1"
+ ports = [ "web_port" ]
+ }
+
+ template {
+ data = <<EOH
+DRONE_GITEA_SERVER=https://git.deuxfleurs.fr
+DRONE_GITEA_CLIENT_ID={{ key "secrets/drone-ci/oauth_client_id" }}
+DRONE_GITEA_CLIENT_SECRET={{ key "secrets/drone-ci/oauth_client_secret" }}
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
+DRONE_SERVER_HOST=drone.deuxfleurs.fr
+DRONE_SERVER_PROTO=https
+DRONE_DATABASE_SECRET={{ key "secrets/drone-ci/db_enc_secret" }}
+DRONE_COOKIE_SECRET={{ key "secrets/drone-ci/cookie_secret" }}
+AWS_ACCESS_KEY_ID={{ key "secrets/drone-ci/s3_ak" }}
+AWS_SECRET_ACCESS_KEY={{ key "secrets/drone-ci/s3_sk" }}
+AWS_DEFAULT_REGION=garage
+AWS_REGION=garage
+DRONE_S3_BUCKET={{ key "secrets/drone-ci/s3_bucket" }}
+DRONE_S3_ENDPOINT=https://garage.deuxfleurs.fr
+DRONE_S3_PATH_STYLE=true
+DRONE_DATABASE_DRIVER=postgres
+DRONE_DATABASE_DATASOURCE=postgres://{{ key "secrets/drone-ci/db_user" }}:{{ key "secrets/drone-ci/db_pass" }}@psql-proxy.service.2.cluster.deuxfleurs.fr:5432/postgres?sslmode=disable
+DRONE_USER_CREATE=username:lx-admin,admin:true
+DRONE_LOGS_TEXT=true
+DRONE_LOGS_PRETTY=true
+DRONE_LOGS_DEBUG=true
+DOCKER_API_VERSION=1.39
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+
+ service {
+ name = "drone"
+ tags = [
+ "drone",
+ "traefik.enable=true",
+ "traefik.frontend.entryPoints=https,http",
+ "traefik.frontend.rule=Host:drone.deuxfleurs.fr",
+ ]
+ port = "web_port"
+ address_mode = "host"
+ check {
+ type = "http"
+ protocol = "http"
+ port = "web_port"
+ path = "/"
+ interval = "60s"
+ timeout = "5s"
+ check_restart {
+ limit = 3
+ grace = "600s"
+ ignore_warnings = false
+ }
+ }
+ }
+ }
+ }
+
+ group "runner" {
+ count = 3
+
+ constraint {
+ operator = 
"distinct_hosts"
+ value = "true"
+ }
+
+ task "drone_runner" {
+ driver = "docker"
+ config {
+ network_mode = "host"
+
+ #image = "drone/drone-runner-nomad:latest"
+
+ image = "drone/drone-runner-docker:latest"
+ volumes = [
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ]
+ }
+
+ template {
+ data = <<EOH
+DRONE_RPC_SECRET={{ key "secrets/drone-ci/rpc_secret" }}
+DRONE_RPC_HOST=drone.deuxfleurs.fr
+DRONE_RPC_PROTO=https
+DRONE_RUNNER_NAME={{ env "node.unique.name" }}
+DRONE_DEBUG=true
+NOMAD_ADDR=http://nomad-client.service.2.cluster.deuxfleurs.fr:4646
+DOCKER_API_VERSION=1.39
+EOH
+ destination = "secrets/env"
+ env = true
+ }
+
+ resources {
+ memory = 100
+ cpu = 100
+ }
+ }
+ }
+}
diff --git a/app/drone-ci/secrets/drone-ci/cookie_secret b/app/drone-ci/secrets/drone-ci/cookie_secret
new file mode 100644
index 0000000..04c819e
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/cookie_secret
@@ -0,0 +1 @@
+CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/db_enc_secret b/app/drone-ci/secrets/drone-ci/db_enc_secret
new file mode 100644
index 0000000..3f9e696
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/db_enc_secret
@@ -0,0 +1 @@
+CMD_ONCE openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/db_pass b/app/drone-ci/secrets/drone-ci/db_pass
new file mode 100644
index 0000000..0c971a6
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/db_pass
@@ -0,0 +1 @@
+SERVICE_PASSWORD drone
diff --git a/app/drone-ci/secrets/drone-ci/db_user b/app/drone-ci/secrets/drone-ci/db_user
new file mode 100644
index 0000000..dc07c5d
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/db_user
@@ -0,0 +1 @@
+CONST drone
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_id b/app/drone-ci/secrets/drone-ci/oauth_client_id
new file mode 100644
index 0000000..c801b28
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/oauth_client_id
@@ -0,0 +1 @@
+USER OAuth client ID (on Gitea)
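Review bot: In the `drone_runner` task of `app/drone-ci/deploy/drone.hcl`, the container bind-mounts `/var/run/docker.sock`, uses `network_mode = "host"` and pulls `drone/drone-runner-docker:latest`, so whatever image the floating tag resolves to at the next pull gets root-equivalent control of the Docker daemon on each of the three hosts. Pin the runner the way the server is pinned, e.g. `image = "drone/drone-runner-docker:<pinned-version>"`, ideally by digest. Unless sign-up is restricted somewhere not shown here, consider `DRONE_REGISTRATION_CLOSED=true` or `DRONE_USER_FILTER` in the server template so that only intended Gitea accounts can schedule builds on these runners. The server's `DRONE_DATABASE_DATASOURCE` ends in `?sslmode=disable`, which sends the database credentials to `psql-proxy` unencrypted; use `sslmode=verify-full` if the proxy can present a certificate. `DRONE_LOGS_DEBUG=true` and `DRONE_DEBUG=true` are better left off outside troubleshooting.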
diff --git a/app/drone-ci/secrets/drone-ci/oauth_client_secret b/app/drone-ci/secrets/drone-ci/oauth_client_secret
new file mode 100644
index 0000000..b79b688
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/oauth_client_secret
@@ -0,0 +1 @@
+USER OAuth client secret (for gitea)
diff --git a/app/drone-ci/secrets/drone-ci/rpc_secret b/app/drone-ci/secrets/drone-ci/rpc_secret
new file mode 100644
index 0000000..04c819e
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/rpc_secret
@@ -0,0 +1 @@
+CMD openssl rand -hex 16
diff --git a/app/drone-ci/secrets/drone-ci/s3_ak b/app/drone-ci/secrets/drone-ci/s3_ak
new file mode 100644
index 0000000..3a8e4a2
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/s3_ak
@@ -0,0 +1 @@
+USER S3 (garage) access key for Drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_bucket b/app/drone-ci/secrets/drone-ci/s3_bucket
new file mode 100644
index 0000000..dc07c5d
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/s3_bucket
@@ -0,0 +1 @@
+CONST drone
diff --git a/app/drone-ci/secrets/drone-ci/s3_sk b/app/drone-ci/secrets/drone-ci/s3_sk
new file mode 100644
index 0000000..46fd9fa
--- /dev/null
+++ b/app/drone-ci/secrets/drone-ci/s3_sk
@@ -0,0 +1 @@
+USER S3 (garage) secret key for Drone
diff --git a/app/secretmgr.py b/app/secretmgr.py
index 62eb93a..8b17f61 100755
--- a/app/secretmgr.py
+++ b/app/secretmgr.py
@@ -373,5 +373,8 @@ if __name__ == "__main__":
 elif val == "regen":
 gen_secrets(sys.argv[i+1:], True)
 break
+ else:
+ print("Usage:")
+ print(" secretmgr.py [check|gen|regen] <module name>...") |
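Review bot: The new `else:` branch in `app/secretmgr.py` prints the usage text to stdout and, as far as the hunk shows, the script still exits with status 0, so a wrapper script or deploy job cannot tell a mistyped subcommand from a run that actually checked or generated secrets. Write the message to stderr and fail, e.g. `print("Usage:", file=sys.stderr)` for both lines followed by `sys.exit(1)`. The `__main__` block starts outside the hunk and the indentation is lost on this page, so it is not visible whether the `else` pairs with the `if`/`elif` chain or with the enclosing loop. If it pairs with the chain, the usage would print for every argument that is not a subcommand, starting with `sys.argv[0]`.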