Diffstat (limited to 'cluster/prod/app/drone-ci/integration/docker-compose.yml')
-rw-r--r--cluster/prod/app/drone-ci/integration/docker-compose.yml34
1 files changed, 28 insertions, 6 deletions
diff --git a/cluster/prod/app/drone-ci/integration/docker-compose.yml b/cluster/prod/app/drone-ci/integration/docker-compose.yml
index 1e37255..57fdd09 100644
--- a/cluster/prod/app/drone-ci/integration/docker-compose.yml
+++ b/cluster/prod/app/drone-ci/integration/docker-compose.yml
@@ -1,5 +1,14 @@
version: '3.4'
services:
+ nix-daemon:
+ image: nixpkgs/nix:nixos-22.05
+ restart: always
+ command: nix-daemon
+ privileged: true
+ volumes:
+ - "nix:/nix"
+ - "./nix.conf:/etc/nix/nix.conf:ro"
+
drone-runner:
image: drone/drone-runner-docker:latest
restart: always
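Review bot: `privileged: true` on the new `nix-daemon` service gives that container all capabilities and host device access, and this is the process that performs builds for every pipeline step through the shared `/nix` volume. The hunk does not say which part of nix-daemon needs it. If the build sandbox is the reason, I would record that next to the key, e.g. `# privileged: needed by the nix build sandbox (namespaces, mounts)`, and test whether a narrower `cap_add`/`security_opt` set is enough. The image is also referenced by a mutable tag (`nixpkgs/nix:nixos-22.05`); pinning it by digest would keep a privileged, always-restarting container from changing content unnoticed.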
@@ -7,21 +16,32 @@ services:
- DRONE_RPC_PROTO=https
- DRONE_RPC_HOST=drone.deuxfleurs.fr
- DRONE_RPC_SECRET=${DRONE_SECRET}
- - DRONE_RUNNER_CAPACITY=1
+ - DRONE_RUNNER_CAPACITY=3
- DRONE_DEBUG=true
- DRONE_LOGS_TRACE=true
- DRONE_RPC_DUMP_HTTP=true
- DRONE_RPC_DUMP_HTTP_BODY=true
- - DRONE_RUNNER_NAME=${DRONE_NAME}
- - DRONE_RUNNER_LABELS=nix:1
- #- DRONE_RUNNER_VOLUMES=/var/lib/drone/nix:/nix
+ - DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name
+ - DRONE_RUNNER_LABELS=nix-daemon:1
+ # we should put "nix:/nix:ro but it is not supported by
+ # drone-runner-docker because the dependency envconfig does
+ # not support having two colons (:) in the same stanza.
+ # Without the RO flag (or using docker userns), build isolation
+ # is broken.
+ # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
+ # https://github.com/kelseyhightower/envconfig/pull/153
+ #
+ # A workaround for isolation is to configure docker with a userns,
+ # so even if the folder is writable to root, it is not to any non
+ # privileged docker daemon ran by drone!
+ - DRONE_RUNNER_VOLUMES=drone_nix:/nix
+ - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
ports:
- "3000:3000/tcp"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
- - "/var/lib/drone/nix:/var/lib/drone/nix"
- drone-gc:
+ drone-gc:
image: drone/gc:latest
restart: always
environment:
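Review bot: `DRONE_RUNNER_VOLUMES=drone_nix:/nix` mounts the shared store read-write into every pipeline container, and the same hunk raises `DRONE_RUNNER_CAPACITY` to 3, so up to three concurrent builds share a store that, by the comment's own account, a root step can modify. The only mitigation named is a Docker userns setting on the host, which nothing in this file sets or checks. I would turn the comment into an explicit prerequisite, e.g. `# REQUIRES: dockerd on this host runs with userns-remap; without it a root pipeline step can alter /nix for other builds`, and keep the capacity at 1 on hosts where that is not confirmed. Separately, `DRONE_RUNNER_NAME=i_forgot_to_change_my_runner_name` replaces `${DRONE_NAME}` with what looks like a leftover placeholder; several runners sharing one name would make it harder to attribute builds to a host in the server logs.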
@@ -30,3 +50,5 @@ services:
- GC_INTERVAL=10m
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
+volumes:
+ nix:
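Review bot: Compose will create the volume declared here as `<project>_nix`, while `DRONE_RUNNER_VOLUMES=drone_nix:/nix` in the previous hunk is passed to Docker as written, so the two refer to the same store only if the Compose project is named `drone`. The project name is not visible in this file, and the directory is `integration`. If they differ, Docker would presumably create a separate, empty `drone_nix` volume for pipeline steps, and `NIX_REMOTE=daemon` would find no daemon socket in it. Pinning the name removes that dependency: declare `nix:` with `name: drone_nix` beneath it, which file format 3.4 supports.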