path: root/cluster/prod/app/drone-ci/integration/docker-compose.yml
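# Drone CI runner stack for the prod cluster: a privileged nix-daemon whose
# /nix store is shared with pipeline containers, the docker runner that talks
# to the Drone server over HTTPS, and the Drone garbage collector.
version: '3.4'
services:
  # Nix builds run against this daemon (NIX_REMOTE=daemon is injected into
  # pipeline containers below). `privileged: true` hands the container full
  # host capabilities, so it must not be reachable from untrusted jobs.
  nix-daemon:
    image: nixpkgs/nix:nixos-22.05
    restart: always
    command: nix-daemon
    privileged: true
    volumes:
      - "nix:/nix"
      - "./nix.conf:/etc/nix/nix.conf:ro"

  drone-runner:
    image: drone/drone-runner-docker:1.8.2
    restart: always
    environment:
      - DRONE_RPC_PROTO=https
      - DRONE_RPC_HOST=drone.deuxfleurs.fr
      # Shared secret with the Drone server; comes from the host environment
      # or .env, never from this file.
      - DRONE_RPC_SECRET=${DRONE_SECRET}
      - DRONE_RUNNER_CAPACITY=3
      # Debug/trace settings. DRONE_RPC_DUMP_HTTP_BODY dumps the full RPC
      # request/response bodies to the runner log; those exchanges carry the
      # pipeline definitions and may carry secrets the server hands to the
      # runner, so anyone with log access can read them. Review these before
      # leaving them enabled on a prod runner.
      - DRONE_DEBUG=true
      - DRONE_LOGS_TRACE=true
      - DRONE_RPC_DUMP_HTTP=true
      - DRONE_RPC_DUMP_HTTP_BODY=true
      # Overridable from the host environment (DRONE_RUNNER_NAME); the
      # default keeps the deliberately embarrassing placeholder so an
      # unrenamed runner stands out in the server's runner list.
      - DRONE_RUNNER_NAME=${DRONE_RUNNER_NAME:-i_forgot_to_change_my_runner_name}
      - DRONE_RUNNER_LABELS=nix-daemon:1
      # we should put "nix:/nix:ro" but it is not supported by
      # drone-runner-docker because the dependency envconfig does
      # not support having two colons (:) in the same stanza.
      # Without the RO flag (or using docker userns), build isolation
      # is broken.
      # https://discourse.drone.io/t/allow-mounting-a-host-volume-as-read-only/10071
      # https://github.com/kelseyhightower/envconfig/pull/153
      #
      # A workaround for isolation is to configure docker with a userns,
      # so even if the folder is writable to root, it is not to any non
      # privileged docker daemon ran by drone!
      - DRONE_RUNNER_VOLUMES=drone_nix:/nix
      - DRONE_RUNNER_ENVIRON=NIX_REMOTE:daemon
    ports:
      # Published on every host interface. If only local or cluster-internal
      # access to the runner's HTTP endpoint is needed, prefix a host address
      # (e.g. "127.0.0.1:3000:3000/tcp") or firewall the port.
      - "3000:3000/tcp"
    volumes:
      # Required by the docker runner, but equivalent to root on the host:
      # whoever controls this container controls the docker daemon.
      - "/var/run/docker.sock:/var/run/docker.sock"

  drone-gc:
    # Floating tag: each restart may pull a different image. Pin to a version
    # or digest so upgrades are deliberate and reviewable.
    image: drone/gc:latest
    restart: always
    environment:
      - GC_DEBUG=true
      - GC_CACHE=10gb
      - GC_INTERVAL=10m
    volumes:
      # Same root-equivalent host access as the runner's socket mount.
      - "/var/run/docker.sock:/var/run/docker.sock"
volumes:
  nix: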