add drone.io
This commit is contained in:
parent
ff1abe9513
commit
57c061da97
|
|
@ -3,7 +3,7 @@ version: "2.2"
|
|||
services:
|
||||
|
||||
gitea:
|
||||
image: gitea/gitea:1.14
|
||||
image: gitea/gitea:1.15
|
||||
restart: always
|
||||
volumes:
|
||||
- ./volumes/gitea:/data
|
||||
|
|
@ -19,7 +19,7 @@ services:
|
|||
mem_limit: 500m
|
||||
|
||||
weblate:
|
||||
image: weblate/weblate:4.4-1
|
||||
image: weblate/weblate:4.8.1-2
|
||||
restart: always
|
||||
ports:
|
||||
- 127.0.0.1:3001:8080
|
||||
|
|
@ -48,6 +48,20 @@ services:
|
|||
- redis
|
||||
- postfix
|
||||
|
||||
drone:
|
||||
image: drone/drone:2.4
|
||||
restart: always
|
||||
ports:
|
||||
- 127.0.0.1:8194:80
|
||||
environment:
|
||||
- DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID}
|
||||
- DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET}
|
||||
- DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
|
||||
- DRONE_SERVER_HOST=${DRONE_HOSTNAME}
|
||||
- DRONE_SERVER_PROTO=https
|
||||
volumes:
|
||||
- ./volumes/drone:/data
|
||||
|
||||
postgres:
|
||||
image: postgres:12-alpine
|
||||
restart: always
|
||||
|
|
|
|||
|
|
@ -27,3 +27,26 @@ weblate_postgres_password: !vault |
|
|||
66353238623038366230323239303634613963643635626632353739636564396430386565623466
|
||||
6562383763396235340a313463643239333662393430613465363965666466303461663066386533
|
||||
61323161323732396533373062663762383031336330653336376533633633393035
|
||||
drone_rpc_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
66363032363339393932623162663832363766346630343764663361666434393733623666643830
|
||||
3165323062333037613932353164326535393331303235630a633035393434353761343430636330
|
||||
36396263643530313261373366383936393938663838366237316435326261383031396262623531
|
||||
6330316237373439320a663333653539333063353433383337373166376561313038626536643066
|
||||
64666431616666666165643236396166373137663262306262663938356639363832656636363764
|
||||
3435383030386161666239623039366331633036306263626162
|
||||
drone_github_client_id: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
63663036346336323730356363656366646638636361656238323461356439306661316534366331
|
||||
3938333636376634373161653238356364643165343462310a353937346466373364333732623162
|
||||
62623139363834323538306663346261653735313631373765366635396163666162326363653034
|
||||
3836363266396165620a623932386161383836383666316136396564633636383638353233623334
|
||||
64643364366632663030363763346563636435633539643063373966653735623861
|
||||
drone_github_client_secret: !vault |
|
||||
$ANSIBLE_VAULT;1.1;AES256
|
||||
30656636366436646462313662303866653131666362313430386164633464376636356138346666
|
||||
6564613736386236323963383433306163623230626231360a666239653663633764346335633539
|
||||
63653532656162336339396363313037343034373039326639363334396532313765353265373964
|
||||
6435306461616664650a313532356161636132646362326536376362303963303561643362663430
|
||||
37653332383662663861363436326434643935623866356439623737303332343036343736656437
|
||||
3732303134653333356436393130326231646438343064613365
|
||||
|
|
|
|||
|
|
@ -55,6 +55,7 @@
|
|||
shell: |
|
||||
certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||
certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||
certbot certonly --nginx --agree-tos -d 'drone.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||
|
||||
- name: reload nginx config and certs
|
||||
shell: nginx -s reload
|
||||
|
|
@ -72,3 +73,10 @@
|
|||
name=certbot-renew-weblate
|
||||
user=root
|
||||
job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
|
||||
|
||||
- name: renew drone certificates
|
||||
cron:
|
||||
special_time=daily
|
||||
name=certbot-renew-drone
|
||||
user=root
|
||||
job="certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"
|
||||
|
|
|
|||
|
|
@ -0,0 +1,51 @@
|
|||
server {
|
||||
listen 80;
|
||||
server_name drone.{{ domain }};
|
||||
location /.well-known/acme-challenge/ {
|
||||
root /var/www/certbot;
|
||||
}
|
||||
location / {
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name drone.{{ domain }};
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/drone.{{ domain }}/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/drone.{{ domain }}/privkey.pem;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
|
||||
ssl_prefer_server_ciphers on;
|
||||
|
||||
ssl_session_timeout 1d;
|
||||
ssl_session_cache shared:SSL:50m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_stapling on;
|
||||
ssl_stapling_verify on;
|
||||
|
||||
add_header X-Frame-Options SAMEORIGIN;
|
||||
add_header X-Content-Type-Options nosniff;
|
||||
add_header X-XSS-Protection "1; mode=block";
|
||||
add_header Strict-Transport-Security "max-age=15768000";
|
||||
add_header Referrer-Policy "same-origin";
|
||||
fastcgi_hide_header X-Powered-By;
|
||||
server_tokens off;
|
||||
|
||||
client_max_body_size 100M;
|
||||
|
||||
# No compression for json to avoid BREACH attack.
|
||||
gzip on;
|
||||
gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
|
||||
gzip_proxied any;
|
||||
gzip_vary on;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8194;
|
||||
+ proxy_set_header X-Forwarded-For $remote_addr;
|
||||
+ proxy_set_header X-Forwarded-Proto $scheme;
|
||||
}
|
||||
}
|
||||
|
|
@ -2,3 +2,7 @@ GITEA_HOSTNAME={{ domain }}
|
|||
WEBLATE_HOSTNAME=weblate.{{ domain }}
|
||||
WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
|
||||
WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
|
||||
DRONE_HOSTNAME=drone.{{ domain }}
|
||||
DRONE_RPC_SECRET={{ drone_rpc_secret }}
|
||||
DRONE_GITHUB_CLIENT_ID={{ drone_github_client_id }}
|
||||
DRONE_GITHUB_CLIENT_SECRET={{ drone_github_client_secret }}
|
||||
|
|
|
|||
|
|
@ -8,20 +8,6 @@ map $geoip_country_code $allowed_country {
|
|||
IN no;
|
||||
}
|
||||
|
||||
# forward from old domain
|
||||
server {
|
||||
listen 80;
|
||||
server_name yerbamate.dev;
|
||||
return https://yerbamate.ml$request_uri;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name yerbamate.dev;
|
||||
ssl_certificate /etc/letsencrypt/live/yerbamate.dev/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/yerbamate.dev/privkey.pem;
|
||||
return https://yerbamate.ml$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name {{ domain }};
|
||||
|
|
|
|||
|
|
@ -3,20 +3,6 @@ map $geoip_country_code $allowed_country {
|
|||
CN no;
|
||||
}
|
||||
|
||||
# forward from old domain
|
||||
server {
|
||||
listen 80;
|
||||
server_name weblate.yerbamate.dev;
|
||||
return https://weblate.yerbamate.ml$request_uri;
|
||||
}
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
server_name weblate.yerbamate.dev;
|
||||
ssl_certificate /etc/letsencrypt/live/weblate.yerbamate.dev/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/weblate.yerbamate.dev/privkey.pem;
|
||||
return https://weblate.yerbamate.ml$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
listen 80;
|
||||
server_name weblate.{{ domain }};
|
||||
|
|
|
|||
Loading…
Reference in New Issue