add drone.io
This commit is contained in:
parent
ff1abe9513
commit
57c061da97
7 changed files with 102 additions and 30 deletions
|
@ -3,7 +3,7 @@ version: "2.2"
|
||||||
services:
|
services:
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
image: gitea/gitea:1.14
|
image: gitea/gitea:1.15
|
||||||
restart: always
|
restart: always
|
||||||
volumes:
|
volumes:
|
||||||
- ./volumes/gitea:/data
|
- ./volumes/gitea:/data
|
||||||
|
@ -19,7 +19,7 @@ services:
|
||||||
mem_limit: 500m
|
mem_limit: 500m
|
||||||
|
|
||||||
weblate:
|
weblate:
|
||||||
image: weblate/weblate:4.4-1
|
image: weblate/weblate:4.8.1-2
|
||||||
restart: always
|
restart: always
|
||||||
ports:
|
ports:
|
||||||
- 127.0.0.1:3001:8080
|
- 127.0.0.1:3001:8080
|
||||||
|
@ -48,6 +48,20 @@ services:
|
||||||
- redis
|
- redis
|
||||||
- postfix
|
- postfix
|
||||||
|
|
||||||
|
drone:
|
||||||
|
image: drone/drone:2.4
|
||||||
|
restart: always
|
||||||
|
ports:
|
||||||
|
- 127.0.0.1:8194:80
|
||||||
|
environment:
|
||||||
|
- DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID}
|
||||||
|
- DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET}
|
||||||
|
- DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
|
||||||
|
- DRONE_SERVER_HOST=${DRONE_HOSTNAME}
|
||||||
|
- DRONE_SERVER_PROTO=https
|
||||||
|
volumes:
|
||||||
|
- ./volumes/drone:/data
|
||||||
|
|
||||||
postgres:
|
postgres:
|
||||||
image: postgres:12-alpine
|
image: postgres:12-alpine
|
||||||
restart: always
|
restart: always
|
||||||
|
|
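Review bot: The new `drone` service enables GitHub OAuth login but sets nothing that limits who may register, so with Drone's defaults any GitHub account can sign in and queue pipelines on whatever runner shares `DRONE_RPC_SECRET`; add `- DRONE_USER_FILTER=<github-org-or-user-placeholder>` to the `environment:` list, or create the admin via `DRONE_USER_CREATE` and then set `- DRONE_REGISTRATION_CLOSED=true`. The `127.0.0.1:8194:80` binding follows the loopback-only pattern already used for weblate, so the service is reachable only through the nginx front end. No runner appears in this hunk; if one is defined elsewhere in the file it must be given the same `DRONE_RPC_SECRET` and, ideally, the same `DRONE_SERVER_HOST`/`DRONE_SERVER_PROTO` values.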
|
@ -27,3 +27,26 @@ weblate_postgres_password: !vault |
|
||||||
66353238623038366230323239303634613963643635626632353739636564396430386565623466
|
66353238623038366230323239303634613963643635626632353739636564396430386565623466
|
||||||
6562383763396235340a313463643239333662393430613465363965666466303461663066386533
|
6562383763396235340a313463643239333662393430613465363965666466303461663066386533
|
||||||
61323161323732396533373062663762383031336330653336376533633633393035
|
61323161323732396533373062663762383031336330653336376533633633393035
|
||||||
|
drone_rpc_secret: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
66363032363339393932623162663832363766346630343764663361666434393733623666643830
|
||||||
|
3165323062333037613932353164326535393331303235630a633035393434353761343430636330
|
||||||
|
36396263643530313261373366383936393938663838366237316435326261383031396262623531
|
||||||
|
6330316237373439320a663333653539333063353433383337373166376561313038626536643066
|
||||||
|
64666431616666666165643236396166373137663262306262663938356639363832656636363764
|
||||||
|
3435383030386161666239623039366331633036306263626162
|
||||||
|
drone_github_client_id: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
63663036346336323730356363656366646638636361656238323461356439306661316534366331
|
||||||
|
3938333636376634373161653238356364643165343462310a353937346466373364333732623162
|
||||||
|
62623139363834323538306663346261653735313631373765366635396163666162326363653034
|
||||||
|
3836363266396165620a623932386161383836383666316136396564633636383638353233623334
|
||||||
|
64643364366632663030363763346563636435633539643063373966653735623861
|
||||||
|
drone_github_client_secret: !vault |
|
||||||
|
$ANSIBLE_VAULT;1.1;AES256
|
||||||
|
30656636366436646462313662303866653131666362313430386164633464376636356138346666
|
||||||
|
6564613736386236323963383433306163623230626231360a666239653663633764346335633539
|
||||||
|
63653532656162336339396363313037343034373039326639363334396532313765353265373964
|
||||||
|
6435306461616664650a313532356161636132646362326536376362303963303561643362663430
|
||||||
|
37653332383662663861363436326434643935623866356439623737303332343036343736656437
|
||||||
|
3732303134653333356436393130326231646438343064613365
|
||||||
|
|
|
@ -55,6 +55,7 @@
|
||||||
shell: |
|
shell: |
|
||||||
certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||||
certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||||
|
certbot certonly --nginx --agree-tos -d 'drone.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
|
||||||
|
|
||||||
- name: reload nginx config and certs
|
- name: reload nginx config and certs
|
||||||
shell: nginx -s reload
|
shell: nginx -s reload
|
||||||
|
@ -72,3 +73,10 @@
|
||||||
name=certbot-renew-weblate
|
name=certbot-renew-weblate
|
||||||
user=root
|
user=root
|
||||||
job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
|
job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
|
||||||
|
|
||||||
|
- name: renew drone certificates
|
||||||
|
cron:
|
||||||
|
special_time=daily
|
||||||
|
name=certbot-renew-drone
|
||||||
|
user=root
|
||||||
|
job="certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"
|
||||||
|
|
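Review bot: The new cron task (`renew drone certificates`) copies the `key=value` argument-string form of the weblate task above it; Ansible's native block form keeps quoting in one layer and lets `ansible-lint` and `yamllint` check the keys, so the task is better written as a mapping (below). The job runs `certbot certonly` for a single domain daily rather than `certbot renew`, which mirrors the existing weblate job; keeping the pattern is defensible but a comment such as `# one certonly job per domain, matching the weblate job; certbot renew would cover all certs in one run` would save the next reader from wondering. The `shell: |` block in the first hunk belongs to a task whose `- name:` line is above the hunk, so its idempotency settings (if any) are not visible here.
```yaml
- name: renew drone certificates
  cron:
    name: certbot-renew-drone
    special_time: daily
    user: root
    job: "certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"
```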
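--- /dev/null
+++ b/templates/drone.conf
@@ -0,0 +1,51 @@
+server {
+listen 80;
+server_name drone.{{ domain }};
+location /.well-known/acme-challenge/ {
+root /var/www/certbot;
+}
+location / {
+return 301 https://$host$request_uri;
+}
+}
+
+server {
+listen 443 ssl http2;
+server_name drone.{{ domain }};
+
+ssl_certificate /etc/letsencrypt/live/drone.{{ domain }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/drone.{{ domain }}/privkey.pem;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
+ssl_prefer_server_ciphers on;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:SSL:50m;
+ssl_session_tickets off;
+
+ssl_stapling on;
+ssl_stapling_verify on;
+
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Strict-Transport-Security "max-age=15768000";
+add_header Referrer-Policy "same-origin";
+fastcgi_hide_header X-Powered-By;
+server_tokens off;
+
+client_max_body_size 100M;
+
+# No compression for json to avoid BREACH attack.
+gzip on;
+gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
+gzip_proxied any;
+gzip_vary on;
+
+location / {
+proxy_pass http://127.0.0.1:8194;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
+}
+}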
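Review bot: The two `proxy_set_header` lines (X-Forwarded-For and X-Forwarded-Proto) are the only lines of this new file rendered with a leading `+`; if that character is really in the template rather than a leftover diff marker, nginx rejects the whole config with an unknown-directive error, so check the file on disk before deploying. `fastcgi_hide_header X-Powered-By;` does nothing for a `proxy_pass` location; the matching directive is `proxy_hide_header X-Powered-By;`. `ssl_stapling on;` only works when a `resolver` is configured so nginx can fetch OCSP responses; none is set in this file, so unless the global `http` block (not visible here) provides one, stapling is silently inactive. Drone serves live build logs over long-lived streaming responses, so `proxy_buffering off;` inside `location /` is probably wanted; confirm against the Drone reverse-proxy documentation for the 2.x release being deployed.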
|
@ -2,3 +2,7 @@ GITEA_HOSTNAME={{ domain }}
|
||||||
WEBLATE_HOSTNAME=weblate.{{ domain }}
|
WEBLATE_HOSTNAME=weblate.{{ domain }}
|
||||||
WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
|
WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
|
||||||
WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
|
WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
|
||||||
|
DRONE_HOSTNAME=drone.{{ domain }}
|
||||||
|
DRONE_RPC_SECRET={{ drone_rpc_secret }}
|
||||||
|
DRONE_GITHUB_CLIENT_ID={{ drone_github_client_id }}
|
||||||
|
DRONE_GITHUB_CLIENT_SECRET={{ drone_github_client_secret }}
|
||||||
|
|
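Review bot: `DRONE_RPC_SECRET`, `DRONE_GITHUB_CLIENT_ID` and `DRONE_GITHUB_CLIENT_SECRET` are rendered into this env file in clear text, so the task that templates it must set a restrictive mode (for example `mode: "0600"`) and an owner limited to the account that runs compose; that task is not part of this diff, so I cannot confirm it does. A comment at the top of the template, such as `# Rendered by Ansible from vault-encrypted vars; contains secrets, keep mode 0600 and never commit the rendered file`, would make the expectation visible to the next maintainer; the file's first line is above this hunk.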
|
@ -8,20 +8,6 @@ map $geoip_country_code $allowed_country {
|
||||||
IN no;
|
IN no;
|
||||||
}
|
}
|
||||||
|
|
||||||
# forward from old domain
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name yerbamate.dev;
|
|
||||||
return https://yerbamate.ml$request_uri;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name yerbamate.dev;
|
|
||||||
ssl_certificate /etc/letsencrypt/live/yerbamate.dev/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/yerbamate.dev/privkey.pem;
|
|
||||||
return https://yerbamate.ml$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name {{ domain }};
|
server_name {{ domain }};
|
||||||
|
|
|
@ -3,20 +3,6 @@ map $geoip_country_code $allowed_country {
|
||||||
CN no;
|
CN no;
|
||||||
}
|
}
|
||||||
|
|
||||||
# forward from old domain
|
|
||||||
server {
|
|
||||||
listen 80;
|
|
||||||
server_name weblate.yerbamate.dev;
|
|
||||||
return https://weblate.yerbamate.ml$request_uri;
|
|
||||||
}
|
|
||||||
server {
|
|
||||||
listen 443 ssl http2;
|
|
||||||
server_name weblate.yerbamate.dev;
|
|
||||||
ssl_certificate /etc/letsencrypt/live/weblate.yerbamate.dev/fullchain.pem;
|
|
||||||
ssl_certificate_key /etc/letsencrypt/live/weblate.yerbamate.dev/privkey.pem;
|
|
||||||
return https://weblate.yerbamate.ml$request_uri;
|
|
||||||
}
|
|
||||||
|
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name weblate.{{ domain }};
|
server_name weblate.{{ domain }};
|
||||||
|
|