add drone.io

This commit is contained in:
Felix Ableitner 2021-09-28 14:19:06 +02:00
parent ff1abe9513
commit 57c061da97
7 changed files with 102 additions and 30 deletions

View file

@ -3,7 +3,7 @@ version: "2.2"
services: services:
gitea: gitea:
image: gitea/gitea:1.14 image: gitea/gitea:1.15
restart: always restart: always
volumes: volumes:
- ./volumes/gitea:/data - ./volumes/gitea:/data
@ -19,7 +19,7 @@ services:
mem_limit: 500m mem_limit: 500m
weblate: weblate:
image: weblate/weblate:4.4-1 image: weblate/weblate:4.8.1-2
restart: always restart: always
ports: ports:
- 127.0.0.1:3001:8080 - 127.0.0.1:3001:8080
@ -48,6 +48,20 @@ services:
- redis - redis
- postfix - postfix
drone:
image: drone/drone:2.4
restart: always
ports:
- 127.0.0.1:8194:80
environment:
- DRONE_GITHUB_CLIENT_ID=${DRONE_GITHUB_CLIENT_ID}
- DRONE_GITHUB_CLIENT_SECRET=${DRONE_GITHUB_CLIENT_SECRET}
- DRONE_RPC_SECRET=${DRONE_RPC_SECRET}
- DRONE_SERVER_HOST=${DRONE_HOSTNAME}
- DRONE_SERVER_PROTO=https
volumes:
- ./volumes/drone:/data
postgres: postgres:
image: postgres:12-alpine image: postgres:12-alpine
restart: always restart: always

View file

@ -27,3 +27,26 @@ weblate_postgres_password: !vault |
66353238623038366230323239303634613963643635626632353739636564396430386565623466 66353238623038366230323239303634613963643635626632353739636564396430386565623466
6562383763396235340a313463643239333662393430613465363965666466303461663066386533 6562383763396235340a313463643239333662393430613465363965666466303461663066386533
61323161323732396533373062663762383031336330653336376533633633393035 61323161323732396533373062663762383031336330653336376533633633393035
drone_rpc_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
66363032363339393932623162663832363766346630343764663361666434393733623666643830
3165323062333037613932353164326535393331303235630a633035393434353761343430636330
36396263643530313261373366383936393938663838366237316435326261383031396262623531
6330316237373439320a663333653539333063353433383337373166376561313038626536643066
64666431616666666165643236396166373137663262306262663938356639363832656636363764
3435383030386161666239623039366331633036306263626162
drone_github_client_id: !vault |
$ANSIBLE_VAULT;1.1;AES256
63663036346336323730356363656366646638636361656238323461356439306661316534366331
3938333636376634373161653238356364643165343462310a353937346466373364333732623162
62623139363834323538306663346261653735313631373765366635396163666162326363653034
3836363266396165620a623932386161383836383666316136396564633636383638353233623334
64643364366632663030363763346563636435633539643063373966653735623861
drone_github_client_secret: !vault |
$ANSIBLE_VAULT;1.1;AES256
30656636366436646462313662303866653131666362313430386164633464376636356138346666
6564613736386236323963383433306163623230626231360a666239653663633764346335633539
63653532656162336339396363313037343034373039326639363334396532313765353265373964
6435306461616664650a313532356161636132646362326536376362303963303561643362663430
37653332383662663861363436326434643935623866356439623737303332343036343736656437
3732303134653333356436393130326231646438343064613365

View file

@ -55,6 +55,7 @@
shell: | shell: |
certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n certbot certonly --nginx --agree-tos -d 'weblate.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
certbot certonly --nginx --agree-tos -d 'drone.{{ domain }}' -m '{{ letsencrypt_contact_email }}' -n
- name: reload nginx config and certs - name: reload nginx config and certs
shell: nginx -s reload shell: nginx -s reload
@ -72,3 +73,10 @@
name=certbot-renew-weblate name=certbot-renew-weblate
user=root user=root
job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'" job="certbot certonly --nginx -d weblate.{{ domain }} -n --deploy-hook 'nginx -s reload'"
- name: renew drone certificates
cron:
special_time=daily
name=certbot-renew-drone
user=root
job="certbot certonly --nginx -d drone.{{ domain }} -n --deploy-hook 'nginx -s reload'"

51
templates/drone.conf Normal file
View file

@ -0,0 +1,51 @@
server {
listen 80;
server_name drone.{{ domain }};
location /.well-known/acme-challenge/ {
root /var/www/certbot;
}
location / {
return 301 https://$host$request_uri;
}
}
server {
listen 443 ssl http2;
server_name drone.{{ domain }};
ssl_certificate /etc/letsencrypt/live/drone.{{ domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/drone.{{ domain }}/privkey.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_prefer_server_ciphers on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Strict-Transport-Security "max-age=15768000";
add_header Referrer-Policy "same-origin";
fastcgi_hide_header X-Powered-By;
server_tokens off;
client_max_body_size 100M;
# No compression for json to avoid BREACH attack.
gzip on;
gzip_types text/plain text/xml text/css application/xml application/javascript image/svg+xml image/svg;
gzip_proxied any;
gzip_vary on;
location / {
proxy_pass http://127.0.0.1:8194;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Proto $scheme;
}
}

View file

@ -2,3 +2,7 @@ GITEA_HOSTNAME={{ domain }}
WEBLATE_HOSTNAME=weblate.{{ domain }} WEBLATE_HOSTNAME=weblate.{{ domain }}
WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }} WEBLATE_ADMIN_PASSWORD={{ weblate_admin_password }}
WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }} WEBLATE_POSTGRES_PASSWORD={{ weblate_postgres_password }}
DRONE_HOSTNAME=drone.{{ domain }}
DRONE_RPC_SECRET={{ drone_rpc_secret }}
DRONE_GITHUB_CLIENT_ID={{ drone_github_client_id }}
DRONE_GITHUB_CLIENT_SECRET={{ drone_github_client_secret }}

View file

@ -8,20 +8,6 @@ map $geoip_country_code $allowed_country {
IN no; IN no;
} }
# forward from old domain
server {
listen 80;
server_name yerbamate.dev;
return https://yerbamate.ml$request_uri;
}
server {
listen 443 ssl http2;
server_name yerbamate.dev;
ssl_certificate /etc/letsencrypt/live/yerbamate.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yerbamate.dev/privkey.pem;
return https://yerbamate.ml$request_uri;
}
server { server {
listen 80; listen 80;
server_name {{ domain }}; server_name {{ domain }};

View file

@ -3,20 +3,6 @@ map $geoip_country_code $allowed_country {
CN no; CN no;
} }
# forward from old domain
server {
listen 80;
server_name weblate.yerbamate.dev;
return https://weblate.yerbamate.ml$request_uri;
}
server {
listen 443 ssl http2;
server_name weblate.yerbamate.dev;
ssl_certificate /etc/letsencrypt/live/weblate.yerbamate.dev/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/weblate.yerbamate.dev/privkey.pem;
return https://weblate.yerbamate.ml$request_uri;
}
server { server {
listen 80; listen 80;
server_name weblate.{{ domain }}; server_name weblate.{{ domain }};