core-services-01(services): add Drone Server CI/CD for initial experiments

machines/core-services-01/drone.nix

@@ -0,0 +1,25 @@
+{ config, lib, ... }:
+let
+  port = 3030;
+in
+{
+  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
+    "drone.io"
+  ];
+  services.drone-server = {
+    enable = true;
+    env = [
+      "DRONE_USER_CREATE=username:rz,admin:true"
+    ];
+    envFile = config.age.secrets.droneKeyFile.path;
+    inherit port;
+  };
+
+  services.nginx.virtualHosts."drone.rz.ens.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+}

machines/core-services-01/gitea.nix

@@ -5,6 +5,7 @@ let
   port = 3000;
 in
 {
+  imports = [ ./drone.nix ];
   services.gitea = {
     enable = true;
     domain = "git.${my.subZone}";

machines/core-services-01/nix/sources.json

@@ -14,7 +14,7 @@
     "klubrz-nur": {
         "branch": "main",
         "repo": "https://git.rz.ens.wtf/Klub-RZ/nur",
-        "rev": "48597e362c87365976ebc0168fb0e5678aa3865d",
+        "rev": "a567fa82ffcde61719c5409c472360eaee7b9611",
         "type": "git"
     },
     "niv": {

machines/core-services-01/secrets/default.nix

@@ -2,4 +2,5 @@
 {
   age.secrets.keycloakDatabasePasswordFile.file = ./keycloakDatabasePasswordFile.age;
   age.secrets.oauth2ProxyKeyFile.file = ./oauth2ProxyKeyFile.age;
+  age.secrets.droneKeyFile.file = ./droneKeyFile.age;
 }

machines/core-services-01/secrets/secrets.nix

@@ -9,5 +9,6 @@ in
   {
     "keycloakDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
     "oauth2ProxyKeyFile.age".publicKeys = superadmins ++ systems;
+    "droneKeyFile.age".publicKeys = superadmins ++ systems;
   }
 

machines/core-services-01/subZone.nix

@@ -24,6 +24,7 @@ with my.ipv6; # contains { standard, acme }
 
   subdomains = {
     git.AAAA = standard;
+    drone.AAAA = standard;
     wiki.AAAA = standard;
     monitoring.AAAA = standard;
     auth.AAAA = standard;