First a persistent storage on my NAS:

  • Added NFS share "drone" on my ReadyNAS by clicketiclick.
  • sudo mkdir /var/lib/drone
  • add to /etc/fstab:

    10.0.1.30:/raiden/drone   /var/lib/drone   nfs    auto  0  0
    
  • sudo mount -a

Get and set up drone

sudo docker pull drone/drone

In /var/lib/drone/dronerc:

REMOTE_DRIVER=github
REMOTE_CONFIG=https://github.com?client_id=${client_id}&client_secret=${client_secret}

DATABASE_DRIVER=sqlite3
DATABASE_CONFIG=/var/lib/drone/drone.sqlite

Start up drone:

sudo docker run \
    --volume /var/lib/drone:/var/lib/drone \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --env-file /var/lib/drone/dronerc \
    --restart=always \
    --publish=9000:8000 \
    --detach=true \
    --name=drone \
    drone/drone

Set up proxy

In /etc/haproxy/haproxy.cfg:

acl host_drone hdr(host) -i drone.woodenstake.se
use_backend drone if host_drone

backend drone
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server drone 127.0.0.1:9000
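The snippet above only shows the ACL and backend. As an added example (not the post's own haproxy.cfg), here is a fuller configuration that terminates TLS with the haproxy.pem bundle built from the Let's Encrypt files, redirects plain HTTP to HTTPS, sets HSTS, and routes the two Drone instances from the update below (ports 9000 and 9001). The ACME exemption and the "acme" backend on 127.0.0.1:8080 are assumptions: something has to serve the post's webroot, /var/lib/haproxy, on that port, and the redirect must not swallow the challenge requests.

```haproxy
# Added example, not the post's configuration. Assumes the haproxy.pem bundle
# path from the post, Drone instances on 127.0.0.1:9000 and :9001, and a
# static file server for /var/lib/haproxy on 127.0.0.1:8080 (hypothetical).
frontend http-in
    bind *:80
    mode http
    # Let's Encrypt webroot challenges must stay reachable over plain HTTP
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme if acme_challenge
    # Everything else goes to HTTPS, so the OAuth callback and Drone's
    # session cookie never travel in clear text
    redirect scheme https code 301 if !acme_challenge

frontend https-in
    bind *:443 ssl crt /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https
    http-response set-header Strict-Transport-Security max-age=31536000
    acl host_drone_github hdr(host) -i drone.github.woodenstake.se
    acl host_drone_gitlab hdr(host) -i drone.gitlab.woodenstake.se
    use_backend drone-github if host_drone_github
    use_backend drone-gitlab if host_drone_gitlab

backend acme
    mode http
    server acme 127.0.0.1:8080

backend drone-github
    mode http
    server drone-github 127.0.0.1:9000

backend drone-gitlab
    mode http
    server drone-gitlab 127.0.0.1:9001
```

Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. One thing to pair with this: `--publish=9000:8000` in the docker run commands binds the port on every interface, so the container is reachable directly, bypassing the proxy and the TLS redirect; `--publish=127.0.0.1:9000:8000` keeps HAProxy as the only entry point, which matters since the container also holds the host's Docker socket.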

SSL cert using letsencrypt

Add ssl cert to the list:

cd letsencrypt

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.woodenstake.se

Worked second time?

sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null

sudo service haproxy reload

Update:

Due to this limitation https://github.com/drone/drone/issues/1336#issuecomment-158459430 I had to create multiple drone instances, one for gitlab and one for private commercial stuff that I put under gitlab. So I basically had to redo all of the above with drone.gitlab.woodenstake.se and drone.github.woodenstake.se. I put config and db under /var/lib/drone/gitlab and …/github.

For gitlab the config is:

REMOTE_DRIVER=gitlab
REMOTE_CONFIG=https://gitlab.com?client_id=**&client_secret=**

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se

sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null

sudo service haproxy reload

Start multiple:

sudo docker run \
    --volume /var/lib/drone/github:/var/lib/drone \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --env-file /var/lib/drone/github/dronerc \
    --restart=always \
    --publish=9000:8000 \
    --detach=true \
    --name=drone-github \
    drone/drone

sudo docker run \
    --volume /var/lib/drone/gitlab:/var/lib/drone \
    --volume /var/run/docker.sock:/var/run/docker.sock \
    --env-file /var/lib/drone/gitlab/dronerc \
    --restart=always \
    --publish=9001:8000 \
    --detach=true \
    --name=drone-gitlab \
    drone/drone

Run without --renew-by-default so the new certificate is not placed under a separate lineage directory:
https://github.com/letsencrypt/letsencrypt/issues/1946#issuecomment-169728539

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se

Unfortunately this fails since there's a rate limit of 5/week too… Gotta look into how to script this better…
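One way to script this, as an added example rather than anything from the post: only ask Let's Encrypt for a certificate when the current one is missing or within a renewal window (so repeated runs do not hit the rate limit), rebuild the haproxy.pem bundle the same way the cat | tee lines above do but with the file created mode 0600 from the start (tee creates it with the default umask, which leaves the private key world-readable), and reload HAProxy only after the config validates. The LIVE_DIR and RENEW_WINDOW_DAYS defaults, the letsencrypt checkout in the current directory, and openssl and haproxy being on PATH are assumptions; the domain list is the one from the post.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumptions: live dir and
# renewal window below, ./letsencrypt-auto in the working directory,
# openssl and haproxy available on PATH.
set -eu

LIVE_DIR="${LIVE_DIR:-/etc/letsencrypt/live/repo.woodenstake.se}"
RENEW_WINDOW_DAYS="${RENEW_WINDOW_DAYS:-30}"
# Domain list as in the post's letsencrypt-auto command
DOMAINS="woodenstake.se jenkins.woodenstake.se jenkins-nas.woodenstake.se
repo.woodenstake.se blog.woodenstake.se transmission.woodenstake.se
uniplybeta.woodenstake.se crm.woodenstake.se docker.woodenstake.se
drone.github.woodenstake.se drone.gitlab.woodenstake.se"

# Returns 0 (true) when the cert at $1 is missing or expires within $2 days.
needs_renewal() {
    cert="$1"
    days="$2"
    [ -f "$cert" ] || return 0
    # `openssl x509 -checkend N` exits non-zero if the cert expires within N seconds
    if openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Writes privkey + fullchain from live dir $1 to $2. The umask in the subshell
# means the file is born 0600; the rename makes the swap atomic, so HAProxy
# never sees a half-written bundle.
build_haproxy_pem() {
    live="$1"
    out="$2"
    (
        umask 077
        cat "$live/privkey.pem" "$live/fullchain.pem" > "$out.tmp"
    )
    mv "$out.tmp" "$out"
}

# A bad reload would take every vhost down, so validate first.
reload_haproxy() {
    haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
}

main() {
    if needs_renewal "$LIVE_DIR/cert.pem" "$RENEW_WINDOW_DAYS"; then
        set --
        for d in $DOMAINS; do set -- "$@" -d "$d"; done
        ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy \
            --agree-tos --email hedefalk@gmail.com "$@"
    fi
    build_haproxy_pem "$LIVE_DIR" "$LIVE_DIR/haproxy.pem"
    reload_haproxy
}

# `sudo sh renew.sh run` does the work; sourcing the file only defines functions.
case "${1:-}" in
    run) main ;;
esac
```

Run it from cron (daily is fine: with a 30-day window it only contacts Let's Encrypt once per lineage per renewal period). The expiry check uses cert.pem from the live directory, which is a symlink to the newest issued certificate, so a successful renewal is picked up on the next run without any path changes.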

About the Author

Viktor Hedefalk

Functional programming devotee. DIY complex.