Private drone setup with Docker, haproxy and letsencrypt

First, persistent storage on my NAS:

  • Added NFS share "drone" on my ReadyNAS by clicketiclick.

  • sudo mkdir /var/lib/drone

  • add to /etc/fstab:

      10.0.1.30:/raiden/drone   /var/lib/drone   nfs    auto  0  0
  • sudo mount -a

Get and set up drone

sudo docker pull drone/drone

In /var/lib/drone/dronerc:

REMOTE_DRIVER=github
REMOTE_CONFIG=https://github.com?client_id=${client_id}&client_secret=${client_secret}

DATABASE_DRIVER=sqlite3
DATABASE_CONFIG=/var/lib/drone/drone.sqlite

Startup drone:

sudo docker run \
	--volume /var/lib/drone:/var/lib/drone \
	--volume /var/run/docker.sock:/var/run/docker.sock \
	--env-file /var/lib/drone/dronerc \
	--restart=always \
	--publish=9000:8000 \
	--detach=true \
	--name=drone \
	drone/drone
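Two checks worth running before the docker run above (and again before the per-instance runs in the update further down), added here as an example and not part of the original post. The env file carries the OAuth client secret, so it should be readable by its owner only. Mounting /var/run/docker.sock hands the container control of the host's Docker daemon, which is root-equivalent on the host; drone needs it to launch build containers, so the mount stays, but it is worth keeping an inventory of which containers have it. The function names, the docker inspect template and the sample inspect lines in the test are my own assumptions, not drone's or Docker's code.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the drone container.

# check_dronerc FILE
# The env file holds REMOTE_CONFIG with client_secret in clear text, so refuse to
# proceed if it is readable by group/others, lacks the secret, or still has the
# "**" placeholder from the post's gitlab snippet.
check_dronerc() {
    f=$1
    [ -f "$f" ] || { echo "$f: not found" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        600|400) ;;
        *) echo "$f: mode $mode, expected 600 (file contains client_secret)" >&2; return 1 ;;
    esac
    grep -q '^REMOTE_CONFIG=.*client_secret=' "$f" \
        || { echo "$f: REMOTE_CONFIG has no client_secret" >&2; return 1; }
    grep -q 'client_secret=\*\*' "$f" \
        && { echo "$f: client_secret is still the placeholder" >&2; return 1; }
    return 0
}

# docker_socket_mounts
# Reads lines of the form "<name> <mount source> <mount source> ..." from stdin,
# which is what
#   docker inspect --format '{{.Name}} {{range .Mounts}}{{.Source}} {{end}}' $(docker ps -q)
# prints (hypothetical usage; the template uses Docker's documented Go-template
# fields), and prints the names of containers that bind-mount the host Docker socket.
docker_socket_mounts() {
    while read -r name sources; do
        [ -n "$name" ] || continue
        for src in $sources; do
            case "$src" in
                /var/run/docker.sock|/run/docker.sock)
                    echo "${name#/}"   # docker inspect prefixes names with "/"
                    break ;;
            esac
        done
    done
}

# Usage (as root, before the docker run in the post):
#   check_dronerc /var/lib/drone/dronerc || exit 1
#   docker inspect --format '{{.Name}} {{range .Mounts}}{{.Source}} {{end}}' $(docker ps -q) \
#       | docker_socket_mounts
```

Since haproxy connects to the backend on 127.0.0.1:9000, publishing the port as 127.0.0.1:9000:8000 instead of 9000:8000 keeps drone reachable only through the proxy (and its TLS) rather than on every interface; that is my suggestion, not something the post does.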

Set up the proxy

In /etc/haproxy/haproxy.cfg:

acl host_drone hdr(host) -i drone.woodenstake.se
use_backend drone if host_drone

backend drone
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server drone 127.0.0.1:9000

SSL cert using letsencrypt

Add the new hostname to the cert's domain list:

cd letsencrypt

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.woodenstake.se

Worked second time?

sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null

sudo service haproxy reload
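The cat | tee step above has to be repeated after every renewal, and it writes a file containing the private key with whatever umask the caller has. An added example, not from the post, that does the same bundling with an explicit mode and a sanity check (key first, then the chain, which is the order haproxy expects). The function names are my own; the lineage path in the usage comment is the one from the post.

```shell
#!/bin/sh
# Added example (not from the original post): build haproxy.pem from a Let's Encrypt
# lineage directory with restrictive permissions, then verify the result.
set -eu

# check_haproxy_pem FILE
# Succeeds only if the bundle starts with the private key, contains at least one
# certificate, and is not group/world readable.
check_haproxy_pem() {
    f=$1
    head -n 1 "$f" | grep -q 'BEGIN .*PRIVATE KEY' \
        || { echo "$f: private key must come first" >&2; return 1; }
    grep -q 'BEGIN CERTIFICATE' "$f" \
        || { echo "$f: no certificate in bundle" >&2; return 1; }
    # GNU stat first, BSD/macOS stat as fallback.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    [ "$mode" = "600" ] || { echo "$f: mode is $mode, expected 600" >&2; return 1; }
}

# bundle_haproxy_pem LIVE_DIR OUT_FILE
# LIVE_DIR is a /etc/letsencrypt/live/<name> directory holding privkey.pem and
# fullchain.pem. The bundle is written to a temp file under a 077 umask and moved
# into place, so a half-written or world-readable file is never left behind.
bundle_haproxy_pem() {
    live_dir=$1
    out=$2
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"
    [ -r "$key" ] && [ -r "$chain" ] \
        || { echo "missing $key or $chain" >&2; return 1; }
    tmp="$out.tmp.$$"
    ( umask 077; cat "$key" "$chain" > "$tmp" )
    chmod 600 "$tmp"
    mv "$tmp" "$out"
    check_haproxy_pem "$out"
}

# Usage, as root, after a successful certonly run (lineage name from the post):
#   bundle_haproxy_pem /etc/letsencrypt/live/repo.woodenstake.se \
#       /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem && service haproxy reload
```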

Update:

Due to this limitation https://github.com/drone/drone/issues/1336#issuecomment-158459430 I had to create multiple drone instances, one for GitHub and one for the private commercial stuff that I put under GitLab. So I basically had to redo all of the above with drone.gitlab.woodenstake.se and drone.github.woodenstake.se. I put config and db under /var/lib/drone/gitlab and …/github.

For GitLab the config is:

REMOTE_DRIVER=gitlab
REMOTE_CONFIG=https://gitlab.com?client_id=**&client_secret=**

Then reissue the cert with both new hostnames in the list:

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se

sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null

sudo service haproxy reload

Start multiple:

sudo docker run \
	--volume /var/lib/drone/github:/var/lib/drone \
	--volume /var/run/docker.sock:/var/run/docker.sock \
	--env-file /var/lib/drone/github/dronerc \
	--restart=always \
	--publish=9000:8000 \
	--detach=true \
	--name=drone-github \
	drone/drone
	
sudo docker run \
	--volume /var/lib/drone/gitlab:/var/lib/drone \
	--volume /var/run/docker.sock:/var/run/docker.sock \
	--env-file /var/lib/drone/gitlab/dronerc \
	--restart=always \
	--publish=9001:8000 \
	--detach=true \
	--name=drone-gitlab \
	drone/drone
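With two instances, haproxy needs one acl/use_backend pair and one backend per instance; the post only shows the single-instance stanza in the "Set up the proxy" section. An added example, not from the post: a shell function that emits that stanza for a given name, hostname and published port, plus a wrapper that reads several instances and refuses duplicate ports. The function names and the "name host port" input format are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate haproxy routing for several
# drone instances, mirroring the single-instance config from the post.

# drone_haproxy_stanza NAME HOSTNAME PORT
# The acl/use_backend lines belong in the frontend section and the backend block
# after it; they are printed in that order.
drone_haproxy_stanza() {
    name=$1; host=$2; port=$3
    case "$port" in
        ''|*[!0-9]*) echo "port must be numeric: $port" >&2; return 1 ;;
    esac
    cat <<EOF
acl host_${name} hdr(host) -i ${host}
use_backend ${name} if host_${name}

backend ${name}
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server ${name} 127.0.0.1:${port}

EOF
}

# drone_haproxy_stanzas
# One stanza per "name host port" line on stdin; fails if two instances claim the
# same published port (the post uses 9000 and 9001).
drone_haproxy_stanzas() {
    seen=""
    while read -r name host port; do
        [ -n "$name" ] || continue
        case " $seen " in
            *" $port "*) echo "duplicate port $port for $name" >&2; return 1 ;;
        esac
        seen="$seen $port"
        drone_haproxy_stanza "$name" "$host" "$port" || return 1
    done
}

# Usage with the two instances from the post:
#   printf 'drone-github drone.github.woodenstake.se 9000\ndrone-gitlab drone.gitlab.woodenstake.se 9001\n' \
#       | drone_haproxy_stanzas
# Paste the acl/use_backend lines into the frontend and the backend blocks after the
# existing backends, then: haproxy -c -f /etc/haproxy/haproxy.cfg && service haproxy reload
```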

Run without --renew-by-default so the new cert doesn't get placed under an arbitrary lineage directory:
https://github.com/letsencrypt/letsencrypt/issues/1946#issuecomment-169728539

sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se

Unfortunately this fails since there's a rate limit of 5/week too… Gotta look into how to script this better…