Private drone setup with Docker, haproxy and letsencrypt
First a persistent storage on my NAS:
- Added NFS share "drone" on my ReadyNAS by clicketiclick.
- sudo mkdir /var/lib/drone
- add to /etc/fstab:
  10.0.1.30:/raiden/drone /var/lib/drone nfs auto 0 0
- sudo mount -a
Get and set up drone
sudo docker pull drone/drone
In /var/lib/drone/dronerc:
REMOTE_DRIVER=github
REMOTE_CONFIG=https://github.com?client_id=${client_id}&client_secret=${client_secret}
DATABASE_DRIVER=sqlite3
DATABASE_CONFIG=/var/lib/drone/drone.sqlite
Start up drone:
sudo docker run \
--volume /var/lib/drone:/var/lib/drone \
--volume /var/run/docker.sock:/var/run/docker.sock \
--env-file /var/lib/drone/dronerc \
--restart=always \
--publish=9000:8000 \
--detach=true \
--name=drone \
drone/drone
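The dronerc file above holds the OAuth client secret and lives on the NFS share, so it is worth creating it owner-only rather than with whatever umask the shell happens to have. The following is an added example, not code from the post or from the drone project: a small writer for the same four keys the post uses, plus a check that refuses a file readable by group/others or missing a key. The driver-to-host mapping and the check's exact mode rule are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Writes the dronerc env file with
# owner-only permissions and validates it before it is handed to docker run.

# write_dronerc DIR DRIVER CLIENT_ID CLIENT_SECRET
# Creates DIR/dronerc as rw------- so the client secret is not readable by
# every account that can reach the NFS share.
write_dronerc() {
    dir=$1; driver=$2; client_id=$3; client_secret=$4
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077                      # file is created rw------- from the start
    case "$driver" in              # assumed mapping of driver -> remote host
        github) remote_host=https://github.com ;;
        gitlab) remote_host=https://gitlab.com ;;
        *) echo "unsupported REMOTE_DRIVER: $driver" >&2; umask "$old_umask"; return 1 ;;
    esac
    # Same keys and layout as the post's dronerc; the sqlite path is the one
    # inside the container (the host directory is bind-mounted there).
    printf 'REMOTE_DRIVER=%s\nREMOTE_CONFIG=%s?client_id=%s&client_secret=%s\nDATABASE_DRIVER=sqlite3\nDATABASE_CONFIG=/var/lib/drone/drone.sqlite\n' \
        "$driver" "$remote_host" "$client_id" "$client_secret" > "$dir/dronerc"
    umask "$old_umask"
}

# check_dronerc FILE
# Returns 0 only if FILE is owner-only and every required key is set.
check_dronerc() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing" >&2; return 1; }
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        -rw-------|-r--------) ;;
        *) echo "$f: mode $mode is not owner-only" >&2; return 1 ;;
    esac
    for key in REMOTE_DRIVER REMOTE_CONFIG DATABASE_DRIVER DATABASE_CONFIG; do
        grep -q "^$key=" "$f" || { echo "$f: $key not set" >&2; return 1; }
    done
    return 0
}

# Usage (as root, values are placeholders):
#   write_dronerc /var/lib/drone github "$client_id" "$client_secret"
#   check_dronerc /var/lib/drone/dronerc && docker run --env-file /var/lib/drone/dronerc ...
```

Running check_dronerc right before the docker run means a file that was copied over with loose permissions, or edited by hand and left half-filled, stops the start instead of being passed on silently.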
Set up proxy
In /etc/haproxy/haproxy.cfg (the acl and use_backend lines go in the existing frontend; the backend section is new):
acl host_drone hdr(host) -i drone.woodenstake.se
use_backend drone if host_drone

backend drone
    mode http
    option forwardfor
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request add-header X-Forwarded-Proto https if { ssl_fc }
    server drone 127.0.0.1:9000
SSL cert using letsencrypt
Add ssl cert to the list:
cd letsencrypt
sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.woodenstake.se
Worked second time?
sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null
sudo service haproxy reload
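The cat | tee step above produces the key-plus-chain bundle haproxy expects, but it creates haproxy.pem with the default umask and reloads the proxy whether or not the file is usable. As an added example (not from the post, letsencrypt or haproxy), here is the same assembly done with an owner-only temp file, a check that the bundle is key-then-certificates and that the key actually matches the certificate (when openssl is present), an atomic rename, and a config check before the reload. It is assumed to run as root, so the post's sudo prefixes are dropped; the live directory path is the post's.

```shell
#!/bin/sh
# Added example (not from the original post). Builds haproxy.pem safely from a
# letsencrypt live directory and reloads haproxy only after validation.

# build_haproxy_pem LIVE_DIR [OUT]
# LIVE_DIR holds privkey.pem and fullchain.pem; OUT defaults to LIVE_DIR/haproxy.pem.
build_haproxy_pem() {
    live=$1
    out=${2:-$live/haproxy.pem}
    [ -r "$live/privkey.pem" ] && [ -r "$live/fullchain.pem" ] || {
        echo "build_haproxy_pem: key or chain missing in $live" >&2; return 1; }
    bundle_tmp="$out.tmp.$$"
    old_umask=$(umask); umask 077        # temp file is rw------- from creation
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$bundle_tmp"
    umask "$old_umask"
    # haproxy wants the private key first, followed by the certificate chain.
    if ! head -n 1 "$bundle_tmp" | grep -q 'PRIVATE KEY-----' || ! grep -q 'BEGIN CERTIFICATE-----' "$bundle_tmp"; then
        echo "build_haproxy_pem: bundle is not key-then-certificates" >&2
        rm -f "$bundle_tmp"; return 1
    fi
    # When openssl is available, compare the key's public half with the
    # leaf certificate's public key; a mismatch means haproxy would fail to load it.
    if command -v openssl >/dev/null 2>&1; then
        k=$(openssl pkey -in "$bundle_tmp" -pubout 2>/dev/null || true)
        c=$(openssl x509 -in "$bundle_tmp" -pubkey -noout 2>/dev/null || true)
        if [ -z "$k" ] || [ "$k" != "$c" ]; then
            echo "build_haproxy_pem: private key does not match certificate" >&2
            rm -f "$bundle_tmp"; return 1
        fi
    fi
    mv "$bundle_tmp" "$out"              # atomic replace; haproxy never sees a partial file
}

# reload_if_valid: parse-check the config first so a bad bundle cannot take
# the proxy down with it.
reload_if_valid() {
    haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
}

# Usage (as root):
#   build_haproxy_pem /etc/letsencrypt/live/repo.woodenstake.se && reload_if_valid
```

The public-key comparison is what catches the case the plain cat cannot: a privkey.pem from one issuance glued to a fullchain.pem from another.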
Update:
Due to this limitation https://github.com/drone/drone/issues/1336#issuecomment-158459430 I had to create multiple drone instances, one for gitlab and one for private commercial stuff that I put under gitlab. So I basically had to redo all of the above with drone.gitlab.woodenstake.se and drone.github.woodenstake.se. I put config and db under /var/lib/drone/gitlab and …/github.
For gitlab the config is:
REMOTE_DRIVER=gitlab
REMOTE_CONFIG=https://gitlab.com?client_id=**&client_secret=**
sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --renew-by-default --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se
sudo cat /etc/letsencrypt/live/repo.woodenstake.se/privkey.pem /etc/letsencrypt/live/repo.woodenstake.se/fullchain.pem | sudo tee /etc/letsencrypt/live/repo.woodenstake.se/haproxy.pem >/dev/null
sudo service haproxy reload
Start multiple:
sudo docker run \
--volume /var/lib/drone/github:/var/lib/drone \
--volume /var/run/docker.sock:/var/run/docker.sock \
--env-file /var/lib/drone/github/dronerc \
--restart=always \
--publish=9000:8000 \
--detach=true \
--name=drone-github \
drone/drone
sudo docker run \
--volume /var/lib/drone/gitlab:/var/lib/drone \
--volume /var/run/docker.sock:/var/run/docker.sock \
--env-file /var/lib/drone/gitlab/dronerc \
--restart=always \
--publish=9001:8000 \
--detach=true \
--name=drone-gitlab \
drone/drone
Run without --renew-by-default to not get it placed randomly:
https://github.com/letsencrypt/letsencrypt/issues/1946#issuecomment-169728539
sudo ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy --agree-tos --email hedefalk@gmail.com -d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se
Unfortunately this fails since there's a rate limit of 5/week too… Gotta look into how to script this better…
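One way to script this so a daily cron entry does not burn through the issuance limit is to ask for a certificate only when the current one is close to expiry. The following is an added example (not from the post or from letsencrypt): a check built on openssl's -checkend, and a wrapper that runs the post's certonly command (without --renew-by-default) only when the check says so, then rebuilds haproxy.pem and reloads haproxy exactly as the post does. The 30-day threshold is an assumption; the live directory is the one the post's run ended up in.

```shell
#!/bin/sh
# Added example (not from the original post). Only contacts Let's Encrypt when
# the existing certificate expires within a chosen number of days.

# cert_needs_renewal PEM_FILE DAYS
# Exit 0 if the certificate in PEM_FILE expires within DAYS days or does not
# exist yet, 1 if it is still good for longer than that, 2 if openssl is
# missing and the question cannot be answered.
cert_needs_renewal() {
    pem=$1; days=$2
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; cannot judge $pem" >&2; return 2; }
    [ -r "$pem" ] || return 0                         # no certificate yet: get one
    # -checkend N exits 0 while the cert is still valid N seconds from now
    if openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# renew_if_needed: run as root from the letsencrypt checkout, like the post does.
renew_if_needed() {
    live=/etc/letsencrypt/live/repo.woodenstake.se     # where the post's certificate landed
    cert_needs_renewal "$live/cert.pem" 30 && status=0 || status=$?
    case "$status" in
        1) echo "certificate valid for more than 30 days; not contacting Let's Encrypt"; return 0 ;;
        2) return 2 ;;
    esac
    # The post's own domain list and options, minus --renew-by-default.
    domains="-d woodenstake.se -d jenkins.woodenstake.se -d jenkins-nas.woodenstake.se -d repo.woodenstake.se -d blog.woodenstake.se -d transmission.woodenstake.se -d uniplybeta.woodenstake.se -d crm.woodenstake.se -d docker.woodenstake.se -d drone.github.woodenstake.se -d drone.gitlab.woodenstake.se"
    # shellcheck disable=SC2086  # word-splitting of $domains is intended
    ./letsencrypt-auto certonly --text --webroot --webroot-path /var/lib/haproxy \
        --agree-tos --email hedefalk@gmail.com $domains || return 1
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$live/haproxy.pem"
    service haproxy reload
}
```

Because a certificate that is still good for more than 30 days returns before the certonly call, the job can run every day and will only issue once per lifetime, which keeps it well inside the weekly limit the post ran into.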