diff --git a/roles/drone/meta/main.yml b/roles/drone/meta/main.yml
new file mode 100644
index 0000000..c87c87b
--- /dev/null
+++ b/roles/drone/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: common
+ - role: docker
diff --git a/roles/drone/tasks/apache.yml b/roles/drone/tasks/apache.yml
new file mode 100644
index 0000000..5df6614
--- /dev/null
+++ b/roles/drone/tasks/apache.yml
@@ -0,0 +1,34 @@
+---
+- name: add drone http site
+ template:
+ src: etc/apache2/sites-available/ci_domain.conf.j2
+ dest: /etc/apache2/sites-available/{{ ci_domain}}.conf
+ owner: root
+ group: root
+ mode: 0644
+- name: disable default site and enable drone site
+ block:
+ - name: disable default site
+ command:
+ cmd: a2dissite 000-default.conf
+ - name: enable drone site
+ command:
+ cmd: a2ensite {{ ci_domain }}.conf
+- name: run certbot
+ command:
+ cmd: certbot --apache --non-interactive --keep-until-expiring --no-eff-mail --email {{ admin_mail }} --redirect --renew-with-new-domains --agree-tos -d {{ ci_domain }}
+ when: ansible_domain != 'dev'
+- include: ssl-dev.yml
+ when ansible_domain == 'dev'
+- name: add drone https site
+ template:
+ src: etc/apache2/sites-available/ci_domain-le-ssl.conf.j2
+ dest: /etc/apache2/sites-available/{{ ci_domain }}-le-ssl.conf
+ owner: root
+ group: root
+ mode: 0644
+- name: enable drone https site
+ command:
+ cmd: a2ensite {{ ci_domain }}-le-ssl.conf
+ notify: restart apache
+
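Review bot: The `src` of the "add drone https site" template task, `etc/apache2/sites-available/ci_domain-le-ssl.conf.j2`, does not match the template this commit actually adds, which is named `ci-domain-le-ssl.conf.j2` (hyphen, not underscore), so that task will fail with a template-not-found error. The line `when ansible_domain == 'dev'` under `- include: ssl-dev.yml` is missing its colon and makes the whole file a YAML parse error; it should read `when: ansible_domain == 'dev'` (and `include` is a deprecated keyword, `import_tasks`/`include_tasks` is the current form). The `a2dissite`/`a2ensite` `command` tasks report changed on every run, so the `notify: restart apache` on the last task restarts Apache on each play; a `changed_when` keyed on the command output, or `creates` pointing at the `sites-enabled` symlink, would make the role idempotent. Certbot's EFF opt-out flag is spelled `--no-eff-email`; unless `--no-eff-mail` is accepted by the installed version the certbot task will exit non-zero. Both `mode: 0644` values are unquoted octal and are safer as `mode: "0644"`, and `{{ ci_domain}}` on the http `dest` lacks the closing space its siblings use.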
diff --git a/roles/drone/tasks/main.yml b/roles/drone/tasks/main.yml
new file mode 100644
index 0000000..28bf10e
--- /dev/null
+++ b/roles/drone/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+-
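Review bot: `tasks/main.yml` consists of a single bare `-` entry, which Ansible reads as a null task and rejects with "no action detected", and nothing on this page imports `apache.yml` or renders `docker-compose.yml.j2` into `/etc/drone` and starts the stack. Replace the placeholder with `- import_tasks: apache.yml` followed by the tasks that deploy and run the compose file; as committed, the role's other files are unreachable.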
diff --git a/roles/drone/tasks/ssl-dev.yml b/roles/drone/tasks/ssl-dev.yml
new file mode 100644
index 0000000..4cbecaf
--- /dev/null
+++ b/roles/drone/tasks/ssl-dev.yml
@@ -0,0 +1,27 @@
+---
+- name: Ensure python OpenSSL dependencies are installed.
+ pip:
+ name: pyOpenSSL
+ state: present
+
+- name: Ensure directory exists for local self-signed TLS certs.
+ file:
+ path: /etc/letsencrypt/live/{{ ci_domain }}
+ state: directory
+
+- name: Generate an OpenSSL private key.
+ openssl_privatekey:
+ path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: /etc/ssl/private/{{ ci_domain }}.csr
+ privatekey_path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ common_name: "{{ ci_domain }}"
+
+- name: Generate a Self Signed OpenSSL certificate.
+ openssl_certificate:
+ path: /etc/letsencrypt/live/{{ ci_domain }}/fullchain.pem
+ privatekey_path: /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ csr_path: /etc/ssl/private/{{ ci_domain }}.csr
+ provider: selfsigned
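Review bot: The CSR built by the `openssl_csr` task carries only `common_name`, so the self-signed certificate ends up without a Subject Alternative Name; modern TLS clients (browsers, and Go's `crypto/tls` used by Drone and Gitea) ignore the CN and reject SAN-less certificates, which breaks the Gitea webhook and OAuth round-trip to the dev instance even once the certificate is trusted. Add `subject_alt_name: ["DNS:{{ ci_domain }}"]` to the CSR task. Since the key is generated once and never rotated, a short `selfsigned_not_after` on the certificate task, or at least a comment stating that this material is dev-only and lands in certbot's `live` directory, would make the intent clear to whoever next touches the non-dev path.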
diff --git a/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2 b/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2
new file mode 100644
index 0000000..f51298c
--- /dev/null
+++ b/roles/drone/templates/etc/apache2/sites-available/ci-domain-le-ssl.conf.j2
@@ -0,0 +1,21 @@
+
+
+ ServerName {{ ci_domain }}
+ ServerAdmin {{ admin_mail }}
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLCertificateFile /etc/letsencrypt/live/{{ ci_domain }}/fullchain.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ ci_domain }}/privkey.pem
+ Include /etc/letsencrypt/options-ssl-apache.conf
+
+ # Encoded slashes need to be allowed
+ AllowEncodedSlashes NoDecode
+
+ # keep the host
+ ProxyPreserveHost On
+ ProxyPass / http://127.0.0.1:8000/
+ ProxyPassReverse / http://127.0.0.1:8000/
+
+
+
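Review bot: `Include /etc/letsencrypt/options-ssl-apache.conf` refers to a file that certbot's apache plugin installs (certbot's copy is also where `SSLEngine on` comes from); on the `dev` path `ssl-dev.yml` generates a self-signed pair and certbot never runs, and nothing on this page creates that file, so `apachectl configtest` fails as soon as the `-le-ssl` site is enabled. Either ship the options file from the role or put `SSLEngine on` plus explicit `SSLProtocol`/`SSLCipherSuite` directives in this template. The enclosing `<VirtualHost *:443>`/`<IfModule mod_ssl.c>` lines are not visible in the hunk as rendered here; confirm they are present in the committed file. Because TLS terminates in this vhost, `RequestHeader set X-Forwarded-Proto "https"` (with `mod_headers`) next to `ProxyPreserveHost On` is the usual companion so the backend can tell the request arrived over HTTPS.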
diff --git a/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2 b/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2
new file mode 100644
index 0000000..dfd6bb4
--- /dev/null
+++ b/roles/drone/templates/etc/apache2/sites-available/ci_domain.conf.j2
@@ -0,0 +1,6 @@
+
+ ServerName {{ ci_domain }}
+ ServerAdmin {{ admin_mail }}
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
diff --git a/roles/drone/templates/etc/drone/docker-compose.yml.j2 b/roles/drone/templates/etc/drone/docker-compose.yml.j2
new file mode 100644
index 0000000..d3e8e34
--- /dev/null
+++ b/roles/drone/templates/etc/drone/docker-compose.yml.j2
@@ -0,0 +1,22 @@
+version: '2'
+
+services:
+ drone-server:
+ image: drone/drone:1
+
+ ports:
+ - 8000:8000
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /var/lib/drone:/data
+ restart: always
+ environment:
+ - DRONE_SERVER_HOST={{ ci_domain }}
+ - DRONE_SERVER_PROTO=http
+ - DRONE_RUNNER_CAPACITY=2
+ - DRONE_USER_CREATE=username:{{ gitea_user }},admin:true
+ - DRONE_GITEA_SERVER={{ gitea_url }}
+ - DRONE_GITEA_CLIENT_ID={{ gitea_client_id }}
+ - DRONE_GITEA_CLIENT_SECRET={{ gitea_client_secret }}
+ - LC_ALL=C.UTF-8
+ - LANG=C.UTF-8
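Review bot: `- 8000:8000` publishes Drone's plain-HTTP listener on every host interface, so the Apache TLS front end added in this commit can be bypassed by connecting to port 8000 directly; bind it to loopback with `- "127.0.0.1:8000:8000"`, which is all the `ProxyPass` to `127.0.0.1:8000` needs (quoting the mapping also sidesteps the YAML sexagesimal trap on port strings). `DRONE_SERVER_PROTO=http` is what Drone uses to build the OAuth callback and webhook URLs it registers with Gitea; with TLS terminated at Apache, and the https vhost being the only one on this page that proxies to Drone, this should be `https`. The rendered file contains `gitea_client_secret` in clear text; the task that writes this template is not on this page, so make sure it sets a restrictive `mode` and owner, or move the secret values to an `env_file` the compose file references. The `/var/run/docker.sock` mount gives the Drone server container root-equivalent control of the host, which is inherent to this single-node setup with `DRONE_RUNNER_CAPACITY`, but deserves a comment in the template so that later maintainers do not enable untrusted repositories without a separate runner.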