---
# Docker Compose definition for a Drone CI Docker runner backed by a
# Docker-in-Docker (dind) daemon. The file is a Jinja2 template (templated
# values and a conditional block appear under drone_runner) and has to be
# rendered before Compose reads it.
# NOTE(review): recent Docker Compose releases ignore the top-level `version`
# key and warn that it is obsolete; confirm against the Compose version in use.
version: '3.9'

services:
  # Docker-in-Docker daemon. drone_runner points its DOCKER_HOST at this
  # service, so pipeline containers are started by this daemon.
  dind:
    # NOTE(review): `dind` is a floating tag. Pin a version or digest so the
    # image behind a privileged container cannot change silently on a pull.
    image: docker:dind
    restart: unless-stopped
    # Privileged mode removes most container isolation from the host. Whoever
    # can talk to this daemon's API should be treated as having host-level
    # access.
    privileged: true
    volumes:
      # Host kernel modules, mounted read-only.
      - /lib/modules:/lib/modules:ro
    environment:
      # Empty value; presumably tells the image entrypoint not to generate
      # TLS certificates (confirm against the docker:dind image docs).
      DOCKER_TLS_CERTDIR: ""
    command:
      # TLS is switched off, so the Docker API that drone_runner reaches on
      # tcp port 2375 is unencrypted and has no client authentication.
      # No `ports:` are published for this service, so the API is not mapped
      # onto the host; it is still reachable by anything attached to the
      # networks listed below. The "not exposed" assumption therefore depends
      # on network membership, not on the daemon itself.
      # NOTE(review): if the attached networks ever gain other members,
      # enable TLS with client certificates instead of relying on isolation.
      - '--tls=false'
    networks:
      # `backend` is declared internal at the bottom of the file; `default`
      # is not, and presumably provides the outbound access needed to pull
      # images (confirm).
      - backend
      - default

  # Drone Docker runner. It connects to the Drone server named in
  # DRONE_RPC_HOST and runs pipeline containers through the dind daemon.
  drone_runner:
    # NOTE(review): `:1` is a floating major-version tag; pin an exact version
    # or digest for reproducible, reviewable deployments.
    image: drone/drone-runner-docker:1
    restart: always
    environment:
      # Templated values below are substituted into double-quoted strings
      # before YAML parsing. NOTE(review): a value containing a double quote
      # or backslash would break the rendered YAML, and a dollar sign would be
      # subject to Compose variable interpolation; confirm the secret and
      # names cannot contain these, or escape them in the template.
      #
      # Plain TCP to the dind service: no TLS and no client authentication,
      # matching the --tls=false setting on dind.
      - "DOCKER_HOST=tcp://dind:2375"
      # Presumably a memory limit in bytes (about 8.2 GB); confirm the unit
      # and scope against the runner documentation.
      - "DRONE_LIMIT_MEM=8192000000"
      # Shared secret between runner and Drone server. The rendered file holds
      # it in clear text: restrict the rendered file's permissions and keep
      # the source variable in an encrypted store.
      - "DRONE_RPC_SECRET={{ gitea.drone.rpc_secret }}"
      - "DRONE_RPC_HOST=drone.tobiasmanske.de"
      # The RPC connection to the server uses HTTPS.
      - "DRONE_RPC_PROTO=https"
      # Presumably the number of pipelines run concurrently; confirm.
      - "DRONE_RUNNER_CAPACITY={{ gitea.drone.runner_capacity }}"
      - "DRONE_RUNNER_NAME={{ gitea.drone.runner_name }}"
      # Optional: the labels entry is emitted only when the variable is
      # defined. The join filter implies the variable is a list of strings.
{% if gitea.drone.runner_labels is defined %}
      - "DRONE_RUNNER_LABELS={{ gitea.drone.runner_labels | join(',') }}"
{% endif %}
      # NOTE(review): floating tag on the image used for the clone step; pin a
      # version or digest, since this image runs in every pipeline.
      - "DRONE_RUNNER_CLONE_IMAGE=drone/git:linux-amd64"
      # Bind mount added to pipeline containers. Because the daemon is dind,
      # the source path is presumably resolved inside the dind container, not
      # on the physical host (confirm). NOTE(review): check whether pipeline
      # steps can write to this shared file; it is common to every build.
      - "DRONE_RUNNER_VOLUMES=/etc/hosts:/etc/hosts"
    depends_on:
      # Start order only: dind is started before the runner.
      - dind
    networks:
      # `backend` carries the runner-to-dind traffic; `default` presumably
      # gives the runner its route to the Drone server (confirm).
      - backend
      - default

networks:
  # Internal network: Compose creates it without external connectivity.
  # NOTE(review): both services are also attached to the non-internal
  # `default` network, so this setting alone does not confine the
  # unauthenticated Docker API on dind; review what else can join `default`.
  backend:
    internal: true
...