Drone CI on an Offshore VPS

Drone targets a specific sweet spot - container-native pipelines with a clean YAML config file, simple OAuth integration with any major git provider, and an architecture that scales horizontally by adding runner hosts. There is no plugin ecosystem to maintain (which is both a strength and a limit), no agent JNLP weirdness like Jenkins, and no Ruby-based runner like GitLab. The whole server is a single Go binary plus a SQLite or Postgres database. The trade-off is that Drone does fewer things than Jenkins. You get a YAML-defined pipeline, container-based step isolation, secret management, and webhook-driven builds. You do not get a graphical pipeline editor, deep Active Directory integration, or the 1500+ Jenkins plugins. For most modern teams that build, test, push Docker images, and deploy to Kubernetes or VPSes, those missing features are not actually needed. Hosting Drone on a VPS pairs nicely with self-hosted Gitea or GitLab CE on a separate VPS. The whole dev pipeline - git, CI, registry, deployment - lives on your offshore infrastructure. Drone's OAuth integration with Gitea is one of the cleanest experiences in self-hosted CI. New repos get auto-discovered, webhooks set up themselves, and builds start running the moment a developer pushes.

Drone has two components - the server (handles OAuth, webhook receive, build orchestration, web UI) and one or more runners (executes pipeline steps in containers). For small teams a single VPS can run both - the server binary handles HTTP and orchestration with very low resource use, and the local Docker daemon hosts the runner that executes builds. A 2 vCPU / 4 GB RAM VPS is enough for a team of 5 to 10 active devs. For larger teams or heavier builds, separate the runner onto its own VPS. The server stays small (1 vCPU / 1 GB RAM is plenty) while the runner host gets 4 to 8 vCPU and 8 to 16 GB RAM. You can add multiple runner hosts and they will pick up jobs from the server in a fair-share manner. This horizontal scaling pattern lets you add capacity without reconfiguring the server. The Drone server needs to receive webhooks from your git provider, so it has to be reachable on a public DNS name with TLS. If your git provider is self-hosted on another offshore VPS, both can run on private IPs as long as they can reach each other - useful for sensitive setups where neither the git remote nor the CI server should be on the public internet.

Install Docker first: `curl -fsSL https://get.docker.com | sh`. Create a directory for Drone state: `mkdir -p /opt/drone`. Generate a shared secret: `openssl rand -hex 16` - keep this value handy. Run the Drone server. With Gitea as the git provider, the command looks like `docker run -d --restart=always --name=drone -v /opt/drone:/data -e DRONE_GITEA_SERVER=https://gitea.yourdomain.tld -e DRONE_GITEA_CLIENT_ID=oauth-client-id -e DRONE_GITEA_CLIENT_SECRET=oauth-client-secret -e DRONE_RPC_SECRET=YOUR_RANDOM_HEX -e DRONE_SERVER_HOST=drone.yourdomain.tld -e DRONE_SERVER_PROTO=https -p 8080:80 drone/drone:2`. Put Caddy or Nginx with TLS in front of port 8080. Run the Docker runner on the same VPS or a separate one: `docker run -d --restart=always --name=drone-runner -v /var/run/docker.sock:/var/run/docker.sock -e DRONE_RPC_PROTO=https -e DRONE_RPC_HOST=drone.yourdomain.tld -e DRONE_RPC_SECRET=YOUR_RANDOM_HEX -e DRONE_RUNNER_CAPACITY=2 -e DRONE_RUNNER_NAME=runner1 -p 3000:3000 drone/drone-runner-docker:1`. Open the Drone web UI, complete the OAuth handshake with Gitea, then activate a repository. Push a commit with a `.drone.yml` file and the build starts within seconds.