From 5e87ce3f5fdf64eea337fac3d1425d88d33a0992 Mon Sep 17 00:00:00 2001
From: Valerio Lomanto
Date: Tue, 4 Feb 2025 16:23:49 +0100
Subject: [PATCH] add puppet class for action runner
---
 .../puppet/modules/soc/manifests/runner.pp | 40 +++++++++++++
 .../templates/runner/docker-compose.yml.erb | 59 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/soc/manifests/runner.pp
 create mode 100644 global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
new file mode 100644
index 0000000..2e93fb4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
@@ -0,0 +1,40 @@
+# Configure a forgejo runner
+# taken from cdn-ops
+class cdn::runner(
+)
+{
+ $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
+
+ if $runner_token {
+
+ file { '/opt/forgejo-runner':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ # The owner/group matches 'user' in compose file for runner
+ file { '/opt/forgejo-runner/data':
+ ensure => directory,
+ owner => '1001',
+ group => '1001',
+ mode => '0750',
+ }
+
+ file { '/opt/forgejo-runner/docker_certs':
+ ensure => directory,
+ owner => 'root',
+ group => '1001',
+ mode => '0750',
+ }
+
+ sunet::docker_compose { 'soc-action-runner':
+ content => template('soc/runner/docker-compose.yml.erb'),
+ service_name => 'soc-runner',
+ compose_dir => '/opt/compose/runner',
+ compose_filename => 'docker-compose.yml',
+ description => 'SUNET SOC forgejo runner',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
new file mode 100644
index 0000000..d90dab1
--- /dev/null
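Review bot: The class is declared as `cdn::runner` but the file sits at `modules/soc/manifests/runner.pp` and pulls its template from the `soc` module, so Puppet's autoloader expects `soc::runner` here; `include cdn::runner` will not find this file, and `include soc::runner` will load it and then fail because no class of that name is defined. The fix is the declaration line, `class soc::runner(`. The `runner_token.vuln_management_repo` value is a registration secret that ends up in the rendered `/opt/compose/runner/docker-compose.yml`; `sunet::docker_compose` decides that file's owner and mode and is not visible here, so it is worth confirming the rendered file is readable by root only.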
+++ b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb 
@@ -0,0 +1,59 @@
+version: '3.8'
+
+# Taken from cdn-ops
+# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
+# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+services:
+ docker-in-docker:
+ image: docker:dind
+ hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
+ privileged: 'true'
+ environment:
+ DOCKER_TLS_CERTDIR: /certs
+ DOCKER_HOST: docker-in-docker
+ volumes:
+ - /opt/forgejo-runner/docker_certs:/certs
+
+ runner-register:
+ image: 'code.forgejo.org/forgejo/runner:3.5.0'
+ depends_on:
+ docker-in-docker:
+ condition: service_started
+ # User without root privileges, but with access to `./data`.
+ user: 1001:1001
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ command: >-
+ bash -ec '
+ while : ; do
+ if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi
+ forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels python:docker://python:3.12-bookworm && break;
+ sleep 1 ;
+ done ;
+ forgejo-runner generate-config > config.yml ;
+ sed -i -e "s|network: .*|network: host|" config.yml ;
+ sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
+ sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
+ '
+
+ runner-daemon:
+ image: code.forgejo.org/forgejo/runner:3.5.0
+ user: 1001:1001
+ links:
+ - docker-in-docker
+ depends_on:
+ runner-register:
+ condition: service_completed_successfully
+ environment:
+ DOCKER_HOST: tcp://docker:2376
+ DOCKER_CERT_PATH: /certs/client
+ DOCKER_TLS_VERIFY: "1"
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ - /opt/forgejo-runner/docker_certs:/certs
+ command:
+ - 'forgejo-runner'
+ - '--config'
+ - 'config.yml'
+ - 'daemon'
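Review bot: The registration token is interpolated straight into the `runner-register` command string (`--token <%= @runner_token %>`), so besides the rendered compose file it is visible in `docker inspect` of that container and in host process listings while the shell runs; having Puppet place it in a root-written, 1001-readable file under `/opt/forgejo-runner/data` and reading it inside the script keeps it out of the argv. The `if [ -f .runner ]; ... fi` line ends without a `;`: inside a `>-` folded scalar, if that line sits at the scalar's base indentation (indentation is not recoverable from this view) its line break folds into a space and `fi forgejo-runner register` is a shell syntax error, so `exit; fi ;` is safer either way. `privileged: 'true'` is a quoted string where the compose spec defines a boolean; `privileged: true` avoids depending on string coercion for the one setting that grants the dind container host-level privileges. Both `code.forgejo.org/forgejo/runner:3.5.0` images and `docker:dind` are pinned by tag only; pinning by digest would make what runs next to a privileged daemon reproducible.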