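# Class for Forgejo action runners.
#
# Provisions one unprivileged system user per replica, each running its own
# rootless podman-compose stack out of /opt/<user>.  Every resource inside the
# loop is keyed on "${username}${x}", so replicas never share files, uids or
# systemd user managers.
#
# @param replicas Number of runner users/stacks to create (runneruser1..N).
class podmanrunner::runner (
  Integer $replicas = 2,
) {
  $username = 'runneruser'

  package { 'podman':
    ensure   => installed,
    provider => apt,
  }

  # Provides the machine/user-manager tooling used by the systemd-run calls
  # below.
  package { 'systemd-container':
    ensure   => installed,
    provider => apt,
  }

  package { 'python3-dotenv':
    ensure   => installed,
    provider => apt,
  }

  # Vendored, pinned podman-compose shipped from this module rather than the
  # distro package; change the source file name to upgrade it.
  file { '/usr/local/bin/podman-compose':
    ensure => file,
    mode   => '0555',
    source => 'puppet:///modules/podmanrunner/podman-compose-1.0.6',
    owner  => 'root',
    group  => 'root',
  }

  range(1, $replicas).each |$x| {
    $runner = "${username}${x}"
    $home   = "/opt/${runner}"
    $data   = "${home}/runnerdata"

    # Service account: no interactive login, fixed uid so the subuid
    # mapping used by rootless podman stays stable across hosts.
    # NOTE(review): rootless podman needs a subuid/subgid range for this
    # user; Debian's useradd allocates one by default -- confirm on this
    # platform.
    user { $runner:
      ensure     => present,
      home       => $home,
      shell      => '/usr/sbin/nologin',
      uid        => $x + 1001,   # runneruser1 -> 1002, runneruser2 -> 1003, ...
      managehome => true,
    }

    # Compose file is owner-read-only (presumably carries runner
    # registration settings -- confirm against the template).
    file { "${home}/docker-compose.yaml":
      ensure  => file,
      content => template('podmanrunner/docker-compose.yaml.erb'),
      owner   => $runner,
      group   => $runner,
      mode    => '0400',
    }

    file { "${home}/runnerimage":
      ensure => directory,
      mode   => '0700',
      owner  => $runner,
      group  => $runner,
    }

    file { "${home}/runnerimage/Containerfile":
      ensure  => file,
      content => template('podmanrunner/runnerimage-Containerfile.erb'),
      owner   => $runner,
      group   => $runner,
      mode    => '0400',
    }

    # runnerdata is created once, owned by the host user, and then handed to
    # the container's uid 1000 by the "make-...-own-runnerdata" exec below.
    # Puppet must not keep re-asserting owner/group on it, or it would undo
    # that chown on every run, so the directory is created with an
    # agent-side `creates` guard instead of a managed file resource.
    # (The former `unless find_file(...)` guard was evaluated at catalog
    # compile time, i.e. on the compiling host, not necessarily on the
    # agent.)
    exec { "create-${runner}-runnerdata":
      command => "install -d -m 0700 -o ${runner} -g ${runner} ${data}",
      path    => '/usr/bin:/usr/sbin:/bin',
      creates => $data,
      require => User[$runner],
    }

    # NOTE(review): this file stays owned by the host user (container root
    # inside the rootless user namespace) with mode 0400 -- confirm the
    # runner process inside the container can read /data/config.yml.
    file { "${data}/config.yml":
      ensure  => file,
      source  => 'puppet:///modules/podmanrunner/forgejo-runner-config.yml',
      owner   => $runner,
      group   => $runner,
      mode    => '0400',
      require => Exec["create-${runner}-runnerdata"],
    }

    # A user manager (user@<uid>.service) must be running for the
    # `systemd-run --user --machine=<user>@` calls below; lingering keeps it
    # up without an interactive session.  Declared before the chown exec so
    # the dependency is explicit rather than relying on manifest ordering.
    exec { "enable-${runner}-linger":
      command   => "loginctl enable-linger ${runner}",
      path      => '/usr/bin:/usr/sbin:/bin',
      provider  => shell,
      logoutput => false,
      unless    => "test -f /var/lib/systemd/linger/${runner}",
      require   => User[$runner],
    }

    # Make sure the container's uid 1000 (mapped into the runner user's
    # subuid range by `podman unshare`) owns the /data dir.  The unless
    # check verifies both uid and gid from inside the same user namespace,
    # so the chown only runs when ownership actually differs.
    exec { "make-${runner}-own-runnerdata":
      command   => "systemd-run --wait --user --machine=${runner}@ /bin/bash -c 'podman unshare chown 1000:1000 ${data}'",
      path      => '/usr/bin:/usr/sbin:/bin',
      provider  => shell,
      logoutput => false,
      unless    => "systemd-run --wait --user --machine=${runner}@ /bin/bash -c 'podman unshare stat --format %u ${data} | grep ^1000$ && podman unshare stat --format %g ${data} | grep ^1000$'",
      require   => [
        Package['podman'],
        Exec["create-${runner}-runnerdata"],
        Exec["enable-${runner}-linger"],
      ],
    }
  }
}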