diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 0ca9d93..50bc138 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml
+++ b/global/overlay/etc/puppet/cosmos-rules.yaml
@@ -37,6 +37,10 @@ entityID: 'https://test-sso-proxy.cert.sunet.se/idp' # soc::vuln_dashboard: +'^internal-sto3-dev-ci-1.cert.sunet.se$': + sunet::dockerhost2: + soc::runner: + test-sso-proxy1.cert.sunet.se: sunet::dockerhost2: sunet::certbot::acmed:
diff --git a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
new file mode 100644
index 0000000..d851869
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
@@ -0,0 +1,40 @@
+# Configure a forgejo runner
+# taken from cdn-ops
+class soc::runner(
+)
+{
+ $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
+
+ if $runner_token {
+
+ file { '/opt/forgejo-runner':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ # The owner/group matches 'user' in compose file for runner
+ file { '/opt/forgejo-runner/data':
+ ensure => directory,
+ owner => '1001',
+ group => '1001',
+ mode => '0750',
+ }
+
+ file { '/opt/forgejo-runner/docker_certs':
+ ensure => directory,
+ owner => 'root',
+ group => '1001',
+ mode => '0750',
+ }
+
+ sunet::docker_compose { 'soc-action-runner':
+ content => template('soc/runner/docker-compose.yml.erb'),
+ service_name => 'soc-runner',
+ compose_dir => '/opt/compose/runner',
+ compose_filename => 'docker-compose.yml',
+ description => 'SUNET SOC forgejo runner',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
new file mode 100644
index 0000000..d90dab1
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
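Review bot: When `runner_token.vuln_management_repo` is absent from hiera the whole of `soc::runner` silently becomes a no-op, because the `if $runner_token` guard wraps the entire body with no diagnostic; add an `else` branch with `warning('soc::runner: runner_token.vuln_management_repo not set, skipping runner setup')` so a missing or mistyped key shows up in the agent run instead of as a host that simply has no runner. The lookup key is also undocumented: the header comment should name it, e.g. `# Requires hiera key 'runner_token.vuln_management_repo' (Forgejo runner registration token)`. Note that the token value is rendered into the compose template and written under `/opt/compose/runner/docker-compose.yml`, and this class sets no mode on that directory, so whether the on-disk token is readable by other local users depends on `sunet::docker_compose`, which is outside this diff and worth confirming.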
@@ -0,0 +1,59 @@
+version: '3.8'
+
+# Taken from cdn-ops
+# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
+# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+services:
+ docker-in-docker:
+ image: docker:dind
+ hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
+ privileged: 'true'
+ environment:
+ DOCKER_TLS_CERTDIR: /certs
+ DOCKER_HOST: docker-in-docker
+ volumes:
+ - /opt/forgejo-runner/docker_certs:/certs
+
+ runner-register:
+ image: 'code.forgejo.org/forgejo/runner:3.5.0'
+ depends_on:
+ docker-in-docker:
+ condition: service_started
+ # User without root privileges, but with access to `./data`.
+ user: 1001:1001
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ command: >-
+ bash -ec '
+ while : ; do
+ if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi
+ forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels python:docker://python:3.12-bookworm && break;
+ sleep 1 ;
+ done ;
+ forgejo-runner generate-config > config.yml ;
+ sed -i -e "s|network: .*|network: host|" config.yml ;
+ sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
+ sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
+ '
+
+ runner-daemon:
+ image: code.forgejo.org/forgejo/runner:3.5.0
+ user: 1001:1001
+ links:
+ - docker-in-docker
+ depends_on:
+ runner-register:
+ condition: service_completed_successfully
+ environment:
+ DOCKER_HOST: tcp://docker:2376
+ DOCKER_CERT_PATH: /certs/client
+ DOCKER_TLS_VERIFY: "1"
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ - /opt/forgejo-runner/docker_certs:/certs
+ command:
+ - 'forgejo-runner'
+ - '--config'
+ - 'config.yml'
+ - 'daemon'
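Review bot: The registration token is interpolated straight into the `command:` of `runner-register` (`--token <%= @runner_token %>`), so the secret sits in clear text in the rendered compose file on disk and is visible in the container's argv (`docker inspect`, process listings on the host); passing it via `environment:` or an `env_file` with restricted permissions and referencing it as a shell variable inside the `bash -ec` script keeps it out of the command line. `image: docker:dind` floats on the default tag while both runner services are pinned to `3.5.0`; pin the privileged daemon too, e.g. `image: 'docker:<PINNED_VERSION>-dind'` or a digest, so it does not change underneath the runner on the next pull. Minor style: `privileged: 'true'` is a quoted string where a YAML boolean is meant (`privileged: true`), and `DOCKER_TLS_VERIFY` is written unquoted by the sed in `runner-register` but as `"1"` in `runner-daemon`. The `DOCKER_HOST: docker-in-docker` value on the dind service itself has no scheme and looks out of place next to `tcp://docker:2376` elsewhere; I cannot tell from the diff what consumes it, so worth confirming it is intended.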
diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/README.md b/internal-sto3-dev-ci-1.cert.sunet.se/README.md
new file mode 100644
index 0000000..4f4766b
--- /dev/null
+++ b/internal-sto3-dev-ci-1.cert.sunet.se/README.md
@@ -0,0 +1,2 @@
+Forgejo action runner for platform.sunet.se
+Used by soc projects
diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml b/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml
new file mode 100644
index 0000000..ddf8513
--- /dev/null
+++ b/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml
@@ -0,0 +1,3 @@
+---
+runner_token:
+ vuln_management_repo: ENC[PKCS7,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]