Merge pull request 'Setup Forgejo action runner' (#2) from verglasz/soc-ops:main into main

Reviewed-on: SUNET/soc-ops#2
Reviewed-by: Johan Björklund <bjorklund@sunet.se>

global/overlay/etc/puppet/cosmos-rules.yaml

@@ -37,6 +37,10 @@
     entityID: 'https://test-sso-proxy.cert.sunet.se/idp'
 #  soc::vuln_dashboard:
 
+'^internal-sto3-dev-ci-1.cert.sunet.se$':
+  sunet::dockerhost2:
+  soc::runner:
+
 test-sso-proxy1.cert.sunet.se:
   sunet::dockerhost2:
   sunet::certbot::acmed:

global/overlay/etc/puppet/modules/soc/manifests/runner.pp

@@ -0,0 +1,40 @@
+# Configure a forgejo runner
+# taken from cdn-ops
+class soc::runner(
+)
+{
+  $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
+
+  if $runner_token {
+
+    file { '/opt/forgejo-runner':
+      ensure  => directory,
+      owner   => 'root',
+      group   => 'root',
+      mode    => '0750',
+    }
+
+    # The owner/group matches 'user' in compose file for runner
+    file { '/opt/forgejo-runner/data':
+      ensure  => directory,
+      owner   => '1001',
+      group   => '1001',
+      mode    => '0750',
+    }
+
+    file { '/opt/forgejo-runner/docker_certs':
+      ensure  => directory,
+      owner   => 'root',
+      group   => '1001',
+      mode    => '0750',
+    }
+
+    sunet::docker_compose { 'soc-action-runner':
+      content          => template('soc/runner/docker-compose.yml.erb'),
+      service_name     => 'soc-runner',
+      compose_dir      => '/opt/compose/runner',
+      compose_filename => 'docker-compose.yml',
+      description      => 'SUNET SOC forgejo runner',
+    }
+  }
+}

global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb

@@ -0,0 +1,59 @@
+version: '3.8'
+
+# Taken from cdn-ops
+# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
+# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+services:
+  docker-in-docker:
+    image: docker:dind
+    hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
+    privileged: 'true'
+    environment:
+      DOCKER_TLS_CERTDIR: /certs
+      DOCKER_HOST: docker-in-docker
+    volumes:
+      - /opt/forgejo-runner/docker_certs:/certs
+
+  runner-register:
+    image: 'code.forgejo.org/forgejo/runner:3.5.0'
+    depends_on:
+      docker-in-docker:
+        condition: service_started
+    # User without root privileges, but with access to `./data`.
+    user: 1001:1001
+    volumes:
+      - /opt/forgejo-runner/data:/data
+    command: >-
+      bash -ec '
+      while : ; do
+        if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi
+      forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels python:docker://python:3.12-bookworm && break;
+        sleep 1 ;
+      done ;
+      forgejo-runner generate-config > config.yml ;
+      sed -i -e "s|network: .*|network: host|" config.yml ;
+      sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://docker:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
+      sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml ;
+      '
+
+  runner-daemon:
+    image: code.forgejo.org/forgejo/runner:3.5.0
+    user: 1001:1001
+    links:
+      - docker-in-docker
+    depends_on:
+      runner-register:
+        condition: service_completed_successfully
+    environment:
+      DOCKER_HOST: tcp://docker:2376
+      DOCKER_CERT_PATH: /certs/client
+      DOCKER_TLS_VERIFY: "1"
+    volumes:
+      - /opt/forgejo-runner/data:/data
+      - /opt/forgejo-runner/docker_certs:/certs
+    command:
+      - 'forgejo-runner'
+      - '--config'
+      - 'config.yml'
+      - 'daemon'

internal-sto3-dev-ci-1.cert.sunet.se/README.md

@@ -0,0 +1,2 @@
+Forgejo action runner for platform.sunet.se
+Used by soc projects

internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml

@@ -0,0 +1,3 @@
+---
+runner_token:
+  vuln_management_repo: ENC[PKCS7,MIIDCAYJKoZIhvcNAQcDoIIC+TCCAvUCAQAxggKQMIICjAIBADB0MFwxCzAJBgNVBAYTAlNFMQ4wDAYDVQQKDAVTVU5FVDEOMAwGA1UECwwFRVlBTUwxLTArBgNVBAMMJGludGVybmFsLXN0bzMtZGV2LWNpLTEuY2VydC5zdW5ldC5zZQIUVVgphqarTmxaqEYcFm8NX4LTKEowDQYJKoZIhvcNAQEBBQAEggIAcbAHEbLSo2rwi64C4a1u2Li0/M/aNkKgujvBpCASUZKHb45RDvgU4BGktSilmtixD0tt8UCt9FkiWe/kKiAYV1n6YBIzETkn8KrhtDpujtJ1s+0mu3fzoAdCVaCFcg6h+rCEO+C5cPJfKWFeaL3kt9tz7A8YciCqq3PyVXA34Z3uoIDv2FMG8GbBOjijXJtVHiEopd0a7EZVCIAuVIP8XRJiEErPc/4cX7qMwjHS1skouL/Irx5WZ79nyFKQXDTnzcNjBSBw5FZ1RQRPIGa39/ozyQO5TPjlGFDEoGsudk4y2wgXTxqNgIdSQR7sIq64IHsA6wyNzib7VhsPrGS5onqhRsDs1qBLJgT2PSdJtrwYFWrCTl9oOlmFkrVrPdcWuOyDurhVoq7UFiuP1HvstK7HY0aMkw0QOwDIc9KQ/Q+kWPG2whVPkkoRDAAmA9hI3fTq2JeUMNIVZW3wYUUWc+u5NlghQzio4SYtaYrJ0AIBJiy+Kq7QqzLtTd7Uq/w4OkAqYVBRIhdQLu8KcVNOzYFQRLm4lzWHH8tMxWjXwSFB+nPoARdwk0Ykv+420VljzRAEWt9UzowM+eXYTXoQif4FvWOCCzvdf3hRsQPpMd5lfAMzimW6j+cZD+Ew6vgcOuEo5Bn+tszlHBaSo3lSR98XOIJn6QXSP1Ue0/GuxBIwXAYJKoZIhvcNAQcBMB0GCWCGSAFlAwQBKgQQUFl1txCRbujqq03hb3FepIAwVLn2CkoqtAaME0KXLfKjO17/wWTr11tPFcenCXo969tHSPwt7zzZrleKO2wmahsx]