From 3faa16b1e8db6448e9d0ca6f445ece6010018659 Mon Sep 17 00:00:00 2001
From: Valerio Lomanto
Date: Tue, 4 Feb 2025 13:04:20 +0100
Subject: [PATCH 1/6] internal-sto3-dev-ci-1.cert.sunet.se added

---
 internal-sto3-dev-ci-1.cert.sunet.se/README | 1 +
 1 file changed, 1 insertion(+)
 create mode 120000 internal-sto3-dev-ci-1.cert.sunet.se/README

diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/README b/internal-sto3-dev-ci-1.cert.sunet.se/README
new file mode 120000
index 0000000..59a23c4
--- /dev/null
+++ b/internal-sto3-dev-ci-1.cert.sunet.se/README
@@ -0,0 +1 @@
+../README
\ No newline at end of file

From 5e87ce3f5fdf64eea337fac3d1425d88d33a0992 Mon Sep 17 00:00:00 2001
From: Valerio Lomanto
Date: Tue, 4 Feb 2025 16:23:49 +0100
Subject: [PATCH 2/6] add puppet class for action runner

---
 .../puppet/modules/soc/manifests/runner.pp | 40 +++++++++++++
 .../templates/runner/docker-compose.yml.erb | 59 +++++++++++++++++++
 2 files changed, 99 insertions(+)
 create mode 100644 global/overlay/etc/puppet/modules/soc/manifests/runner.pp
 create mode 100644 global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb

diff --git a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
new file mode 100644
index 0000000..2e93fb4
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp
@@ -0,0 +1,40 @@
+# Configure a forgejo runner
+# taken from cdn-ops
+class cdn::runner(
+)
+{
+ $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })
+
+ if $runner_token {
+
+ file { '/opt/forgejo-runner':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0750',
+ }
+
+ # The owner/group matches 'user' in compose file for runner
+ file { '/opt/forgejo-runner/data':
+ ensure => directory,
+ owner => '1001',
+ group => '1001',
+ mode => '0750',
+ }
+
+ file { '/opt/forgejo-runner/docker_certs':
+ ensure => directory,
+ owner => 'root',
+ group => '1001',
+ mode => '0750',
+ }
+
+ sunet::docker_compose { 'soc-action-runner':
+ content => template('soc/runner/docker-compose.yml.erb'),
+ service_name => 'soc-runner',
+ compose_dir => '/opt/compose/runner',
+ compose_filename => 'docker-compose.yml',
+ description => 'SUNET SOC forgejo runner',
+ }
+ }
+}
diff --git a/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
new file mode 100644
index 0000000..d90dab1
--- /dev/null
+++ b/global/overlay/etc/puppet/modules/soc/templates/runner/docker-compose.yml.erb
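Review bot: When the `lookup` for `runner_token.vuln_management_repo` returns undef, the `if $runner_token` guard turns the whole class into a silent no-op, so a host whose eyaml key is missing or misspelled applies cleanly with no runner and nothing in the Puppet report; an `else { warning('runner_token.vuln_management_repo not set, forgejo runner not configured') }` after the block would surface that. The token is also rendered verbatim by `template('soc/runner/docker-compose.yml.erb')` into the compose file under `/opt/compose/runner`, so the file mode that `sunet::docker_compose` applies decides who on the host can read the secret; that define is not visible here, so it is worth confirming the rendered file is not world-readable. The numeric uid is explained by a comment only on the `data` resource; the `group => '1001'` on `docker_certs` deserves the same note, e.g. `# group 1001 = the runner user in the compose file, needs read access to the client certs`.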
@@ -0,0 +1,59 @@
+version: '3.8'
+
+# Taken from cdn-ops
+# Based on combination of https://forgejo.org/docs/latest/admin/actions/ and
+# https://code.forgejo.org/forgejo/runner/src/branch/main/examples/docker-compose/compose-forgejo-and-runner.yml
+
+services:
+ docker-in-docker:
+ image: docker:dind
+ hostname: docker # Must set hostname as TLS certificates are only valid for docker or localhost
+ privileged: 'true'
+ environment:
+ DOCKER_TLS_CERTDIR: /certs
+ DOCKER_HOST: docker-in-docker
+ volumes:
+ - /opt/forgejo-runner/docker_certs:/certs
+
+ runner-register:
+ image: 'code.forgejo.org/forgejo/runner:3.5.0'
+ depends_on:
+ docker-in-docker:
+ condition: service_started
+ # User without root privileges, but with access to `./data`.
+ user: 1001:1001
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ command: >-
+ bash -ec '
+ while : ; do
+ if [ -f .runner ]; then echo "runner already registered, exiting"; exit; fi
+ forgejo-runner register --no-interactive --name <%= @networking['fqdn'] %> --instance https://platform.sunet.se --token <%= @runner_token %> --labels python:docker://python:3.12-bookworm && break;
+ sleep 1 ;
+ done ;
+ forgejo-runner generate-config > config.yml ;
+ sed -i -e "s|network: .*|network: host|" config.yml ;
+ sed -i -e "s|^ envs:$$| envs:\n DOCKER_HOST: tcp://docker:2376\n DOCKER_TLS_VERIFY: 1\n DOCKER_CERT_PATH: /certs/client|" config.yml ;
+ sed -i -e "s| valid_volumes: \[\]$$| valid_volumes:\n - /certs/client|" config.yml ;
+ '
+
+ runner-daemon:
+ image: code.forgejo.org/forgejo/runner:3.5.0
+ user: 1001:1001
+ links:
+ - docker-in-docker
+ depends_on:
+ runner-register:
+ condition: service_completed_successfully
+ environment:
+ DOCKER_HOST: tcp://docker:2376
+ DOCKER_CERT_PATH: /certs/client
+ DOCKER_TLS_VERIFY: "1"
+ volumes:
+ - /opt/forgejo-runner/data:/data
+ - /opt/forgejo-runner/docker_certs:/certs
+ command:
+ - 'forgejo-runner'
+ - '--config'
+ - 'config.yml'
+ - 'daemon'
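Review bot: The registration loop in `runner-register` (`while : ; do … sleep 1 ; done`) never gives up, so a revoked or mistyped `@runner_token` leaves that container retrying forever, `runner-daemon` never starts because it waits for `service_completed_successfully`, and the only symptom is buried in the container log. Bounding it — `for attempt in $$(seq 1 60); do` (doubled `$` as the sed lines already do, since Compose interpolates the string) and `done ; [ -f .runner ] || exit 1 ;` after the loop — turns a bad secret into a failed service that monitoring can see. Because the token is expanded into the `command:` string, anyone who can run `docker inspect` or read the process list on the host can see it; I have not checked whether the 3.5.0 CLI accepts the token from a file or environment variable, but if it does that would narrow the exposure. `privileged: 'true'` on `docker-in-docker`, together with the `envs` sed that hands every job `DOCKER_HOST`/`DOCKER_CERT_PATH` for that daemon, means a job drives the Docker daemon of a privileged container; that is the usual dind trade-off, but it makes this host only as trusted as the repositories allowed to run workflows on it.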
From 966de2f38c90ca50fdda1aea955b5dc9e9f7c458 Mon Sep 17 00:00:00 2001
From: Valerio Lomanto
Date: Tue, 4 Feb 2025 16:24:12 +0100
Subject: [PATCH 3/6] add runner token to host secrets

---
 internal-sto3-dev-ci-1.cert.sunet.se/README | 1 -
 internal-sto3-dev-ci-1.cert.sunet.se/README.md | 2 ++
 .../overlay/etc/hiera/data/local.eyaml | 3 +++
 3 files changed, 5 insertions(+), 1 deletion(-)
 delete mode 120000 internal-sto3-dev-ci-1.cert.sunet.se/README
 create mode 100644 internal-sto3-dev-ci-1.cert.sunet.se/README.md
 create mode 100644 internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml

diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/README b/internal-sto3-dev-ci-1.cert.sunet.se/README
deleted file mode 120000
index 59a23c4..0000000
--- a/internal-sto3-dev-ci-1.cert.sunet.se/README
+++ /dev/null
@@ -1 +0,0 @@
-../README
\ No newline at end of file
diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/README.md b/internal-sto3-dev-ci-1.cert.sunet.se/README.md
new file mode 100644
index 0000000..4f4766b
--- /dev/null
+++ b/internal-sto3-dev-ci-1.cert.sunet.se/README.md
@@ -0,0 +1,2 @@
+Forgejo action runner for platform.sunet.se
+Used by soc projects
diff --git a/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml b/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml
new file mode 100644
index 0000000..ddf8513
--- /dev/null
+++ b/internal-sto3-dev-ci-1.cert.sunet.se/overlay/etc/hiera/data/local.eyaml
@@ -0,0 +1,3 @@
+---
+runner_token:
+ vuln_management_repo: ENC[PKCS7,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]

From ce4547ba32400e7661a53f628f28ec699ec4c9c9 Mon Sep 17 00:00:00 2001
From: Valerio Lomanto
Date: Tue, 4 Feb 2025 16:29:12 +0100
Subject: [PATCH 4/6] configure runner host

---
 global/overlay/etc/puppet/cosmos-rules.yaml | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/global/overlay/etc/puppet/cosmos-rules.yaml b/global/overlay/etc/puppet/cosmos-rules.yaml
index 0ca9d93..50bc138 100644
--- a/global/overlay/etc/puppet/cosmos-rules.yaml +++ b/global/overlay/etc/puppet/cosmos-rules.yaml @@ -37,6 +37,10 @@ entityID: 'https://test-sso-proxy.cert.sunet.se/idp' # soc::vuln_dashboard: +'^internal-sto3-dev-ci-1.cert.sunet.se$': + sunet::dockerhost2: + soc::runner: + test-sso-proxy1.cert.sunet.se: sunet::dockerhost2: sunet::certbot::acmed: From 7817928758e1b92553d458c956f9fd91b3a9d356 Mon Sep 17 00:00:00 2001 From: Valerio Lomanto Date: Tue, 4 Feb 2025 16:57:12 +0100 Subject: [PATCH 5/6] fix leftover name --- global/overlay/etc/puppet/modules/soc/manifests/runner.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp index 2e93fb4..2991c0d 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp @@ -1,6 +1,6 @@ # Configure a forgejo runner # taken from cdn-ops -class cdn::runner( +class ops::runner( ) { $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef }) From a2474309cb6e55c21f6af9e39144ed09df02eb39 Mon Sep 17 00:00:00 2001 From: Valerio Lomanto Date: Wed, 5 Feb 2025 00:50:28 +0100 Subject: [PATCH 6/6] actually fix name --- global/overlay/etc/puppet/modules/soc/manifests/runner.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp index 2991c0d..d851869 100644 --- a/global/overlay/etc/puppet/modules/soc/manifests/runner.pp +++ b/global/overlay/etc/puppet/modules/soc/manifests/runner.pp @@ -1,6 +1,6 @@ # Configure a forgejo runner # taken from cdn-ops -class ops::runner( +class soc::runner( ) { $runner_token = lookup({ 'name' => 'runner_token.vuln_management_repo', 'default_value' => undef })