From 993fc0b1d085cf35ecb98818b33efe5b2ec6b117 Mon Sep 17 00:00:00 2001 
From: cuqmbr Date: Tue, 1 Jul 2025 23:33:13 +0300 Subject: [PATCH] add forgejo-runner provisioning and installation --- README.md | 1 + ansible/23_forgejo_runner.yml | 17 +++ .../common/group_vars/monitoring.yml | 6 + .../dev/group_vars/forgejo_runner.yml | 75 ++++++++++ ansible/inventories/dev/hosts.yml | 3 + ansible/roles/docker/meta/main.yml | 10 ++ .../docker/molecule/default/converge.yml | 14 ++ .../docker/molecule/default/molecule.yml | 12 ++ ansible/roles/docker/tasks/main.yml | 36 +++++ .../roles/forgejo_runner/defaults/main.yml | 139 ++++++++++++++++++ .../files/forgejo-runner.service | 18 +++ .../roles/forgejo_runner/handlers/main.yml | 6 + ansible/roles/forgejo_runner/meta/main.yml | 10 ++ .../molecule/default/converge.yml | 19 +++ .../molecule/default/molecule.yml | 12 ++ ansible/roles/forgejo_runner/tasks/main.yml | 122 +++++++++++++++ .../forgejo_runner/templates/config.yml.j2 | 7 + terraform/common/firewall_ipsets.tf | 5 + terraform/dev/forgejo-runner.tf | 100 +++++++++++++ 19 files changed, 612 insertions(+) create mode 100644 ansible/23_forgejo_runner.yml create mode 100644 ansible/inventories/dev/group_vars/forgejo_runner.yml create mode 100644 ansible/roles/docker/meta/main.yml create mode 100644 ansible/roles/docker/molecule/default/converge.yml create mode 100644 ansible/roles/docker/molecule/default/molecule.yml create mode 100644 ansible/roles/docker/tasks/main.yml create mode 100644 ansible/roles/forgejo_runner/defaults/main.yml create mode 100644 ansible/roles/forgejo_runner/files/forgejo-runner.service create mode 100644 ansible/roles/forgejo_runner/handlers/main.yml create mode 100644 ansible/roles/forgejo_runner/meta/main.yml create mode 100644 ansible/roles/forgejo_runner/molecule/default/converge.yml create mode 100644 ansible/roles/forgejo_runner/molecule/default/molecule.yml create mode 100644 ansible/roles/forgejo_runner/tasks/main.yml create mode 100644 ansible/roles/forgejo_runner/templates/config.yml.j2 create mode 100644 
terraform/dev/forgejo-runner.tf diff --git a/README.md b/README.md index 226ecbe..55f9ebf 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ ### Todo - Create role for installing and configuring Valkey +- Add docker role to forgejo_runner role dependency lis diff --git a/ansible/23_forgejo_runner.yml b/ansible/23_forgejo_runner.yml new file mode 100644 index 0000000..9b261e7 --- /dev/null +++ b/ansible/23_forgejo_runner.yml @@ -0,0 +1,17 @@ +--- + +- hosts: forgejo_runner + gather_facts: false + + pre_tasks: + - name: Update apt cache. + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + + roles: + - role: roles/init + - role: roles/fluent_bit + - role: roles/prometheus_node_exporter + - role: roles/docker + - role: roles/forgejo_runner diff --git a/ansible/inventories/common/group_vars/monitoring.yml b/ansible/inventories/common/group_vars/monitoring.yml index 3a12364..151de9d 100644 --- a/ansible/inventories/common/group_vars/monitoring.yml +++ b/ansible/inventories/common/group_vars/monitoring.yml @@ -66,6 +66,12 @@ prometheus_options: labels: env: dev hostname: forgejo + - targets: + # forgejo + - 192.168.0.21:9100 + labels: + env: dev + hostname: forgejo-runner - targets: # bastion - 192.168.0.254:9100 diff --git a/ansible/inventories/dev/group_vars/forgejo_runner.yml b/ansible/inventories/dev/group_vars/forgejo_runner.yml new file mode 100644 index 0000000..ccf72b2 --- /dev/null +++ b/ansible/inventories/dev/group_vars/forgejo_runner.yml 
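Review bot: The comment above the new scrape target still reads `# forgejo` while the target 192.168.0.21:9100 is labelled `hostname: forgejo-runner`, so the only human-readable annotation in that block names the wrong host. Change it to `# forgejo-runner` to match the neighbouring entries (`# bastion` for 192.168.0.254), which each name their own host.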
@@ -0,0 +1,75 @@ +--- + +users: + - name: admin + password_hash: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 30623138653735643561343061356531373430393662383764633038383238383837626636393432 + 3138653539356430306266663864343563616332656131310a343632323363653665646363366437 + 66643430626437333461656231303339656435346261336238313036306431396333643965666631 + 3665393163623266320a373838313538626438623330393533353931336331623464613664633430 + 32303734396634376431383936643431313561303864343930393363623130663236666636353637 + 63613237383666656263316661333031643032323266636464313839653065316138343035346161 + 64313037336666353136383462333832373031623637636630326330313832333265386632343139 + 30306638356434376635346637346134653064613236326333656566383137353166393063333563 + 32623638343263313463313062303465626439356461613235656661623364656138 + ssh_public_keys: + - "ssh-rsa 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 openpgp:0x8880F3E0" + - "ssh-ed25519 \ + AAAAC3NzaC1lZDI1NTE5AAAAIJRnXU2My2iMXl1yCIEoASZYAUW0q1qn3P5tSUI0B0+4 \ + openpgp:0xAD2BFD7F" + opendoas_settings: "permit persist admin as root" + - name: ansible + password_hash: "" + ssh_public_keys: + - "ssh-rsa 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 openpgp:0x8880F3E0" + - "ssh-ed25519 \ + AAAAC3NzaC1lZDI1NTE5AAAAIJRnXU2My2iMXl1yCIEoASZYAUW0q1qn3P5tSUI0B0+4 \ + openpgp:0xAD2BFD7F" + opendoas_settings: "permit nopass ansible" + + +forgejo_runner_settings: + version: 6.4.0 + instance: http://git.dev.cuqmbr.home + token: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 37363965303034663465373839646165323137363133653334333066303934316632666632323332 + 6236343531656331306363376366663436323934353263380a303434303364363938353263313031 + 34366663356361643865386363336632393932336334333632333933303839376432326665653630 + 3166633131353861650a346162333934373331386134663763646534396362303261643531363362 + 62616638383239653733383265663538613637303837633734383933363937383439666133373365 + 
3231376635356132656636616662663266343837613364356232 + name: forgejo-runner + + +fluentbit_settings: + service: + flush: 1 + daemon: false + log_level: info + http_server: false + pipeline: + inputs: + - name: systemd + tag: systemd_input + filters: + - name: rewrite_tag + match: systemd_input + rule: $_SYSTEMD_UNIT ^(forgejo-runner.service)$ forgejo-runner false + - name: rewrite_tag + match: systemd_input + rule: $_SYSTEMD_UNIT ^(forgejo-runner.service.+|(?!forgejo-runner.service).*)$ systemd false + - name: record_modifier + match: forgejo-runner + allowlist_key: + - MESSAGE + outputs: + - name: loki + host: 192.168.0.252 + labels: "env=dev,hostname=forgejo-runner,service_name=forgejo-runner" + match: forgejo-runner + - name: loki + host: 192.168.0.252 + labels: "env=dev,hostname=forgejo-runner,service_name=systemd" + match: systemd diff --git a/ansible/inventories/dev/hosts.yml b/ansible/inventories/dev/hosts.yml index 2bfa258..3c90345 100644 --- a/ansible/inventories/dev/hosts.yml +++ b/ansible/inventories/dev/hosts.yml @@ -13,3 +13,6 @@ all: forgejo: hosts: 192.168.0.20: + forgejo_runner: + hosts: + 192.168.0.21: diff --git a/ansible/roles/docker/meta/main.yml b/ansible/roles/docker/meta/main.yml new file mode 100644 index 0000000..d40d401 --- /dev/null +++ b/ansible/roles/docker/meta/main.yml @@ -0,0 +1,10 @@ +--- +galaxy_info: + role_name: docker + author: cuqmbr-homelab + description: Install Docker Container Engine. + # issue_tracker_url: http://example.com/issue/tracker + license: MIT + min_ansible_version: "2.1" + galaxy_tags: [] +dependencies: [] diff --git a/ansible/roles/docker/molecule/default/converge.yml b/ansible/roles/docker/molecule/default/converge.yml new file mode 100644 index 0000000..9202552 --- /dev/null +++ b/ansible/roles/docker/molecule/default/converge.yml 
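Review bot: `instance: http://git.dev.cuqmbr.home` sends the registration token (carefully Vault-encrypted at rest here) and afterwards every job payload, secret and log line to the Forgejo host in cleartext; `runner.insecure: false` in the role defaults only governs TLS certificate verification and does nothing for a plain-http URL. If the instance can present a certificate, use `https://git.dev.cuqmbr.home`; otherwise state in a comment that 192.168.0.0/24 is treated as a trusted segment so the next reader does not assume transport protection. The same applies to the two fluent-bit `loki` outputs to 192.168.0.252, which forward whatever the runner writes to journald without TLS.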
@@ -0,0 +1,14 @@ +--- + +- name: Converge + hosts: all + gather_facts: false + + pre_tasks: + - name: Update apt cache. + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + + roles: + - docker diff --git a/ansible/roles/docker/molecule/default/molecule.yml b/ansible/roles/docker/molecule/default/molecule.yml new file mode 100644 index 0000000..5f4996d --- /dev/null +++ b/ansible/roles/docker/molecule/default/molecule.yml @@ -0,0 +1,12 @@ +--- +driver: + name: docker +platforms: + - name: cuqmbr-homelab.docker_debian-12 + image: docker.io/geerlingguy/docker-debian12-ansible:latest + pre_build_image: true + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml new file mode 100644 index 0000000..52c5f76 --- /dev/null +++ b/ansible/roles/docker/tasks/main.yml @@ -0,0 +1,36 @@ +--- + +- name: Create apt keys installation directory. + ansible.builtin.file: + path: "/etc/apt/keyrings" + state: directory + mode: "0755" + +- name: Add docker apt key. + ansible.builtin.get_url: + url: "https://download.docker.com/linux/ubuntu/gpg" + dest: "/etc/apt/keyrings/docker.asc" + mode: "0444" + +- name: Add docker apt repository. + ansible.builtin.apt_repository: + repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] \ + https://download.docker.com/linux/debian bookworm stable" + filename: docker + state: present + update_cache: true + +- name: Install docker apt packages. + ansible.builtin.apt: + name: + - docker-ce + - docker-ce-cli + - containerd.io + - docker-compose-plugin + state: present + +- name: Start and enable docker service. + ansible.builtin.service: + name: docker + state: started + enabled: true diff --git a/ansible/roles/forgejo_runner/defaults/main.yml b/ansible/roles/forgejo_runner/defaults/main.yml new file mode 100644 index 0000000..a98bf72 --- /dev/null 
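Review bot: The apt signing key is fetched from `https://download.docker.com/linux/ubuntu/gpg` while the repository line targets `linux/debian bookworm`; Docker publishes the same key under both paths, but the mismatch reads as a copy-paste error and the URL should be `https://download.docker.com/linux/debian/gpg` for the Debian repo. The key is also installed with no pin at all — the `get_url` task has no `checksum:` — so the only thing standing between the host and a substituted key is the TLS session to that CDN at install time, after which apt trusts it for every future `docker-ce` upgrade. Record the key's digest, verified once out of band against Docker's published fingerprint, as `checksum: "sha256:<digest>"` so a changed key fails the play instead of being silently trusted.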
+++ b/ansible/roles/forgejo_runner/defaults/main.yml 
@@ -0,0 +1,139 @@ +--- + +forgejo_runner_default_settings: + clean_binaries: false + force_register: false + version: 6.4.0 + instance: http://git.dev.cuqmbr.home + token: eGzS4vae9XrtkInvrhywiD5oXtndgm4ES9Wl3rSv + name: forgejo-runner + config: + log: + # The level of logging, can be trace, debug, info, warn, error, fatal + level: info + # The level of logging for jobs, can be trace, + # debug, info, earn, error, fatal + job_level: info + runner: + # Where to store the registration result. + file: .runner + # Execute how many tasks concurrently at the same time. + capacity: 4 + # Extra environment variables to run jobs. + envs: + # Extra environment variables to run jobs from a file. + # It will be ignored if it's empty or the file doesn't exist. + env_file: .env + # The timeout for a job to be finished. + # Please note that the Forgejo instance also has a + # timeout (3h by default) for the job. + # So the job could be stopped by the Forgejo instance + # if it's timeout is shorter than this. + timeout: 3h + # The timeout for the runner to wait for running jobs to finish when + # shutting down because a TERM or INT signal has been received. Any + # running jobs that haven't finished after this timeout will be + # cancelled. + # If unset or zero the jobs will be cancelled immediately. + shutdown_timeout: 3h + # Whether skip verifying the TLS certificate of the instance. + insecure: false + # The timeout for fetching the job from the Forgejo instance. + fetch_timeout: 5s + # The interval for fetching the job from the Forgejo instance. + fetch_interval: 2s + # The interval for reporting the job status and + # logs to the Forgejo instance. + report_interval: 1s + # The labels of a runner are used to determine which + # jobs the runner can run, and how to run them. + # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:20-bookworm", + # "ubuntu-22.04:docker://node:20-bookworm"] + # If it's empty when registering, it will ask for inputting labels. 
+ # If it's empty when executing the `daemon`, + # it will use labels in the `.runner` file. + labels: + - debian-slim-latest:docker://debian-slim:latest + - debian-slim-12:docker://debian-slim:12 + - debian-slim-11:docker://debian-slim:11 + - ubuntu-latest:docker://ubuntu:latest + - ubuntu-24.04:docker://ubuntu:24.04 + - ubuntu-22.04:docker://ubuntu:22.04 + cache: + # Enable cache server to use actions/cache. + enabled: true + # The directory to store the cache data. + # If it's empty, the cache data will be stored in $HOME/.cache/actcache. + dir: "" + # The host of the cache server. + # It's not for the address to listen, but the address + # to connect from job containers. + # So 0.0.0.0 is a bad choice, leave it empty to detect automatically. + host: "" + # The port of the cache server. + # 0 means to use a random available port. + port: 0 + # The port of the cache proxy. + # 0 means to use a random available port. + proxy_port: 0 + # The external cache server URL. Valid only when enable is true. + # If it's specified, it will be used to set the ACTIONS_CACHE_URL + # environment variable. The URL should generally end with "/". + # Otherwise it will be set to the the URL of the internal cache server. + external_server: "" + # The shared cache secret. When communicating with a cache server, + # the runner uses this secret to verify the + # authenticity of the cache requests. + # When using an external cache server it is required to + # set the same secret for the runner and the cache server. + secret: "" + # Overrides the ACTIONS_CACHE_URL passed to workflow containers. + # This should only be used if the runner host is not reachable from the + # workflow containers, and requires further setup. + actions_cache_url_override: "" + container: + # Specifies the network to which the container will connect. + # Could be host, bridge or the name of a custom network. + # If it's empty, create a network automatically. 
+ network: "" + # Whether to create networks with IPv6 enabled. + # Requires the Docker daemon to be set up accordingly. + # Only takes effect if "network" is set to "". + enable_ipv6: false + # Whether to use privileged mode or not when launching task containers + # (privileged mode is required for Docker-in-Docker). + privileged: false + # And other options to be used when the container + # is started (eg, --add-host=my.forgejo.url:host-gateway). + options: + # The parent directory of a job's working directory. + # If it's empty, /workspace will be used. + workdir_parent: + # Volumes (including bind mounts) can be mounted to containers. + # Glob syntax is supported, see https://github.com/gobwas/glob + # You can specify multiple volumes. If the sequence is empty, + # no volumes can be mounted. + # For example, if you only allow containers to mount the `data` volume + # and all the json files in `/src`, you should change the config to: + # valid_volumes: + # - data + # - /src/*.json + # If you want to allow any volume, please use the following configuration: + # valid_volumes: + # - '**' + valid_volumes: [] + # overrides the docker client host with the specified one. + # If "-" or "", an available docker host will automatically be found. + # If "automount", an available docker host will automatically be + # found and mounted in the job container (e.g. /var/run/docker.sock). + # Otherwise the specified docker host will be used and an + # error will be returned if it doesn't work. + docker_host: "-" + # Pull docker image(s) even if already present + force_pull: false + # Rebuild local docker image(s) even if already present + force_rebuild: false + host: + # The parent directory of a job's working directory. + # If it's empty, $HOME/.cache/act/ will be used. + workdir_parent: diff --git a/ansible/roles/forgejo_runner/files/forgejo-runner.service b/ansible/roles/forgejo_runner/files/forgejo-runner.service new file mode 100644 index 0000000..58d75e7 --- /dev/null 
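Review bot: `token: eGzS4vae9XrtkInvrhywiD5oXtndgm4ES9Wl3rSv` in defaults/main.yml commits what looks like a live runner registration token in clear; the dev inventory overrides it from Vault, but the molecule converge added in this same patch sets only `version`, so any run of that scenario would register a throwaway container against `http://git.dev.cuqmbr.home` using this value. Make the default empty, `token: ""`, add an `ansible.builtin.assert` with `that: forgejo_runner_settings.token | length > 0` ahead of the register task so a missing secret fails loudly, and treat the committed value as burned. Separately, the `debian-slim-*` labels point at `docker://debian-slim:latest` / `:12` / `:11`, which is not an official Docker Hub image name (the official tags are `debian:12-slim` and so on); unless a private image by that name exists on the runner, jobs requesting those labels will fail at pull time.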
+++ b/ansible/roles/forgejo_runner/files/forgejo-runner.service @@ -0,0 +1,18 @@ +# Managed with Ansible + +[Unit] +Description=Forgejo Runner +Documentation=https://forgejo.org/docs/latest/admin/actions/ +After=docker.service + +[Service] +ExecStart=/usr/local/bin/forgejo-runner daemon +ExecReload=/bin/kill -s HUP $MAINPID +User=forgejo-runner +WorkingDirectory=/var/lib/forgejo-runner +Restart=on-failure +TimeoutSec=0 +RestartSec=10 + +[Install] +WantedBy=multi-user.target diff --git a/ansible/roles/forgejo_runner/handlers/main.yml b/ansible/roles/forgejo_runner/handlers/main.yml new file mode 100644 index 0000000..5a82fca --- /dev/null +++ b/ansible/roles/forgejo_runner/handlers/main.yml @@ -0,0 +1,6 @@ +--- + +- name: Restart forgejo-runner service. + ansible.builtin.service: + name: forgejo-runner + state: restarted diff --git a/ansible/roles/forgejo_runner/meta/main.yml b/ansible/roles/forgejo_runner/meta/main.yml new file mode 100644 index 0000000..e573731 --- /dev/null +++ b/ansible/roles/forgejo_runner/meta/main.yml @@ -0,0 +1,10 @@ +--- +galaxy_info: + role_name: forgejo_runner + author: cuqmbr-homelab + description: Install and configure Forgejo Runner. + # issue_tracker_url: http://example.com/issue/tracker + license: MIT + min_ansible_version: "2.1" + galaxy_tags: [] +dependencies: [] diff --git a/ansible/roles/forgejo_runner/molecule/default/converge.yml b/ansible/roles/forgejo_runner/molecule/default/converge.yml new file mode 100644 index 0000000..e804143 --- /dev/null +++ b/ansible/roles/forgejo_runner/molecule/default/converge.yml @@ -0,0 +1,19 @@ +--- + +- name: Converge + hosts: all + gather_facts: false + + pre_tasks: + - name: Update apt cache. + ansible.builtin.apt: + update_cache: true + cache_valid_time: 86400 + + vars: + forgejo_runner_settings: + version: 6.4.0 + + roles: + - docker + - forgejo_runner 
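Review bot: `After=docker.service` only orders the two units; it does not pull docker in, so if the engine is stopped or not enabled the runner daemon starts anyway and every job fails at container creation — `Wants=docker.service` makes the dependency explicit. The service also runs with no systemd sandboxing even though its job is to execute third-party workflow definitions: `NoNewPrivileges=true`, `PrivateTmp=true`, `ProtectSystem=full` and `ProtectHome=true` look compatible with the visible setup (read-only `/etc/forgejo-runner/config.yml`, writable `/var/lib/forgejo-runner` as WorkingDirectory, Docker socket reached through group membership rather than setuid), but verify the cache server and any `host`-labelled jobs still work before rolling it out.
```ini
[Unit]
Wants=docker.service
After=docker.service

[Service]
; … unchanged: ExecStart, ExecReload, User, WorkingDirectory …
NoNewPrivileges=true
PrivateTmp=true
ProtectSystem=full
ProtectHome=true
; … unchanged: Restart, TimeoutSec, RestartSec …
```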
diff --git a/ansible/roles/forgejo_runner/molecule/default/molecule.yml b/ansible/roles/forgejo_runner/molecule/default/molecule.yml new file mode 100644 index 0000000..323457a --- /dev/null +++ b/ansible/roles/forgejo_runner/molecule/default/molecule.yml @@ -0,0 +1,12 @@ +--- +driver: + name: docker +platforms: + - name: cuqmbr-homelab.forgejo-runner_debian-12 + image: docker.io/geerlingguy/docker-debian12-ansible:latest + pre_build_image: true + command: ${MOLECULE_DOCKER_COMMAND:-""} + volumes: + - /sys/fs/cgroup:/sys/fs/cgroup:rw + cgroupns_mode: host + privileged: true diff --git a/ansible/roles/forgejo_runner/tasks/main.yml b/ansible/roles/forgejo_runner/tasks/main.yml new file mode 100644 index 0000000..5ba919c --- /dev/null +++ b/ansible/roles/forgejo_runner/tasks/main.yml 
@@ -0,0 +1,122 @@
+---
+
+- name: Combine default and user settings, decrypt vault.
+ ansible.builtin.set_fact:
+ forgejo_runner_settings: "{{ forgejo_runner_default_settings |
+ ansible.builtin.combine(forgejo_runner_settings, recursive=true) }}"
+ no_log: true
+
+- name: Create forgejo-runner user.
+ ansible.builtin.user:
+ name: forgejo-runner
+ groups:
+ - docker
+ password: '!'
+ system: true
+ state: present
+
+- name: Create forgejo-runner config directory.
+ ansible.builtin.file:
+ path: /etc/forgejo-runner
+ owner: root
+ group: forgejo-runner
+ mode: "0770"
+ state: directory
+
+- name: Create forgejo-runner data directory.
+ ansible.builtin.file:
+ path: /var/lib/forgejo-runner
+ owner: forgejo-runner
+ group: forgejo-runner
+ mode: "0750"
+ state: directory
+
+- name: Clean forgejo-runner binaries.
+ when: forgejo_runner_settings.clean_binaries
+ block:
+
+ - name: Get all forgejo binaries.
+ ansible.builtin.find:
+ paths: /usr/local/bin/
+ patterns: forgejo-runner*
+ register: forgejo_runner_binary_find
+
+ - name: Delete forgejo-runner binary files.
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ forgejo_runner_binary_find.files }}"
+
+
+- name: Download forgejo-runner binary.
+ ansible.builtin.get_url:
+ url: "https://code.forgejo.org/forgejo/runner/releases/download\ /v{{ forgejo_runner_settings.version }}\ /forgejo-runner-{{ forgejo_runner_settings.version }}-linux-amd64"
+ dest: "/usr/local/bin/forgejo-runner-{{ forgejo_runner_settings.version }}"
+ owner: root
+ group: root
+ mode: "0555"
+
+- name: Create symlink to forgejo-runner binary.
+ ansible.builtin.file:
+ src: "/usr/local/bin/forgejo-runner-{{ forgejo_runner_settings.version }}"
+ dest: /usr/local/bin/forgejo-runner
+ owner: root
+ group: root
+ mode: "0555"
+ state: link
+ notify:
+ - Restart forgejo-runner service.
+
+- name: Install forgejo service file.
+ ansible.builtin.copy:
+ src: forgejo-runner.service
+ dest: /etc/systemd/system/forgejo-runner.service
+ owner: root
+ group: root
+ mode: "0644"
+
+- name: Install forgejo-runner configuration file.
+ ansible.builtin.template:
+ src: config.yml.j2
+ dest: /etc/forgejo-runner/config.yml
+ owner: root
+ group: forgejo-runner
+ mode: "0640"
+ notify:
+ - Restart forgejo-runner service.
+
+- name: Remove forgejo-runner registration file.
+ ansible.builtin.file:
+ path: "/var/lib/forgejo-runner\ /{{ forgejo_runner_settings.config.runner.file }}"
+ state: absent
+ when: forgejo_runner_settings.force_register
+ notify:
+ - Restart forgejo-runner service.
+
+- name: Register forgejo-runner.
+ ansible.builtin.command:
+ chdir: /var/lib/forgejo-runner/
+ cmd: "/usr/local/bin/forgejo-runner --config \ /etc/forgejo-runner/config.yml register --no-interactive \ --name {{ forgejo_runner_settings.name }} \ --instance {{ forgejo_runner_settings.instance }} \ --token {{ forgejo_runner_settings.token }}"
+ creates: "{{ forgejo_runner_settings.config.runner.file }}"
+ no_log: true
+
+- name: Change forgejo-runner registration file ownership.
+ ansible.builtin.file:
+ path: "/var/lib/forgejo-runner\ /{{ forgejo_runner_settings.config.runner.file }}"
+ owner: forgejo-runner
+ group: forgejo-runner
+ mode: "0640"
+
+- name: Enable and start forgejo-runner service.
+ ansible.builtin.service:
+ name: forgejo-runner
+ state: started
+ enabled: true
diff --git a/ansible/roles/forgejo_runner/templates/config.yml.j2 b/ansible/roles/forgejo_runner/templates/config.yml.j2
new file mode 100644
index 0000000..402d7c7
--- /dev/null
+++ b/ansible/roles/forgejo_runner/templates/config.yml.j2
@@ -0,0 +1,7 @@
+---
+# Managed with Ansible
+
+{{
+ forgejo_runner_settings.config |
+ ansible.builtin.to_nice_yaml(indent=2, width=80)
+}}
diff --git a/terraform/common/firewall_ipsets.tf b/terraform/common/firewall_ipsets.tf
index b8432b6..5458c1d 100644
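Review bot: `mode: "0770"` on /etc/forgejo-runner (the "Create forgejo-runner config directory" task) makes the config directory group-writable by the forgejo-runner service account, so although config.yml itself is installed 0640 root:forgejo-runner, a compromised runner process — it executes workflow code and, through the `docker` group, has root-equivalent access to the Docker socket — can create or rename a replacement config.yml and switch on `privileged`, `valid_volumes: ['**']` or `docker_host: automount`; `mode: "0750"` is sufficient because the runner only reads the file. The binary download has no integrity check beyond TLS to code.forgejo.org: `get_url` accepts `checksum: "sha256:<url-or-digest>"`, and the Forgejo runner release page appears to publish a `.sha256` next to each binary (confirm before relying on it), so pin it there and a tampered or truncated download fails the play instead of being symlinked into place. Passing `--token` on the `register` command line also exposes the registration token in `/proc/<pid>/cmdline` to every local user for the duration of the call; if the CLI can take it from the environment or a file, prefer that, and in any case rotate the registration token once the `.runner` file exists.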
--- a/terraform/common/firewall_ipsets.tf +++ b/terraform/common/firewall_ipsets.tf @@ -37,6 +37,11 @@ resource "proxmox_virtual_environment_firewall_ipset" "dev_loggers" { name = "192.168.0.20" comment = "forgejo" } + + cidr { + name = "192.168.0.21" + comment = "forgejo-runner" + } } resource "proxmox_virtual_environment_firewall_ipset" "dev_postgres_clients" { diff --git a/terraform/dev/forgejo-runner.tf b/terraform/dev/forgejo-runner.tf new file mode 100644 index 0000000..1e23cc0 --- /dev/null +++ b/terraform/dev/forgejo-runner.tf 
@@ -0,0 +1,100 @@ +resource "proxmox_virtual_environment_container" "forgejo-runner" { + node_name = "pve" + + vm_id = 1051 + + tags = ["dev"] + + unprivileged = true + + cpu { + cores = 1 + } + + memory { + dedicated = 1024 + } + + disk { + datastore_id = var.datastore_id + size = 16 + } + + network_interface { + bridge = var.internal_network_bridge_name + name = "eth-dev" + firewall = true + enabled = true + } + + initialization { + hostname = "forgejo-runner" + ip_config { + ipv4 { + address = "192.168.0.21/24" + gateway = "192.168.0.1" + } + } + user_account { + keys = [var.ssh_public_key] + } + } + + operating_system { + template_file_id = "local:vztmpl/debian-12-standard_12.7-1_amd64.tar.zst" + type = "debian" + } + + started = true + + startup { + order = 500 + up_delay = 0 + down_delay = 0 + } + + features { + nesting = true + } +} + +resource "proxmox_virtual_environment_firewall_options" "forgejo-runner" { + depends_on = [proxmox_virtual_environment_container.forgejo-runner] + + node_name = proxmox_virtual_environment_container.forgejo-runner.node_name + vm_id = proxmox_virtual_environment_container.forgejo-runner.vm_id + + enabled = true + dhcp = true + input_policy = "DROP" + output_policy = "ACCEPT" +} + +resource "proxmox_virtual_environment_firewall_rules" "forgejo-runner" { + depends_on = [proxmox_virtual_environment_container.forgejo-runner] + + node_name = proxmox_virtual_environment_container.forgejo-runner.node_name + vm_id = proxmox_virtual_environment_container.forgejo-runner.vm_id + + rule { + type = "in" + source = split("/", data.terraform_remote_state.common.outputs.bastion_ct.initialization[0].ip_config[1].ipv4[0].address)[0] + proto = "tcp" + dport = "22" + action = "ACCEPT" + comment = "SSH from Bastion." + } + + rule { + type = "in" + proto = "icmp" + dport = "8" + action = "ACCEPT" + comment = "Ping." 
+ } + + rule { + security_group = data.terraform_remote_state.common.outputs.prometheus_node_exporter_sg.name + comment = "Allow Prometheus server to pull Prometheus node exporter from Monitoring Node." + } +}
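Review bot: `output_policy = "ACCEPT"` gives a host whose sole purpose is to run workflow code from the repositories it serves unrestricted egress, including to the rest of 192.168.0.0/24 — the bastion, the Forgejo host and the monitoring node are all reachable from a malicious job step, and none of the inbound rules here limit that direction. Switch to `output_policy = "DROP"` and add `type = "out"` rules only for what the patch itself shows the runner needs: the Forgejo instance at 192.168.0.20 (plain http per the inventory), the Loki host at 192.168.0.252, DNS, and whatever upstream mirrors Docker image pulls and apt require; allowing the public pull sources while denying the rest of the internal segment is the pragmatic compromise. `unprivileged = true` with `nesting = true` is the right shape for Docker-in-LXC and already bounds a container escape, so egress is the remaining gap.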