From f8091a5c76377bd744ed6d3f8d5c3ab2465772e5 Mon Sep 17 00:00:00 2001
From: beatz174-bit
Date: Tue, 12 May 2026 14:03:57 +1000
Subject: [PATCH] Use DOCKER_SOCKET_PROXY_HOST for gitea-runner Docker host
---
apps/gitea/README.md | 55 +++++++++++++++++++++++++++++++++++
apps/gitea/docker-compose.yml | 20 +++++++++++++
default-environment.env | 5 ++++
3 files changed, 80 insertions(+)
create mode 100644 apps/gitea/README.md
diff --git a/apps/gitea/README.md b/apps/gitea/README.md
new file mode 100644
index 0000000..49b1663
--- /dev/null
+++ b/apps/gitea/README.md
@@ -0,0 +1,55 @@
+# Gitea
+
+## Gitea Actions
+
+Gitea Actions is enabled by setting:
+
+- `GITEA__actions__ENABLED=true`
+
+## Runner service
+
+The repository includes a dedicated Gitea Actions runner service named:
+
+- `gitea-runner`
+
+The runner uses Docker through the existing Docker socket proxy:
+
+- `DOCKER_HOST=tcp://docker-socket-proxy:2375`
+
+The runner intentionally **does not** mount:
+
+- `/var/run/docker.sock`
+
+## Registration token
+
+Generate a runner registration token from the Gitea UI:
+
+- Site Administration → Actions → Runners
+- or Repo → Settings → Actions → Runners
+
+Put the token in your env/secrets file:
+
+- `GITEA_RUNNER_REGISTRATION_TOKEN=...`
+
+## Start the runner
+
+- `./services-up.sh --profile gitea up -d gitea-runner`
+- or `./services-up.sh --profile all up -d gitea-runner`
+
+## Logs
+
+- `docker logs -f gitea-runner`
+
+## Labels
+
+Common workflow label:
+
+- `runs-on: ubuntu-latest`
+
+This should match the configured labels, for example:
+
+- `GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm,...`
+
+## Security note
+
+The runner can control Docker through `docker-socket-proxy`. This is safer than mounting the raw Docker socket directly, but workflows still have meaningful control over Docker. Only trusted repositories/users should be allowed to run workflows on this runner.
diff --git a/apps/gitea/docker-compose.yml b/apps/gitea/docker-compose.yml
index df09a2f..7185480 100644
--- a/apps/gitea/docker-compose.yml
+++ b/apps/gitea/docker-compose.yml
@@ -9,6 +9,7 @@ services:
 - USER_GID=${GITEA_USER_GID}
 - GITEA__database__DB_TYPE=${GITEA_DB_TYPE}
 - GITEA__server__ROOT_URL=${GITEA_ROOT_URL}
+ - GITEA__actions__ENABLED=true
 volumes:
 - ${PROJECT_ROOT}/apps/gitea/data:/data
 networks:
@@ -31,6 +32,25 @@ services:
 retries: 6
 start_period: 120s
+ gitea-runner:
+ profiles: ["apps","all","gitea","ci"]
+ container_name: gitea-runner
+ image: gitea/act_runner:latest
+ restart: always
+ depends_on:
+ - gitea
+ - docker-socket-proxy
+ environment:
+ - GITEA_INSTANCE_URL=${GITEA_ROOT_URL}
+ - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
+ - GITEA_RUNNER_NAME=${GITEA_RUNNER_NAME}
+ - GITEA_RUNNER_LABELS=${GITEA_RUNNER_LABELS}
+ - DOCKER_HOST=${DOCKER_SOCKET_PROXY_HOST}
+ volumes:
+ - ${PROJECT_ROOT}/apps/gitea/runner-data:/data
+ networks:
+ - traefik
+
 #volumes:
 # gitea_data:
diff --git a/default-environment.env b/default-environment.env
index ab7e37f..0e8c9b8 100644
--- a/default-environment.env
+++ b/default-environment.env
@@ -13,6 +13,11 @@ GITEA_USER_UID=1000
 GITEA_USER_GID=1000
 GITEA_DB_TYPE=sqlite3
 GITEA_ROOT_URL=https://gitea.lan.ddnsgeek.com/
+# Generate a token in Gitea: Site Administration → Actions → Runners
+# or Repo → Settings → Actions → Runners
+GITEA_RUNNER_REGISTRATION_TOKEN=
+GITEA_RUNNER_NAME=docker-runner-01
+GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://node:20-bookworm,linux:docker://node:20-bookworm,docker:docker://docker:cli
 # Grafana
 GRAFANA_ROOT_URL=https://grafana.lan.ddnsgeek.com/
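Review bot: `GITEA__actions__ENABLED=true` is the only hard-coded value in this environment block; the neighbouring `USER_GID`, `DB_TYPE` and `ROOT_URL` lines are all `${GITEA_*}` substitutions. Enabling Actions instance-wide is what lets every repository owner queue work on a runner that holds Docker API access, so it is worth being able to switch it off from the env file without editing the compose file, e.g. `- GITEA__actions__ENABLED=${GITEA_ACTIONS_ENABLED:-true}`. The gitea service definition starts before this hunk.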
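Review bot: `DOCKER_HOST=${DOCKER_SOCKET_PROXY_HOST}` reads a variable that this commit does not add to `default-environment.env`, while the new README documents the literal `tcp://docker-socket-proxy:2375`; unless it is defined elsewhere, compose substitutes an empty string and the runner will fall back to the default socket path, which is deliberately not mounted, so the failure only shows up in the container log. Use `${DOCKER_SOCKET_PROXY_HOST:?DOCKER_SOCKET_PROXY_HOST is not set}` (or add a default to the env file) so a missing value fails at `up` time. `image: gitea/act_runner:latest` should be pinned to a release tag or digest, since this container holds the registration token and the Docker API endpoint for every workflow it runs. `depends_on: - gitea` only waits for the container to exist; the gitea service has a healthcheck (the `retries: 6` / `start_period: 120s` context above), so a `condition: service_healthy` dependency avoids registration attempts against an instance that is not yet serving. Bear in mind that the socket proxy is a real mitigation only if it denies privileged or host-bind-mount container creation; a proxy that permits `POST /containers/create` still lets a workflow mount the host filesystem.
```yaml
  gitea-runner:
    # … unchanged: profiles, container_name …
    image: gitea/act_runner:<pinned-tag-or-digest>
    restart: always
    depends_on:
      gitea:
        condition: service_healthy
      docker-socket-proxy:
        condition: service_started
    environment:
      # … unchanged: GITEA_INSTANCE_URL, registration token, name, labels …
      - DOCKER_HOST=${DOCKER_SOCKET_PROXY_HOST:?DOCKER_SOCKET_PROXY_HOST is not set}
    # … unchanged: volumes, networks …
```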
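Review bot: `GITEA_RUNNER_REGISTRATION_TOKEN=` is an instance-level credential slot in a file this commit keeps under version control, and the README tells the reader to put the token "in your env/secrets file", which here means this tracked one; the empty default is fine, but the comment above it should say where the real value belongs, e.g. `# Leave empty here; set the real token in an untracked override/secrets file, never in this tracked default`. The `GITEA_RUNNER_LABELS` value maps every label to mutable tags (`node:20-bookworm`, `docker:cli`) that the runner pulls at job time, so a tag move changes the CI image silently; pinning by digest or an exact release tag is the supply-chain counterpart of pinning the runner image itself. The `docker:docker://docker:cli` label presumably exists so jobs can drive Docker themselves, which only works if the runner exposes its Docker host to job containers and, when it does, hands workflow authors the same proxied API the runner has; a one-line comment on that entry stating the intent and the trust assumption would keep a later maintainer from widening it by accident.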