Merge pull request #56 from beatz174-bit/codex/add-gitea-actions-runner-with-socket-proxy

Add Gitea Actions runner and configuration (compose, env, README)

apps/gitea/README.md

@@ -0,0 +1,55 @@
+# Gitea
+
+## Gitea Actions
+
+Gitea Actions is enabled by setting:
+
+- `GITEA__actions__ENABLED=true`
+
+## Runner service
+
+The repository includes a dedicated Gitea Actions runner service named:
+
+- `gitea-runner`
+
+The runner uses Docker through the existing Docker socket proxy:
+
+- `DOCKER_HOST=tcp://docker-socket-proxy:2375`
+
+The runner intentionally **does not** mount:
+
+- `/var/run/docker.sock`
+
+## Registration token
+
+Generate a runner registration token from the Gitea UI:
+
+- Site Administration → Actions → Runners
+- or Repo → Settings → Actions → Runners
+
+Put the token in your env/secrets file:
+
+- `GITEA_RUNNER_REGISTRATION_TOKEN=...`
+
+## Start the runner
+
+- `./services-up.sh --profile gitea up -d gitea-runner`
+- or `./services-up.sh --profile all up -d gitea-runner`
+
+## Logs
+
+- `docker logs -f gitea-runner`
+
+## Labels
+
+Common workflow label:
+
+- `runs-on: ubuntu-latest`
+
+This should match the configured labels, for example:
+
+- `GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm,...`
+
+## Security note
+
+The runner can control Docker through `docker-socket-proxy`. This is safer than mounting the raw Docker socket directly, but workflows still have meaningful control over Docker. Only trusted repositories/users should be allowed to run workflows on this runner.

apps/gitea/docker-compose.yml

@@ -9,6 +9,7 @@ services:
       - USER_GID=${GITEA_USER_GID}
       - GITEA__database__DB_TYPE=${GITEA_DB_TYPE}
       - GITEA__server__ROOT_URL=${GITEA_ROOT_URL}
+      - GITEA__actions__ENABLED=true
     volumes:
       - ${PROJECT_ROOT}/apps/gitea/data:/data
     networks:
@@ -31,6 +32,25 @@ services:
       retries: 6
       start_period: 120s
 
+  gitea-runner:
+    profiles: ["apps","all","gitea","ci"]
+    container_name: gitea-runner
+    image: gitea/act_runner:latest
+    restart: always
+    depends_on:
+      - gitea
+      - docker-socket-proxy
+    environment:
+      - GITEA_INSTANCE_URL=${GITEA_ROOT_URL}
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
+      - GITEA_RUNNER_NAME=${GITEA_RUNNER_NAME}
+      - GITEA_RUNNER_LABELS=${GITEA_RUNNER_LABELS}
+      - DOCKER_HOST=${DOCKER_SOCKET_PROXY_HOST}
+    volumes:
+      - ${PROJECT_ROOT}/apps/gitea/runner-data:/data
+    networks:
+      - traefik
+
 #volumes:
 #  gitea_data:
 

default-environment.env

@@ -13,6 +13,11 @@ GITEA_USER_UID=1000
 GITEA_USER_GID=1000
 GITEA_DB_TYPE=sqlite3
 GITEA_ROOT_URL=https://gitea.lan.ddnsgeek.com/
+# Generate a token in Gitea: Site Administration → Actions → Runners
+# or Repo → Settings → Actions → Runners
+GITEA_RUNNER_REGISTRATION_TOKEN=
+GITEA_RUNNER_NAME=docker-runner-01
+GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm,ubuntu-22.04:docker://node:20-bookworm,linux:docker://node:20-bookworm,docker:docker://docker:cli
 
 # Grafana
 GRAFANA_ROOT_URL=https://grafana.lan.ddnsgeek.com/