Use DOCKER_SOCKET_PROXY_HOST for gitea-runner Docker host

2026-05-12 14:03:57 +10:00
parent 6a2639f931
commit f8091a5c76
3 changed files with 80 additions and 0 deletions
@@ -0,0 +1,55 @@
+# Gitea
+
+## Gitea Actions
+
+Gitea Actions is enabled by setting:
+
+- `GITEA__actions__ENABLED=true`
+
+## Runner service
+
+The repository includes a dedicated Gitea Actions runner service named:
+
+- `gitea-runner`
+
+The runner uses Docker through the existing Docker socket proxy:
+
+- `DOCKER_HOST=tcp://docker-socket-proxy:2375`
+
+The runner intentionally **does not** mount:
+
+- `/var/run/docker.sock`
+
+## Registration token
+
+Generate a runner registration token from the Gitea UI:
+
+- Site Administration → Actions → Runners
+- or Repo → Settings → Actions → Runners
+
+Put the token in your env/secrets file:
+
+- `GITEA_RUNNER_REGISTRATION_TOKEN=...`
+
+## Start the runner
+
+- `./services-up.sh --profile gitea up -d gitea-runner`
+- or `./services-up.sh --profile all up -d gitea-runner`
+
+## Logs
+
+- `docker logs -f gitea-runner`
+
+## Labels
+
+Common workflow label:
+
+- `runs-on: ubuntu-latest`
+
+This should match the configured labels, for example:
+
+- `GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bookworm,...`
+
+## Security note
+
+The runner can control Docker through `docker-socket-proxy`. This is safer than mounting the raw Docker socket directly, but workflows still have meaningful control over Docker. Only trusted repositories/users should be allowed to run workflows on this runner.
@@ -9,6 +9,7 @@ services:
      - USER_GID=${GITEA_USER_GID}
      - GITEA__database__DB_TYPE=${GITEA_DB_TYPE}
      - GITEA__server__ROOT_URL=${GITEA_ROOT_URL}
+      - GITEA__actions__ENABLED=true
    volumes:
      - ${PROJECT_ROOT}/apps/gitea/data:/data
    networks:
@@ -31,6 +32,25 @@ services:
      retries: 6
      start_period: 120s

+  gitea-runner:
+    profiles: ["apps","all","gitea","ci"]
+    container_name: gitea-runner
+    image: gitea/act_runner:latest
+    restart: always
+    depends_on:
+      - gitea
+      - docker-socket-proxy
+    environment:
+      - GITEA_INSTANCE_URL=${GITEA_ROOT_URL}
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN}
+      - GITEA_RUNNER_NAME=${GITEA_RUNNER_NAME}
+      - GITEA_RUNNER_LABELS=${GITEA_RUNNER_LABELS}
+      - DOCKER_HOST=${DOCKER_SOCKET_PROXY_HOST}
+    volumes:
+      - ${PROJECT_ROOT}/apps/gitea/runner-data:/data
+    networks:
+      - traefik
+
 #volumes:
 #  gitea_data: