Set up Gitea Actions runners

2023-04-01 12:56:21 +02:00 · 2023-04-01 12:56:21 +02:00 · 059812524e
commit 059812524e
parent 702449acc1
5 changed files with 130 additions and 23 deletions
--- a/data_bags/credentials/gitea.json
+++ b/data_bags/credentials/gitea.json
@ -1,51 +1,58 @@
 {
  "id": "gitea",
  "jwt_secret": {
-    "encrypted_data": "suy7Vwlg7tyJFBSjlnNRv7qR4jp1o9F0TbwxGcwWqbCpQW2NHl9QS1SCXJml\n4UbKklppjp+7Axvvs7YiOX8=\n",
+    "encrypted_data": "HHKq1HcxV9uC0aBdkn2AAA9C3dn2o8DnL2uDtZBf+epGC8sOko6/BSvsm8wV\nuG7yVmeFajgyCePSv4M8Or8=\n",
-    "iv": "ojZAtLDxV6569XHN\n",
+    "iv": "raypiojdRL+DkiDa\n",
-    "auth_tag": "j15eLXjGMIIsXh5dHET/lw==\n",
+    "auth_tag": "JZmWJyLTHNHAHNufRizL+w==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "internal_token": {
-    "encrypted_data": "y7VG9w8Gz/jxgz86p/OtpVvJBYjD6yGOPhCM3SEPlbQF/gqI8VuTkJlUQLFB\nrsPiCcjjynuTPJPLvdkVUu1XjOfp5dtbPDc0hqp8KhvBx4DhnH7Mspp/kWfb\n9DWzJ6zeGBB/nrNay0jTV1MoqzKc3Nl0GSkzBLMbr15vVw==\n",
+    "encrypted_data": "VFez8gOv5hnpBkURlufdPHvfQsL+lFlL8M9vywgKEi4XrXcNlDvoKKqdtSMv\nxGuoKqF/4NFcl2X3JRwp1j5iut+Jdg5CpnVVQLWKHc022LjD7K9nRsdmiD9Q\nLsLnU1Trzqg8VZS2ryqdjI4elkgoc15lmXwJvTNgRUzDqw==\n",
-    "iv": "wcx+w1Ij5Dee/81s\n",
+    "iv": "q7H4q7kBfRt4floS\n",
-    "auth_tag": "C7QMXezMU+jcYZAjlm86rg==\n",
+    "auth_tag": "vyd4ZwVxeFTTfvjI4k5irQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "secret_key": {
-    "encrypted_data": "4DGRaIbqqa5oCzFwNUjRPcP+uauWidjWwmBZY0BNyI3c/XmQBEb8wGV9Leoc\n3avqM5jhS/Ov43SBMpCrR71x4eAPJ3vlSeQ3GnpkgFyWfolmbEg=\n",
+    "encrypted_data": "7tD4E/5AuxxmNdu4arWj/BBNTUv6JX+m2ITbcLfE+VE2WacsCZUEyi1d1v0B\nyujQ9bljJn3z0zV4PxKFJILKjQb35PSiA8b86X/75Y1B9Gl64ds=\n",
-    "iv": "SOTJFH8JkBNtPKyF\n",
+    "iv": "gE2O5aN+Nea6VXi7\n",
-    "auth_tag": "fYSfkMMvGnPdiBOP7NnP8Q==\n",
+    "auth_tag": "3+EmAUgBBDyChRBHsUtLig==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "postgresql_password": {
-    "encrypted_data": "tA/mMteX2aO7dozNe/YWB8S9sVDdUgzKDnAdgnsXF5qTVT0slHe3KRg7og==\n",
+    "encrypted_data": "mWN2sTOjZ1EPUH/KAJ8owoPM7v/+IfIHEPACN7gFDrqG8dWGjfiu+fvILw==\n",
-    "iv": "3/rdo8uCdhrFOWOf\n",
+    "iv": "ldm57dVSdiPnk5l3\n",
-    "auth_tag": "uNl4R3T5ylEBgAM8P6fdYA==\n",
+    "auth_tag": "D+r/0obCYWx53vIeUDPGMQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_key_id": {
-    "encrypted_data": "Pjaw1MM+GNZN68XDbM+PGJUwSSXwu1+ASgm4S0VZ3MvylVG3uBPdqdDUZ9g8\n",
+    "encrypted_data": "AvlsAInGyPMvHle5YZT3EHMTG89PggqmFaddvHSQLEkvI2EycktxJ/btjGOP\n",
-    "iv": "mPL4HvodGKMD+30N\n",
+    "iv": "qGkILPp5EWc21wwa\n",
-    "auth_tag": "nrej5vDLEzAI9HkKJxa/mQ==\n",
+    "auth_tag": "eIpCgZAnWZR7nlllj+IXMQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_secret_key": {
-    "encrypted_data": "yBWAUGyyoetZ8EDD+kVffGDQbFPVXxpiWCdWL5xn3ohlclrrcWBQP/cGj2Ts\nlSZ2l4ZIuHX6ZdAHe5O2C1h5nYVtWx+u5kVa9n6EoUbz/6iseHU=\n",
+    "encrypted_data": "TAo4ViF7cL+ibIuHM77irZW08ilD46S8N5BV91gc2wegvHpHqLHw5zrsDxfu\nDiJHGUfjge/NBOGN5VSKKC0nFfMJ4sLPxVSiKyON4RMBSuzSqmo=\n",
-    "iv": "jmIdQZVMCLLKs1pi\n",
+    "iv": "tjK8XdaCZOdLUHyo\n",
-    "auth_tag": "0Jvgjuvhv11/QNV43zm1LQ==\n",
+    "auth_tag": "Qu1z6e1/4gPIyaCwBjaWsw==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "s3_bucket": {
-    "encrypted_data": "MyR5WhJMGfu+StFPVt3wSzVSNsHnEiLfzKXm2xJeb/cEQVw=\n",
+    "encrypted_data": "NTp9+KyzlblporEwM7SEwoClXu5cI10SfVrJ/uywcf/x2l8=\n",
-    "iv": "CHmMCjdVzw+qKHIV\n",
+    "iv": "TFTeQ8yKUhblmrFK\n",
-    "auth_tag": "tiQegK0hQfCjcgRxg1G8Rg==\n",
+    "auth_tag": "L9nrXEeJhxcLO4YgGk4zpg==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  },
  "runners": {
    "encrypted_data": "yTCk4/hqw/4vEaXobdYU4vZRxErNp0GX4qDMuHwdr7UOQk2qQ8O8j44njPv2\ncKcIm6CQiip+GRuvl6+zETd8gctC0W14n5Rfep4zQbMp/BW3ypGambVk6z1m\nRnT4dMEl32rwcXG8c3w+vAFpx8smrK5iyy4ca0ZijC+eeysk4OAwn0XkvQuV\nB1Jy9CmVm9xiZ6sXaiU13tTry8A=\n",
    "iv": "+biM/42g5doJNOax\n",
    "auth_tag": "WwNgd6aqm26GcekYVOeBDQ==\n",
    "version": 3,
    "cipher": "aes-256-gcm"
  }
--- a/nodes/gitea-2.json
+++ b/nodes/gitea-2.json
@ -18,7 +18,8 @@
      "ldap_client",
      "garage_gateway",
      "gitea",
-      "postgresql_client"
+      "postgresql_client",
      "gitea_actions_runner"
    ],
    "recipes": [
      "kosmos-base",
@ -31,6 +32,7 @@
      "kosmos_postgresql::hostsfile",
      "kosmos_gitea",
      "kosmos_gitea::default",
      "kosmos_gitea::act_runner",
      "apt::default",
      "timezone_iii::default",
      "timezone_iii::debian",
@ -68,6 +70,7 @@
    "role[kvm_guest]",
    "role[ldap_client]",
    "role[garage_gateway]",
-    "role[gitea]"
+    "role[gitea]",
    "role[gitea_actions_runner]"
  ]
 }
--- a/roles/gitea_actions_runner.rb
+++ b/roles/gitea_actions_runner.rb
@ -0,0 +1,5 @@
 name "gitea_actions_runner"
 run_list %w(
  kosmos_gitea::act_runner
 )
--- a/site-cookbooks/kosmos_gitea/attributes/default.rb
+++ b/site-cookbooks/kosmos_gitea/attributes/default.rb
@ -15,3 +15,6 @@ node.default["gitea"]["config"] = {
    "allowed_host_list" => "external,127.0.1.1"
  }
 }
 node.default["gitea"]["act_runner"]["download_url"] = "https://dl.gitea.com/act_runner/main/act_runner-main-linux-amd64"
 node.default["gitea"]["act_runner"]["checksum"] = "577ec7c64e7458b1e97cbe61d02da1ba1f4ddf24281b175f24f65101e72c000c"
--- a/site-cookbooks/kosmos_gitea/recipes/act_runner.rb
+++ b/site-cookbooks/kosmos_gitea/recipes/act_runner.rb
@ -0,0 +1,89 @@
 #
 # Cookbook:: kosmos_gitea
 # Recipe:: act_runner
 #
 working_directory = node["gitea"]["working_directory"]
 gitea_credentials = data_bag_item("credentials", "gitea")
 runners           = gitea_credentials["runners"]
 begin
  gitea_host = search(:node, "role:gitea").first["knife_zero"]["host"]
 rescue
  Chef::Log.warn('No server with "gitea" role. Stopping here.')
  return
 end
 apt_repository 'docker' do
  uri 'https://download.docker.com/linux/ubuntu'
  key 'https://download.docker.com/linux/ubuntu/gpg'
  components ['stable']
 end
 %w[
  docker-ce
  docker-ce-cli
  containerd.io
  docker-buildx-plugin
 ].each do |apt_pkg|
  package apt_pkg
 end
 remote_file "/usr/local/bin/act_runner" do
  source node["gitea"]["act_runner"]["download_url"]
  checksum node["gitea"]["act_runner"]["checksum"]
  mode "0750"
 end
 directory "#{working_directory}/runners" do
  mode  "0700"
 end
 runners.each do |runner|
  runner_name = "gitea-runner-#{runner["org"]}"
  runner_dir = "#{working_directory}/runners/#{runner["org"]}"
  directory runner_dir do
    mode  "0700"
  end
  bash "register_#{runner["org"]}_runner" do
    cwd runner_dir
    code <<-EOF
 act_runner register \
  --no-interactive \
  --instance http://#{gitea_host}:#{node["gitea"]["port"]} \
  --name #{runner_name} \
  --token #{runner["token"]}
    EOF
    not_if { File.exist?("#{runner_dir}/.runner") }
  end
  systemd_unit "#{runner_name}.service" do
    content({
      Unit: {
        Description: "Gitea Actions Runner for '#{runner["org"]}' org",
        Documentation: ["https://gitea.com/gitea/act_runner"],
        Requires: "gitea.service",
        After: "syslog.target network.target"
      },
      Service: {
        Type: "simple",
        WorkingDirectory: runner_dir,
        Environment: "HOME=/root",
        ExecStart: "/usr/local/bin/act_runner daemon",
        Restart: "always",
      },
      Install: {
        WantedBy: "multi-user.target"
      }
    })
    verify false
    triggers_reload true
    action [:create]
  end
  service runner_name do
    action [:enable, :start]
  end
 end