gitea: Add support for Gitea Actions CI/CD

This adds infrastructure and configuration required for running a host-local instance of Gitea Actions, with rootless Podman-in-Podman enabled for the dedicated `gitea-actions` user. By default, the rootless Podman instance is activated via systemd, and does not run when it is not used.
2024-04-05 16:53:12 +01:00 · 2024-04-05 16:53:12 +01:00 · 4da644b634
parent 45ebcab62e
commit 4da644b634
8 changed files with 136 additions and 5 deletions
--- a/service/gitea/Containerfile
+++ b/service/gitea/Containerfile
@ -1,9 +1,15 @@
-FROM docker.io/debian:bookworm-slim@sha256:ccb33c3ac5b02588fc1d9e4fc09b952e433d0c54d8618d0ee1afadf1f3cf2455 AS builder
+FROM docker.io/debian:bookworm-slim@sha256:ccb33c3ac5b02588fc1d9e4fc09b952e433d0c54d8618d0ee1afadf1f3cf2455 AS builder-gitea
 ARG VERSION=1.21.10 # renovate: datasource=github-releases depName=go-gitea/gitea extractVersion=^v(?<version>.*)$

 ADD https://dl.gitea.io/gitea/${VERSION}/gitea-${VERSION}-linux-amd64 /src/gitea
 RUN install -D --mode 0755 /src/gitea /build/usr/bin/gitea

+FROM docker.io/golang:1.22-bookworm@sha256:d996c645c9934e770e64f05fc2bc103755197b43fd999b3aa5419142e1ee6d78 AS builder-act-runner
+ARG VERSION=0.2.9 # renovate: datasource=gitea-releases depName=gitea/act_runner extractVersion=^v(?<version>.*)$
+
+ADD https://dl.gitea.com/act_runner/${VERSION}/act_runner-${VERSION}-linux-amd64 /src/act_runner
+RUN install -D --mode 0755 /src/act_runner /build/usr/bin/act_runner
+
 FROM docker.io/debian:bookworm-slim@sha256:ccb33c3ac5b02588fc1d9e4fc09b952e433d0c54d8618d0ee1afadf1f3cf2455
 RUN apt-get update -y && apt-get upgrade -y && apt-get install -y --no-install-recommends \
    ca-certificates gettext gosu
@ -13,9 +19,11 @@ RUN apt-get update -y && apt-get install -y --no-install-recommends \

 RUN adduser --system --group --uid 10000 --home /var/lib/gitea git

-COPY --from=builder /build /
+COPY --from=builder-gitea /build /
+COPY --from=builder-act-runner /build /
 COPY container/config /etc/gitea
 COPY container/run-gitea /run-gitea
+COPY container/run-gitea-actions /run-gitea-actions

 EXPOSE 8080 7920
 ENTRYPOINT ["/run-gitea"]
--- a/service/gitea/container/config/actions.yaml.template
+++ b/service/gitea/container/config/actions.yaml.template
@ -0,0 +1,37 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal.
+  level: info
+runner:
+  # Where to store the registration result.
+  file: /var/lib/gitea-actions/runner-global
+  # Execute how many tasks concurrently at the same time.
+  capacity: 3
+  # The timeout for a job to be finished.
+  timeout: 3h
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  labels:
+    - "debian-latest:docker://node:latest"
+    - "debian-bookworm:docker://node:bookworm"
+    - "ubuntu-latest:docker://node:latest"
+    - "ubuntu-22.04:docker://node:bullseye"
+    - "alpine-latest:docker://node:alpine"
+    - "alpine-3.19:docker://node:alpine3.19"
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: true
+  # The directory to store the cache data.
+  dir: /var/lib/gitea-actions/cache
+container:
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # Use default network in containers.
+  network: bridge
+  # Overrides the Docker client host with the specified one.
+  docker_host: unix:///run/podman-gitea-actions.sock
+host:
+  # The parent directory of a job's working directory.
+  workdir_parent: /var/lib/gitea-actions/jobs
--- a/service/gitea/container/config/config.ini.template
+++ b/service/gitea/container/config/config.ini.template
@ -1,7 +1,7 @@
-APP_NAME = ${GITEA_APP_NAME}
+APP_NAME  = ${GITEA_APP_NAME}
 WORK_PATH = /var/lib/gitea
-RUN_USER = git
-RUN_MODE = prod
+RUN_USER  = git
+RUN_MODE  = prod

 [repository]
 ROOT                    = /var/lib/gitea/repositories
@ -75,3 +75,6 @@ SMTP_ADDR = ${GITEA_MAILER_SMTP_ADDR}
 SMTP_PORT = ${GITEA_MAILER_SMTP_PORT}
 USER      = ${GITEA_MAILER_USER}
 PASSWD    = `${GITEA_MAILER_PASSWD}`
+
+[actions]
+ENABLED = true
--- a/service/gitea/container/run-gitea-actions
+++ b/service/gitea/container/run-gitea-actions
@ -0,0 +1,18 @@
+#!/bin/sh
+
+set -eu
+
+# Initialize configuration for Gitea Actions.
+envsubst < /etc/gitea/actions.yaml.template > /etc/gitea/actions.yaml
+
+# Initialize token for Gitea Actions in shared volume.
+if ! test -f /var/lib/gitea-actions/runner-global; then
+    /usr/bin/act_runner --config /etc/gitea/actions.yaml register \
+        --no-interactive \
+        --name "actions-global" \
+        --instance "https://${GITEA_DOMAIN}" \
+        --token "$(cat /etc/gitea/runner-token)"
+fi
+
+# Run entrypoint under specific user.
+exec /usr/bin/act_runner --config /etc/gitea/actions.yaml daemon "$@"
--- a/service/gitea/quadlet/gitea-actions.container
+++ b/service/gitea/quadlet/gitea-actions.container
@ -0,0 +1,22 @@
+[Unit]
+Description=Gitea Actions CI/CD
+[email protected] gitea.service podman-gitea-actions.socket
+[email protected] gitea.service podman-gitea-actions.socket
+
+[Container]
+AutoUpdate=local
+ContainerName=%N
+EnvironmentFile=%E/coreos-home-server/gitea/gitea.env
+Image=localhost/gitea:latest
+PodmanArgs=--security-opt label=disable --entrypoint /run-gitea-actions
+Volume=%N:/var/lib/%N:z
+Volume=/tmp/runner-token:/etc/gitea/runner-token
+Volume=%t/podman-gitea-actions.sock:/run/podman-gitea-actions.sock
+
+[Service]
+ExecStartPre=/bin/bash -c 'podman exec gitea gosu git /usr/bin/gitea -c /etc/gitea/config.ini actions generate-runner-token > /tmp/runner-token'
+PrivateTmp=true
+Restart=on-failure
+
+[Install]
+WantedBy=multi-user.target
--- a/service/gitea/spec.bu
+++ b/service/gitea/spec.bu
@ -4,5 +4,21 @@ storage:
  trees:
    - path: /etc/coreos-home-server/gitea
      local: service/gitea/
+    - path: /etc/systemd/system
+      local: service/gitea/systemd/
    - path: /etc/containers/systemd
      local: service/gitea/quadlet/
+  files:
+    - path: /etc/subuid
+      append:
+        - inline: |
+            gitea-actions:1000000:65536
+    - path: /etc/subgid
+      append:
+        - inline: |
+            gitea-actions:1000000:65536
+passwd:
+  users:
+    - name: gitea-actions
+      shell: /usr/sbin/nologin
+      system: true
--- a/service/gitea/systemd/podman-gitea-actions.service
+++ b/service/gitea/systemd/podman-gitea-actions.service
@ -0,0 +1,17 @@
+[Unit]
+Description=Podman API Service for Gitea Actions
+Requires=podman-gitea-actions.socket
+After=podman-gitea-actions.socket
+Documentation=man:podman-system-service(1)
+StartLimitIntervalSec=0
+
+[Service]
+Delegate=true
+Type=exec
+KillMode=process
+Environment=LOGGING="--log-level=info"
+User=gitea-actions
+ExecStart=/usr/bin/podman $LOGGING system service
+
+[Install]
+WantedBy=multi-user.target
--- a/service/gitea/systemd/podman-gitea-actions.socket
+++ b/service/gitea/systemd/podman-gitea-actions.socket
@ -0,0 +1,10 @@
+[Unit]
+Description=Podman API Socket for Gitea Actions
+Documentation=man:podman-system-service(1)
+
+[Socket]
+ListenStream=%t/podman-gitea-actions.sock
+SocketMode=0660
+
+[Install]
+WantedBy=sockets.target