Fix issues with Gitea Actions/Podman integration

Socket access and permissions thereof have been made clearer by use of a
specific group and mode.

service/gitea/container/config/actions.yaml.template

@@ -14,12 +14,8 @@ runner:
   fetch_interval: 2s
   # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
   labels:
-    - "debian-latest:docker://node:latest"
-    - "debian-bookworm:docker://node:bookworm"
-    - "ubuntu-latest:docker://node:latest"
-    - "ubuntu-22.04:docker://node:bullseye"
-    - "alpine-latest:docker://node:alpine"
-    - "alpine-3.19:docker://node:alpine3.19"
+    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
+    - "ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04"
 cache:
   # Enable cache server to use actions/cache.
   enabled: true
@@ -27,11 +23,11 @@ cache:
   dir: /var/lib/gitea-actions/cache
 container:
   # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
-  privileged: false
+  privileged: true
   # Use default network in containers.
   network: bridge
   # Overrides the Docker client host with the specified one.
-  docker_host: unix:///run/podman-gitea-actions.sock
+  docker_host: unix:///run/gitea-actions/podman.sock
 host:
   # The parent directory of a job's working directory.
   workdir_parent: /var/lib/gitea-actions/jobs

service/gitea/container/run-gitea-actions

@@ -7,7 +7,6 @@ envsubst < /etc/gitea/actions.yaml.template > /etc/gitea/actions.yaml
 
 # Create data directories and correct permissions for data files.
 chown -R git:git /var/lib/gitea-actions
-chown root:git /run/podman-gitea-actions.sock
 
 # Initialize token for Gitea Actions in shared volume.
 if ! test -f /var/lib/gitea-actions/runner-global; then

service/gitea/quadlet/gitea-actions.container

@@ -1,7 +1,7 @@
 [Unit]
 Description=Gitea Actions CI/CD
-[email protected] gitea.service podman-gitea-actions.socket
-[email protected] gitea.service podman-gitea-actions.socket
+[email protected] gitea.service gitea-actions-podman.socket
+[email protected] gitea.service gitea-actions-podman.socket
 
 [Container]
 AutoUpdate=local
@@ -11,7 +11,7 @@ Image=localhost/gitea:latest
 PodmanArgs=--security-opt label=disable --entrypoint /run-gitea-actions
 Volume=%N:/var/lib/%N:z
 Volume=/tmp/runner-token:/etc/gitea/runner-token
-Volume=%t/podman-gitea-actions.sock:/run/podman-gitea-actions.sock
+Volume=/run/gitea-actions/podman.sock:/run/gitea-actions/podman.sock
 
 [Service]
 ExecStartPre=/bin/bash -c 'podman exec gitea gosu git /usr/bin/gitea -c /etc/gitea/config.ini actions generate-runner-token > /tmp/runner-token'

service/gitea/systemd/gitea-actions-podman.service

@@ -1,7 +1,7 @@
 [Unit]
 Description=Podman API Service for Gitea Actions
-Requires=podman-gitea-actions.socket
-After=podman-gitea-actions.socket
+Requires=gitea-actions-podman.socket
+After=gitea-actions-podman.socket
 Documentation=man:podman-system-service(1)
 StartLimitIntervalSec=0
 
@@ -11,6 +11,7 @@ Type=exec
 KillMode=process
 Environment=LOGGING="--log-level=info"
 User=gitea-actions
+ExecStartPre=!chown root:gitea-actions /run/gitea-actions
 ExecStart=/usr/bin/podman $LOGGING system service
 
 [Install]

service/gitea/systemd/gitea-actions-podman.socket

@@ -3,8 +3,8 @@ Description=Podman API Socket for Gitea Actions
 Documentation=man:podman-system-service(1)
 
 [Socket]
-ListenStream=%t/podman-gitea-actions.sock
-SocketMode=0660
+ListenStream=/run/gitea-actions/podman.sock
+DirectoryMode=0770
 
 [Install]
 WantedBy=sockets.target