From 4e4d9e74270385585b727370e44aa72c2a6c1892 Mon Sep 17 00:00:00 2001
From: Natalie
Date: Tue, 30 Jun 2026 04:34:56 -0400
Subject: [PATCH] feat(tf-services): Forgejo Actions + co-located runners
Enable [actions] on all 3 forges (cloud-init). Add docker-compose.runners.yml: 3 act_runner containers (one per forge) co-located on com.uvlava.quinn.artifacts, sharing the forges' docker net, executing repo .forgejo/workflows. Reg tokens are runtime secrets (per-forge admin registration-token), never committed.
Co-Authored-By: Claude Opus 4.8
---
 cloud-init.yaml | 6 +++---
 docker-compose.runners.yml | 38 ++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+), 3 deletions(-)
 create mode 100644 docker-compose.runners.yml
diff --git a/cloud-init.yaml b/cloud-init.yaml
index 5c054ab..fe5f64d 100644
--- a/cloud-init.yaml
+++ b/cloud-init.yaml
@@ -27,19 +27,19 @@ write_files:
 forgejo-ct:
 image: codeberg.org/forgejo/forgejo:10
 restart: always
- environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.ct.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.ct.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2222", FORGEJO__server__SSH_PORT: "2222", FORGEJO__server__SSH_DOMAIN: "forge.ct.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" }
+ environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.ct.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.ct.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2222", FORGEJO__server__SSH_PORT: "2222", FORGEJO__server__SSH_DOMAIN: "forge.ct.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true", FORGEJO__actions__ENABLED: "true" }
 volumes: [ /opt/services/ct:/data ]
 ports: [ "3000:3000", "2222:2222" ]
 forgejo-mc:
 image: codeberg.org/forgejo/forgejo:10
 restart: always
- environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.mc.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.mc.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2223", FORGEJO__server__SSH_PORT: "2223", FORGEJO__server__SSH_DOMAIN: "forge.mc.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" }
+ environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.mc.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.mc.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2223", FORGEJO__server__SSH_PORT: "2223", FORGEJO__server__SSH_DOMAIN: "forge.mc.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true", FORGEJO__actions__ENABLED: "true" }
 volumes: [ /opt/services/mc:/data ]
 ports: [ "3001:3000", "2223:2223" ]
 forgejo-quinn:
 image: codeberg.org/forgejo/forgejo:10
 restart: always
- environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.quinn.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.quinn.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2224", FORGEJO__server__SSH_PORT: "2224", FORGEJO__server__SSH_DOMAIN: "forge.quinn.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true" }
+ environment: { USER_UID: "1000", USER_GID: "1000", FORGEJO__server__HTTP_PORT: "3000", FORGEJO__server__DOMAIN: "forge.quinn.uvlava.com", FORGEJO__server__ROOT_URL: "https://forge.quinn.uvlava.com/", FORGEJO__server__DISABLE_SSH: "false", FORGEJO__server__START_SSH_SERVER: "true", FORGEJO__server__SSH_LISTEN_PORT: "2224", FORGEJO__server__SSH_PORT: "2224", FORGEJO__server__SSH_DOMAIN: "forge.quinn.uvlava.com", FORGEJO__security__INSTALL_LOCK: "true", FORGEJO__service__DISABLE_REGISTRATION: "true", FORGEJO__actions__ENABLED: "true" }
 volumes: [ /opt/services/quinn:/data ]
 ports: [ "3002:3000", "2224:2224" ]
 verdaccio:
diff --git a/docker-compose.runners.yml b/docker-compose.runners.yml
new file mode 100644
index 0000000..35ba863
--- /dev/null
+++ b/docker-compose.runners.yml
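Review bot: `FORGEJO__actions__ENABLED: "true"` is switched on for all three forges (the `+ environment:` lines of forgejo-ct, forgejo-mc and forgejo-quinn in the cloud-init hunk) without also pinning `FORGEJO__actions__DEFAULT_ACTIONS_URL`, so, if I read the Forgejo defaults right, unqualified `uses:` references in workflows are fetched from Forgejo's built-in public upstream rather than from a host this deployment controls. If workflow actions are meant to come only from these forges, set it per service (e.g. `FORGEJO__actions__DEFAULT_ACTIONS_URL: "https://forge.ct.uvlava.com"`) or require fully qualified `uses:` URLs, and record the decision in the cloud-init comments. As a point of style, each `environment:` is now a ~600-character flow mapping, so adding one key rewrites the whole line and the actual change is hard to spot in review; converting the three maps to block style, one key per line as the new runners file does, would make future changes diff cleanly.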
@@ -0,0 +1,38 @@
+# Forgejo Actions runners — co-located on com.uvlava.quinn.artifacts, one per forge.
+# Standing runners (always-on) executing each repo's .forgejo/workflows (semver/build/publish).
+# Registration tokens are RUNTIME secrets (per forge, from /api/v1/admin/runners/registration-token),
+# injected at deploy — NEVER committed. Templated here; fill GITEA_RUNNER_REGISTRATION_TOKEN per runner.
+# On-demand burst scaling (beyond these standing runners) is the separate ci-runners terraform.
+# Deploy: docker compose -f docker-compose.runners.yml up -d (shares the forges' services_default net)
+services:
+ runner-ct:
+ image: gitea/act_runner:latest
+ restart: always
+ environment:
+ GITEA_INSTANCE_URL: "http://forgejo-ct:3000"
+ GITEA_RUNNER_REGISTRATION_TOKEN: "__CT_REGTOKEN__"
+ GITEA_RUNNER_NAME: "artifacts-ct"
+ GITEA_RUNNER_LABELS: "ubuntu-latest:docker://node:20-bookworm,docker:docker://node:20-bookworm"
+ volumes: [ /var/run/docker.sock:/var/run/docker.sock, /opt/services/runner-ct:/data ]
+ runner-mc:
+ image: gitea/act_runner:latest
+ restart: always
+ environment:
+ GITEA_INSTANCE_URL: "http://forgejo-mc:3000"
+ GITEA_RUNNER_REGISTRATION_TOKEN: "__MC_REGTOKEN__"
+ GITEA_RUNNER_NAME: "artifacts-mc"
+ GITEA_RUNNER_LABELS: "ubuntu-latest:docker://node:20-bookworm"
+ volumes: [ /var/run/docker.sock:/var/run/docker.sock, /opt/services/runner-mc:/data ]
+ runner-quinn:
+ image: gitea/act_runner:latest
+ restart: always
+ environment:
+ GITEA_INSTANCE_URL: "http://forgejo-quinn:3000"
+ GITEA_RUNNER_REGISTRATION_TOKEN: "__QUINN_REGTOKEN__"
+ GITEA_RUNNER_NAME: "artifacts-quinn"
+ GITEA_RUNNER_LABELS: "ubuntu-latest:docker://node:20-bookworm"
+ volumes: [ /var/run/docker.sock:/var/run/docker.sock, /opt/services/runner-quinn:/data ]
+networks:
+ default:
+ name: services_default
+ external: true
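Review bot: Mounting `/var/run/docker.sock` into runner-ct, runner-mc and runner-quinn (each `volumes:` line) hands every workflow that lands on these runners control of the host's Docker daemon, and since all three forges plus verdaccio run on that same daemon and `services_default` network, a repository on one forge can read or alter the other forges' containers and volumes, so the "one runner per forge" split provides no isolation at the host level. With registration disabled on every forge only admin-created accounts can push workflows, which bounds the exposure, but the header comment should state that boundary explicitly, e.g. `# NOTE: all runners share the host docker daemon via docker.sock — a workflow on any forge is host-admin-equivalent and can reach the other forges' containers.`; if that is not acceptable, a Docker-in-Docker sidecar per runner or a separate runner host per forge is the fix. `image: gitea/act_runner:latest` is unpinned while the forges pin `forgejo:10`; pin a tag or digest so a later pull cannot silently swap the binary that handles the registration tokens. The `__CT_REGTOKEN__`-style placeholders imply the committed file is rewritten in place at deploy, which invites an accidental commit of a filled copy; Compose interpolation such as `GITEA_RUNNER_REGISTRATION_TOKEN: "${CT_REGTOKEN}"` read from an untracked `.env` keeps the tracked file unchanged. Also worth confirming: job containers started through the host socket may not join `services_default` by default, in which case `http://forgejo-ct:3000` would not resolve from inside a job and checkout would fail.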