diff --git a/.forgejo/workflows/build.yml b/.forgejo/workflows/build.yml index acc442b..d5965b6 100644 --- a/.forgejo/workflows/build.yml +++ b/.forgejo/workflows/build.yml @@ -1,16 +1,12 @@ # Runs only on pushes to main. -# Builds the Docker image on the CI runner host (which has Docker socket access), -# pushes it to the Forgejo container registry, then SSHes to the app host to restart. # -# Runner requirement: act_runner with /var/run/docker.sock mounted (see infra/runner-swarm.yml). +# The runner runs in the same swarm as Forgejo with /var/run/docker.sock mounted, +# so it can build images and update swarm services directly — no SSH needed. # -# Required secrets (Forgejo repo → Settings → Secrets): -# REGISTRY_USER — your Forgejo username (bvandeusen) -# REGISTRY_TOKEN — Forgejo personal access token with write:packages scope -# DEPLOY_HOST — IP or hostname of the server running fabledassistant -# DEPLOY_USER — SSH user on that server -# DEPLOY_SSH_KEY — private SSH key (matching public key must be in authorized_keys on app host) -# DEPLOY_PATH — absolute path to the directory with docker-compose.yml on the app host +# Required secrets (repo → Settings → Secrets → Actions): +# REGISTRY_USER — your Forgejo username +# REGISTRY_TOKEN — Forgejo PAT with write:packages scope +# DEPLOY_SERVICE — full swarm service name, e.g. fabledassistant_app name: Build & Deploy on: @@ -46,9 +42,8 @@ jobs: tags: | ${{ env.IMAGE }}:latest ${{ env.IMAGE }}:${{ github.sha }} - # Registry-side layer cache lives in the Forgejo container registry. - # Unchanged layers (npm install, pip install) are reused across builds, - # cutting typical build time from ~4 min to ~45 sec after the first run. + # Registry-side layer cache — unchanged layers (npm install, pip install) + # are reused between builds. Cuts typical build time from ~4 min to ~45 sec. cache-from: type=registry,ref=${{ env.IMAGE }}:cache cache-to: type=registry,ref=${{ env.IMAGE }}:cache,mode=max @@ -57,19 +52,21 @@ jobs: needs: build runs-on: ubuntu-latest steps: - - name: Pull new image and restart app - uses: appleboy/ssh-action@v1 - with: - host: ${{ secrets.DEPLOY_HOST }} - username: ${{ secrets.DEPLOY_USER }} - key: ${{ secrets.DEPLOY_SSH_KEY }} - # Pulls only the app service image, restarts only the app container. - # Database and Ollama containers are left untouched (--no-deps). - script: | - set -e - echo "${{ secrets.REGISTRY_TOKEN }}" | \ - docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin - cd "${{ secrets.DEPLOY_PATH }}" - docker compose pull app - docker compose up -d --no-build --no-deps app - docker image prune -f + - name: Log in to registry + run: | + echo "${{ secrets.REGISTRY_TOKEN }}" | \ + docker login git.fabledsword.com -u "${{ secrets.REGISTRY_USER }}" --password-stdin + + - name: Update swarm service + # --with-registry-auth forwards the login credentials to all swarm nodes + # so they can pull the new image. --detach=false waits for the rollout to + # complete before the job finishes (shows progress in the Actions log). + run: | + docker service update \ + --image ${{ env.IMAGE }}:${{ github.sha }} \ + --with-registry-auth \ + --detach=false \ + ${{ secrets.DEPLOY_SERVICE }} + + - name: Clean up old images + run: docker image prune -f diff --git a/infra/act-runner-config.yml b/infra/act-runner-config.yml new file mode 100644 index 0000000..103577a --- /dev/null +++ b/infra/act-runner-config.yml @@ -0,0 +1,27 @@ +# act_runner configuration — stored as a Docker Swarm Config object. +# Referenced in runner-swarm.yml under configs.act_runner_config. +# +# After changing this file, update the swarm config: +# docker config rm act_runner_config +# docker stack deploy -c forgejo-stack.yml forgejo (or docker compose up -d) + +log: + level: info + +runner: + capacity: 2 # concurrent jobs + timeout: 30m + +cache: + enabled: true + dir: /data/.cache + +container: + # bridge: job containers get internet access via NAT but are isolated from + # each other and the swarm overlay. Sufficient for npm/pip/docker push. + network: bridge + + # Whitelist of host paths that workflow steps are allowed to bind-mount. + # The Docker socket is required for the build and deploy jobs. + valid_volumes: + - /var/run/docker.sock diff --git a/infra/runner-swarm.yml b/infra/runner-swarm.yml index 57fb3bd..74ad399 100644 --- a/infra/runner-swarm.yml +++ b/infra/runner-swarm.yml @@ -1,100 +1,113 @@ -# Forgejo Actions runner — deploy this on the FORGEJO HOST alongside the Forgejo stack. +# Forgejo Actions runner — add these services to your existing Forgejo stack. # -# The runner connects outbound to git.fabledsword.com to receive jobs. -# No inbound connections from Forgejo are needed. -# The host Docker socket is mounted so the build job can use Docker Buildx. +# Since the runner is in the same swarm as Forgejo it can: +# - Reach Forgejo at http://forgejo:3000 (no Traefik hop) +# - Use the host Docker socket (manager node) to build images and update services +# - Deploy the app via `docker service update` — no SSH needed # -# One-time setup on the Forgejo host: +# The runner MUST run on a swarm manager node so it can call the Docker service API. +# On a single-node swarm this is automatic. On multi-node, the placement constraint +# below ensures it. # +# One-time setup: # 1. Get a registration token: -# Forgejo → Site Administration → Runners → Create Runner -# (or per-repo: repo → Settings → Actions → Runners) +# https://git.fabledsword.com → Site Administration → Runners → Create Runner # -# 2. Create an env file (keep this off git): -# echo 'RUNNER_TOKEN=your_token_here' > /nfs/data/fabledsword/act_runner/.env +# 2. Add RUNNER_TOKEN to your stack's env file (same .env Forgejo uses): +# echo 'RUNNER_TOKEN=your_token_here' >> /path/to/forgejo.env # -# 3. Deploy: -# docker stack deploy -c runner-swarm.yml act-runner -# (or: docker compose -f runner-swarm.yml up -d if not using swarm mode for this) +# 3. Redeploy the Forgejo stack to pick up the new services: +# docker stack deploy -c forgejo-stack.yml --with-registry-auth forgejo # -# Note: docker stack deploy does not support `volumes.driver_opts` or bind mounts -# in the same way as compose. If you hit swarm limitations with the socket bind mount, -# run this with plain `docker compose` instead of `docker stack deploy` — the runner -# doesn't need swarm-specific features. +# Docker Swarm does not support bind-mounts of /var/run/docker.sock via +# `docker stack deploy`. Deploy using docker compose instead (still managed, +# just not as a formal stack): +# docker compose -f forgejo-stack.yml up -d +# +# Required secrets in Forgejo (repo → Settings → Secrets → Actions): +# REGISTRY_USER — your Forgejo username +# REGISTRY_TOKEN — Forgejo PAT with write:packages scope +# DEPLOY_SERVICE — full swarm service name for the app, e.g. fabledassistant_app networks: + overlay_proxy: + external: true fabled_backend: external: true +configs: + act_runner_config: + # Swarm Config object — stored in the swarm, injected read-only into the container. + # To update this config you must remove and recreate it: + # docker config rm act_runner_config + # then redeploy the stack. + file: ./act-runner-config.yml + volumes: act_runner_data: services: - act_runner: - image: gitea/act_runner:latest - restart: unless-stopped + # ── Existing Forgejo service (unchanged, shown for context) ─────────────────── + forgejo: + image: codeberg.org/forgejo/forgejo:14 environment: - - GITEA_INSTANCE_URL=https://git.fabledsword.com - - GITEA_RUNNER_REGISTRATION_TOKEN=${RUNNER_TOKEN} - - GITEA_RUNNER_NAME=forgejo-host-runner - # Labels control which `runs-on:` values this runner accepts. - # ubuntu-latest is the label used in all workflow files. - - GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bullseye,ubuntu-22.04:docker://node:20-bullseye - - CONFIG_FILE=/data/config.yml - volumes: - # Host Docker socket — required for the build job (docker buildx). - - /var/run/docker.sock:/var/run/docker.sock - - act_runner_data:/data - # act_runner creates job containers as siblings on the host docker daemon. - # The config file (written below by the init container) tells act_runner - # which host paths job containers are allowed to mount. - # See the init service below for how config.yml is created. + - USER_UID=1000 + - USER_GID=1000 + - FORGEJO__database__DB_TYPE=postgres + - FORGEJO__database__HOST=postgres:5432 + - FORGEJO__database__NAME=forgejo + - FORGEJO__database__USER=forgejo + - FORGEJO__database__PASSWD=${FORGEJO_DB_PW} networks: + - overlay_proxy - fabled_backend - depends_on: - - act_runner_init + volumes: + - /nfs/data/fabledsword/forgejo:/data + - /etc/timezone:/etc/timezone:ro + - /etc/localtime:/etc/localtime:ro deploy: replicas: 1 + labels: + - traefik.http.routers.fabled-git.rule=Host(`git.${BASE_DN}`) + - traefik.http.routers.fabled-git.entrypoints=websecure + - traefik.http.routers.fabled-git.tls=true + - traefik.http.routers.fabled-git.tls.certresolver=letsEncrypt + - traefik.http.services.fabled-git.loadbalancer.server.port=3000 + - traefik.http.routers.fabled-git.middlewares=chain-external-noauth@file + - traefik.enable=true + - traefik.http.services.fabled-git.loadbalancer.serversTransport=reg-xport@file + + # ── New: Forgejo Actions runner ─────────────────────────────────────────────── + act_runner: + image: gitea/act_runner:latest + environment: + # Use the internal service name — avoids Traefik and works even if TLS is down. + - GITEA_INSTANCE_URL=http://forgejo:3000 + - GITEA_RUNNER_REGISTRATION_TOKEN=${RUNNER_TOKEN} + - GITEA_RUNNER_NAME=swarm-runner + # Maps the `runs-on: ubuntu-latest` label in workflows to a Docker image. + # node:20-bullseye is used as a general base; the language-specific setup-* + # actions install the correct toolchain on top. + - GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bullseye + - CONFIG_FILE=/config/config.yml + configs: + - source: act_runner_config + target: /config/config.yml + mode: 0444 + volumes: + # The host Docker socket lets the runner build images and call `docker service update`. + # This REQUIRES the runner to be on a manager node (see placement below). + - /var/run/docker.sock:/var/run/docker.sock + - act_runner_data:/data + networks: + # fabled_backend lets the runner reach http://forgejo:3000 + - fabled_backend + deploy: + replicas: 1 + placement: + constraints: + # Must be a manager node to access the full Docker socket API (service updates). + - node.role == manager restart_policy: condition: on-failure - - # One-shot container that writes the act_runner config file before the runner starts. - # Runs once, exits, and the runner service picks up /data/config.yml. - act_runner_init: - image: busybox - volumes: - - act_runner_data:/data - command: > - sh -c " - if [ ! -f /data/config.yml ]; then - cat > /data/config.yml << 'EOF' -log: - level: info - -runner: - # How many jobs to run concurrently on this runner. - capacity: 2 - # Timeout for each job. - timeout: 30m - -cache: - enabled: true - dir: /data/.cache - -container: - # Job containers are created on the host Docker daemon (via mounted socket). - # They share the host network so they can reach Forgejo and the registry directly. - network: host - # Paths the runner is allowed to bind-mount into job containers. - # Add any paths here that workflow steps need to access on the host. - valid_volumes: - - /var/run/docker.sock -EOF - echo 'config.yml written' - else - echo 'config.yml already exists, skipping' - fi - " - deploy: - restart_policy: - condition: none + delay: 10s