93fcd753a6
Since Forgejo and the app share a swarm, the runner can: - Connect to Forgejo at http://forgejo:3000 (internal, no Traefik) - Call docker service update directly via mounted socket - Avoid SSH entirely — secrets drop from 6 to 3 infra/runner-swarm.yml: runner added to Forgejo stack, pinned to manager node (required for service API access), uses Docker Swarm Config object for act_runner config injection infra/act-runner-config.yml: runner config (bridge network for jobs, docker socket whitelisted) build.yml: deploy step replaced with docker service update --with-registry-auth --detach=false (waits for rollout, shows progress in Actions log) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
114 lines
4.5 KiB
YAML
114 lines
4.5 KiB
YAML
# Forgejo Actions runner — add these services to your existing Forgejo stack.
|
|
#
|
|
# Since the runner is in the same swarm as Forgejo it can:
|
|
# - Reach Forgejo at http://forgejo:3000 (no Traefik hop)
|
|
# - Use the host Docker socket (manager node) to build images and update services
|
|
# - Deploy the app via `docker service update` — no SSH needed
|
|
#
|
|
# The runner MUST run on a swarm manager node so it can call the Docker service API.
|
|
# On a single-node swarm this is automatic. On multi-node, the placement constraint
|
|
# below ensures it.
|
|
#
|
|
# One-time setup:
|
|
# 1. Get a registration token:
|
|
# https://git.fabledsword.com → Site Administration → Runners → Create Runner
|
|
#
|
|
# 2. Add RUNNER_TOKEN to your stack's env file (same .env Forgejo uses):
|
|
# echo 'RUNNER_TOKEN=your_token_here' >> /path/to/forgejo.env
|
|
#
|
|
# 3. Redeploy the Forgejo stack to pick up the new services:
|
|
# docker stack deploy -c forgejo-stack.yml --with-registry-auth forgejo
|
|
#
|
|
# Docker Swarm does not support bind-mounts of /var/run/docker.sock via
|
|
# `docker stack deploy`. Deploy using docker compose instead (still managed,
|
|
# just not as a formal stack):
|
|
# docker compose -f forgejo-stack.yml up -d
|
|
#
|
|
# Required secrets in Forgejo (repo → Settings → Secrets → Actions):
|
|
# REGISTRY_USER — your Forgejo username
|
|
# REGISTRY_TOKEN — Forgejo PAT with write:packages scope
|
|
# DEPLOY_SERVICE — full swarm service name for the app, e.g. fabledassistant_app
|
|
|
|
networks:
|
|
overlay_proxy:
|
|
external: true
|
|
fabled_backend:
|
|
external: true
|
|
|
|
configs:
|
|
act_runner_config:
|
|
# Swarm Config object — stored in the swarm, injected read-only into the container.
|
|
# To update this config you must remove and recreate it:
|
|
# docker config rm act_runner_config
|
|
# then redeploy the stack.
|
|
file: ./act-runner-config.yml
|
|
|
|
volumes:
|
|
act_runner_data:
|
|
|
|
services:
|
|
# ── Existing Forgejo service (unchanged, shown for context) ───────────────────
|
|
forgejo:
|
|
image: codeberg.org/forgejo/forgejo:14
|
|
environment:
|
|
- USER_UID=1000
|
|
- USER_GID=1000
|
|
- FORGEJO__database__DB_TYPE=postgres
|
|
- FORGEJO__database__HOST=postgres:5432
|
|
- FORGEJO__database__NAME=forgejo
|
|
- FORGEJO__database__USER=forgejo
|
|
- FORGEJO__database__PASSWD=${FORGEJO_DB_PW}
|
|
networks:
|
|
- overlay_proxy
|
|
- fabled_backend
|
|
volumes:
|
|
- /nfs/data/fabledsword/forgejo:/data
|
|
- /etc/timezone:/etc/timezone:ro
|
|
- /etc/localtime:/etc/localtime:ro
|
|
deploy:
|
|
replicas: 1
|
|
labels:
|
|
- traefik.http.routers.fabled-git.rule=Host(`git.${BASE_DN}`)
|
|
- traefik.http.routers.fabled-git.entrypoints=websecure
|
|
- traefik.http.routers.fabled-git.tls=true
|
|
- traefik.http.routers.fabled-git.tls.certresolver=letsEncrypt
|
|
- traefik.http.services.fabled-git.loadbalancer.server.port=3000
|
|
- traefik.http.routers.fabled-git.middlewares=chain-external-noauth@file
|
|
- traefik.enable=true
|
|
- traefik.http.services.fabled-git.loadbalancer.serversTransport=reg-xport@file
|
|
|
|
# ── New: Forgejo Actions runner ───────────────────────────────────────────────
|
|
act_runner:
|
|
image: gitea/act_runner:latest
|
|
environment:
|
|
# Use the internal service name — avoids Traefik and works even if TLS is down.
|
|
- GITEA_INSTANCE_URL=http://forgejo:3000
|
|
- GITEA_RUNNER_REGISTRATION_TOKEN=${RUNNER_TOKEN}
|
|
- GITEA_RUNNER_NAME=swarm-runner
|
|
# Maps the `runs-on: ubuntu-latest` label in workflows to a Docker image.
|
|
# node:20-bullseye is used as a general base; the language-specific setup-*
|
|
# actions install the correct toolchain on top.
|
|
- GITEA_RUNNER_LABELS=ubuntu-latest:docker://node:20-bullseye
|
|
- CONFIG_FILE=/config/config.yml
|
|
configs:
|
|
- source: act_runner_config
|
|
target: /config/config.yml
|
|
mode: 0444
|
|
volumes:
|
|
# The host Docker socket lets the runner build images and call `docker service update`.
|
|
# This REQUIRES the runner to be on a manager node (see placement below).
|
|
- /var/run/docker.sock:/var/run/docker.sock
|
|
- act_runner_data:/data
|
|
networks:
|
|
# fabled_backend lets the runner reach http://forgejo:3000
|
|
- fabled_backend
|
|
deploy:
|
|
replicas: 1
|
|
placement:
|
|
constraints:
|
|
# Must be a manager node to access the full Docker socket API (service updates).
|
|
- node.role == manager
|
|
restart_policy:
|
|
condition: on-failure
|
|
delay: 10s
|