Ansible role that deploys services on my runner machine
# Base image is chosen by the role (forgejo_runner_base_image). The Docker apt
# repository configured further down is the *Ubuntu* one and uses the base's
# $VERSION_CODENAME, so the base is expected to be an Ubuntu release; a Debian
# base would most likely fail at that apt-get update. Pin the tag (ideally the
# digest) in the role vars so rebuilds are reproducible.
FROM {{ forgejo_runner_base_image }}

# Build-time knobs, all rendered from role variables:
#   RUNNER_VERSION - forgejo-runner release to install ("latest" is resolved
#                    against the Forgejo API at build time, i.e. not reproducible)
#   RUNNER_USER    - unprivileged account the entrypoint drops to with gosu
#   RUNNER_UID     - its numeric uid (keep it stable across rebuilds so files
#                    on the /data volume stay owned by the same uid)
ARG RUNNER_VERSION={{ forgejo_ansible_runner_version }}
ARG RUNNER_USER={{ forgejo_runner_user }}
ARG RUNNER_UID={{ forgejo_runner_uid }}
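# DEBIAN_FRONTEND is only needed while apt-get runs during the build, so it is
# declared as a build ARG (visible to every RUN below) instead of an ENV that
# would otherwise leak into the runtime environment of the runner and of every
# command it executes.
ARG DEBIAN_FRONTEND=noninteractive
ENV PATH="/usr/local/bin:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin"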
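# Base tools + Ansible prerequisites + SSH client + Docker CLI + GnuPG.
# Package versions come from the distro/Docker repositories at build time; pin
# them (pkg=version) if reproducible rebuilds matter more than picking up fixes.
# NOTE: sshpass enables password-based SSH for Ansible; the password is handed
# to sshpass via argv/env, so prefer key-based auth wherever possible.
#
# The Docker repository key is downloaded over TLS only. Set
# DOCKER_APT_KEY_FINGERPRINT (40 hex chars, upper case, no spaces, as published
# in Docker's install docs) to make the build fail if the downloaded key does
# not carry that fingerprint; left empty, the key is trusted on TLS alone.
ARG DOCKER_APT_KEY_FINGERPRINT=""
RUN apt-get update && apt-get install -y --no-install-recommends \
        bash \
        ca-certificates \
        coreutils \
        curl \
        dirmngr \
        git \
        git-lfs \
        gnupg \
        gosu \
        jq \
        openssh-client \
        python3 \
        python3-pip \
        python3-venv \
        rsync \
        sshpass \
        wget \
        xz-utils \
    && install -m 0755 -d /etc/apt/keyrings \
    && curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc \
    && chmod a+r /etc/apt/keyrings/docker.asc \
    && if [ -n "${DOCKER_APT_KEY_FINGERPRINT}" ]; then \
           gpg --batch --show-keys --with-colons /etc/apt/keyrings/docker.asc \
               | grep -q "^fpr:::::::::${DOCKER_APT_KEY_FINGERPRINT}:$" \
               || { echo "docker.asc does not match DOCKER_APT_KEY_FINGERPRINT" >&2; exit 1; }; \
       fi \
    && . /etc/os-release \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu $VERSION_CODENAME stable" \
        > /etc/apt/sources.list.d/docker.list \
    && apt-get update && apt-get install -y --no-install-recommends \
        docker-buildx-plugin \
        docker-ce-cli \
        docker-compose-plugin \
    && rm -rf /var/lib/apt/lists/*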
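# Install Ansible and the required collections in a venv (isolated from the
# distro python packages); the CLIs are then symlinked onto PATH.
# Collections are installed with -p into /usr/share/ansible/collections, which
# is on Ansible's default collection search path for every user. Without -p,
# ansible-galaxy (running as root during the build) installs into root's own
# ~/.ansible/collections, which the non-root runner user the entrypoint switches
# to cannot read, so the collections would be missing at runtime.
# NOTE: ansible-core, ansible-lint and the collections are unpinned, so two
# builds can produce different Ansible versions; pin them (pkg==x.y.z,
# namespace.collection:==x.y.z) for reproducible images.
RUN python3 -m venv /opt/ansible \
    && /opt/ansible/bin/pip install --no-cache-dir \
        ansible-core \
        ansible-lint \
    && /opt/ansible/bin/ansible-galaxy collection install \
        -p /usr/share/ansible/collections \
        ansible.posix \
        community.docker \
        community.general \
    && for tool in ansible ansible-playbook ansible-galaxy ansible-vault ansible-lint; do \
           ln -s "/opt/ansible/bin/$tool" "/usr/local/bin/$tool" || exit 1; \
       done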
# Rebuild the system CA bundle so curl/gpg/pip below (and Ansible at runtime)
# trust the certificates shipped by ca-certificates. The package's postinst
# normally does this already; the explicit call is belt-and-braces and cheap.
RUN update-ca-certificates
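# Download forgejo-runner, verify its detached OpenPGP signature, install.
# The release key is fetched from keys.openpgp.org by fingerprint and imported
# into a throw-away keyring; the keyring is then checked to really contain that
# fingerprint, so a wrong key handed back by the keyserver cannot satisfy
# --verify. The binary is only moved into PATH after the signature check passes.
# NOTE: RUNNER_VERSION=latest makes the build non-reproducible; pin it in the
# role. The "latest" lookup reads the release *name* (.name); .tag_name is the
# field that is guaranteed to carry the tag, so the resolved value is sanity
# checked before it is used to build the download URL.
RUN set -eux; \
    arch="$(uname -m)"; \
    case "$arch" in \
        x86_64)  rel_arch=linux-amd64 ;; \
        aarch64) rel_arch=linux-arm64 ;; \
        armv7l)  rel_arch=linux-arm-7 ;; \
        *) echo "Unsupported arch: $arch" >&2; exit 1 ;; \
    esac; \
    if [ "$RUNNER_VERSION" = "latest" ]; then \
        RUNNER_VERSION="$(curl -fsSL https://data.forgejo.org/api/v1/repos/forgejo/runner/releases/latest | jq -r .name | sed 's/^v//')"; \
    fi; \
    echo "$RUNNER_VERSION" | grep -Eq '^[0-9]+\.[0-9]+\.[0-9]+' \
        || { echo "Could not determine a forgejo-runner version (got: $RUNNER_VERSION)" >&2; exit 1; }; \
    echo "Using forgejo-runner version: $RUNNER_VERSION (${rel_arch})"; \
    release_key_fpr=EB114F5E6C0DC2BCDD183550A4B61A2DC5923710; \
    base="https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-${rel_arch}"; \
    tmp="$(mktemp -d)"; \
    curl -fsSL "$base" -o "$tmp/forgejo-runner"; \
    curl -fsSL "$base.asc" -o "$tmp/forgejo-runner.asc"; \
    export GNUPGHOME="$tmp/gnupg"; mkdir -m 700 "$GNUPGHOME"; \
    curl -fsSL "https://keys.openpgp.org/vks/v1/by-fingerprint/${release_key_fpr}" -o "$tmp/release-key.asc"; \
    gpg --batch --import "$tmp/release-key.asc"; \
    gpg --batch --with-colons --fingerprint | grep -q "^fpr:::::::::${release_key_fpr}:$"; \
    gpg --batch --verify "$tmp/forgejo-runner.asc" "$tmp/forgejo-runner"; \
    install -m 0755 "$tmp/forgejo-runner" /usr/local/bin/forgejo-runner; \
    rm -rf "$tmp"; \
    /usr/local/bin/forgejo-runner --version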
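# Create the unprivileged runner account and a "docker" group it belongs to.
# GID 2000 is only a build-time placeholder: the entrypoint re-aligns the group
# to the GID of the mounted docker.sock on every start.
# A clash on GID 2000 now fails the build loudly instead of (as `groupadd || true`
# did) silently leaving the group missing for the usermod that follows.
RUN getent group docker >/dev/null || groupadd -g 2000 docker \
    && useradd -m -u "${RUNNER_UID}" -s /bin/bash "${RUNNER_USER}" \
    && usermod -aG docker "${RUNNER_USER}"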
# Pre-create a private ~/.ssh for the runner user (used for Ansible's SSH
# connections). Nothing is provisioned into it at build time: keys and
# known_hosts presumably arrive at runtime via the job or a mounted volume.
RUN install -d -m 0700 -o "${RUNNER_USER}" -g "${RUNNER_USER}" "/home/${RUNNER_USER}/.ssh"
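# Entrypoint: prepare /data, give the runner user access to the host Docker
# socket, then drop privileges to the runner user with gosu.
#
# SECURITY: membership in the group that owns /var/run/docker.sock lets the
# runner user - and therefore every CI job it executes - drive the host Docker
# daemon, which is effectively root on the host. Only mount the socket if that
# is acceptable for the workloads this runner accepts.
#
# Compared with the previous version, the socket's GID is matched to *whatever*
# group already owns it (getent) instead of always renaming "docker" to that
# GID; groupmod silently failed (|| true) when another group already had the
# GID, leaving the runner without socket access. A socket owned by gid 0 now
# logs a warning instead of being skipped silently. Failures stay best-effort
# (warnings), so the container still starts.
# The script is generated with printf; single-quoted arguments are copied
# literally, only RUNNER_USER is baked in once at the top.
RUN printf '%s\n' \
    '#!/usr/bin/env bash' \
    'set -euo pipefail' \
    'RUNNER_USER="'"${RUNNER_USER}"'"' \
    '' \
    '# /data is the runner working/state directory; it must be owned by the unprivileged user.' \
    'mkdir -p /data && chown -R "$RUNNER_USER":"$RUNNER_USER" /data' \
    '' \
    '# Join the group that owns the mounted docker.sock (host-root-equivalent access for every job).' \
    'if [ -S /var/run/docker.sock ]; then' \
    '  sock_gid=$(stat -c "%g" /var/run/docker.sock || echo 0)' \
    '  if [ "$sock_gid" = "0" ]; then' \
    '    echo "WARNING: /var/run/docker.sock is owned by gid 0; $RUNNER_USER will not be able to use it" >&2' \
    '  else' \
    '    sock_group=$(getent group "$sock_gid" | cut -d: -f1 || true)' \
    '    if [ -z "$sock_group" ]; then' \
    '      if getent group docker >/dev/null; then groupmod -g "$sock_gid" docker; else groupadd -g "$sock_gid" docker; fi || echo "WARNING: could not assign gid $sock_gid to group docker" >&2' \
    '      sock_group=docker' \
    '    fi' \
    '    usermod -aG "$sock_group" "$RUNNER_USER" || echo "WARNING: could not add $RUNNER_USER to group $sock_group" >&2' \
    '  fi' \
    'fi' \
    '' \
    'echo "Runner user: $RUNNER_USER (uid=$(id -u "$RUNNER_USER"), groups: $(id -nG "$RUNNER_USER"))"' \
    'echo "Ansible: $(ansible --version 2>/dev/null | head -1 || echo missing)"' \
    'echo "Docker CLI: $(docker --version 2>/dev/null || echo missing)"' \
    '' \
    '# Replace the shell so the command becomes PID 1 and receives signals directly.' \
    'exec gosu "$RUNNER_USER" "$@"' \
    > /usr/local/bin/runner-entry.sh \
    && chmod 0755 /usr/local/bin/runner-entry.sh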
# /data is both the working directory and the runner's state directory; the
# entrypoint re-creates and chowns it to the runner user on every start, so it
# can safely be backed by a volume.
WORKDIR /data
# Intentionally no USER directive: the entrypoint has to start as root to align
# the docker.sock group membership, and drops privileges itself with gosu before
# exec'ing the command passed to the container.
ENTRYPOINT ["/usr/local/bin/runner-entry.sh"]