From 39410c4baeb985e06906badf8f02b21a90902bae Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Wed, 17 Apr 2024 23:19:08 +0200 Subject: [PATCH] add forgejo runner --- kubenix-modules/forgejo.nix | 171 +++++++++++++++++++++++++++++------- secrets/sops.yaml | 5 +- 2 files changed, 142 insertions(+), 34 deletions(-) diff --git a/kubenix-modules/forgejo.nix b/kubenix-modules/forgejo.nix index 6375527..cea6e7b 100644 --- a/kubenix-modules/forgejo.nix +++ b/kubenix-modules/forgejo.nix @@ -1,5 +1,7 @@ { myLib, ... }: { kubernetes.resources = { + secrets.runner-secret.stringData.token = "ref+sops://secrets/sops.yaml#/forgejo/runnerToken"; + configMaps = { forgejo-config.data = { # TODO: Generate from nix code? 
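Review bot: The added `secrets.runner-secret.stringData.token` line has no comment saying what resolves the `ref+sops://` reference, and nothing in this hunk shows that step. If the manifest is applied without the substitution, the Secret would hold the literal reference string instead of a token; once it is substituted, the rendered manifest carries the runner registration token in plaintext, so rendered output should stay out of CI logs and committed build artifacts. I would add a comment above the line such as `# Resolved at deploy time from secrets/sops.yaml (presumably by vals); the rendered Secret holds the plaintext runner registration token`. The `kubernetes.resources` attribute set continues outside the hunk, so whether a namespace or other metadata is set for this Secret cannot be checked from here.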
@@ -117,41 +119,143 @@ }; }; - deployments.forgejo = { - metadata.labels.app = "forgejo"; + deployments = { + forgejo = { + metadata.labels = { + app = "forgejo"; + component = "forgejo"; + }; - spec = { - selector.matchLabels.app = "forgejo"; + spec = { + selector.matchLabels = { + app = "forgejo"; + component = "forgejo"; + }; - template = { - metadata.labels.app = "forgejo"; - - spec = { - containers.forgejo = { - image = "codeberg.org/forgejo/forgejo:1.20"; - envFrom = [{ configMapRef.name = "forgejo-env"; }]; - - ports = { - web.containerPort = 3000; - ssh.containerPort = 22; - }; - - volumeMounts = [ - { - name = "data"; - mountPath = "/data"; - } - { - name = "config"; - mountPath = "/data/gitea/conf/app.ini"; - subPath = "config"; - } - ]; + template = { + metadata.labels = { + app = "forgejo"; + component = "forgejo"; }; - volumes = { - data.persistentVolumeClaim.claimName = "forgejo"; - config.configMap.name = "forgejo-config"; + spec = { + containers.forgejo = { + image = "codeberg.org/forgejo/forgejo:1.21"; + envFrom = [{ configMapRef.name = "forgejo-env"; }]; + + ports = { + web.containerPort = 3000; + ssh.containerPort = 22; + }; + + volumeMounts = [ + { + name = "data"; + mountPath = "/data"; + } + { + name = "config"; + mountPath = "/data/gitea/conf/app.ini"; + subPath = "config"; + } + ]; + }; + + volumes = { + data.persistentVolumeClaim.claimName = "forgejo"; + config.configMap.name = "forgejo-config"; + }; + }; + }; + }; + }; + + # Forgejo-runner for docker in docker (dind) on Kubernetes: + # https://code.forgejo.org/forgejo/runner/src/branch/main/examples/kubernetes/dind-docker.yaml + forgejo-runner = { + metadata.labels = { + app = "forgejo"; + component = "runner"; + }; + + spec = { + selector.matchLabels = { + app = "forgejo"; + component = "runner"; + }; + + template = { + metadata.labels = { + app = "forgejo"; + component = "runner"; + }; + + spec = { + restartPolicy = "Always"; + + volumes = { + docker-certs.emptyDir = { }; + 
runner-data.emptyDir = { }; + }; + + initContainers.runner-register = { + image = "code.forgejo.org/forgejo/runner:3.2.0"; + command = [ "forgejo-runner" "register" "--no-interactive" "--token" "$(RUNNER_SECRET)" "--name" "$(RUNNER_NAME)" "--instance" "$(FORGEJO_INSTANCE_URL)" ]; + + env = { + RUNNER_NAME.value = "runner"; + FORGEJO_INSTANCE_URL.value = "https://git.kun.is"; + RUNNER_SECRET.valueFrom.secretKeyRef = { + name = "runner-secret"; + key = "token"; + }; + }; + + resources.limits = { + cpu = "0.50"; + memory = "64Mi"; + }; + + volumeMounts = [{ + name = "runner-data"; + mountPath = "/data"; + }]; + }; + + containers = { + runner = { + image = "code.forgejo.org/forgejo/runner:3.0.0"; + command = [ "sh" "-c" "while ! nc -z localhost 2376