gitea revert to dind runner

infrastructure/external/kustomization.yaml

@@ -9,4 +9,3 @@ resources:
   - omv-s3.ingress.yaml
   - openmediavault.ingress.yaml
   - proxmox.ingress.yaml
-  - wireguard.ingress.yaml

infrastructure/external/wireguard.ingress.yaml

@@ -1,38 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: wireguard-ingressroute
-  namespace: external
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`wireguard.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: wireguard
-      port: 443
-      scheme: https
-  tls:
-    certResolver: default-tls
----
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: wireguard
-  namespace: external
-subsets:
-  - addresses:
-      - ip: 192.168.2.1
-    ports:
-      - port: 443
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: wireguard
-  namespace: external
-spec:
-  ports:
-    - port: 443
-      targetPort: 443

infrastructure/gitea/actions.deployment.yaml

@@ -1,28 +1,24 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: actions-runner
+  labels:
+    app: act-runner
+  name: act-runner
 spec:
+  replicas: 1
   selector:
     matchLabels:
-      app: actions-runner
+      app: act-runner
   template:
     metadata:
       labels:
-        app: actions-runner
+        app: act-runner
     spec:
-      hostname: kube-runner
+      restartPolicy: Always
-      serviceAccountName: actions-runner
       containers:
-      - name: actions-runner
+      - name: runner
-        image: actions-runner
+        image: runner
-        resources:
+        command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
-          requests:
-            memory: "128Mi"
-            cpu: "500m"
-          limits:
-            memory: "2Gi"
-            cpu: "2"
         env:
         - name: DOCKER_HOST
           value: tcp://localhost:2376
@@ -37,30 +33,40 @@ spec:
             secretKeyRef:
               name: actions-runner-secret
               key: runner-token
-        # - name: GITEA_RUNNER_LABELS
-        #   value: ubuntu-latest:docker://node:16-bullseye,ubuntu-22.04:docker://node:16-bullseye
         - name: ACTIONS_RUNNER_POD_NAME
           valueFrom:
             fieldRef:
               fieldPath: metadata.name
-        - name: ACTIONS_RUNNER_REQUIRE_JOB_CONTAINER
-          value: "true"
-        - name: ACTIONS_RUNNER_CONTAINER_HOOKS
-          value: /home/runner/k8s/index.js
-        - name: ACTIONS_RUNNER_CLAIM_NAME
-          value: runner-workdir
-        - name: GITEA_RUNNER_LABELS
-          value: k8s
         volumeMounts:
-        - name: runner-workdir
+        - name: docker-certs
-          mountPath: /home/runner/_work
+          mountPath: /certs
         - name: runner-data
           mountPath: /data
+        resources:
+          limits:
+            memory: "1Gi"
+            cpu: "1"
 
+      - name: daemon
+        image: daemon
+        env:
+        - name: DOCKER_TLS_CERTDIR
+          value: /certs
+        securityContext:
+          privileged: true
+        volumeMounts:
+        - name: docker-certs
+          mountPath: /certs
+        resources:
+          requests:
+            memory: "128Mi"
+            cpu: "500m"
+          limits:
+            memory: "4Gi"
+            cpu: "4"    
       volumes:
-      - name: runner-workdir
+      - name: docker-certs
-        persistentVolumeClaim:
+        emptyDir: {}
-          claimName: runner-workdir
       - name: runner-data
         persistentVolumeClaim:
           claimName: runner-data
@@ -77,16 +83,3 @@ spec:
   volumeMode: Filesystem
   accessModes:
     - ReadWriteMany
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: runner-workdir
-spec:
-  resources:
-    requests:
-      storage: 5Gi
-  storageClassName: "nfs-client"
-  volumeMode: Filesystem
-  accessModes:
-    - ReadWriteMany

infrastructure/gitea/actions.rbac.yaml

@@ -1,38 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: actions-runner
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: actions-role
-rules:
-- apiGroups: [""]
-  resources: ["pods"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: [""]
-  resources: ["pods/exec"]
-  verbs: ["get", "create"]
-- apiGroups: [""]
-  resources: ["pods/log"]
-  verbs: ["get", "list", "watch",]
-- apiGroups: ["batch"]
-  resources: ["jobs"]
-  verbs: ["get", "list", "create", "delete"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get", "list", "create", "delete"]
----
-kind: RoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: actions-role-binding
-subjects:
-- kind: ServiceAccount
-  name: actions-runner
-  apiGroup: ""
-roleRef:
-  kind: Role
-  name: actions-role
-  apiGroup: rbac.authorization.k8s.io

infrastructure/gitea/actions.sealedsecret.yaml

@@ -7,7 +7,7 @@ metadata:
   namespace: gitea
 spec:
   encryptedData:
-    runner-token: AgBHwek/Aj/0oOnI/bnZ4FgtRoeJw4tIKvcDzBhaPdQ7bMVHyHUKYUNP7lkPgZrIN+7rhMY7C/j13iGWx4iTdhTgipLiJvyZ70pXKLSix4IpcypJTElggWkW0JW79x1HyJfBtn9iJiHnEZXPi7sEnyKhA0asAOR0ae8NS6mxxei0TIImaPaC2RHL6MOi40xsXpHz2ZaVhDQaTSRWjv0U6+WkCGcueqM2HLYfF1gqqkzGCjjhdOTK1CKvIvApZ5n8x6x94IiywCXJraDCwLz+acF2c2vA/Jb/3p7TwyyRZ5uIF5LZufhTJ6+5sFJSReHYxO4CpPA8KvM880vtiEjN7LxVo/Jruj2459OvjviKZS03ZwLHHrjanom1+HA9Sx2ffRLiR5ayGkfj/6kvpIRt5x1F7BbPp+a0LXuxJX+1nGDyEa1D1WzVKvZASav6/v7cXcom/nKGO91Zb8qHlOv7ZTs5guGQ9G9VCOHOG8szwpW3ZmQwWfFoWsShzqbDqszBYOGeIjIiDllLzTZ8A9dv9J2ELngZ1IPGIkfpQNEW8hsbNXTYhdVIrkh7BIFkRWfYDNWxqZd4iE6XllQcT1rqndusgiNEJX2r+P4nT8dPewATXQ79wzvZU3kB+VHzM8cLymlVGADi7v/qTY9RcrhuE0oMLzHRShr6JU05VfLGbMsttrYKmW7smvBp3lRJitO5A8+r8cRniS1+Xr8mIx87vCvnoWSH6BKkl9pCdDeCGylAWfkJN9UpkaKg
+    runner-token: AgCexZDTtbYOdG3XgvmOh9CwxzTT+dhPVCPYv/arp8cM9R45PFIfwDvFCThnTHQYZJIYpsaUvoxdXSYYdhLyBVhmuAdD0NeH47q7qRh4U6WYUF6RMqUV3Dpri00nrROx2MN8Q+uGN+wq2xloSbkDzLiS+0sD8m+ItIKhEjIMcn9PyA2OheUmbCVfyOVzCEEaOt98nweTlOXgQLJBLPhxUJFCMePfGHudAlu2lZO3dH+T8G9cC86akZnAODuI69iScuIVOtGJvj1EhPNg9d7QjmjWZOKlk0ryPdwEoR/+kD069Jp4STX7IsVqKxZcvnY8yUICbmvj2TzJWzUDMit3leBopO+8+ECSng4uANGwp3QyankmyWD8SXN3fTuASoeoWa5mYN/qCih9m5ih7FxsDNqAFumUzX1QtAN3LDmzgcomdC7D6FHc1PIaOjoEF96TaDgBc8ODMRBWDtjCzD5sTLQ3zGLRieFsOxkdb0d9E+E4pestmnbdtwNTpfgtyT0pr2847FyAmS0DhA6bb4i+JohNswo+83koJQWf1UNyKhQ14kPhPiBRp1cnYieswFjSuvBbWAjB+SYrFIns97qJon2UjwcnlJ6/KewKj5KTOWnTel1Sgxgn4y7qXFnLvReIEKc6SCz+aFFEa4qAqJVmS1STMEwcqkiM7gA+he/8mdEB0BmfwdnGK0pA1I+RD4hOhDqIQlGyTtWGQINqFulbNUS2PcLmf5nX/ERRRPLlwmZNwR27pP3iQg29
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/kustomization.yaml

@@ -10,15 +10,17 @@ resources:
   - drone-server.sealedsecret.yaml
   - actions.deployment.yaml
   - actions.sealedsecret.yaml
-  - actions.rbac.yaml
 
 
 namespace: gitea
 
 images:
-  - name: actions-runner
+  - name: runner
-    newName: ghcr.io/christopherhx/gitea-actions-runner
+    newName: gitea/act_runner
     newTag: nightly
+  - name: daemon
+    newName: docker
+    newTag: 23.0.6-dind
 
 
 helmCharts: