infrastructure/apps
1
0
Fork 0
Code Issues Pull requests10 Projects Releases Packages Wiki Activity Actions

feat(forgejo): prepare dump dir for backups

Browse source
This commit is contained in:
Peter 2025-02-18 21:58:37 +01:00
parent a7bcaba470
commit 6f252efbb6
Signed by: prskr
GPG key ID: F56BED6903BC5E37
12 changed files with 14 additions and 559 deletions

95
forgejo/config/runners/config-amd64.yaml
View file

@ -1,95 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
DOCKER_HOST: tcp://localhost:2376
DOCKER_TLS_VERIFY: "1"
DOCKER_CERT_PATH : /certs/client
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 10m
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels:
- "docker:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64"
- "ubuntu-latest-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64"
- "ubuntu-22.04-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64"
- "ubuntu-20.04-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:20.04-amd64"
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: "http://act-runner-cache.forgejo.svc:8080/"
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: "host"
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: true
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options: "--volume=/certs/client/:/certs/client/:ro"
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes:
- /certs/client/
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

95
forgejo/config/runners/config-arm64.yaml
View file

@ -1,95 +0,0 @@
# Example configuration file, it's safe to copy this as the default config file without any modification.
# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.
log:
# The level of logging, can be trace, debug, info, warn, error, fatal
level: info
runner:
# Where to store the registration result.
file: .runner
# Execute how many tasks concurrently at the same time.
capacity: 1
# Extra environment variables to run jobs.
envs:
DOCKER_HOST: tcp://localhost:2376
DOCKER_TLS_VERIFY: "1"
DOCKER_CERT_PATH : /certs/client
# Extra environment variables to run jobs from a file.
# It will be ignored if it's empty or the file doesn't exist.
env_file: .env
# The timeout for a job to be finished.
# Please note that the Gitea instance also has a timeout (3h by default) for the job.
# So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
timeout: 10m
# Whether skip verifying the TLS certificate of the Gitea instance.
insecure: false
# The timeout for fetching the job from the Gitea instance.
fetch_timeout: 5s
# The interval for fetching the job from the Gitea instance.
fetch_interval: 2s
# The labels of a runner are used to determine which jobs the runner can run, and how to run them.
# Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
# If it's empty when registering, it will ask for inputting labels.
# If it's empty when execute `deamon`, will use labels in `.runner` file.
labels:
- "docker:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64"
- "ubuntu-latest:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64"
- "ubuntu-22.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64"
- "ubuntu-20.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:20.04-arm64"
cache:
# Enable cache server to use actions/cache.
enabled: true
# The directory to store the cache data.
# If it's empty, the cache data will be stored in $HOME/.cache/actcache.
dir: ""
# The host of the cache server.
# It's not for the address to listen, but the address to connect from job containers.
# So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
host: ""
# The port of the cache server.
# 0 means to use a random available port.
port: 0
# The external cache server URL. Valid only when enable is true.
# If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
# The URL should generally end with "/".
external_server: "http://act-runner-cache.forgejo.svc:8080/"
container:
# Specifies the network to which the container will connect.
# Could be host, bridge or the name of a custom network.
# If it's empty, act_runner will create a network automatically.
network: "host"
# Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
privileged: true
# And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
options: "--volume=/certs/client/:/certs/client/:ro"
# The parent directory of a job's working directory.
# If it's empty, /workspace will be used.
workdir_parent:
# Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
# You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
# For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
# valid_volumes:
# - data
# - /src/*.json
# If you want to allow any volume, please use the following configuration:
# valid_volumes:
# - '**'
valid_volumes:
- /certs/client/
# overrides the docker client host with the specified one.
# If it's empty, act_runner will find an available docker host automatically.
# If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
# If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
docker_host: ""
# Pull docker image(s) even if already present
force_pull: true
host:
# The parent directory of a job's working directory.
# If it's empty, $HOME/.cache/act/ will be used.
workdir_parent:

3
forgejo/config/runners/daemon.amd64.json
View file

@ -1,3 +0,0 @@
{
"max-concurrent-downloads": 1
}

3
forgejo/config/runners/daemon.arm64.json
View file

@ -1,3 +0,0 @@
{
"max-concurrent-downloads": 2
}

12
forgejo/config/values.meilisearch.yaml
View file

@ -1,5 +1,6 @@
environment: environment:
MEILI_ENV: production MEILI_ENV: production
MEILI_DUMP_DIR: /var/lib/meili/dumps
auth: auth:
existingMasterKeySecret: meili-credentials existingMasterKeySecret: meili-credentials
@ -19,4 +20,13 @@ resources:
serviceMonitor: serviceMonitor:
enabled: true enabled: true
additionalLabels: additionalLabels:
prometheus: default prometheus: default
volumes:
- name: dumps
persistentVolumeClaim:
claimName: meilisearch-dumps
volumeMounts:
- name: dumps
mountPath: /var/lib/meili/dumps

18
forgejo/kustomization.yaml
View file

@ -20,28 +20,12 @@ images:
resources: resources:
- resources/db/db.yaml - resources/db/db.yaml
- resources/db/user.yaml - resources/db/user.yaml
- resources/meilisearch/pvc.yaml
- resources/secrets/admin-credentials.yaml - resources/secrets/admin-credentials.yaml
- resources/secrets/infra-credentials.yaml - resources/secrets/infra-credentials.yaml
- resources/secrets/meili-credentials.yaml - resources/secrets/meili-credentials.yaml
- resources/routes.yaml - resources/routes.yaml
- resources/dragonfly.yml - resources/dragonfly.yml
# - resources/runners/secrets/runners.yaml
# - resources/runners/act-runner-arm64.yaml
# - resources/runners/act-runner-amd64.yaml
# - resources/runners/cache-pvc.yaml
# - resources/runners/act-cache.yaml
# - resources/runners/act-cache-svc.yaml
configMapGenerator:
- name: act-runner-config-arm64
files:
- config.yaml=config/runners/config-arm64.yaml
- daemon.json=config/runners/daemon.arm64.json
- name: act-runner-config-amd64
files:
- config.yaml=config/runners/config-amd64.yaml
- daemon.json=config/runners/daemon.amd64.json
helmCharts: helmCharts:
- name: forgejo - name: forgejo

4
forgejo/resources/runners/cache-pvc.yaml → forgejo/resources/meilisearch/pvc.yaml
View file

@ -2,12 +2,12 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: act-runner-cache name: meilisearch-dumps
spec: spec:
storageClassName: hcloud-blob storageClassName: hcloud-blob
resources: resources:
requests: requests:
storage: 50Gi storage: 2Gi
volumeMode: Filesystem volumeMode: Filesystem
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany

11
forgejo/resources/runners/act-cache-svc.yaml
View file

@ -1,11 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: act-runner-cache
spec:
selector:
app.kubernetes.io/name: act-runner-cache
ports:
- port: 8080
targetPort: 8080

46
forgejo/resources/runners/act-cache.yaml
View file

@ -1,46 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: act-runner-cache
labels:
app.kubernetes.io/name: act-runner-cache
spec:
replicas: 2
revisionHistoryLimit: 3
selector:
matchLabels:
app.kubernetes.io/name: act-runner-cache
template:
metadata:
labels:
app.kubernetes.io/name: act-runner-cache
spec:
containers:
- name: act-runner-cache
image: act_runner
command:
- /bin/forgejo-runner
args:
- cache-server
- --port=8080
- --dir=/data
resources:
limits:
memory: "384Mi"
cpu: "250m"
ports:
- containerPort: 8080
volumeMounts:
- name: cache-data
mountPath: /data
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumes:
- name: cache-data
persistentVolumeClaim:
claimName: act-runner-cache
securityContext:
runAsNonRoot: true
fsGroup: 1001

139
forgejo/resources/runners/act-runner-amd64.yaml
View file

@ -1,139 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: act-runner-amd64
spec:
selector:
matchLabels:
app.kubernetes.io/name: act-runner
app.kubernetes.io/instance: amd64
replicas: 1
revisionHistoryLimit: 3
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: act-runner
app.kubernetes.io/instance: amd64
spec:
restartPolicy: Always
# Initialise our configuration file using offline registration
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers:
- name: runner-register
image: act_runner
command: ["forgejo-runner"]
args:
- "register"
- "--no-interactive"
- "--token"
- $(RUNNER_SECRET)
- "--name"
- $(RUNNER_NAME)
- "--instance"
- $(FORGEJO_INSTANCE_URL)
- "--labels"
- "docker:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64,ubuntu-latest-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64,ubuntu-22.04-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:amd64,ubuntu-20.04-amd64:docker://code.icb4dc0.de/infrastructure/images/act_runtime:20.04-amd64"
env:
- name: RUNNER_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RUNNER_SECRET
valueFrom:
secretKeyRef:
name: forgejo-runner-secret
key: token
- name: FORGEJO_INSTANCE_URL
value: http://forgejo-http.forgejo.svc.cluster.local:3000
resources:
limits:
cpu: "0.50"
memory: "64Mi"
volumeMounts:
- name: runner-data
mountPath: /data
containers:
- name: runner
image: act_runner
imagePullPolicy: Always
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon --config /etc/act/config.yaml"]
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
volumeMounts:
- name: runner-data
mountPath: /data
- name: docker-certs
mountPath: /certs
- name: runner-config
mountPath: /etc/act
securityContext:
privileged: true
resources:
requests:
memory: "250Mi"
cpu: "250m"
limits:
memory: "384Mi"
cpu: "750m"
- name: daemon
image: dind
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
- name: docker-config
mountPath: /etc/docker
resources:
requests:
memory: "256Mi"
cpu: "100m"
limits:
memory: "512Mi"
cpu: "1200m"
securityContext:
fsGroup: 1000
nodeSelector:
kubernetes.io/arch: amd64
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- act-runner
volumes:
- name: runner-data
emptyDir:
sizeLimit: 500Mi
- name: docker-certs
emptyDir:
sizeLimit: 5Mi
- name: runner-config
configMap:
name: act-runner-config-amd64
items:
- key: config.yaml
path: config.yaml
- name: docker-config
configMap:
name: act-runner-config-amd64
items:
- key: daemon.json
path: daemon.json

140
forgejo/resources/runners/act-runner-arm64.yaml
View file

@ -1,140 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: act-runner-arm64
spec:
selector:
matchLabels:
app.kubernetes.io/name: act-runner
app.kubernetes.io/instance: arm64
replicas: 2
revisionHistoryLimit: 3
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: act-runner
app.kubernetes.io/instance: arm64
spec:
restartPolicy: Always
# Initialise our configuration file using offline registration
# https://forgejo.org/docs/v1.21/admin/actions/#offline-registration
initContainers:
- name: runner-register
image: act_runner
command: ["forgejo-runner"]
args:
- "register"
- "--no-interactive"
- "--token"
- $(RUNNER_SECRET)
- "--name"
- $(RUNNER_NAME)
- "--instance"
- $(FORGEJO_INSTANCE_URL)
- "--labels"
- "docker:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64,ubuntu-latest:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64,ubuntu-22.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:arm64,ubuntu-20.04:docker://code.icb4dc0.de/infrastructure/images/act_runtime:20.04-arm64"
env:
- name: RUNNER_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: RUNNER_SECRET
valueFrom:
secretKeyRef:
name: forgejo-runner-secret
key: token
- name: FORGEJO_INSTANCE_URL
value: http://forgejo-http.forgejo.svc.cluster.local:3000
resources:
limits:
cpu: "0.50"
memory: "64Mi"
volumeMounts:
- name: runner-data
mountPath: /data
containers:
- name: runner
image: act_runner
imagePullPolicy: Always
command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; forgejo-runner daemon --config /etc/act/config.yaml"]
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
volumeMounts:
- name: runner-data
mountPath: /data
- name: docker-certs
mountPath: /certs
- name: runner-config
mountPath: /etc/act
securityContext:
privileged: true
resources:
requests:
memory: "384Mi"
cpu: "500m"
limits:
memory: "768Mi"
cpu: "1500m"
- name: daemon
image: dind
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
securityContext:
privileged: true
volumeMounts:
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
- name: docker-config
mountPath: /etc/docker
resources:
requests:
memory: "256Mi"
cpu: "150m"
limits:
memory: "512Mi"
cpu: "1200m"
securityContext:
fsGroup: 1000
nodeSelector:
kubernetes.io/arch: arm64
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: kubernetes.io/hostname
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- act-runner
volumes:
- name: runner-data
emptyDir:
sizeLimit: 500Mi
- name: docker-certs
emptyDir:
sizeLimit: 5Mi
- name: runner-config
configMap:
name: act-runner-config-arm64
items:
- key: config.yaml
path: config.yaml
- name: docker-config
configMap:
name: act-runner-config-arm64
items:
- key: daemon.json
path: daemon.json

7
forgejo/resources/runners/secrets/runners.yaml
View file

@ -1,7 +0,0 @@
age-encryption.org/v1
-> X25519 NWwk4o0AbqWd29Hg0lVXJ8B8BO+K/mnFRbfn80uCuEY
UUtPUdrE3Hxq7nDFVxCFyLDJX5OnQLLPep5P/V/msAc
-> X25519 GfdqgXpxpQM1cM+m7PeShOxcE6cxZNR110W6+gBqn2s
dTF7vtE+XUPF9bhuJwScX+kDm+hzkZpQ8eKrkSpOmJI
--- ecfszFc+10GM6HW+5vLaw9S33NRZEzChqBRvDlI3Ojo
g:Žž&I<><49>s§œ]†Ë´E_ôXHAÖãÁ¾ßŒˆ»ëK8´Æ?²<>ÿìç[Ôjõ'?lòhâwwmwÓ<77>£­¹¦Š§Å÷$)¢$ѳ±FS@ŧlåîEÁ‰D@ÆgCíf¡lRÛñ®úŽ)A\sê?tô,ã7ŸÐÔß8{æÀ9 ÌŠ;³a<C2B3>jv«]ÌG×Ä­9æ¬? õC\¶M{rðÑ©ðOc<4F>p