resource "null_resource" "runner-config" {
|
|
triggers = {
|
|
version = var.forgejo_runner_version
|
|
}
|
|
}
resource "null_resource" "runner_generation" {
|
|
for_each = var.forgejo_runners
|
|
triggers = {
|
|
timestamp = "${each.value.generation}"
|
|
}
|
|
}
resource "hcloud_placement_group" "forgejo_runners" {
|
|
name = "forgejo-runners"
|
|
type = "spread"
|
|
labels = {
|
|
"cluster" = "forgejo.icb4dc0.de"
|
|
}
|
|
}
resource "hcloud_server" "forgejo_runner" {
|
|
for_each = var.forgejo_runners
|
|
name = each.key
|
|
server_type = each.value.server_type
|
|
location = each.value.location
|
|
image = "ubuntu-24.04"
|
|
placement_group_id = hcloud_placement_group.k3s_machines.id
|
|
|
|
backups = false
|
|
|
|
user_data = data.cloudinit_config.runner_config[each.key].rendered
|
|
|
|
lifecycle {
|
|
replace_triggered_by = [
|
|
null_resource.runner-config,
|
|
null_resource.runner_generation[each.key]
|
|
]
|
|
}
|
|
|
|
ssh_keys = [
|
|
hcloud_ssh_key.provisioning_key.id,
|
|
hcloud_ssh_key.yubikey.id,
|
|
hcloud_ssh_key.default.id
|
|
]
|
|
|
|
labels = {
|
|
"node_type" = "forgejo_runner"
|
|
"cluster" = "forgejo.icb4dc0.de"
|
|
}
|
|
|
|
network {
|
|
network_id = hcloud_network.k8s_net.id
|
|
ip = each.value.private_ip
|
|
}
|
|
|
|
public_net {
|
|
ipv4_enabled = true
|
|
ipv6_enabled = true
|
|
}
|
|
|
|
connection {
|
|
host = self.ipv4_address
|
|
agent = false
|
|
private_key = tls_private_key.provisioning.private_key_pem
|
|
timeout = "5m"
|
|
}
|
|
}
data "azurerm_key_vault_secret" "runner_secret" {
|
|
for_each = var.forgejo_runners
|
|
name = "${each.key}-runner-secret"
|
|
key_vault_id = azurerm_key_vault.forgejo_runners.id
|
|
}
data "azurerm_key_vault_secret" "harbor_minion_username" {
|
|
name = "harbor-minion-username"
|
|
key_vault_id = azurerm_key_vault.hetzner.id
|
|
}
data "azurerm_key_vault_secret" "harbor_minion_token" {
|
|
name = "harbor-minion-token"
|
|
key_vault_id = azurerm_key_vault.hetzner.id
|
|
}
data "cloudinit_config" "runner_config" {
|
|
for_each = var.forgejo_runners
|
|
gzip = true
|
|
base64_encode = true
|
|
|
|
part {
|
|
content_type = "text/cloud-config"
|
|
content = <<-EOF
|
|
groups:
|
|
- docker
|
|
users:
|
|
- name: runner
|
|
homedir: /var/lib/runner
|
|
groups: docker
|
|
package_update: true
|
|
package_upgrade: true
|
|
package_reboot_if_required: true
|
|
packages:
|
|
- git
|
|
- uidmap
|
|
- dbus-user-session
|
|
- ca-certificates
|
|
- curl
|
|
- gnupg
|
|
- lsb-release
|
|
- docker-ce
|
|
- docker-ce-cli
|
|
- docker-ce-rootless-extras
|
|
- containerd.io
|
|
- docker-compose-plugin
|
|
apt:
|
|
sources:
|
|
docker.list:
|
|
source: "deb [arch=${startswith(each.value.server_type, "cax") ? "arm64" : "amd64"} signed-by=$KEY_FILE] https://download.docker.com/linux/ubuntu $RELEASE stable"
|
|
keyid: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
|
|
EOF
|
|
}
|
|
|
|
part {
|
|
content_type = "text/cloud-config"
|
|
content = <<-EOF
|
|
write_files:
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/10-runcwd"))}
|
|
path: /etc/sudoers.d/10-runcwd
|
|
owner: root:root
|
|
permissions: "0644"
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/50unattended-upgrades"))}
|
|
path: /etc/apt/apt.conf.d/50unattended-upgrades
|
|
owner: root:root
|
|
permissions: "0644"
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/forgejo-runner.service"))}
|
|
path: /etc/systemd/user/forgejo-runner.service
|
|
owner: runner:runner
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/docker-buildx-cleanup.service"))}
|
|
path: /lib/systemd/system/docker-buildx-cleanup.service
|
|
owner: root:root
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/docker-buildx-cleanup.timer"))}
|
|
path: /lib/systemd/system/docker-buildx-cleanup.timer
|
|
owner: root:root
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(templatefile("configs/ci-runner/runner-config.yaml", {
|
|
arch = startswith(each.value.server_type, "cax") ? "arm64" : "amd64"
|
|
}))}
|
|
path: /etc/act/config.yaml
|
|
owner: runner:runner
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/daemon.json"))}
|
|
path: /etc/docker/daemon.json
|
|
owner: root:root
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(data.azurerm_key_vault_secret.runner_secret[each.key].value)}
|
|
path: /var/lib/runner/.runner
|
|
owner: runner:runner
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(file("configs/ci-runner/daemon.json"))}
|
|
path: /var/lib/runner/.config/docker/daemon.json
|
|
owner: runner:runner
|
|
permissions: "0640"
|
|
defer: true
|
|
|
|
- encoding: gzip+base64
|
|
content: ${base64gzip(templatefile("configs/ci-runner/docker-rootless-config.json", {
|
|
registry_auth: base64encode("${data.azurerm_key_vault_secret.harbor_minion_username.value}:${data.azurerm_key_vault_secret.harbor_minion_token.value}")
|
|
}))}
|
|
path: /var/lib/runner/.docker/config.json
|
|
owner: runner:runner
|
|
permissions: "0640"
|
|
defer: true
|
|
EOF
|
|
}
|
|
|
|
part {
|
|
content_type = "text/cloud-config"
|
|
content = <<-EOF
|
|
runcmd:
|
|
- |
|
|
set -e
|
|
loginctl enable-linger runner
|
|
|
|
docker run --privileged --rm tonistiigi/binfmt --install all
|
|
|
|
sleep 10
|
|
|
|
sudo -u runner DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 /usr/bin/dockerd-rootless-setuptool.sh install --force
|
|
|
|
curl -L -o /usr/local/bin/forgejo-runner https://data.forgejo.org/forgejo/runner/releases/download/v${var.forgejo_runner_version}/forgejo-runner-${var.forgejo_runner_version}-linux-${startswith(each.value.server_type, "cax") ? "arm64" : "amd64"}
|
|
curl -L -o /tmp/forgejo-runner.asc https://data.forgejo.org/forgejo/runner/releases/download/v${var.forgejo_runner_version}/forgejo-runner-${var.forgejo_runner_version}-linux-${startswith(each.value.server_type, "cax") ? "arm64" : "amd64"}.asc
|
|
gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
|
|
gpg --verify /tmp/forgejo-runner.asc /usr/local/bin/forgejo-runner
|
|
chmod +x /usr/local/bin/forgejo-runner
|
|
|
|
sudo -u runner DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus XDG_RUNTIME_DIR=/run/user/1000 systemctl --user enable --now forgejo-runner.service
|
|
systemctl enable --now docker-buildx-cleanup.timer
|
|
systemctl restart unattended-upgrades.service
|
|
EOF
|
|
}
|
|
}