From edd1984517032a80a7f249288d674e69dcdd118d Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 23 Jun 2026 21:33:17 +0200
Subject: [PATCH] forgejo-runner(host): configure forgejo-runner setup
---
 .../host_vars/forgejo-runner.sops.yaml | 11 ++---
 .../chaosknoten/host_vars/forgejo-runner.yaml | 1 +
 inventories/chaosknoten/hosts.yaml | 1 +
 .../forgejo-runner/configuration.yaml.j2 | 43 +++++++++++++++++++
 4 files changed, 51 insertions(+), 5 deletions(-)
 create mode 100644 inventories/chaosknoten/host_vars/forgejo-runner.yaml
 create mode 100644 resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
diff --git a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
index c0e1b76..a36306f 100644
--- a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
@@ -1,8 +1,8 @@ ansible_pull__age_private_key: ENC[AES256_GCM,data:fEly3EIovZ4n5xMnD5Aqtbn1+DUszR0MvBHcM383G40qfHxrbF/lqc8iftshInoHSU77Vugignyb0dTSCTS1cWmEg8I/+ZFjgwc=,iv:Y1XunCfdIUC5nTu+vkr0Q0LUBWeIwP/bGNkbnDb1cpA=,tag:6UrkMx6yEGB46VVvtAkDMQ==,type:str] +secret__forgejo_runner_ccchh_git_token: ENC[AES256_GCM,data:GuUA5vAPCYFmEWU3nJ3YFyE1O0FxwrWG2RCDGuOot9pg2e+jYVn4jg==,iv:ApV/fOOhIMl4I4/uVyxzPzBrx9wHkuOuc0M9S4ej/3s=,tag:9mBCgljYm6hFg73eQpp4bg==,type:str] sops: age: - - recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf - enc: | + - enc: | -----BEGIN AGE ENCRYPTED FILE----- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcFhwNmRXTnptOUMrN0dZ UnN0bFdCVjJQamNvTzZmMkxRdk0zL0E4bm4wCmRIVmVrVW1Jb3BKOVNnNnM5MXJm
@@ -10,8 +10,9 @@ sops: VVI1TnN3UkcxUzdOWjJQTzZLOHNlaDQKx/HqW9sEYmNYIMYvLVF/9eJfcgRH/cJv YqcDNZc8L9Rap2TfwsiJZourqDTe/8sWgQ0yHC4mcKS1HJOTUMNwqQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-20T02:12:09Z" - mac: ENC[AES256_GCM,data:QgL5PSrG3yVeJQgDJ3/VQhGwF7WpDb0+w7oxeF0KeNt3m2YqUsS1qKwK4gJAbmyt/RPdRErTiPs6NdAouowjZg6zcd+Trags/GIBKcaIyJqQa4lw3J3Jod9GTkol70c0H/X76kQx+bWzuXnJy64Dm3t2h+/ytD45+yZJ/959FKI=,iv:JnR8ZRgCfsr7T7L0NLCncH/6q1EGErOCzYjZWrazDh8=,tag:HHH6MrP1bFU0j/Hb6crEZA==,type:str] + recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf + lastmodified: "2026-06-23T19:19:06Z" + mac: ENC[AES256_GCM,data:f5YzwSyH+1aJKc5X6zVTVVQa2tuYJPJSALM8H5Tc61GidGZJfv8nYs7ocy1spEVGDse28St/Z3+jD7yZwDQWIw3Nco8dxdrMZC+Ay10O8OJbmTjq4q1SG6GGGyQYCY/pInBrPB+ADSyn1N+uyvRupHC6B3jH2QiCHGEiz1y3ec0=,iv:xZ8wSma3LwQagQVxRK1h3+8wCfzNdQ22X2E6Kuv0FI0=,tag:S6c/QEqDgl2lH9vj+SFb1Q==,type:str] pgp: - created_at: "2026-05-20T02:11:43Z" enc: |-
@@ -184,4 +185,4 @@ sops: -----END PGP MESSAGE----- fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49 unencrypted_suffix: _unencrypted - version: 3.12.1 + version: 3.13.1
diff --git a/inventories/chaosknoten/host_vars/forgejo-runner.yaml b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
new file mode 100644
index 0000000..28bc4ab
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
@@ -0,0 +1 @@
+forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index 4fbc03d..30072c8 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -284,3 +284,4 @@ secrets_hosts:
 hosts:
 forgejo_runner_hosts:
 hosts:
+ forgejo-runner:
diff --git a/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2 b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
new file mode 100644
index 0000000..88f0bfe
--- /dev/null
+++ b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
@@ -0,0 +1,43 @@
+log:
+ level: info
+ job_level: info
+
+runner:
+ file: .runner
+ capacity: 4
+ timeout: 1h
+ shutdown_timeout: 30m
+ insecure: false
+ fetch_timeout: 30s
+ fetch_interval: 2s
+ report_interval: 1s
+ labels:
+ # https://forgejo.org/docs/latest/admin/actions/configuration/#choosing-labels
+ - docker:docker://docker.io/library/node:lts
+
+cache:
+ enabled: false
+
+container:
+ # Leave emtpy to create a network automatically.
+ network: ""
+ enable_ipv6: true
+ privileged: false
+ ## Something like this once gVisor can be used.
+ ## options: "--runtime=runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true"
+ # Leave empty for default /workspace to be used.
+ workdir_parent:
+ ## Something like this once gVisor can be used.
+ ## Add /etc/gvisor-helper-resolv.conf to valid_volumes to make the bind-mount in options work.
+ ## valid_volumes: ["/etc/gvisor-helper-resolv.conf:ro"]
+ # Leave "-", so no docker host will be mounted in the job container.
+ docker_host: "-"
+ force_pull: true
+ force_rebuild: false
+
+server:
+ connections:
+ ccchh-git:
+ url: https://git.hamburg.ccc.de/
+ uuid: c672834d-3d63-4471-894e-80f6888eb4de
+ token: {{ secret__forgejo_runner_ccchh_git_token }}
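Review bot: The last added line, `token: {{ secret__forgejo_runner_ccchh_git_token }}`, renders the decrypted token as an unquoted YAML scalar, so how the runner parses it depends on the characters the secret happens to contain; `token: "{{ secret__forgejo_runner_ccchh_git_token }}"` (or `{{ secret__forgejo_runner_ccchh_git_token | to_json }}`) keeps it a string. The rendered text, token included, is what `forgejo_runner__config` carries through the `lookup('ansible.builtin.template', …)` in host_vars, so the role task that writes it to disk, which is not part of this patch, is worth checking for a restrictive owner/mode and `no_log: true`. Under `labels`, `docker.io/library/node:lts` is a floating tag and `force_pull: true` appears to re-fetch it for each job, so the job environment changes whenever the upstream tag moves; pinning the image by digest would make that change an explicit, reviewable commit. Minor: the comment `# Leave emtpy` has a typo, and the bare `workdir_parent:` parses as null, which `workdir_parent: ""` would state explicitly.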