forgejo-runner(host): configure forgejo-runner setup

docker(role): document gVisor issue with user-def. br. and provide help
Document issue with containers on user-defined bridges and using the gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.
2026-06-23 21:32:55 +02:00 · 2026-06-23 21:32:55 +02:00 · 2026-06-23 21:32:55 +02:00 · 2026-06-23 21:32:50 +02:00
7 changed files with 63 additions and 5 deletions
--- a/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.sops.yaml
@ -1,8 +1,8 @@
 ansible_pull__age_private_key: ENC[AES256_GCM,data:fEly3EIovZ4n5xMnD5Aqtbn1+DUszR0MvBHcM383G40qfHxrbF/lqc8iftshInoHSU77Vugignyb0dTSCTS1cWmEg8I/+ZFjgwc=,iv:Y1XunCfdIUC5nTu+vkr0Q0LUBWeIwP/bGNkbnDb1cpA=,tag:6UrkMx6yEGB46VVvtAkDMQ==,type:str]
 secret__forgejo_runner_ccchh_git_token: ENC[AES256_GCM,data:GuUA5vAPCYFmEWU3nJ3YFyE1O0FxwrWG2RCDGuOot9pg2e+jYVn4jg==,iv:ApV/fOOhIMl4I4/uVyxzPzBrx9wHkuOuc0M9S4ej/3s=,tag:9mBCgljYm6hFg73eQpp4bg==,type:str]
 sops:
  age:
-    - recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf
+    - enc: |
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcFhwNmRXTnptOUMrN0dZ
        UnN0bFdCVjJQamNvTzZmMkxRdk0zL0E4bm4wCmRIVmVrVW1Jb3BKOVNnNnM5MXJm
@ -10,8 +10,9 @@ sops:
        VVI1TnN3UkcxUzdOWjJQTzZLOHNlaDQKx/HqW9sEYmNYIMYvLVF/9eJfcgRH/cJv
        YqcDNZc8L9Rap2TfwsiJZourqDTe/8sWgQ0yHC4mcKS1HJOTUMNwqQ==
        -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-05-20T02:12:09Z"
+      recipient: age1az0k6cadssk6r8qcqxfr8cyu5mndy59pwt8yqq6w065ew6au4ezsmg2vkf
-  mac: ENC[AES256_GCM,data:QgL5PSrG3yVeJQgDJ3/VQhGwF7WpDb0+w7oxeF0KeNt3m2YqUsS1qKwK4gJAbmyt/RPdRErTiPs6NdAouowjZg6zcd+Trags/GIBKcaIyJqQa4lw3J3Jod9GTkol70c0H/X76kQx+bWzuXnJy64Dm3t2h+/ytD45+yZJ/959FKI=,iv:JnR8ZRgCfsr7T7L0NLCncH/6q1EGErOCzYjZWrazDh8=,tag:HHH6MrP1bFU0j/Hb6crEZA==,type:str]
+  lastmodified: "2026-06-23T19:19:06Z"
  mac: ENC[AES256_GCM,data:f5YzwSyH+1aJKc5X6zVTVVQa2tuYJPJSALM8H5Tc61GidGZJfv8nYs7ocy1spEVGDse28St/Z3+jD7yZwDQWIw3Nco8dxdrMZC+Ay10O8OJbmTjq4q1SG6GGGyQYCY/pInBrPB+ADSyn1N+uyvRupHC6B3jH2QiCHGEiz1y3ec0=,iv:xZ8wSma3LwQagQVxRK1h3+8wCfzNdQ22X2E6Kuv0FI0=,tag:S6c/QEqDgl2lH9vj+SFb1Q==,type:str]
  pgp:
    - created_at: "2026-05-20T02:11:43Z"
      enc: |-
@ -184,4 +185,4 @@ sops:
        -----END PGP MESSAGE-----
      fp: 41FFAF3D519CF5C039FBD8414BCC213729AF0E49
  unencrypted_suffix: _unencrypted
-  version: 3.12.1
+  version: 3.13.1
--- a/inventories/chaosknoten/host_vars/forgejo-runner.yaml
+++ b/inventories/chaosknoten/host_vars/forgejo-runner.yaml
@ -0,0 +1 @@
 forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@ -282,3 +282,5 @@ renovate_hosts:
    renovate:
 secrets_hosts:
  hosts:
 forgejo_runner_hosts:
  hosts:
--- a/inventories/external/hosts.yaml
+++ b/inventories/external/hosts.yaml
@ -24,3 +24,5 @@ ansible_pull_hosts:
    status:
 secrets_hosts:
  hosts:
 forgejo_runner_hosts:
  hosts:
--- a/inventories/z9/hosts.yaml
+++ b/inventories/z9/hosts.yaml
@ -60,3 +60,5 @@ ansible_pull_hosts:
    yate:
 secrets_hosts:
  hosts:
 forgejo_runner_hosts:
  hosts:
--- a/playbooks/deploy.yaml
+++ b/playbooks/deploy.yaml
@ -150,6 +150,13 @@
  tags:
    - eh22_styleguide_dir
 - name: Ensure forgejo-runner is setup on forgejo_runner_hosts
  hosts: forgejo_runner_hosts
  roles:
    - forgejo_runner
  tags:
    - forgejo_runner
 - name: Setup authoritative dns servers
  hosts: auth-dns
  roles:
--- a/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
+++ b/resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2
@ -0,0 +1,43 @@
 log:
  level: info
  job_level: info
 runner:
  file: .runner
  capacity: 4
  timeout: 1h
  shutdown_timeout: 30m
  insecure: false
  fetch_timeout: 30s
  fetch_interval: 2s
  report_interval: 1s
  labels:
    # https://forgejo.org/docs/latest/admin/actions/configuration/#choosing-labels
    - docker:docker://docker.io/library/node:lts
 cache:
  enabled: false
 container:
  # Leave emtpy to create a network automatically.
  network: ""
  enable_ipv6: true
  privileged: false
  ## Something like this once gVisor can be used.
  ## options: "--runtime=runsc --mount type=bind,src=/etc/gvisor-helper-resolv.conf,dst=/etc/resolv.conf,ro=true"
  # Leave empty for default /workspace to be used.
  workdir_parent:
  ## Something like this once gVisor can be used.
  ## Add /etc/gvisor-helper-resolv.conf to valid_volumes to make the bind-mount in options work.
  ## valid_volumes: ["/etc/gvisor-helper-resolv.conf:ro"]
  # Leave "-", so no docker host will be mounted in the job container.
  docker_host: "-"
  force_pull: true
  force_rebuild: false
 server:
  connections:
    ccchh-git:
      url: https://git.hamburg.ccc.de/
      uuid: c672834d-3d63-4471-894e-80f6888eb4de
      token: {{ secret__forgejo_runner_ccchh_git_token }}
Author	SHA1	Message	Date
June	a4f1f9b9fe	forgejo-runner(host): configure forgejo-runner setup Some checks failed / Ansible Lint (push) Has been cancelled Details / build (pull_request) Has been cancelled Details / Ansible Lint (pull_request) Has been cancelled Details	2026-06-23 21:32:55 +02:00
June	e83b6ff318	docker(role): document gVisor issue with user-def. br. and provide help Document issue with containers on user-defined bridges and using the gVisor runsc runtime. Also provide a helper resolv.conf as a workaround.	2026-06-23 21:32:55 +02:00
June	d2ace350b0	docker(role): provide option to set up gVisor (runsc runtime)	2026-06-23 21:32:55 +02:00
June	0e82b7b34f	forgejo_runner(role): create role for setting up Forgejo Runner install	2026-06-23 21:32:50 +02:00
		`@ -0,0 +1 @@`
							`forgejo_runner__config: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/forgejo-runner/forgejo-runner/configuration.yaml.j2') }}"`