web/git
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Gitea Actions runner (#6)

Browse Source 
## Summary
- Adds a private runner server on the Hetzner private network (no public IP)
- NAT through the gitea server for outbound internet access via `hcloud_network_route` and iptables forwarding rules
- Runner connects to gitea over HTTPS on the private network with TLS verification disabled
- Includes Taskfile commands for runner deployment and SSH access

## Test plan
- [x] Runner registers with gitea instance
- [x] Private network connectivity verified
- [ ] Run a test workflow to confirm end-to-end CI

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: #6
Co-authored-by: M.V. Hutz <git@maximhutz.me>
Co-committed-by: M.V. Hutz <git@maximhutz.me>
This commit was merged in pull request #6.
This commit is contained in:
Maxim Hutz
2026-03-16 01:40:44 +00:00
committed by Maxim Hutz
parent af5d40d84e
commit 04ca230bee
10 changed files with 312 additions and 73 deletions
Download Patch File Download Diff File Expand all files Collapse all files

131
playbooks/runner.yml Normal file
View File

@@ -0,0 +1,131 @@
- name: Set up runner host via jumphost.
gather_facts: false
hosts: localhost
vars_files:
- ../vault.yml
- ../dist/terraform_outputs.yml
tasks:
- name: Add gitea server as jumphost.
ansible.builtin.add_host:
name: server
ansible_ssh_host: "{{ server_ip.value }}"
ansible_user: root
ansible_port: 2222
ansible_private_key_file: "{{ secret.private_ssh_key_path }}"
- name: Add runner host (via jumphost).
ansible.builtin.add_host:
name: runner
ansible_ssh_host: "{{ runner_ip.value }}"
ansible_user: root
ansible_private_key_file: "{{ secret.private_ssh_key_path }}"
ansible_ssh_common_args: >-
-o ProxyCommand="ssh -i {{ secret.private_ssh_key_path }} -p 2222 -W %h:%p root@{{ server_ip.value }}"
- name: Install Docker on runner.
gather_facts: true
hosts: runner
vars_files:
- ../vault.yml
- ../dist/terraform_outputs.yml
tasks:
- name: Set DNS resolver.
ansible.builtin.copy:
content: "nameserver 185.12.64.2\n"
dest: /etc/resolv.conf
mode: "0644"
- name: Install PIP.
ansible.builtin.apt:
state: present
update_cache: true
name:
- python3-pip
- name: Install needed packages.
ansible.builtin.pip:
name:
- packaging
state: present
break_system_packages: true
- name: Download Docker repository key.
ansible.builtin.apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
- name: Download Docker repository.
ansible.builtin.apt_repository:
repo: "deb https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable"
state: present
- name: Remove bad packages.
ansible.builtin.apt:
state: absent
package:
- docker.io
- docker-doc
- docker-compose
- podman-docker
- containerd
- runc
- name: Download Docker dependencies.
ansible.builtin.apt:
state: present
package:
- ca-certificates
- curl
- jq
- name: Download Docker packages.
ansible.builtin.apt:
state: present
update_cache: true
package:
- docker-ce
- docker-ce-cli
- containerd.io
- docker-buildx-plugin
- docker-compose-plugin
- name: Register and start Gitea runner.
hosts: runner
gather_facts: false
vars_files:
- ../vault.yml
- ../dist/terraform_outputs.yml
vars:
gitea_internal_url: "https://{{ server_fqdn.value }}"
tasks:
- name: Create runner data volume.
community.docker.docker_volume:
name: runner-data
state: present
- name: Generate runner config.
ansible.builtin.copy:
dest: /root/runner-config.yaml
mode: "0644"
content: |
runner:
insecure: true
- name: Start Gitea runner container.
community.docker.docker_container:
name: gitea-runner
image: gitea/act_runner:latest
state: started
recreate: true
restart_policy: unless-stopped
etc_hosts:
"{{ server_fqdn.value }}": "10.0.1.2"
volumes:
- runner-data:/data
- /var/run/docker.sock:/var/run/docker.sock
- /root/runner-config.yaml:/config.yaml:ro
env:
GITEA_INSTANCE_URL: "{{ gitea_internal_url }}"
GITEA_RUNNER_REGISTRATION_TOKEN: "{{ secret.runner_registration_token }}"
GITEA_RUNNER_NAME: "runner-01"
CONFIG_FILE: "/config.yaml"