infra/forgejo/runner-compose.yml


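# Forgejo Runner — CI executor for veilor-org repos
# Deploy path on nullstone: /opt/docker/forgejo-runner/
#
# act_runner is Forgejo's drop-in GH Actions runner. Reads workflow
# YAML, spawns container per job, reports results back to Forgejo.
#
# Design notes:
# - Privileged + userns-remap disabled + Docker socket access. Required for
#   the veilor-os ISO build because livecd-creator needs loop devices and
#   --privileged. This is the same trust model as our existing GH Actions
#   workflow which uses `--privileged` inside `addnab/docker-run-action@v3`.
#   Consequence: any workflow that lands on this runner can drive the host
#   Docker daemon, i.e. is effectively root on nullstone. Register the runner
#   at the narrowest scope (org/repo, not instance) and make sure untrusted
#   PR workflows cannot be scheduled onto it.
# - The service is NOT on host networking: it sits on the external `proxy`
#   network (see `networks:` below) and talks to the forgejo container by name.
# - Labels: RUNNER_LABELS below advertises BOTH `ubuntu-24.04` and
#   `nullstone`. Workflows using `runs-on: ubuntu-24.04` are therefore
#   eligible for this runner as well — if the intent is to flip workflows
#   one at a time via `runs-on: nullstone`, drop the `ubuntu-24.04` entry
#   from RUNNER_LABELS. TODO(review): confirm which behaviour is wanted.
# - Cache + workdir on host SSD, persistent across container restarts.
#   `/data/.runner` holds the registered runner's credentials; keep the host
#   directory readable by root only.
# - Registration happens once, on first start, and needs RUNNER_TOKEN in
#   `.env` (see deploy-runbook.md). Later restarts reuse /data/.runner.
# - The daemon is started without `--config`, so act_runner's defaults apply
#   (including whether job containers themselves get `--privileged`: that is
#   the runner's `container.privileged` setting, not this service's
#   `privileged: true`). NOTE(review): confirm the ISO job really runs
#   privileged before relying on it.
services:
  forgejo-runner:
    # TODO(review): pin by digest (image: ...:6.4.0@sha256:<digest-placeholder>)
    # so the executor image cannot change underneath a tag.
    image: code.forgejo.org/forgejo/runner:6.4.0
    container_name: forgejo-runner
    restart: unless-stopped
    # Root so the runner can use the host Docker socket (docker-out-of-docker).
    user: "0:0"
    privileged: true
    # privileged containers cannot run under userns-remap; opt this one out.
    userns_mode: "host"
    environment:
      # Internal hostname — runner reaches forgejo container directly on
      # the proxy net, bypasses traefik + no-guest@file ACL. Cleaner +
      # faster than going out the public path.
      - INSTANCE_URL=http://forgejo:3000
      # Only read on first start (registration); stays visible in the
      # container env afterwards (`docker inspect`), so rotate it once
      # registration has succeeded.
      - REGISTRATION_TOKEN=${RUNNER_TOKEN}
      - RUNNER_NAME=nullstone
      # Labels map `runs-on:` keys in workflow YAML to docker images.
      # ubuntu-24.04 → catthehacker/ubuntu (widely-used GH Actions image).
      # nullstone → Fedora 43, the image build-iso.yml opts into
      # (`runs-on: nullstone`). See the label note in the header.
      - RUNNER_LABELS=ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04,nullstone:docker://registry.fedoraproject.org/fedora:43
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        set -e
        # Register only on first start; subsequent restarts read /data/.runner.
        # $$VAR escapes compose interpolation so vars resolve in the container.
        if [ ! -f /data/.runner ]; then
          # Fail loudly instead of looping through a registration with an
          # empty token when .env is missing RUNNER_TOKEN.
          if [ -z "$$REGISTRATION_TOKEN" ]; then
            echo "forgejo-runner: RUNNER_TOKEN is not set; cannot register" >&2
            exit 1
          fi
          /bin/forgejo-runner register \
            --no-interactive \
            --instance "$$INSTANCE_URL" \
            --token "$$REGISTRATION_TOKEN" \
            --name "$$RUNNER_NAME" \
            --labels "$$RUNNER_LABELS"
        fi
        exec /bin/forgejo-runner daemon
    volumes:
      # NOTE(review): data lives under /home/docker while the header says the
      # deploy path is /opt/docker — confirm this split is intentional.
      - /home/docker/forgejo-runner/data:/data
      # docker-out-of-docker: full control of the host daemon; `:ro` would not
      # restrict a socket, so access is governed by who can schedule jobs here.
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/docker/forgejo-runner/cache:/cache
    networks:
      - proxy
networks:
  proxy:
    external: true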