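# Forgejo Runner — CI executor for veilor-org repos
# Deploy path on nullstone: /opt/docker/forgejo-runner/
#
# act_runner is Forgejo's drop-in GH Actions runner. Reads workflow
# YAML, spawns container per job, reports results back to Forgejo.
#
# Design notes:
# - Privileged + host networking + Docker socket access. Required for the
#   veilor-os ISO build because livecd-creator needs loop devices and
#   --privileged. This is the same trust model as our existing GH Actions
#   workflow which uses `--privileged` inside `addnab/docker-run-action@v3`.
#   NOTE(review): the service below joins the `proxy` network rather than
#   setting `network_mode: host` — confirm which of the two is intended.
# - Trust boundary: the mounted Docker socket makes this container
#   host-root-equivalent, so anything that can schedule a job onto this
#   runner must be trusted to the same degree as the host. Restrict which
#   repos/branches may target its labels accordingly.
# - Single runner with label `nullstone` so workflows can opt in via
#   `runs-on: nullstone`. Existing `runs-on: ubuntu-24.04` will not be
#   picked up — that's intentional, lets us flip workflows one at a time.
#   NOTE(review): this contradicts RUNNER_LABELS below, which also
#   registers an `ubuntu-24.04` label — a runner advertising that label
#   will pick those jobs up. Drop the label or amend this note.
# - Cache + workdir on host SSD, persistent across container restarts.
# - act_runner config gets generated on first start; registration token
#   must be set in `.env` (see deploy-runbook.md).

services:
  forgejo-runner:
    # Tag-pinned; pin by @sha256 digest as well if runner-image integrity
    # is part of the threat model for this host.
    image: code.forgejo.org/forgejo/runner:6.4.0
    container_name: forgejo-runner
    restart: unless-stopped
    # Root so the runner can drive the mounted Docker socket
    # (docker-out-of-docker — see volumes; this is not dind).
    user: "0:0"
    privileged: true
    userns_mode: "host"  # privileged ⊥ userns-remap default
    environment:
      # Internal hostname — runner reaches forgejo container directly on
      # the proxy net, bypasses traefik + no-guest@file ACL. Cleaner +
      # faster than going out the public path.
      - INSTANCE_URL=http://forgejo:3000
      # Consumed only when /data/.runner is absent (first start), but the
      # value stays in the daemon's environment on every restart.
      - REGISTRATION_TOKEN=${RUNNER_TOKEN}
      - RUNNER_NAME=nullstone
      # Labels map `runs-on:` keys in workflow YAML to docker images.
      # ubuntu-24.04 → catthehacker/ubuntu (widely-used GH Actions image).
      # Add `nullstone` label resolving to privileged Fedora 43 so our
      # build-iso.yml can opt in selectively (`runs-on: nullstone`).
      # NOTE(review): see the design note above — registering
      # `ubuntu-24.04` here means those workflows DO land on this runner.
      - RUNNER_LABELS=ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:act-24.04,nullstone:docker://registry.fedoraproject.org/fedora:43
    entrypoint: ["/bin/sh", "-c"]
    command:
      - |
        set -e
        # Register only on first start; subsequent restarts read /data/.runner.
        # $$VAR escapes compose interpolation so vars resolve in the container.
        if [ ! -f /data/.runner ]; then
          /bin/forgejo-runner register \
            --no-interactive \
            --instance "$$INSTANCE_URL" \
            --token "$$REGISTRATION_TOKEN" \
            --name "$$RUNNER_NAME" \
            --labels "$$RUNNER_LABELS"
        fi
        exec /bin/forgejo-runner daemon
    volumes:
      - /home/docker/forgejo-runner/data:/data
      # docker-out-of-docker: grants control of the host Docker daemon,
      # i.e. host-root-equivalent access. See trust-boundary note above.
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/docker/forgejo-runner/cache:/cache
    networks:
      - proxy

networks:
  proxy:
    external: true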