forgejo: set up a runner #90

Closed
rouven.seifert wants to merge 0 commits from forgejo-runner into main

Initial runner configuration stacked together from docs and nix defaults.
Needs review whether it works this way:

Docker

  • Docker is installed on the host
  • We may need to add the user git to the docker group or run docker in rootless mode.

Native

  • Enables Nix actions and automatic building of the config on every push (actual deploy is still manual but could be automated too)
  • Security implications?
rouven.seifert self-assigned this 2024-04-11 15:35:23 +02:00
fugi was assigned by rouven.seifert 2024-04-11 15:35:23 +02:00
rouven.seifert added 1 commit 2024-04-11 15:35:23 +02:00
rouven.seifert changed title from IP: forgejo: initial runner configuration to WIP: forgejo: initial runner configuration 2024-04-11 15:41:00 +02:00
rouven.seifert changed title from WIP: forgejo: initial runner configuration to WIP: forgejo: set up a runner 2024-04-11 15:49:29 +02:00
Owner
  • We may need to add the user git to the docker group or run docker in rootless mode.

Seems like the runner has its own user. I'm a bit torn about adding it to the docker group as that basically means root access, which could be bad if someone manages to exploit the runner itself.

Maybe it would be best to stick it in a (micro) VM?

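As an added illustration of the point raised above (not code from this PR or its repository), a small POSIX sh audit that reports whether a runner's service user is a member of the docker group; the group file contents and the user name gitea-runner are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper: membership in the docker group of a non-rootless daemon
# is equivalent to root on the host, so a CI runner's service user should not
# be in it. Replace the constructed sample with /etc/group on a real host.

SAMPLE_GROUP=$(mktemp)
cat >"$SAMPLE_GROUP" <<'EOF'
root:x:0:
docker:x:998:gitea-runner,alice
gitea-runner:x:1001:
EOF

# Print the comma-separated member list of GROUP from FILE (empty if absent).
group_members() { # group_members GROUP FILE
    awk -F: -v g="$1" '$1 == g { print $4 }' "$2"
}

# Exit 0 if USER is listed in the docker group of FILE, 1 otherwise.
in_docker_group() { # in_docker_group USER FILE
    group_members docker "$2" | tr ',' '\n' | grep -qx -- "$1"
}

# Human-readable verdict for one user; nonzero status means "fix this".
audit_runner_user() { # audit_runner_user USER FILE
    if in_docker_group "$1" "$2"; then
        echo "WARN: $1 is in group docker -> effectively root on the host"
        return 1
    fi
    echo "OK: $1 is not in group docker"
}

# Stand-alone demo on the constructed sample (hypothetical runner user).
audit_runner_user gitea-runner "$SAMPLE_GROUP" || :
audit_runner_user git "$SAMPLE_GROUP" || :
```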
Author
Owner

Maybe it would be best to stick it in a (micro) VM?

It's worth a try. This would also allow the native mode in a nice sandbox.

Systemd containers probably aren't suitable as I'm not sure if they can even run docker containers.

rouven.seifert force-pushed forgejo-runner from a94ec1eab8 to df66ad3870 2024-06-03 12:13:54 +02:00 Compare
rouven.seifert added 2 commits 2024-06-03 12:15:31 +02:00
rouven.seifert added 1 commit 2024-06-03 12:17:48 +02:00
rouven.seifert changed title from WIP: forgejo: set up a runner to forgejo: set up a runner 2024-06-03 12:17:54 +02:00
rouven.seifert requested review from fugi 2024-06-03 12:18:10 +02:00
Author
Owner

Setup without native. Don't have time to set up microvms currently

fugi approved these changes 2024-06-04 10:35:55 +02:00
jonas.gaffke force-pushed forgejo-runner from 4fdca3ba1a to f54d5fd867 2024-09-03 11:24:43 +02:00 Compare
Owner

merged

jonas.gaffke closed this pull request 2024-09-03 11:28:54 +02:00
rouven.seifert deleted branch forgejo-runner 2024-09-04 09:29:59 +02:00

Pull request closed
Reference: wurzel/fruitbasket#90