dont use root-user by default

2024-09-27 10:38:59 -07:00 · 2024-09-27 10:38:59 -07:00 · 27bbc83fed
commit 27bbc83fed
parent b165aeab81
5 changed files with 26 additions and 89 deletions
--- a/examples/docker-compose/.gitignore
+++ b/examples/docker-compose/.gitignore
@ -1,2 +1 @@
-forgejo/
-forgejo-runner/
+srv
--- a/examples/docker-compose/compose-forgejo-and-runner.yml
+++ b/examples/docker-compose/compose-forgejo-and-runner.yml
@ -13,7 +13,8 @@
 #
 # Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
 #
-
+# Replace ROOT_PASSWORD with a secure password.
+#
 networks:
  forgejo:

@ -24,12 +25,13 @@ services:
  docker-in-docker:
    image: code.forgejo.org/oci/docker:dind
    hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
+    restart: unless-stopped
    privileged: true
    networks:
      - forgejo
    environment:
      DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
-      DOCKER_HOST: "docker"        # remove aswell to disable TLS
+      DOCKER_HOST: "docker" # remove aswell to disable TLS
    volumes:
      - docker_certs:/certs

@ -42,25 +44,27 @@ services:
      - /srv/forgejo-data:/data
    ports:
      - 8080:3000
+    environment:
+      FORGEJO__security__INSTALL_LOCK: "true" # remove in production
    command: >-
      bash -c '
      /bin/s6-svscan /etc/s6 &
      sleep 10 ;
-      su -c "forgejo admin user create --admin --username root --password examplepassword --email root@example.com" git ;
+      su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
      su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
      sleep infinity
      '

  # all values that have defaults listed are optional
-  # only FORGEJO_SECRET or RUNNER_TOKEN is required
-  # FORGEJO_URL is required if forgejo is in this compose file or docker network
+  # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
+  # FORGEJO_URL is required if forgejo is not in this compose file or docker network
  runner-daemon:
    ## TODO: Update image to the the release
    ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283

    # image: code.forgejo.org/forgejo/runner:3.4.1
    build: ../../
-    # user: "1000" # set to run rootless, overrides RUNNER_USER and disables automatic file ownership
+    user: "1000" # defaults to 1000,
    restart: unless-stopped # needed for fixing file ownership on restart
    volumes:
      - /srv/runner-data:/data
@ -75,7 +79,7 @@ services:

      DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376
      DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client
-      DOCKER_TLS_VERIFY: "1" # defaults to 0, set to 1 to enable TLS
+      DOCKER_TLS_VERIFY: "1" # defaults to 1

      FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
      FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
@ -83,7 +87,6 @@ services:
      RUNNER_FILE: .runner # defaults to /data/runner.json
      RUNNER_NAME: runner-daemon # defaults to forgejo-runner, used for registration
      RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface
-      RUNNER_USER: 1000 # defaults to 1000, allows for automatic file ownership

      DEBUG: "true" # defaults to false, set to true to enable debug logging
      SKIP_WAIT: "false" # defaults to false, set to true to skip the 10 second wait to allow for forgejo and docker-in-docker to start