diff --git a/.forgejo/workflows/example-docker-compose.yml b/.forgejo/workflows/example-docker-compose.yml index 6e017db..9ab3a6a 100644 --- a/.forgejo/workflows/example-docker-compose.yml +++ b/.forgejo/workflows/example-docker-compose.yml @@ -35,7 +35,7 @@ jobs: # # Launch Forgejo & the runner # - $cli up -d + $cli up -d --remove-orphans for delay in $(seq 60) ; do test -f /srv/runner-data/.runner && break ; sleep 30 ; done test -f /srv/runner-data/.runner # diff --git a/entrypoint.sh b/entrypoint.sh index 64ec4f7..82119a6 100755 --- a/entrypoint.sh +++ b/entrypoint.sh @@ -4,11 +4,11 @@ set -e # Technically not nessecary but it cleans up the logs from having token/secret values run_command() { - local cmd="$1" + local cmd="$@" # Replace any --token or --secret with [REDACTED] local safe_cmd=$(echo "$cmd" | sed -E 's/--(token|secret) [^ ]+/--\1 [REDACTED]/g') decho "Running command: $safe_cmd" - eval "$cmd" + eval $cmd } decho() { @@ -16,6 +16,7 @@ decho() { echo "[entrypoint] $@" fi } +decho $PWD # Check if the script is running as root if [[ $(id -u) -eq 0 ]]; then @@ -23,6 +24,12 @@ if [[ $(id -u) -eq 0 ]]; then decho "[WARNING] Running as root user" fi +# Handle if `command` is passed, as command appends arguments to the entrypoint +if [ "$#" -gt 0 ]; then + run_command $@ + exit +fi + # Handle and alter the config file if [[ -z "${CONFIG_FILE}" ]]; then echo "CONFIG_FILE is not set" @@ -49,6 +56,12 @@ if [[ ! -f "${CONFIG_FILE}" ]]; then sed -i "/^ labels:/c\ labels: [\"docker:docker://code.forgejo.org/oci/node:20-bookworm\", \"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04\"]" ${CONFIG_FILE} sed -i "/^ network:/c\ network: host" ${CONFIG_FILE} + if [[ "${DOCKER_PRIVILEGED}" == "true" ]]; then + sed -i "/^ privileged:/c\ privileged: true" ${CONFIG_FILE} + sed -i "/^ options:/c\ options: -v /certs/client:/certs/client" ${CONFIG_FILE} + sed -i "/^ valid_volumes:/c\ valid_volumes:\n - /certs/client" ${CONFIG_FILE} + fi + fi ENV_FILE=${ENV_FILE:-"/data/.env"} @@ -91,20 +104,20 @@ if [[ ! -s "${RUNNER_FILE}" ]]; then # this is more flexible. while [[ $success -eq 0 ]] && [[ $try -lt ${MAX_REG_ATTEMPTS:-10} ]]; do if [[ ! -z "${FORGEJO_SECRET}" ]]; then - run_command "forgejo-runner create-runner-file --connect \ - --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \ - --name \"${RUNNER_NAME:-$(hostname)}\" \ - --secret \"${FORGEJO_SECRET}\" \ + run_command forgejo-runner create-runner-file --connect \ + --instance "${FORGEJO_URL:-http://forgejo:3000}" \ + --name "${RUNNER_NAME:-$(hostname)}" \ + --secret "${FORGEJO_SECRET}" \ ${CONFIG_ARG}\ - ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log else - run_command "forgejo-runner register \ - --instance \"${FORGEJO_URL:-http://forgejo:3000}\" \ - --name \"${RUNNER_NAME:-$(hostname)}\" \ - --token \"${RUNNER_TOKEN}\" \ + run_command forgejo-runner register \ + --instance "${FORGEJO_URL:-http://forgejo:3000}" \ + --name "${RUNNER_NAME:-$(hostname)}" \ + --token "${RUNNER_TOKEN}" \ --no-interactive \ ${CONFIG_ARG}\ - ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log" + ${EXTRA_ARGS} 2>&1 | tee /tmp/reg.log fi cat /tmp/reg.log | grep -E 'connection successful|registered successfully' >/dev/null if [[ $? -eq 0 ]]; then @@ -122,4 +135,4 @@ fi unset RUNNER_TOKEN unset FORGEJO_SECRET -run_command "forgejo-runner daemon ${CONFIG_ARG}" +run_command forgejo-runner daemon ${CONFIG_ARG} diff --git a/examples/docker-compose/compose-forgejo-and-runner.yml b/examples/docker-compose/compose-forgejo-and-runner.yml index 6431893..018d956 100644 --- a/examples/docker-compose/compose-forgejo-and-runner.yml +++ b/examples/docker-compose/compose-forgejo-and-runner.yml @@ -13,11 +13,8 @@ # # Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface. # -# Replace ROOT_PASSWORD with a secure password. +# Replace {ROOT_PASSWORD} with a secure password. # -networks: - forgejo: - volumes: docker_certs: @@ -27,8 +24,6 @@ services: hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost restart: unless-stopped privileged: true - networks: - - forgejo environment: DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375 DOCKER_HOST: "docker" # remove aswell to disable TLS @@ -38,19 +33,22 @@ services: forgejo: image: codeberg.org/forgejo/forgejo:1.21 hostname: forgejo - networks: - - forgejo volumes: - /srv/forgejo-data:/data ports: - 8080:3000 environment: FORGEJO__security__INSTALL_LOCK: "true" # remove in production + FORGEJO__log__LEVEL: "debug" # remove in production + FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" # enables the ability to create a repo when pushing + FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" # defaults above to public + FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions" + # `command` is not neecessary, but can be used to create an admin user as shown below when combined with INSTALL_LOCK command: >- bash -c ' /bin/s6-svscan /etc/s6 & sleep 10 ; - su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ; + su -c "forgejo admin user create --admin --username root --password {ROOT_PASSWORD} --email root@example.com" git ; su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ; sleep infinity ' @@ -69,17 +67,19 @@ services: volumes: - /srv/runner-data:/data - docker_certs:/certs - networks: - - forgejo depends_on: - docker-in-docker - forgejo + links: + - forgejo + - docker-in-docker environment: CONFIG_FILE: config.yml # defaults to /data/config.yml DOCKER_HOST: "tcp://docker:2376" # defaults to tcp://docker:2376 DOCKER_CERT_PATH: "/certs/client" # defaults to /certs/client DOCKER_TLS_VERIFY: "1" # defaults to 1 + DOCKER_PRIVILEGED: "true" # defaults to false for security reasons FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000 FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN