# Copyright 2024 The Forgejo Authors.
# SPDX-License-Identifier: MIT

#
# Create a secret with:
#
#   openssl rand -hex 20
#
# Replace all occurences of {SHARED_SECRET} below with the output.
#
# NOTE: a token obtained from the Forgejo web interface cannot be used
#       as a shared secret.
#
# Replace ${RUNNER_TOKEN} with the token obtained from the Forgejo web interface.
#
# Replace ROOT_PASSWORD with a secure password.
#
volumes:
  docker_certs:

services:
  docker-in-docker:
    image: code.forgejo.org/oci/docker:dind
    hostname: docker # Must set hostname for both internal DNS and TLS to work as certs are only valid for docker and localhost
    restart: unless-stopped
    privileged: true
    environment:
      DOCKER_TLS_CERTDIR: "/certs" # set to "" to disable the use of TLS, also manually update existing runner configs to use port 2375
      DOCKER_HOST: "docker" # remove aswell to disable TLS
    volumes:
      - docker_certs:/certs

  forgejo:
    image: codeberg.org/forgejo/forgejo:1.21
    hostname: forgejo
    volumes:
      - /srv/forgejo-data:/data
    ports:
      - 8080:3000
    environment:
      FORGEJO__security__INSTALL_LOCK: "true" # remove in production
      FORGEJO__log__LEVEL: "debug" # remove in production
      FORGEJO__repository__ENABLE_PUSH_CREATE_USER: "true" # enables the ability to create a repo when pushing
      FORGEJO__repository__DEFAULT_PUSH_CREATE_PRIVATE: "false" # defaults above to public
      FORGEJO__repository__DEFAULT_REPO_UNITS: "repo.code,repo.actions"
    # `command` is not neecessary, but can be used to create an admin user as shown below when combined with INSTALL_LOCK
    command: >-
      bash -c '
      /bin/s6-svscan /etc/s6 &
      sleep 10 ;
      su -c "forgejo admin user create --admin --username root --password ROOT_PASSWORD --email root@example.com" git ;
      su -c "forgejo forgejo-cli actions register --secret {SHARED_SECRET}" git ;
      sleep infinity
      '

  # all values that have defaults listed are optional
  # only FORGEJO_SECRET or RUNNER_TOKEN is required, the secret will be prioritized
  # FORGEJO_URL is required if forgejo is not in this compose file or docker network
  runner-daemon:
    ## TODO: Update image to the the release
    ## made from this PR: https://code.forgejo.org/forgejo/runner/pulls/283

    # image: code.forgejo.org/forgejo/runner:3.4.1
    build: ../../
    user: "1000" # defaults to 1000,
    restart: unless-stopped # needed for fixing file ownership on restart
    volumes:
      - /srv/runner-data:/data
      - docker_certs:/certs
    depends_on:
      - docker-in-docker
      - forgejo
    links:
      - docker-in-docker
      - forgejo
    environment:
      FORGEJO_URL: ${FORGEJO_URL} # defaults to http://forgejo:3000
      FORGEJO_SECRET: "{SHARED_SECRET}" # shared secret, must match Forgejo's, overrides RUNNER_TOKEN
      RUNNER_TOKEN: ${RUNNER_TOKEN} # token obtained from Forgejo web interface

      # Docker Daemon Configs, needed for docker-in-docker
      DOCKER_HOST: tcp://docker:2376
      DOCKER_TLS_VERIFY: 1
      DOCKER_CERT_PATH: /certs/client

      # Runner Configs
      RUNNER__log__LEVEL: "debug"
      RUNNER__container__PRIVILEGED: "true"
      RUNNER__runner__LABELS: |
        docker:docker://code.forgejo.org/oci/node:20-bookworm
        ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04
      DEBUG: "true"
      SKIP_WAIT: "false"