---
# SPDX-License-Identifier: AGPL-3.0-or-later
#
# shithubd-runner role: installs the runner binary, config, default
# container image, and systemd unit. Docker itself is a host prerequisite.

- name: Runner token is configured
  # Fail early when the token is missing or the engine is not the one this
  # role supports.  no_log keeps the token value out of the assertion
  # output when the check fails.
  ansible.builtin.assert:
    that:
      - 'shithub_runner_token | length > 0'
      - 'shithub_runner_engine == "docker"'
    fail_msg: >-
      shithub_runner_token is required and the Ansible role supports
      shithub_runner_engine=docker. Generate a token with
      `shithubd admin runner register`, store it in the inventory or
      vault, and keep Docker installed on the runner host.
  no_log: true

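- name: Runner workspace is inside the systemd write path
  # The unit's ReadWritePaths= hardening covers /var/lib/shithubd-runner;
  # a workspace elsewhere would likely be unwritable under the service's
  # sandboxing.  A prefix match alone is not enough: a value such as
  # /var/lib/shithubd-runner/../elsewhere passes it, so ".." path
  # components are rejected as well.  Symlinks inside the tree are not
  # checked here; that remains a host-side concern.
  ansible.builtin.assert:
    that:
      - '(shithub_runner_workspace_root | string) is match("^/var/lib/shithubd-runner(/|$)")'
      - 'not ((shithub_runner_workspace_root | string) is search("(^|/)[.][.](/|$)"))'
    fail_msg: >-
      shithub_runner_workspace_root must stay under /var/lib/shithubd-runner
      (with no '..' components) unless the shithubd-runner systemd unit's
      ReadWritePaths= hardening is updated with the matching path.
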
- name: Docker group exists
  # getent fails the play when the key is absent, so a missing docker
  # group is caught before the runner user is added to it below.
  ansible.builtin.getent:
    database: group
    key: docker
  when: 'shithub_runner_engine == "docker"'

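- name: Runner group
  # Primary group of the service account; system range GID.
  ansible.builtin.group:
    name: shithub-runner
    system: true
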
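- name: Runner user
  # Service account for the runner.  Membership in the docker group lets it
  # drive the Docker daemon, which is root-equivalent on the host, so the
  # account gets no login shell and no home directory is created here
  # (/var/lib/shithubd-runner is managed by the "Runner directories" task).
  ansible.builtin.user:
    name: shithub-runner
    group: shithub-runner
    groups: docker
    append: true
    system: true
    create_home: false
    home: /var/lib/shithubd-runner
    shell: /usr/sbin/nologin
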
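- name: Runner directories
  # Config dir is root-owned and group-readable by the service account;
  # state, workspace and binary-archive dirs belong to the service account.
  # All are 0750 so other local users cannot read runner state or config.
  ansible.builtin.file:
    path: "{{ item.path }}"
    state: directory
    owner: "{{ item.owner }}"
    group: "{{ item.group }}"
    mode: "{{ item.mode }}"
  loop:
    - path: /etc/shithubd-runner
      owner: root
      group: shithub-runner
      mode: "0750"
    - path: /var/lib/shithubd-runner
      owner: shithub-runner
      group: shithub-runner
      mode: "0750"
    - path: "{{ shithub_runner_workspace_root }}"
      owner: shithub-runner
      group: shithub-runner
      mode: "0750"
    - path: /var/lib/shithubd-runner/binaries
      owner: shithub-runner
      group: shithub-runner
      mode: "0750"
  loop_control:
    label: "{{ item.path }}"
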
- name: Upload shithubd-runner binary (built by `make build` locally)
  # The binary comes from the controller's build output (bin/ two levels
  # above the playbook directory, presumably the repository root) and is
  # installed root-owned so the service account cannot replace it.
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../../bin/shithubd-runner"
    dest: /usr/local/bin/shithubd-runner
    owner: root
    group: root
    mode: "0755"
  notify: restart shithubd-runner

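- name: Archive a versioned runner binary copy
  # Keep a dated copy of each deployed binary for rollback and incident
  # review.  The archive name and the creates: guard must be built from the
  # same timestamp source, otherwise the guard never matches and the task
  # re-runs (and reports changed) on every play.  argv avoids a shell.
  # Requires gathered facts (ansible_date_time).
  ansible.builtin.command:
    argv:
      - cp
      - /usr/local/bin/shithubd-runner
      - "{{ shithub_runner_binary_archive }}"
    creates: "{{ shithub_runner_binary_archive }}"
  vars:
    shithub_runner_binary_archive: "/var/lib/shithubd-runner/binaries/shithubd-runner-{{ ansible_date_time.iso8601_basic_short }}"
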
- name: Runner config file
  # Main runner configuration: root-owned, readable by the service account
  # only; any change restarts the service.
  ansible.builtin.template:
    src: config.toml.j2
    dest: /etc/shithubd-runner/config.toml
    owner: root
    group: shithub-runner
    mode: "0640"
  notify: restart shithubd-runner

- name: Runner env file
  # Environment file for the service -- presumably where the token is
  # passed, hence no_log on the task and a 0600 file owned by the service
  # account.
  ansible.builtin.template:
    src: runner.env.j2
    dest: /etc/shithubd-runner/runner.env
    owner: shithub-runner
    group: shithub-runner
    mode: "0600"
  no_log: true
  notify: restart shithubd-runner

- name: Runner seccomp profile
  # Seccomp profile shipped from the repository (presumably applied to job
  # containers); root-owned and group-readable so the service account can
  # read but not loosen it.
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../runner-config/seccomp.json"
    dest: "{{ shithub_runner_seccomp_profile }}"
    owner: root
    group: shithub-runner
    mode: "0640"
  notify: restart shithubd-runner

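- name: Runner DNS allowlist template
  # Rendered DNS allowlist for the runner; root-owned, readable by the
  # service account only.  Notifies a restart like the other runner config
  # files so an updated allowlist does not sit unapplied until the next
  # unrelated restart.  NOTE(review): if the runner re-reads this file per
  # job, the notify can be dropped -- confirm.
  ansible.builtin.template:
    src: "{{ playbook_dir }}/../runner-config/dnsmasq.conf.j2"
    dest: "{{ shithub_runner_dnsmasq_config }}"
    owner: root
    group: shithub-runner
    mode: "0640"
  notify: restart shithubd-runner
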
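- name: Runner systemd unit
  # Unit file shipped from the repository; pinned root:root like the binary
  # so the service account cannot edit its own sandboxing directives.
  ansible.builtin.copy:
    src: "{{ playbook_dir }}/../systemd/shithubd-runner.service"
    dest: /etc/systemd/system/shithubd-runner.service
    owner: root
    group: root
    mode: "0644"
  notify:
    - daemon-reload
    - restart shithubd-runner
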
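- name: Pull default runner image
  # argv keeps the engine and the image reference as separate arguments,
  # so a value containing whitespace cannot turn into extra CLI arguments.
  # changed_when: false keeps the pull from counting as a host change.
  # Pin shithub_runner_default_image to a digest where possible so the
  # image pulled is the one that was reviewed.  Skipped in check mode
  # because the pull has real side effects.
  ansible.builtin.command:
    argv:
      - "{{ shithub_runner_engine }}"
      - pull
      - "{{ shithub_runner_default_image }}"
  changed_when: false
  when: not ansible_check_mode
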
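- name: Enable + start shithubd-runner
  # Ensure the unit is active now and enabled at boot; config-change
  # restarts are handled by the notified handlers.
  ansible.builtin.systemd:
    name: shithubd-runner
    state: started
    enabled: true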