tenseleyflow/shithub / 7441984

+

+# Optional Actions runner on this host. Generate the token with:

+#   shithubd admin runner register --name prod-runner-1 --labels self-hosted,linux,ubuntu-latest --capacity 1

+# Store the real token in ansible-vault or your secret manager.

+# shithub_runner_enabled=true

+# shithub_runner_token=REPLACE_ME

+# shithub_runner_labels=self-hosted,linux,ubuntu-latest

+# shithub_runner_capacity=1

+# shithub_runner_default_image=ghcr.io/shithub/runner-nix:1.0

+

+# Optional Actions runner on this host.

+# shithub_runner_enabled=true

+# shithub_runner_token=REPLACE_ME

+# shithub_runner_labels=self-hosted,linux,ubuntu-latest

+# shithub_runner_capacity=1

+---

+# SPDX-License-Identifier: AGPL-3.0-or-later

+

+shithub_runner_enabled: false

+shithub_runner_server_url: "https://{{ shithub_domain }}"

+shithub_runner_token: ""

+shithub_runner_labels:

+  - self-hosted

+  - linux

+  - ubuntu-latest

+shithub_runner_capacity: 1

+shithub_runner_poll_interval: 5s

+shithub_runner_workspace_root: /var/lib/shithubd-runner/workspaces

+shithub_runner_workspace_ttl: 24h

+shithub_runner_engine: docker

+shithub_runner_default_image: ghcr.io/shithub/runner-nix:1.0

+shithub_runner_network: bridge

+shithub_runner_memory: 2g

+shithub_runner_cpus: "2"

+shithub_runner_log_level: info

+shithub_runner_log_format: text

+---

+# SPDX-License-Identifier: AGPL-3.0-or-later

+

+- name: daemon-reload

+  systemd: { daemon_reload: yes }

+

+- name: restart shithubd-runner

+  systemd: { name: shithubd-runner, state: restarted, enabled: yes }

+---

+# SPDX-License-Identifier: AGPL-3.0-or-later

+#

+# shithubd-runner role: installs the runner binary, config, default

+# container image, and systemd unit. Docker itself is a host prerequisite.

+

+- name: Runner token is configured

+  assert:

+    that:

+      - shithub_runner_token | length > 0

+      - shithub_runner_engine == "docker"

+    fail_msg: >-

+      shithub_runner_token is required and the Ansible role supports

+      shithub_runner_engine=docker. Generate a token with

+      `shithubd admin runner register`, store it in the inventory or

+      vault, and keep Docker installed on the runner host.

+  no_log: true

+

+- name: Runner workspace is inside the systemd write path

+  assert:

+    that:

+      - (shithub_runner_workspace_root | string) is match("^/var/lib/shithubd-runner(/|$)")

+    fail_msg: >-

+      shithub_runner_workspace_root must stay under /var/lib/shithubd-runner

+      unless the shithubd-runner systemd unit's ReadWritePaths= hardening is

+      updated with the matching path.

+

+- name: Docker group exists

+  getent:

+    database: group

+    key: docker

+  when: shithub_runner_engine == "docker"

+

+- name: Runner group

+  group:

+    name: shithub-runner

+    system: yes

+

+- name: Runner user

+  user:

+    name: shithub-runner

+    group: shithub-runner

+    groups: docker

+    append: yes

+    system: yes

+    create_home: no

+    home: /var/lib/shithubd-runner

+    shell: /usr/sbin/nologin

+

+- name: Runner directories

+  file:

+    path: "{{ item.path }}"

+    state: directory

+    owner: "{{ item.owner }}"

+    group: "{{ item.group }}"

+    mode: "{{ item.mode }}"

+  loop:

+    - { path: /etc/shithubd-runner, owner: root, group: shithub-runner, mode: "0750" }

+    - { path: /var/lib/shithubd-runner, owner: shithub-runner, group: shithub-runner, mode: "0750" }

+    - { path: "{{ shithub_runner_workspace_root }}", owner: shithub-runner, group: shithub-runner, mode: "0750" }

+    - { path: /var/lib/shithubd-runner/binaries, owner: shithub-runner, group: shithub-runner, mode: "0750" }

+

+- name: Upload shithubd-runner binary (built by `make build` locally)

+  copy:

+    src: "{{ playbook_dir }}/../../bin/shithubd-runner"

+    dest: /usr/local/bin/shithubd-runner

+    mode: "0755"

+    owner: root

+    group: root

+  notify: restart shithubd-runner

+

+- name: Archive a versioned runner binary copy

+  shell: cp /usr/local/bin/shithubd-runner /var/lib/shithubd-runner/binaries/shithubd-runner-$(date +%Y%m%d-%H%M%S)

+  args:

+    creates: /var/lib/shithubd-runner/binaries/shithubd-runner-{{ ansible_date_time.iso8601_basic_short }}

+

+- name: Runner config file

+  template:

+    src: config.toml.j2

+    dest: /etc/shithubd-runner/config.toml

+    owner: root

+    group: shithub-runner

+    mode: "0640"

+  notify: restart shithubd-runner

+

+- name: Runner env file

+  template:

+    src: runner.env.j2

+    dest: /etc/shithubd-runner/runner.env

+    owner: shithub-runner

+    group: shithub-runner

+    mode: "0600"

+  no_log: true

+  notify: restart shithubd-runner

+

+- name: Runner systemd unit

+  copy:

+    src: "{{ playbook_dir }}/../systemd/shithubd-runner.service"

+    dest: /etc/systemd/system/shithubd-runner.service

+    mode: "0644"

+  notify: [daemon-reload, restart shithubd-runner]

+

+- name: Pull default runner image

+  command: "{{ shithub_runner_engine }} pull {{ shithub_runner_default_image }}"

+  changed_when: false

+  when: not ansible_check_mode

+

+- name: Enable + start shithubd-runner

+  systemd: { name: shithubd-runner, state: started, enabled: yes }

+# Managed by Ansible. Secrets live in runner.env.

+

+[server]

+base_url = "{{ shithub_runner_server_url }}"

+

+[runner]

+{% if shithub_runner_labels is string %}

+labels = {{ shithub_runner_labels.split(",") | map("trim") | list | to_json }}

+{% else %}

+labels = {{ shithub_runner_labels | to_json }}

+{% endif %}

+capacity = {{ shithub_runner_capacity }}

+poll_interval = "{{ shithub_runner_poll_interval }}"

+workspace_root = "{{ shithub_runner_workspace_root }}"

+workspace_ttl = "{{ shithub_runner_workspace_ttl }}"

+

+[engine]

+kind = "{{ shithub_runner_engine }}"

+default_image = "{{ shithub_runner_default_image }}"

+network = "{{ shithub_runner_network }}"

+memory = "{{ shithub_runner_memory }}"

+cpus = "{{ shithub_runner_cpus }}"

+

+[log]

+level = "{{ shithub_runner_log_level }}"

+format = "{{ shithub_runner_log_format }}"

+# Managed by Ansible — 0600.

+# Sourced by shithubd-runner.service via EnvironmentFile=.

+

+SHITHUB_RUNNER_TOKEN={{ shithub_runner_token }}

+    - role: shithubd-runner

+      tags: [app, shithubd-runner, actions-runner]

+      when: shithub_runner_enabled | default(false) | bool

+[Unit]

+Description=shithub Actions runner

+After=network-online.target docker.service

+Wants=network-online.target docker.service

+

+[Service]

+Type=simple

+User=shithub-runner

+Group=shithub-runner

+SupplementaryGroups=docker

+EnvironmentFile=/etc/shithubd-runner/runner.env

+ExecStart=/usr/local/bin/shithubd-runner run --config /etc/shithubd-runner/config.toml

+Restart=on-failure

+RestartSec=2

+LimitNOFILE=65535

+

+# Docker access is intentionally broad in S41d. S41e narrows network and

+# secret exposure; until then this unit is only for trusted runner hosts.

+NoNewPrivileges=yes

+ProtectSystem=strict

+ProtectHome=yes

+PrivateTmp=yes

+ReadWritePaths=/var/lib/shithubd-runner

+ProtectKernelTunables=yes

+ProtectKernelModules=yes

+ProtectKernelLogs=yes

+ProtectControlGroups=yes

+RestrictNamespaces=yes

+RestrictRealtime=yes

+# Match shithubd-web's posture. Docker and git may need setgid semantics

+# inside their own managed trees; S41e revisits runner hardening in depth.

+RestrictSUIDSGID=no

+LockPersonality=yes

+SystemCallArchitectures=native

+

+[Install]

+WantedBy=multi-user.target