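# Apply: kubectl apply -f manifests/gitea/gitea-runner.yaml
# Delete: kubectl delete -f manifests/gitea/gitea-runner.yaml
# Description: Gitea Actions runner deployment with host Docker socket and internal CA trust.
#
# NOTE(review): line breaks and indentation were reconstructed from a
# flattened copy of this manifest; confirm nesting against the deployed
# version, in particular inside the embedded config.yaml.
#
# Trust model: both runner labels use the ":host" scheme, so workflow steps
# execute directly inside the runner container. Everything mounted or
# injected into this pod (host sockets, hostPath files, secrets, env vars) is
# reachable by any workflow this runner accepts. Limit which repositories and
# users can schedule jobs on it.
---
apiVersion: v1
kind: Namespace
metadata:
  name: gitea-runner
---
# No Role/RoleBinding for this account is defined in this file. If workflows
# do not need the Kubernetes API, set `automountServiceAccountToken: false`
# here or on the pod spec so the token is not projected into the job
# environment.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gitea-runner
  namespace: gitea-runner
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gitea-runner
  namespace: gitea-runner
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea-runner
  template:
    metadata:
      labels:
        app: gitea-runner
    spec:
      serviceAccountName: gitea-runner
      nodeSelector:
        node-role: primary
      containers:
        - name: runner
          # `latest` is a mutable tag: a pod restart can pull a different
          # build. Pin a released version or an image digest so the runner
          # binary only changes through a reviewed edit to this file.
          image: gitea/act_runner:latest
          env:
            - name: GITEA_INSTANCE_URL
              value: "https://gitea.home.arpa"
            # Sourced from a Secret, but still present in the container
            # environment, which host-mode jobs share. Prefer a token that is
            # scoped as narrowly as the Gitea instance allows.
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-secret
                  key: token
            - name: GITEA_RUNNER_NAME
              value: "minisforum"
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:host,ubuntu-22.04:host"
            - name: CONFIG_FILE
              value: /config/config.yaml
            - name: NODE_EXTRA_CA_CERTS
              value: /certs/ca.crt
            - name: SSL_CERT_FILE
              value: /certs/ca.crt
          volumeMounts:
            - name: config
              mountPath: /config
            # The k3s containerd socket is mounted at the Docker socket path.
            # containerd does not serve the Docker Engine API on this socket,
            # so Docker clients pointed at /var/run/docker.sock are unlikely
            # to work; the header says "Docker socket" - confirm which is
            # intended. Access to a host runtime socket is effectively root
            # on the node: drop this mount if jobs do not need it.
            - name: containerd-sock
              mountPath: /var/run/docker.sock
            - name: runner-data
              mountPath: /data
            - name: internal-ca
              mountPath: /certs
            # Host binary exposed to the runner. Mounted read-only so a job
            # cannot overwrite /usr/bin/node on the node through this path.
            - name: usr-bin
              mountPath: /usr/local/bin/node
              subPath: node
              readOnly: true
      dnsConfig:
        nameservers:
          - 192.168.7.77
      volumes:
        - name: config
          configMap:
            name: gitea-runner-config
        - name: containerd-sock
          hostPath:
            path: /run/k3s/containerd/containerd.sock
        - name: runner-data
          emptyDir: {}
        # The whole Secret is mounted. If it also holds the CA private key
        # (for example a `tls.key` entry), project only `ca.crt` with `items`
        # so jobs receive the trust anchor and nothing else.
        - name: internal-ca
          secret:
            secretName: internal-ca-cert
        - name: usr-bin
          hostPath:
            path: /usr/bin/node
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-runner-config
  namespace: gitea-runner
data:
  # Runner configuration, read from CONFIG_FILE (/config/config.yaml).
  #
  # The `container` section configures jobs that run in their own
  # containers. `privileged: true`, `network: host` and `valid_volumes: "**"`
  # (any path may be mounted) together remove isolation between such a job
  # and the node. With only ":host" labels this section is presumably
  # unused - confirm, and tighten it before adding container-based labels.
  #
  # NOTE(review): verify that `env_vars` is the key name this act_runner
  # version reads for the job environment map, and that it belongs under
  # `runner`; the nesting here is reconstructed.
  config.yaml: |
    log:
      level: info
    runner:
      fetch_timeout: 5s
      fetch_interval: 2s
      env_vars:
        PATH: "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
        SSL_CERT_FILE: "/certs/ca.crt"
        GIT_SSL_CAINFO: "/certs/ca.crt"
    container:
      network: host
      privileged: true
      options: "--add-host=gitea.home.arpa:192.168.7.77"
      valid_volumes:
        - "**"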