Disable admin interface in Caddy

Enable Gitea actions

.drone.yml

@@ -1,36 +0,0 @@
----
-kind: pipeline
-type: docker
-name: Static Verification
-steps:
-  - name: ansible-lint
-    image: python:3.10.6
-    commands:
-      # Make sure to update the ansible version below as well
-      - pip --disable-pip-version-check install ansible==7.2.0 ansible-lint==6.16.1 > /dev/null 2> /dev/null
-      - ansible-lint -c .ansible-lint ansible
-
----
-kind: pipeline
-type: docker
-name: Check
-steps:
-  - name: ansible-playbook --check
-    image: python:3.10.6
-    environment:
-      SSH_KEY:
-        from_secret: ssh_key
-      VAULT_PASSWORD:
-        from_secret: vault_password
-    commands:
-      - pip install ansible==7.2.0 > /dev/null 2> /dev/null
-
-      - mkdir "$HOME/.ssh"
-      - echo "$SSH_KEY" > "$HOME/.ssh/id"
-      - chmod 0600 ~/.ssh/id
-      - ssh-keyscan -p 2309 vmd98928.contaboserver.net > "$HOME/.ssh/known_hosts"
-
-      - echo "$VAULT_PASSWORD" > "$HOME/vault_password"
-
-      - cd ansible
-      - ansible-playbook --private-key "$HOME/.ssh/id" --vault-password-file "$HOME/vault_password" --check playbooks/misc-all.yaml

.gitea/workflows/check.yaml

@@ -0,0 +1,15 @@
+name: Check
+on: [push]
+jobs:
+  "Lint Ansible Files":
+    runs-on: ubuntu-22.04
+    steps:
+      - run: apt-get update
+      - run: apt-get install -y python3 python3-pip python3-venv
+      - run: python3 --version
+      - name: Check out repo
+        uses: actions/checkout@v3
+      - run: python3 -m venv venv
+      - run: venv/bin/pip --disable-pip-version-check install ansible==7.2.0 ansible-lint==6.16.1 > /dev/null 2> /dev/null
+      - run: venv/bin/ansible-lint -c .ansible-lint ansible
+  # TODO: Reimplement ansible-play --check step from old drone config

TODO.md

@@ -14,3 +14,5 @@
 - [x] Make Gitea display graphs in Notebooks (see https://docs.gitea.io/en-us/external-renderers/).
 - [x] Factorio server
 - [ ] Add flag for Gitea backups (after which Gitea will be up but no contain the sites source code)
+- [x] Add Gitea actions
+- [ ] Remove drone

docker/docker/caddy/Caddyfile

@@ -1,3 +1,7 @@
+{
+    admin off
+}
+
 pbrinkmeier.de {
     file_server {
         root /srv/pbrinkmeier.de

docker/docker/drone/docker-compose.yaml

@@ -12,7 +12,7 @@ services:
       DRONE_SERVER_PROTO: https
     volumes:
       - /var/lib/pbri/docker/drone:/data
-    restart: always
+    restart: unless-stopped
 
   drone_runner:
     image: drone/drone-runner-docker:1
@@ -24,7 +24,7 @@ services:
       DRONE_RUNNER_NAME: shamash
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-    restart: always
+    restart: unless-stopped
 
 networks:
   default:

docker/docker/gitea/Dockerfile

@@ -1,5 +1,3 @@
-FROM gitea/gitea:1.20
+ FROM gitea/act_runner:0.2.5
 
-RUN apk --no-cache add gcc python3-dev py3-pip linux-headers musl-dev libffi-dev
-RUN pip3 install --upgrade pip
-RUN pip3 install jupyter
+ COPY runner-config.yaml /opt/runner-config.yaml

docker/docker/gitea/README.md

@@ -1,6 +1,17 @@
+# gitea
+
 Add a `.env` file like this:
 
 ```
 GITEA_DB_PASSWORD=...
 GITEA_SMTP_PASSWORD=...
+GITEA_RUNNER_REGISTRATION_TOKEN=...
 ```
+
+You should keep an eye on `GITEA_RUNNER_REGISTRATION_TOKEN`. I suspect
+it might change over time, e.g. when restarting or updating Gitea.
+
+## Files
+
+- `runner-config.yaml`: Configuration for `gitea/act_runner`. Generated using `act_runner generate-config` then adjusted
+- `Dockerfile`: Creates an image based on `gitea/act_runner` that comes with `runner-config.yaml` in `/opt` (to avoid the extra mount)

docker/docker/gitea/docker-compose.yaml

@@ -2,9 +2,8 @@ version: "3"
 
 services:
   gitea:
-    image: pbrinkmeier/gitea
-    build: .
-    restart: always
+    image: gitea/gitea:1.20.3
+    restart: unless-stopped
     environment:
       # Ref: https://docs.gitea.io/en-us/config-cheat-sheet
       # User is created by misc-docker.yaml
@@ -36,17 +35,17 @@ services:
       GITEA__service__DEFAULT_ENABLE_TIMETRACKING: "false"
       GITEA__service__DEFAULT_ALLOW_ONLY_CONTRIBUTORS_TO_TRACK_TIME: "false"
       GITEA__mailer__ENABLED: "true"
-      GITEA__mailer__HOST: smtp.mailbox.org:465
+      GITEA__mailer__PROTOCOL: smtps
+      GITEA__mailer__SMTP_ADDR: smtp.mailbox.org
+      GITEA__mailer__SMTP_HOST: 465
       GITEA__mailer__FROM: git@pbrinkmeier.de
       GITEA__mailer__USER: hallo@pbrinkmeier.de
       GITEA__mailer__PASSWD: "${GITEA_SMTP_PASSWORD}"
       GITEA__openid__ENABLE_OPENID_SIGNIN: "false"
       GITEA__openid__ENABLE_OPENID_SIGNUP: "false"
-      GITEA__markup_0x2E_jupyter__ENABLED: "true"
-      GITEA__markup_0x2E_jupyter__FILE_EXTENSIONS: ".ipynb"
-      GITEA__markup_0x2E_jupyter__RENDER_COMMAND: "jupyter nbconvert --stdin --stdout --to html --template basic"
-      GITEA__markup_0x2E_jupyter__IS_INPUT_FILE: "false"
-      GITEA__markup_0x2E_sanitizer_0x2E_jupyter_0x2E_img__ALLOW_DATA_URI_IMAGES: "true"
+      # Enable Gitea actions
+      # Ref: https://docs.gitea.com/usage/actions/quickstart
+      GITEA__actions__ENABLED: "true"
     volumes:
       - /var/lib/pbri/docker/gitea:/data
       - /etc/timezone:/etc/timezone:ro
@@ -58,7 +57,7 @@ services:
 
   gitea_db:
     image: postgres:14.5-alpine
-    restart: always
+    restart: unless-stopped
     environment:
       POSTGRES_DB: gitea
       POSTGRES_USER: gitea
@@ -66,6 +65,21 @@ services:
     volumes:
       - /var/lib/pbri/docker/gitea_db:/var/lib/postgresql/data
 
+  gitea_runner:
+    image: pbrinkmeier/act_runner:0.2.5
+    build: .
+    restart: unless-stopped
+    environment:
+      CONFIG_FILE: /opt/runner-config.yaml
+      GITEA_INSTANCE_URL: "https://git.pbrinkmeier.de"
+      GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
+      GITEA_RUNNER_NAME: "basic-bitchboy"
+    volumes:
+      - /var/lib/pbri/docker/gitea_runner_data:/data
+      - /var/run/docker.sock:/var/run/docker.sock
+    depends_on:
+      - gitea
+
 networks:
   default:
     name: caddy-network

docker/docker/gitea/runner-config.yaml

@@ -0,0 +1,85 @@
+log:
+  # The level of logging, can be trace, debug, info, warn, error, fatal
+  level: info
+
+runner:
+  # Where to store the registration result.
+  file: .runner
+  # Execute how many tasks concurrently at the same time.
+  capacity: 1
+  # Extra environment variables to run jobs.
+  # envs:
+  #   A_TEST_ENV_NAME_1: a_test_env_value_1
+  #   A_TEST_ENV_NAME_2: a_test_env_value_2
+  # Extra environment variables to run jobs from a file.
+  # It will be ignored if it's empty or the file doesn't exist.
+  # env_file: .env
+  # The timeout for a job to be finished.
+  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
+  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
+  timeout: 3h
+  # Whether skip verifying the TLS certificate of the Gitea instance.
+  insecure: false
+  # The timeout for fetching the job from the Gitea instance.
+  fetch_timeout: 5s
+  # The interval for fetching the job from the Gitea instance.
+  fetch_interval: 2s
+  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
+  # Like: ["macos-arm64:host", "ubuntu-latest:docker://node:16-bullseye", "ubuntu-22.04:docker://node:16-bullseye"]
+  # If it's empty when registering, it will ask for inputting labels.
+  # If it's empty when execute `deamon`, will use labels in `.runner` file.
+  # Some (most?) GitHub actions use node for scripting, so just using
+  # ubuntu:22.04 here is not enough.
+  labels:
+    - "ubuntu-22.04:docker://node:16-bullseye"
+
+cache:
+  # Enable cache server to use actions/cache.
+  enabled: false
+  # The directory to store the cache data.
+  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
+  dir: ""
+  # The host of the cache server.
+  # It's not for the address to listen, but the address to connect from job containers.
+  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
+  host: ""
+  # The port of the cache server.
+  # 0 means to use a random available port.
+  port: 0
+  # The external cache server URL. Valid only when enable is true.
+  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
+  # The URL should generally end with "/".
+  external_server: ""
+
+container:
+  # Specifies the network to which the container will connect.
+  # Could be host, bridge or the name of a custom network.
+  # If it's empty, act_runner will create a network automatically.
+  network: ""
+  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
+  privileged: false
+  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
+  options:
+  # The parent directory of a job's working directory.
+  # If it's empty, /workspace will be used.
+  workdir_parent:
+  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
+  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
+  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
+  # valid_volumes:
+  #   - data
+  #   - /src/*.json
+  # If you want to allow any volume, please use the following configuration:
+  # valid_volumes:
+  #   - '**'
+  valid_volumes: []
+  # overrides the docker client host with the specified one.
+  # If it's empty, act_runner will find an available docker host automatically.
+  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
+  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
+  docker_host: ""
+
+host:
+  # The parent directory of a job's working directory.
+  # If it's empty, $HOME/.cache/act/ will be used.
+  workdir_parent:

docker/envs/gitea/.env

@@ -1,11 +1,14 @@
 $ANSIBLE_VAULT;1.1;AES256
-32303131323835666635366533363238303766643063633934353139323837396336373734393263
-6334616639373630616437646437626666343161373338310a323234313330323839663165653038
-66386266373562363966643666653234656337373166626131383565313334333234373532633133
-6265656232613337380a393531323765373332613162346365373831373733623166363136326239
-66386262393836343634353061363131313936666665343634326430393939633336656666626530
-32633762306136356464386262633132646633373066316434343437356636313831313462366533
-37343864636265666166613761386639316534386365343439623634373039383237353839656130
-36353036623336653336663738636632326238326133663039633330656530376335343539646465
-61663436626235306462336636393332313562646633373637396664636661333131663864393138
-6161396237323233333961353231643236393232623635303465
+35623364633833623964623536646534373634663736613561333561343136333965306638396532
+6162393239383936386338666565306132646230383066630a336337613636383431623738343663
+61343262363631376665383035323139313863626331666439336134613035663439376231343863
+3032353139643138640a383365356630323835383538393734643134343133653033383663333464
+62386361633435633664306531623835353665326432393932336163316561653866343137323030
+63643262323436356166373533363235366238393633336631336266373837373932313134303563
+65633337393938623134636538653561356565333831356638373862376333336163363438626438
+39343436383732313561396236656530303064363961663636353538346264633532633866333162
+35303032303662646166333537373566316462633536333463323433353539623363323036643763
+34376365613932303133366236613235636238643139666663356436326532616437383432303437
+39376535656266383465373837643634383937656431323265386163373138336164383666383962
+64623762613332363731323739666238613634646237396331666463363663313461313966356233
+30653362353061333739303234336461373337346632646433623462623765353330