101be3512a attic: enable S3 support 2026-02-18 19:29:12 -05:00
893f10a45c gitea-runner: secure with rootless 2026-02-18 19:28:58 -05:00
5 changed files with 81 additions and 30 deletions

10
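--- /dev/null
+++ b/attic/bucket.yaml
@@ -0,0 +1,10 @@
+apiVersion: objectbucket.io/v1alpha1
+kind: ObjectBucketClaim
+metadata:
+name: attic-bucket
+namespace: attic
+spec:
+additionalConfig:
+maxSize: 100Gi
+bucketName: attic-bucket
+storageClassName: weyma-s3-bucket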
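Review bot: Nothing in this claim says who consumes it, yet the attic Deployment in the same compare relies on a Secret called `attic-bucket` existing; a comment above `metadata:` such as `# Consumed by attic/deployment.yaml (envFrom secretRef attic-bucket); the provisioner creates a Secret and ConfigMap of this name` would tie the two files together. Whether the keys in the provisioner-generated Secret match what the attic server reads for S3 credentials is not visible here and should be confirmed against the `weyma-s3-bucket` provisioner before the server config is switched to S3.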

36
attic/config.yaml Normal file

@@ -0,0 +1,36 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: attic-config
data:
server.toml: |
listen = "[::]:8080"
allowed-hosts = []
#api-endpoint = "https://nix-cache.dubyatp.xyz/"
[database]
url = "sqlite:///var/empty/.local/share/attic/server.db"
[storage]
path = "/data/.local/share/attic/storage"
type = "local"
#region = "us-east-1"
#bucket = "attic-bucket"
#endpoint = "https://weyma-s3.infra.dubyatp.xyz"
[chunking]
nar-size-threshold = 65536
min-size = 16384
avg-size = 65536
max-size = 262144
[compression]
type = "zstd"
[garbage-collection]
interval = "12 hours"
[jwt]
[jwt.signing]
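Review bot: The `[storage]` table still says `type = "local"` with the `region`, `bucket` and `endpoint` lines commented out, so despite the commit title the server keeps writing NARs to `/data/.local/share/attic/storage` — a path that, as far as this compare shows, is not backed by the `attic-pvc` mount at `/var/empty/` and so lives on the container's ephemeral filesystem — while the bucket credentials the Deployment now injects go unused. If the bucket is ready, switch the table to S3 as below; if leaving it local is deliberate, a comment above `[storage]` saying why would save the next reader the same confusion. `allowed-hosts = []` and the empty `[jwt.signing]` table are also worth a one-line comment each stating what they rely on (presumably "any Host header accepted" and "signing secret supplied through the attic-secret environment"), since neither is obvious from the file.
```yaml
  server.toml: |
    # … unchanged: listen, allowed-hosts, api-endpoint, [database] …
    [storage]
    type = "s3"
    region = "us-east-1"
    bucket = "attic-bucket"
    endpoint = "https://weyma-s3.infra.dubyatp.xyz"
    # … unchanged: [chunking] onward …
```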


@@ -3,6 +3,7 @@ kind: Deployment
metadata:
name: attic
spec:
replicas: 1
selector:
matchLabels:
app: attic
@@ -17,13 +18,20 @@ spec:
envFrom:
- secretRef:
name: attic-secret
- secretRef:
name: attic-bucket
volumeMounts:
- name: attic-pvc
mountPath: /var/empty
mountPath: /var/empty/
resources:
limits:
memory: "2Gi"
cpu: "500m"
- name: multitool
image: wbitt/network-multitool
volumeMounts:
- name: attic-pvc
mountPath: /var/empty/
volumes:
- name: attic-pvc
persistentVolumeClaim:
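Review bot: The `multitool` sidecar added in the second hunk (`wbitt/network-multitool`) is a general-purpose debugging image that shares the pod's network namespace and mounts the same `attic-pvc` volume as the server, with no `resources` and no `securityContext`, so it widens what anyone who reaches the pod can do and what a runaway process can consume. If it is only needed for troubleshooting, drop it from the manifest and use `kubectl debug` (an ephemeral container) when needed; if it must stay, give it at least `securityContext: {runAsNonRoot: true, allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}}` plus resource limits in line with the main container, and a comment above `- name: multitool` saying why it ships with the cache. The second `secretRef` (`attic-bucket`) presumably is the Secret generated from the ObjectBucketClaim in `attic/bucket.yaml`; a comment to that effect would help, since the name alone does not say it is provisioner-owned. The container list this hunk edits starts outside the hunk.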


@@ -7,7 +7,7 @@ data:
log:
level: info
runner:
file: .runner
file: /data/.runner
capacity: 1
env_file: .env
timeout: 3h
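Review bot: `file` now points at `/data/.runner` so the runner's registration state survives restarts, but `env_file: .env` on the next line is still a relative path resolved against the process working directory, so the two settings diverge; if the env file is meant to persist as well, change it to `env_file: /data/.env`, otherwise a comment such as `# .env is intentionally relative to the working dir; only .runner is persisted` would stop the next reader from "fixing" it. Since `.runner` holds the registration data, its new home on the shared `runner-data` volume is presumably what the `chown-data` init container in the deployment file prepares — worth a one-line comment here linking the two. The ConfigMap's `data:` block this hunk edits starts outside the hunk.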


@@ -16,24 +16,35 @@ spec:
labels:
app: act-runner
spec:
containers:
- name: runner
initContainers:
- name: sysctl
image: busybox
securityContext:
privileged: true
command:
- sh
- -c
- while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...';
sleep 5; done; /sbin/tini -- run.sh
image: gitea/act_runner:nightly
- echo 28633 > /proc/sys/user/max_user_namespaces
- name: chown-data
image: busybox
securityContext:
runAsUser: 0
command:
- sh
- -c
- chown -R 1000:1000 /data
volumeMounts:
- name: runner-data
mountPath: /data
containers:
- name: runner
image: gitea/act_runner:nightly-dind-rootless
imagePullPolicy: Always
env:
- name: CONFIG_FILE
value: /config/config.yaml
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
value: unix:///run/user/1000/docker.sock
- name: GITEA_INSTANCE_URL
value: https://git.dubyatp.xyz
- name: GITEA_RUNNER_REGISTRATION_TOKEN
@@ -41,34 +52,20 @@ spec:
secretKeyRef:
key: registration-token
name: gitea-runner-token
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- name: runner-config
mountPath: /config
- name: docker-certs
mountPath: /certs
- name: runner-data
mountPath: /data
- name: daemon
env:
- name: DOCKER_TLS_CERTDIR
value: /certs
image: docker:23.0.6-dind
imagePullPolicy: IfNotPresent
securityContext:
privileged: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /certs
name: docker-certs
- name: runner-config
mountPath: /config
- name: runner-data
mountPath: /data
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
terminationGracePeriodSeconds: 30
volumes:
- name: docker-certs
- name: runner-config
configMap:
name: runner-config