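# Gitea Actions runner for the dezky monorepo, in-cluster on node1.
#
# Builds + pushes app images (platform-api / portal / booking) to the Gitea
# container registry on push. A privileged docker:dind sidecar provides the
# Docker daemon the runner's jobs use for `docker build`/`buildx` — k3s itself
# only has containerd, no Docker daemon.
#
# Security model (read before extending this):
# - The dind sidecar runs `privileged: true`, which is root on the node for
#   practical purposes. Every job this runner picks up can drive that daemon,
#   so anyone who can push a workflow to a repo this runner serves has
#   node-root-equivalent access. Register it only against repos whose
#   committers you already trust at that level; do not let it pick up
#   workflows from untrusted forks.
# - Nothing here talks to the Kubernetes API, so the ServiceAccount token is
#   not mounted (automountServiceAccountToken: false). Otherwise it would be
#   readable from the runner container and from any job that escapes dind.
# - The dind daemon listens on the pod IP (2376, TLS with client-cert
#   verification). A default-deny-ingress NetworkPolicy keeps other workloads
#   from reaching it regardless; act_runner only makes outbound connections
#   (it polls Gitea), so the pod needs no ingress. Enforcement depends on the
#   CNI — k3s's bundled network-policy controller honours it, bare flannel
#   does not.
# - All images below are referenced by mutable tags. Pin by digest
#   (`image@sha256:...`) once a version has been reviewed; a re-pushed tag
#   upstream would otherwise land in CI with root on the node.
#
# The registration token is NOT in git — create the 'gitea-runner-token'
# Secret out-of-band:
#   kubectl -n gitea-runner create secret generic gitea-runner-token \
#     --from-literal=token=<registration-token>
# act_runner auto-registers on first start (persisted on the runner-data PVC).
# The token is only needed for that first registration; consider resetting it
# in Gitea afterwards so the Secret is not a standing credential.
apiVersion: v1
kind: Namespace
metadata:
  name: gitea-runner
  labels:
    # The dind sidecar needs `privileged`. If the cluster enforces a
    # baseline/restricted Pod Security default, this label is what lets the
    # pod be admitted; where PSA is not configured it is a no-op that still
    # documents this namespace as the deliberate exception.
    pod-security.kubernetes.io/enforce: privileged
---
# Nothing needs to connect TO the runner pod; block all ingress so the dind
# TLS endpoint (2376) is reachable only from within the pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: gitea-runner
spec:
  podSelector: {}
  policyTypes:
    - Ingress
---
# Holds /data (the .runner registration file). ReadWriteOnce, which is why
# the Deployment uses strategy Recreate — a rolling update would try to
# attach the volume to two pods.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: runner-data
  namespace: gitea-runner
spec:
  accessModes: [ReadWriteOnce]
  storageClassName: longhorn
  resources:
    requests:
      storage: 2Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: act-runner-config
  namespace: gitea-runner
data:
  config.yaml: |
    log:
      level: info
    runner:
      # Run several jobs at once (the 4-app typecheck matrix + image builds)
      # instead of one-at-a-time. The AX41 has headroom.
      # NOTE(review): there are no resources.limits on the pod, so 4 parallel
      # builds in dind are bounded only by the node — set limits if this ever
      # shares node1 with latency-sensitive workloads.
      capacity: 4
      timeout: 3h
      # Keep in sync with GITEA_RUNNER_LABELS in the Deployment. The env var
      # is what gets written to .runner at registration time; the labels here
      # are what act_runner uses afterwards (in 0.2.x the config file appears
      # to take precedence over .runner — verify if you change one side only).
      labels:
        - "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04"
        - "docker:docker://docker:27-cli"
    cache:
      # We don't use the Actions cache (setup-node cache was removed); disabling
      # avoids the cache server the DinD job containers can't reach anyway.
      enabled: false
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: act-runner
  namespace: gitea-runner
  labels:
    app: act-runner
spec:
  replicas: 1
  # Recreate, not RollingUpdate: runner-data is RWO (see the PVC).
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: act-runner
  template:
    metadata:
      labels:
        app: act-runner
    spec:
      # No container here calls the Kubernetes API; don't hand the privileged
      # pod (and anything that escapes dind) a ServiceAccount token.
      automountServiceAccountToken: false
      containers:
        - name: runner
          # TODO(review): pin by digest once reviewed (see header).
          image: gitea/act_runner:0.2.11
          env:
            - name: GITEA_INSTANCE_URL
              value: https://git.lastcloud.io
            # Consumed only for the first registration; see header comment.
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-token
                  key: token
            - name: GITEA_RUNNER_NAME
              value: dezky-k3s
            # Map ubuntu-latest (used by .gitea/workflows/ci.yml) to a Docker
            # image with the usual build tooling; jobs run via the dind sidecar.
            # Keep in sync with runner.labels in the ConfigMap.
            - name: GITEA_RUNNER_LABELS
              value: "ubuntu-latest:docker://catthehacker/ubuntu:act-22.04,docker:docker://docker:27-cli"
            # Talk to the sidecar over TLS (2376, not the plaintext 2375);
            # the client cert/key are generated by dind into the shared
            # docker-certs emptyDir, so the daemon only accepts this client.
            - name: DOCKER_HOST
              value: tcp://localhost:2376
            - name: DOCKER_CERT_PATH
              value: /certs/client
            - name: DOCKER_TLS_VERIFY
              value: "1"
            - name: CONFIG_FILE
              value: /config/config.yaml
          volumeMounts:
            - name: runner-data
              mountPath: /data
            - name: docker-certs
              mountPath: /certs
            - name: runner-config
              mountPath: /config
        - name: dind
          # Privileged by necessity (it mounts cgroups/overlayfs and needs
          # CAP_SYS_ADMIN). This is the node-root boundary described in the
          # header; keep it the only privileged container in this pod.
          # TODO(review): pin by digest once reviewed (see header).
          image: docker:27-dind
          securityContext:
            privileged: true
          env:
            # Makes dind generate a CA + server/client certs under /certs and
            # start with --tlsverify, so the daemon requires a client cert.
            - name: DOCKER_TLS_CERTDIR
              value: /certs
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
            # emptyDir: the layer cache is lost on every pod restart, which is
            # acceptable here (no persistent build cache is expected).
            - name: dind-storage
              mountPath: /var/lib/docker
      volumes:
        - name: runner-data
          persistentVolumeClaim:
            claimName: runner-data
        - name: docker-certs
          emptyDir: {}
        - name: dind-storage
          emptyDir: {}
        - name: runner-config
          configMap:
            name: act-runner-config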