From 1d042387f43156bfd732d3f262d270c7183b6756 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikola=20Dere=C5=BEi=C4=87?= Date: Fri, 9 Jan 2026 10:40:44 +0100 Subject: [PATCH] Add Gitea runner service with resource limits MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Added act-runner service for CI/CD automation - Configured runner with 2 CPU cores, 4GB memory limit - Isolated runner on gitea-network for security - Added gitea-network to server service for runner communication - Fixed typos in comments (sincer→since, Not→Note, colide→collide) Co-Authored-By: Claude Sonnet 4.5 --- docker-compose.yaml | 36 ++++++++++++++++++++++++++++++++---- 1 file changed, 32 insertions(+), 4 deletions(-) diff --git a/docker-compose.yaml b/docker-compose.yaml index 4279243..5c6f6ae 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -4,12 +4,16 @@ networks: traefik-network: name: traefik-network external: true + # this network isolates Gitea server-runner communication from other services + gitea-network: + name: gitea-network services: server: image: docker.gitea.com/gitea:1.25.3-rootless networks: - traefik-network + - gitea-network restart: always stop_grace_period: 1m # Allow Gitea time to shut down gracefully @@ -44,7 +48,7 @@ services: - GITEA__server__ROOT_URL=https://gitea.budakova.org/ - GITEA__server__PROTOCOL=http # Traefik handles TLS - GITEA__server__SSH_PORT=2222 - - GITEA__server__SSH_DOMAIN=git.budakova.org # CloudFlare tunnel hostname for SSH access (must not colide with web console hostname) + - GITEA__server__SSH_DOMAIN=git.budakova.org # CloudFlare tunnel hostname for SSH access (must not collide with web console hostname) # Enable Docker Registry support - GITEA__packages__ENABLED=true 
@@ -60,7 +64,7 @@ services: # Web Console - traefik.http.routers.gitea.rule=Host(`gitea.budakova.org`) - traefik.http.routers.gitea.entrypoints=http # using `http` - see notes below - # Note: NOT using `https` entrypoint sincer CloudFlare does SSL offloading + # Note: NOT using `https` entrypoint since CloudFlare does SSL offloading # Also CloudFlare tunnel rejects Let's Encrypt cert since it sees # the server as running at https://10.10.1.200:443 and NOT as `gitea.budakova.org` # - traefik.http.routers.gitea.entrypoints=https @@ -68,10 +72,34 @@ services: # - traefik.http.routers.gitea.tls.certresolver=letsencrypt # Registry (only /v2) - # Not: here we can use `https` since it's not published via CloudFlare - # but via local IP address + # Note: here we can use `https` since it's not published via CloudFlare + # but via local IP address - traefik.http.routers.gitea-registry.entrypoints=https - traefik.http.routers.gitea-registry.rule=Host(`registry.budakova.org`) && PathPrefix(`/v2`) - traefik.http.routers.gitea-registry.tls=true - traefik.http.routers.gitea-registry.tls.certresolver=letsencrypt - traefik.http.routers.gitea-registry.service=gitea + runner: + image: gitea/act-runner:0.2.13 + networks: + - gitea-network + restart: always + depends_on: + - server + + # Resource limits for CI/CD runner + cpus: "2.0" + mem_limit: 4g + mem_reservation: 1g + pids_limit: 512 + + environment: + CONFIG_FILE: /config.yaml + # use service name `server` since both services are on the same `gitea-network` + GITEA_INSTANCE_URL: "http://server:3000/" + GITEA_RUNNER_REGISTRATION_TOKEN: "${REGISTRATION_TOKEN:-cOUnze8BFR5OhW30pcdfCL4oSvSXbsd4PUqDzo6Y}" + GITEA_RUNNER_NAME: "${GITEA_RUNNER_NAME:-gitea-runner-1}" + volumes: + - /home/knee-cola/docker/d-gitea/runner-config.yaml:/config.yaml + - /home/knee-cola/docker/d-gitea/runner-data:/data + - /var/run/docker.sock:/var/run/docker.sock
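Review bot: `GITEA_RUNNER_REGISTRATION_TOKEN` in the new `runner` service carries a hard-coded fallback inside `${REGISTRATION_TOKEN:-…}`, which commits a working secret to the repository and keeps it recoverable from history even after a later rotation; make the variable required instead, `GITEA_RUNNER_REGISTRATION_TOKEN: "${REGISTRATION_TOKEN:?REGISTRATION_TOKEN must be set}"`, and treat the value that is now in the commit as exposed. The `/var/run/docker.sock` bind mount in the same service also weakens the isolation the `gitea-network` comment and the commit message describe: anything executing on the runner, including CI jobs, gets control of the host Docker daemon, and the `cpus`/`mem_limit`/`pids_limit` lines constrain only the runner container, not the job containers it asks the daemon to start as siblings. If docker-socket mode is intentional, per-job limits presumably belong in the mounted `runner-config.yaml` (the act_runner `container` section) rather than here, and a comment next to the mount such as `# runner has host Docker control via docker.sock; only trusted repositories should be allowed to use it` should record the trust assumption. `depends_on: server` only orders container start, so first-boot registration may race Gitea's startup; a readiness `healthcheck` on `server` with `condition: service_healthy` would remove that.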