nathan/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Releases Wiki Activity
homelab/documentation/SOPs/SOP-003-Gitea-Actions-Runner-Setup.md
Nathan 92b7ffce74
Some checks failed
Auto-Deploy Changed Stacks / deploy (push) Failing after 4s
Details
feat: update auto-deploy workflow to use Komodo API and remove webhook dependency
2026-06-02 12:23:21 -04:00

201 lines
5.7 KiB
Markdown
Raw Blame History

# SOP-003: Gitea Actions Runner Setup (Heimdall)
**Status:** Active
**Created:** June 2, 2026
**Last Updated:** June 2, 2026
**Owner:** Nathan Castaldi
**Applies To:** Gitea Actions auto-deploy workflow
---
## Purpose
Install and register a Gitea Actions runner on Heimdall so that the
`.gitea/workflows/auto-deploy.yml` workflow can execute when PRs are merged
to `main`. The runner calls the Komodo REST API to redeploy any stack whose
folder changed in the push — no per-stack webhook URLs required.
---
## Prerequisites
- [ ] SSH access to Heimdall (`10.0.0.151`)
- [ ] Docker and Docker Compose running on Heimdall
- [ ] Gitea instance accessible at `https://git.castaldifamily.com`
- [ ] Admin or repo-owner access to the `nathan/homelab` Gitea repository
- [ ] Komodo service user created with Stack → Execute permissions (see [Step 4](#step-4--create-komodo-service-user-and-api-key))
- [ ] API key + secret copied and ready to add as Gitea secrets
---
## Step 1 — Retrieve a Runner Registration Token
1. In Gitea, go to **Repository**`nathan/homelab`**Settings****Actions****Runners**
2. Click **Create new Runner**
3. Copy the **registration token** — you will need it in Step 3
> **Note:** Tokens are single-use. If you lose it, generate a new one.
---
## Step 2 — Create the Runner Compose File on Heimdall
SSH into Heimdall and create the runner stack directory:
```bash
mkdir -p /opt/gitea-runner
```
Create `/opt/gitea-runner/compose.yaml`:
```yaml
name: gitea-runner
services:
runner:
image: gitea/act_runner:latest
container_name: gitea-runner
restart: unless-stopped
environment:
GITEA_INSTANCE_URL: "https://git.castaldifamily.com"
GITEA_RUNNER_REGISTRATION_TOKEN: "${GITEA_RUNNER_REGISTRATION_TOKEN}"
GITEA_RUNNER_NAME: "heimdall-runner"
GITEA_RUNNER_LABELS: "ubuntu-latest:docker://node:20-bullseye-slim"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- runner-data:/data
volumes:
runner-data:
```
Create `/opt/gitea-runner/.env`:
```env
GITEA_RUNNER_REGISTRATION_TOKEN=<paste token from Step 1>
```
> **Security:** The `.env` file contains a credential. Do not commit it to Git.
> The token is consumed on first registration; after that the runner stores its
> own credentials in the `runner-data` volume.
---
## Step 3 — Start the Runner
```bash
cd /opt/gitea-runner
docker compose up -d
```
Watch the startup logs to confirm registration:
```bash
docker compose logs -f runner
```
Expected output (within ~10 seconds):
```
INFO Registering runner ... runner=heimdall-runner
INFO Runner registered successfully.
INFO Starting runner ... name=heimdall-runner
```
Verify the runner appears in Gitea:
- Go to **Repository****Settings****Actions****Runners**
- `heimdall-runner` should show **Online**
---
## Step 4 — Create Komodo Service User and API Key
The workflow authenticates to Komodo using a dedicated service user with
minimal permissions. Do not use your personal admin account.
### 4a — Create the service user
1. Log into Komodo UI (`https://komodo.castaldifamily.com`)
2. Go to **Settings****Users****New User**
3. Set type to **Service**
4. Name it something like `gitea-ci`
5. Grant **Execute** permission on **Stacks** only — no write or delete access
6. Save the user
### 4b — Generate an API key
1. Open the `gitea-ci` user → **Api Keys****New Api Key**
2. Copy both the **key** and the **secret** immediately — the secret is not shown again
### 4c — Add secrets to Gitea
In Gitea: **Repository****Settings****Secrets and Variables****Actions****New secret**
Add all three:
| Secret name | Value |
|---|---|
| `KOMODO_URL` | `https://komodo.castaldifamily.com` |
| `KOMODO_API_KEY` | API key from step 4b |
| `KOMODO_API_SECRET` | API secret from step 4b |
> **Security:** Never commit these values to the repo. The workflow reads them
> from Gitea secrets at runtime.
---
## Step 5 — Verify End-to-End
1. Make a trivial change to any stack folder (e.g., add a blank line to
`nodes/heimdall/sonarr/compose.yaml`)
2. Commit and push directly to `main` (or merge a PR)
3. In Gitea, go to **Repository****Actions** — the `Auto-Deploy Changed Stacks` run should appear
4. Click the run → expand the **Detect changed stacks and trigger Komodo webhooks** step
5. Confirm output resembles:
```
=== Changed files ===
nodes/heimdall/sonarr/compose.yaml
Queued for deploy: sonarr (node: heimdall)
=== Triggering Komodo deployments ===
→ sonarr ... HTTP 200 OK
All deployments triggered successfully.
```
6. In Komodo UI, verify the `sonarr` stack shows a recent deployment event
---
## Troubleshooting
| Symptom | Check |
|---|---|
| Runner shows **Offline** in Gitea | `docker compose logs runner` on Heimdall; check `GITEA_INSTANCE_URL` reachability |
| Job never picks up | Runner label must match `runs-on` in the workflow (`ubuntu-latest`) |
| `HTTP 401` / `403` on DeployStack call | Check `KOMODO_API_KEY` / `KOMODO_API_SECRET` secrets are set correctly in Gitea |
| `HTTP 404` on DeployStack call | Stack name in repo folder does not match the name registered in Komodo UI |
| `HTTP 404` logged as WARNING, not failure | Expected — stack exists in repo but isn't registered in Komodo yet |
| Job shows `HEAD~1` diff error | Ensure `fetch-depth: 2` is set in the checkout step |
---
## Rollback
To stop the runner without removing its registration:
```bash
cd /opt/gitea-runner && docker compose stop runner
```
To fully deregister and remove:
```bash
cd /opt/gitea-runner && docker compose down -v
```
Then delete the runner from **Gitea → Repository → Settings → Actions → Runners**.
Reference in New Issue View Git Blame Copy Permalink