apiVersion: v1
stringData:
  token: {{ .Values.forge.secret }}
kind: Secret
metadata:
  name: runner-secret
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forge
  labels:
    app: forge
spec:
  replicas: 1
  selector:
    matchLabels:
      app: forge
  template:
    metadata:
      labels:
        app: forge
    spec:
      containers:
        - name: forgejo
          image: codeberg.org/forgejo/forgejo:11
          ports:
            - name: http-port
              containerPort: 3000
            - name: ssh-port
              containerPort: 22222
          volumeMounts:
            - name: local-tz
              mountPath: /etc/timezone
              readOnly: true
            - name: local-lt
              mountPath: /etc/localtime
              readOnly: true
            - name: persistence
              mountPath: /data
          env:
            - name: USER_UID
              value: "1000"
            - name: USER_GID
              value: "1000"
            - name: FORGEJO__database__DB_TYPE
              value: "postgres"
            - name: FORGEJO__database__HOST
              value: "postgres:5432"
            - name: FORGEJO__database__NAME
              value: "forgejo"
            - name: FORGEJO__database__USER
              value: {{ .Values.pg.user }}
            - name: FORGEJO__database__PASSWD
              value: {{ .Values.pg.pass }}
      volumes:
        - name: local-tz
          persistentVolumeClaim:
            claimName: forge-tz-pvc
        - name: local-lt
          persistentVolumeClaim:
            claimName: forge-lt-pvc
        - name: persistence
          persistentVolumeClaim:
            claimName: forge-persistence-pvc
---
apiVersion: v1
kind: Service
metadata:
  name: forge
  labels:
    app: forge
spec:
  clusterIP: None
  ports:
    - name: http-port
      port: 3000
      targetPort: http-port
      protocol: TCP
    - name: ssh-port
      port: 22222
      targetPort: 22222
  selector:
    app: forge
---
apiVersion: v1
kind: PersistentVolume
metadata:
   name: forge-tz
   labels:
     pvc_type: forge-tz
spec:
  capacity:
    storage: 10Mi
  accessModes:
   - ReadOnlyMany
  persistentVolumeReclaimPolicy: Retain
  hostPath:
   path: /etc/timezone
---
apiVersion: v1
kind: PersistentVolume
metadata:
   name: forge-lt
   labels:
     pvc_type: forge-lt
spec:
  capacity:
    storage: 10Mi
  accessModes:
   - ReadOnlyMany
  persistentVolumeReclaimPolicy: Retain
  hostPath:
   path: /etc/localtime
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: forge-tz-pvc
spec:
  accessModes:
    - ReadOnlyMany
  volumeMode: Filesystem
  storageClassName: ""
  volumeName: forge-tz
  resources:
    requests:
      storage: 10Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: forge-lt-pvc
spec:
  accessModes:
    - ReadOnlyMany
  volumeMode: Filesystem
  storageClassName: ""
  volumeName: forge-lt
  resources:
    requests:
      storage: 10Mi
---
apiVersion: v1
kind: PersistentVolume
metadata:
   name: forge-persistence-pv
   labels:
     pvc_type: forge-persistence-pv
spec:
  capacity:
    storage: 1000Gi
  accessModes:
   - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  hostPath:
   path: {{ .Values.forge.path }}
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: forge-persistence-pvc
spec:
  accessModes:
    - ReadWriteOnce
  volumeMode: Filesystem
  storageClassName: ""
  volumeName: forge-persistence-pv
  resources:
    requests:
      storage: 1000Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: forgejo-runner
  labels:
    app: forgejo-runner
spec:
  replicas: 2
  selector:
    matchLabels:
      app: forgejo-runner
  template:
    metadata:
      name: forgejo-runner
      labels:
        app: forgejo-runner
    spec:
      automountServiceAccountToken: false
      restartPolicy: Always
      initContainers:
        - name: runner-register
          image: code.forgejo.org/forgejo/runner:6.4.0
          command:
            - /bin/bash
            - -c
          args:
            - |
              while : ; do
                forgejo-runner register --no-interactive --token $(RUNNER_SECRET) --name $(RUNNER_NAME) --instance $(FORGEJO_INSTANCE_URL) && break ;
                sleep 1 ;
              done ;
              forgejo-runner generate-config > /data/config.yml ;
              sed -i -e "s|network: .*|network: host|" config.yml ;
              sed -i -e "s|^  envs:$$|  envs:\n    DOCKER_HOST: tcp://localhost:2376\n    DOCKER_TLS_VERIFY: 1\n    DOCKER_CERT_PATH: /certs/client|" config.yml ;
              sed -i -e "s|^  options:|  options: -v /certs/client:/certs/client|" config.yml ;
              sed -i -e "s|  valid_volumes: \[\]$$|  valid_volumes:\n    - /certs/client|" config.yml
          env:
            - name: RUNNER_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: RUNNER_SECRET
              valueFrom:
                secretKeyRef:
                  name: runner-secret
                  key: token
            - name: FORGEJO_INSTANCE_URL
              value: http://forge:3000
          resources:
            limits:
              cpu: '0.5'
              ephemeral-storage: 100Mi
              memory: 64Mi
            requests:
              cpu: 100m
              ephemeral-storage: '0'
              memory: 64Mi
          volumeMounts:
            - name: runner-data
              mountPath: /data
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
      containers:
        - name: runner
          image: code.forgejo.org/forgejo/runner:6.4.0
          command:
            - /bin/bash
            - -c
          args:
            - |
              while ! nc -z localhost 2376 </dev/null ; do
                echo 'waiting for docker daemon...' ;
                sleep 5 ;
                done ;
              forgejo-runner --config config.yml daemon
          env:
            - name: DOCKER_HOST
              value: tcp://localhost:2376
            - name: DOCKER_CERT_PATH
              value: /certs/client
            - name: DOCKER_TLS_VERIFY
              value: '1'
          resources:
            limits:
              cpu: '4'
              ephemeral-storage: 5Gi
              memory: 8Gi
            requests:
              cpu: 100m
              ephemeral-storage: '0'
              memory: 64Mi
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
            - name: runner-data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            privileged: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            seccompProfile:
              type: RuntimeDefault
        - name: daemon
          image: docker.io/docker:28.3.0-dind
          env:
            - name: DOCKER_TLS_CERTDIR
              value: /certs
          resources:
            limits:
              cpu: '1'
              ephemeral-storage: 3Gi
              memory: 4Gi
            requests:
              cpu: 100m
              ephemeral-storage: '0'
              memory: 64Mi
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-certs
              mountPath: /certs
      volumes:
        - name: docker-certs
          emptyDir: {}
        - name: runner-data
          emptyDir: {}
        - name: tmp
          emptyDir: {}