From 880f16231983f39f5dba6c5a11399c7f385aaffe Mon Sep 17 00:00:00 2001
From: Kristian Klausen <kristian@klausen.dk>
Date: Mon, 7 Jun 2021 00:44:53 +0200
Subject: [PATCH] gitlab_runner: Check runner configuration into git

Fix #193
---
 .../misc}                                     |  0
 .../vault_gitlab_runner.yml                   |  8 ++++
 .../misc}                                     |  0
 .../vault_gitlab_runner.yml                   |  8 ++++
 .../misc}                                     |  0
 .../vault_gitlab_runner.yml                   |  8 ++++
 roles/gitlab_runner/tasks/main.yml            | 46 ++++++-------------
 roles/gitlab_runner/templates/config.toml.j2  | 25 ++++++++++
 8 files changed, 64 insertions(+), 31 deletions(-)
 rename host_vars/{runner1.archlinux.org => runner1.archlinux.org/misc} (100%)
 create mode 100644 host_vars/runner1.archlinux.org/vault_gitlab_runner.yml
 rename host_vars/{runner2.archlinux.org => runner2.archlinux.org/misc} (100%)
 create mode 100644 host_vars/runner2.archlinux.org/vault_gitlab_runner.yml
 rename host_vars/{secure-runner1.archlinux.org => secure-runner1.archlinux.org/misc} (100%)
 create mode 100644 host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml
 create mode 100644 roles/gitlab_runner/templates/config.toml.j2

diff --git a/host_vars/runner1.archlinux.org b/host_vars/runner1.archlinux.org/misc
similarity index 100%
rename from host_vars/runner1.archlinux.org
rename to host_vars/runner1.archlinux.org/misc
diff --git a/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml b/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 000000000..6fd5b8ef4
--- /dev/null
+++ b/host_vars/runner1.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+33613230393739666464663864633664666338396131346666303534373135613631356135393866
+6165346464343566343032313164353633356438623138620a306162643638633531386535333130
+65373661383734663531323234323263663138303731383464333132623730383638343064366234
+6264633765363861390a623434386134316264366665623130643536313038383463383032366638
+34306266373938663633626461373766383035376236653363346163326435396361313836666631
+31636139363737633336643664316538366133313262393434393234386636626434393430376636
+653137373335333937386137323535353938
diff --git a/host_vars/runner2.archlinux.org b/host_vars/runner2.archlinux.org/misc
similarity index 100%
rename from host_vars/runner2.archlinux.org
rename to host_vars/runner2.archlinux.org/misc
diff --git a/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml b/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 000000000..37971caab
--- /dev/null
+++ b/host_vars/runner2.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+62663133393864666235656235346435626566316537623765373666353161626666323732323062
+3065356564313737323736633138393863636638333131320a336365626666383636643966316330
+33303037366433336261336661656465383537653863646538643533666661353638633461346533
+3466356662356466660a396531316463626231643936643664346563613335663231346138616232
+39313162613963326130316135643463376534666133303661623264393736666131393937653863
+31386466353763393331326261356262643034383761613465383966373164616133323435373730
+613064313337666432313632346537636466
diff --git a/host_vars/secure-runner1.archlinux.org b/host_vars/secure-runner1.archlinux.org/misc
similarity index 100%
rename from host_vars/secure-runner1.archlinux.org
rename to host_vars/secure-runner1.archlinux.org/misc
diff --git a/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml b/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml
new file mode 100644
index 000000000..aad75d21f
--- /dev/null
+++ b/host_vars/secure-runner1.archlinux.org/vault_gitlab_runner.yml
@@ -0,0 +1,8 @@
+$ANSIBLE_VAULT;1.1;AES256
+31333936383066376136343839326334316462333865343863323264393338636631393235386633
+3561333634326331643032313733346464616666646330370a303832346662613335646365333039
+38336166306633396231363661306438353962333039623465313636633534383266613965373434
+6133343164623538610a363533303239373939316666653933323365303633663437666561623463
+30316663626536666334376361326630326565336137336336646263386637616132363039656234
+38616535646363336533616434386564333239333832383136653933663963333434353139616163
+353333323466636166613861386239313431
diff --git a/roles/gitlab_runner/tasks/main.yml b/roles/gitlab_runner/tasks/main.yml
index 88d9cc094..8bb1d5171 100644
--- a/roles/gitlab_runner/tasks/main.yml
+++ b/roles/gitlab_runner/tasks/main.yml
@@ -30,38 +30,22 @@
   tags:
     - firewall
 
-- name: register gitlab-runner
-  command: >
-    gitlab-runner register
-    --non-interactive
-    --url=https://gitlab.archlinux.org/
-    --docker-image=alpine:latest
-    --tag-list=docker
-    --registration-token="{{ vault_gitlab_runner_registration_token }}"
-    --executor=docker
-    --description="{{ inventory_hostname }}"
-    --run-untagged=false
-    --docker-tlsverify=true
-    --locked=false
-    --access-level=not_protected
-  args:
-    creates: /etc/gitlab-runner/config.toml
 
-- name: increase concurrency
-  lineinfile:
-    path: /etc/gitlab-runner/config.toml
-    owner: root
-    group: root
-    mode: 0600
-    regexp: '^concurrent = .*'
-    line: concurrent = 100
-  notify: restart gitlab-runner
-
-- name: enable prometheus exporter
-  lineinfile:
-    path: /etc/gitlab-runner/config.toml
-    insertbefore: '^concurrent'
-    line: listen_address = ":{{ gitlab_runner_exporter_port }}"
+# Please register the runner with this command and save the token as a host var:
+# gitlab-runner register \
+#   --non-interactive \
+#   --url=https://gitlab.archlinux.org/ \
+#   --docker-image=archlinux:latest \
+#   --tag-list=docker \ # Use docker,secure for secure runners
+#   --registration-token="{{ vault_gitlab_runner_registration_token }}" \
+#   --executor=docker \
+#   --description="{{ inventory_hostname }}" \
+#   --run-untagged=true \ # Use false for secure runners
+#   --locked=false \ # Use true for secure runners
+#   --access-level=not_protected # Use ref_protected for secure runners
+# Note: Secure runners must be added manually to the relevant projects
+- name: install runner configuration
+  template: src=config.toml.j2 dest=/etc/gitlab-runner/config.toml owner=root group=root mode=0600
   notify: restart gitlab-runner
 
 - name: install gitlab-runner-docker-cleanup.{service,timer}
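Review bot: The documented register command does not survive copy-paste: on `--tag-list=docker \ # Use docker,secure for secure runners` the backslash is followed by a space, so it escapes the space rather than the newline, the shell treats `# ...` as a comment and ends the command there, and the remaining options starting with `--registration-token=...` would run as a separate command, putting the token on a command line by itself. The `--run-untagged=true` and `--locked=false` lines have the same trailing-comment problem. Move the per-runner variants above the command, e.g. `# Secure runners: --tag-list=docker,secure --run-untagged=false --locked=true --access-level=ref_protected`, and end each continued line with a bare `\`. The comment also silently drops the `--docker-tlsverify=true` that the removed task passed; if that setting now lives only in the template, a one-line note saying so would keep the two in sync.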
diff --git a/roles/gitlab_runner/templates/config.toml.j2 b/roles/gitlab_runner/templates/config.toml.j2
new file mode 100644
index 000000000..4752005a3
--- /dev/null
+++ b/roles/gitlab_runner/templates/config.toml.j2
@@ -0,0 +1,25 @@
+concurrent = 100
+check_interval = 0
+listen_address = ":9252"
+
+[session_server]
+  session_timeout = 1800
+
+[[runners]]
+  name = "{{ inventory_hostname }}"
+  url = "https://gitlab.archlinux.org"
+  token = "{{ vault_gitlab_runner_token }}"
+  executor = "docker"
+  [runners.custom_build_dir]
+  [runners.cache]
+    [runners.cache.s3]
+    [runners.cache.gcs]
+  [runners.docker]
+    tls_verify = false
+    image = "archlinux:latest"
+    privileged = false
+    disable_entrypoint_overwrite = false
+    oom_kill_disable = false
+    disable_cache = false
+    volumes = ["/cache"]
+    shm_size = 0
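Review bot: `tls_verify = false` under `[runners.docker]` reverses the `--docker-tlsverify=true` the removed registration task in the main.yml hunk passed, and the commit does not say whether that is intended; the flag is inert while the runner talks to Docker over the local socket, but if a TCP `host` is ever set here it would disable certificate checking of the daemon connection, so either restore `tls_verify = true` or add a comment stating why verification is off. `listen_address = ":9252"` also hardcodes the exporter port that the removed lineinfile task took from `gitlab_runner_exporter_port`; if that variable is still used by the firewall task, reuse it here as `listen_address = ":{{ gitlab_runner_exporter_port }}"` so the two cannot drift. The empty `[runners.custom_build_dir]`, `[runners.cache]`, `[runners.cache.s3]` and `[runners.cache.gcs]` headers carry no keys and can be dropped, and keys under table headers are conventionally left unindented.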
-- 
GitLab