Implement Gitea Actions runner substrate

runner/README.md

@@ -0,0 +1,24 @@
+# Runner Templates
+
+This directory contains non-secret templates for the first forge-owned Gitea
+Actions runner.
+
+Use `docs/gitea-actions-runner-substrate.md` as the authoritative runbook. The
+templates here are intentionally examples because the final host paths,
+installer, and generated `act_runner` config must come from the attended runner
+host.
+
+Files:
+
+- `act-runner.env.example` documents the non-secret environment shape and the
+  approved token file reference.
+- `act-runner.service.example` is a systemd service skeleton for a binary
+  `act_runner` installation.
+- `act-runner.openrc.example` is an OpenRC service skeleton for Alpine-style
+  hosts such as haskelseed.
+- `act-runner-haskelseed.openrc.example` matches the current haskelseed
+  registration layout, where `/root/.runner` already exists and `act_runner`
+  runs from `/root`.
+
+Do not commit `.runner`, generated configs containing host-specific state, token
+files, logs with secret material, or downloaded runner binaries.

runner/act-runner-haskelseed.openrc.example

@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name="Railiance haskelseed Gitea Actions runner"
+description="Forge-owned haskelseed Gitea act_runner service"
+command="/usr/local/bin/act_runner"
+command_args="daemon"
+command_user="root:root"
+directory="/root"
+pidfile="/run/act_runner.pid"
+command_background="yes"
+output_log="/var/log/act_runner.log"
+error_log="/var/log/act_runner.err"
+
+depend() {
+	need net nix-daemon
+	after firewall
+}

runner/act-runner.env.example

@@ -0,0 +1,7 @@
+# Copy to a host-local path such as /etc/act_runner/railiance.env.
+# Do not commit the copied file if it contains host-specific secret references.
+
+GITEA_INSTANCE_URL=https://gitea.coulomb.social/
+GITEA_RUNNER_NAME=railiance-haskelseed-build-01
+GITEA_RUNNER_LABELS=self-hosted:host,haskelseed:host,linux:host,linux_amd64:host,container-build:host,registry-publish:host
+GITEA_RUNNER_REGISTRATION_TOKEN_FILE=/run/secrets/railiance/gitea-act-runner-registration-token

runner/act-runner.openrc.example

@@ -0,0 +1,17 @@
+#!/sbin/openrc-run
+
+name="Railiance Gitea Actions runner"
+description="Forge-owned Gitea act_runner service"
+command="/usr/local/bin/act_runner"
+command_args="daemon --config /etc/act_runner/config.yaml"
+command_user="act_runner:act_runner"
+directory="/var/lib/act_runner"
+pidfile="/run/act_runner.pid"
+command_background="yes"
+output_log="/var/log/act_runner.log"
+error_log="/var/log/act_runner.err"
+
+depend() {
+	need net
+	after firewall
+}

runner/act-runner.service.example

@@ -0,0 +1,21 @@
+[Unit]
+Description=Railiance Gitea Actions runner
+Documentation=https://docs.gitea.com/usage/actions/act-runner
+After=network-online.target docker.service
+Wants=network-online.target
+
+[Service]
+Type=simple
+User=act_runner
+Group=act_runner
+WorkingDirectory=/var/lib/act_runner
+EnvironmentFile=-/etc/act_runner/railiance.env
+ExecStart=/usr/local/bin/act_runner daemon --config /etc/act_runner/config.yaml
+ExecReload=/bin/kill -s HUP $MAINPID
+TimeoutSec=0
+Restart=always
+RestartSec=10
+NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target