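---
# Persistent storage for the act_runner container (mounted at /data in the
# StatefulSet below).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: gitea-act-runner
  namespace: gitea
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# act_runner configuration; the StatefulSet mounts this ConfigMap at
# /actrunner and points CONFIG_FILE at /actrunner/config.yaml.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-act-runner-config
  namespace: gitea
data:
  # SECURITY: container.options is applied to every job container. It
  # bind-mounts /certs and sets DOCKER_HOST / DOCKER_CERT_PATH, so any workflow
  # scheduled on this runner can issue Docker API calls to the privileged dind
  # daemon. Treat the runner as trusted-code-only: limit which repositories and
  # users can target it.
  # NOTE(review): /certs is also the daemon's DOCKER_TLS_CERTDIR, while jobs
  # only reference /certs/client. Consider narrowing valid_volumes and the -v
  # mount to /certs/client -- verify that jobs still connect before rolling out.
  config.yaml: |
    log:
      level: info
    cache:
      enabled: false
    container:
      valid_volumes:
        - /certs
      options: |
        --add-host=docker:host-gateway -v /certs:/certs -e "DOCKER_HOST=tcp://docker:2376/" -e "DOCKER_TLS_VERIFY=1" -e "DOCKER_CERT_PATH=/certs/client"
---
# Docker daemon configuration, mounted into the dind container at /etc/docker.
apiVersion: v1
kind: ConfigMap
metadata:
  name: gitea-docker-daemon-config
  namespace: gitea
data:
  # SECURITY: "insecure-registries" lets the daemon use this registry over
  # plain HTTP / without certificate verification, so image pushes, pulls and
  # registry credentials are not protected in transit. Acceptable only on a
  # trusted cluster network; prefer serving the Gitea registry over TLS and
  # dropping this entry.
  daemon.json: |
    {
      "insecure-registries": ["gitea-http.gitea.svc.cluster.local:3000"]
    }
---
# Runner pod: act_runner plus a Docker-in-Docker sidecar. The two containers
# share the pod network (127.0.0.1:2376) and the TLS client certificates that
# the daemon writes into the docker-certs emptyDir.
# NOTE(review): serviceName refers to a Service that is not defined in this
# file -- confirm it exists in the cluster.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: gitea-act-runner-dind
  namespace: gitea
spec:
  replicas: 1
  selector:
    matchLabels:
      app: gitea-act-runner-dind
  serviceName: gitea-act-runner-dind
  template:
    metadata:
      labels:
        app: gitea-act-runner-dind
    spec:
      containers:
        - name: runner
          # SUPPLY CHAIN: "nightly" is a mutable tag, so the code running with
          # the registration token can change on any pod restart. Pin a
          # release tag or an image digest (<RELEASE_TAG_OR_DIGEST>) once a
          # version has been vetted.
          image: docker.io/gitea/act_runner:nightly
          env:
            - name: DOCKER_HOST
              value: 'tcp://127.0.0.1:2376'
            - name: DOCKER_CERT_PATH
              value: '/certs/client'
            - name: DOCKER_TLS_VERIFY
              value: '1'
            - name: ZOMBIE_TASK_TIMEOUT
              value: '30m'
            # The token is read from a Secret that must already exist in this
            # namespace; it is not created by this manifest.
            - name: GITEA_RUNNER_REGISTRATION_TOKEN
              valueFrom:
                secretKeyRef:
                  name: gitea-runner-registration-token
                  key: token
            # SECURITY: plain HTTP -- the runner talks to Gitea unencrypted
            # inside the cluster. Use an HTTPS endpoint if the cluster network
            # is not fully trusted.
            - name: GITEA_INSTANCE_URL
              value: 'http://gitea-http.gitea.svc.cluster.local:3000'
            # CONFIG_FILE was declared twice (/config.yaml, then
            # /actrunner/config.yaml). Duplicate env names are ambiguous and
            # are rejected or warned about by apply tooling; only the path
            # that matches the ConfigMap mount below is kept.
            - name: CONFIG_FILE
              value: '/actrunner/config.yaml'
          volumeMounts:
            - name: gitea-act-runner-data
              mountPath: /data
            - name: docker-certs
              mountPath: /certs/client
            - name: gitea-act-runner-config
              mountPath: /actrunner
        - name: daemon
          image: docker:27.1.2-dind
          env:
            - name: DOCKER_TLS_CERTDIR
              value: '/certs'
            - name: DOCKER_HOST
              value: 'tcp://127.0.0.1:2376'
            - name: DOCKER_TLS_VERIFY
              value: '1'
          # SECURITY: a privileged container is not isolated from the node.
          # Combined with job containers that can reach this daemon, workflow
          # code should be assumed able to affect the host. Schedule this pod
          # on dedicated nodes that hold no other sensitive workloads, and
          # keep the runner restricted to trusted repositories.
          securityContext:
            privileged: true
          volumeMounts:
            - name: docker-certs
              mountPath: /certs/client
            - name: gitea-docker-daemon-config
              mountPath: /etc/docker
      volumes:
        # Shared between the two containers so the runner can read the client
        # certificates; emptyDir contents are discarded when the pod goes away.
        - name: docker-certs
          emptyDir: {}
        - name: gitea-act-runner-config
          configMap:
            name: gitea-act-runner-config
        - name: gitea-act-runner-data
          persistentVolumeClaim:
            claimName: gitea-act-runner
        - name: gitea-docker-daemon-config
          configMap:
            name: gitea-docker-daemon-config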