qvest-task/ansible/setup-runner.yml

---
- name: Setup Gitea Actions Runner
  hosts: gitea
  become: true
  vars:
    runner_version: "0.2.10"
    runner_binary: "/usr/local/bin/act_runner"
    runner_count: 2
    gitea_instance: "http://localhost:3000"
    secret_name: "qvest-task-db-credentials"
    aws_region: "eu-central-1"
    # Registration token must be provided via command line or AWS Secrets Manager
    # ansible-playbook setup-runner.yml -e "gitea_runner_token=YOUR_TOKEN"

  tasks:
    - name: Download act_runner binary
      ansible.builtin.get_url:
        url: "https://dl.gitea.com/act_runner/{{ runner_version }}/act_runner-{{ runner_version }}-linux-amd64"
        dest: "{{ runner_binary }}"
        mode: "0755"

    - name: Create runner config directories
      ansible.builtin.file:
        path: "/etc/act_runner-{{ item }}"
        state: directory
        mode: "0755"
      with_sequence: start=1 end={{ runner_count }}

    - name: Create runner data directories
      ansible.builtin.file:
        path: "/var/lib/act_runner-{{ item }}"
        state: directory
        mode: "0755"
      with_sequence: start=1 end={{ runner_count }}

    - name: Check if runners are already registered
      ansible.builtin.stat:
        path: "/etc/act_runner-{{ item }}/.runner"
      register: runner_configs
      with_sequence: start=1 end={{ runner_count }}

    - name: Fetch Gitea runner token from AWS Secrets Manager
      ansible.builtin.shell: |
        set -o pipefail
        aws secretsmanager get-secret-value \
          --secret-id "{{ secret_name }}" \
          --region "{{ aws_region }}" \
          --query SecretString \
          --output text | jq -r '.gitea_runner_token // empty'        
      args:
        executable: /bin/bash
      register: secrets_output
      when:
        - gitea_runner_token is not defined
        - runner_configs.results | selectattr('stat.exists', 'equalto', false) | list | length > 0
      changed_when: false
      failed_when: false

    - name: Set runner token from Secrets Manager
      ansible.builtin.set_fact:
        gitea_runner_token: "{{ secrets_output.stdout }}"
      when:
        - gitea_runner_token is not defined
        - secrets_output.stdout is defined
        - secrets_output.stdout | length > 0

    - name: Register runners with Gitea
      ansible.builtin.shell: |
        {{ runner_binary }} register \
          --instance {{ gitea_instance }} \
          --token {{ gitea_runner_token }} \
          --name {{ ansible_hostname }}-runner-{{ item }} \
          --no-interactive        
      args:
        chdir: "/etc/act_runner-{{ item }}"
      when:
        - gitea_runner_token is defined
        - gitea_runner_token | length > 0
        - not runner_configs.results[item | int - 1].stat.exists
      with_sequence: start=1 end={{ runner_count }}
      register: runner_registrations
      changed_when: runner_registrations.rc == 0

    - name: Create runner config files
      ansible.builtin.copy:
        dest: "/etc/act_runner-{{ item }}/config.yaml"
        content: |
          log:
            level: info
          runner:
            file: .runner
            capacity: 1
            timeout: 3h
          container:
            network: host
            privileged: false
            options: 
            workdir_parent:          
        mode: "0644"
      with_sequence: start=1 end={{ runner_count }}

    - name: Display registration warning if token not provided
      ansible.builtin.debug:
        msg: "Runner registration skipped - no token provided. Re-run with -e gitea_runner_token=TOKEN"
      when:
        - gitea_runner_token is not defined or gitea_runner_token | length == 0
        - runner_configs.results | selectattr('stat.exists', 'equalto', false) | list | length > 0

    - name: Create systemd services for runners
      ansible.builtin.copy:
        dest: "/etc/systemd/system/act_runner-{{ item }}.service"
        content: |
          [Unit]
          Description=Gitea Actions Runner {{ item }}
          After=network.target docker.service
          Requires=docker.service

          [Service]
          Type=simple
          ExecStart={{ runner_binary }} daemon --config config.yaml
          WorkingDirectory=/etc/act_runner-{{ item }}
          Restart=always
          RestartSec=10
          User=root

          [Install]
          WantedBy=multi-user.target          
        mode: "0644"
      with_sequence: start=1 end={{ runner_count }}
      register: runner_services
      notify: Reload systemd daemon

    - name: Enable and start runner services
      ansible.builtin.systemd:
        name: "act_runner-{{ item }}"
        enabled: true
        state: started
      with_sequence: start=1 end={{ runner_count }}
      when: >
        runner_configs.results[item | int - 1].stat.exists or
        (runner_registrations.results is defined and
         runner_registrations.results[item | int - 1].changed | default(false))        

    - name: Display runner status
      ansible.builtin.debug:
        msg: "Deployed {{ runner_count }} runners. Services: act_runner-1 to act_runner-{{ runner_count }}"

  handlers:
    - name: Reload systemd daemon
      ansible.builtin.systemd:
        daemon_reload: true