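---
# values.yaml — Gitea Actions runner with DinD over shared Unix socket (no TCP, no TLS)
#
# NOTE(review): this file had been collapsed onto two physical lines, which made
# everything after the first "#" a comment. The nesting below is reconstructed
# from key order; confirm it against the chart's own values.yaml before applying.
#
# NOTE(review): image tags are mutable references. If the deployment workflow
# allows it, pin the runner, dind, init and job images by digest so a re-pushed
# tag cannot change what runs with access to the Docker daemon.
enabled: true

statefulset:
  replicas: 3
  annotations: {}
  labels: {}
  resources: {}
  nodeSelector: {}
  tolerations: []
  affinity: {}

  # Share only the docker.sock file between dind and act-runner
  extraVolumes:
    - name: docker-socket
      emptyDir: {}

  actRunner:
    repository: gitea/act_runner
    # Quoted so the version is always read as a string.
    tag: "0.2.13"
    pullPolicy: IfNotPresent

    # Runner talks to DinD via unix socket; ensure no TLS is used
    extraEnvs:
      - name: DOCKER_HOST
        value: "unix:///var/run/docker.sock"
      - name: DOCKER_BUILDKIT
        value: "1"
      - name: DOCKER_TLS_CERTDIR
        value: ""
      - name: DOCKER_TLS_VERIFY
        value: ""

    # Mount only the socket path, not the entire /var/run (prevents "is a directory" errors)
    # NOTE(review): kubelet creates a subPath that does not exist yet as a
    # directory. On a fresh emptyDir, verify that docker.sock ends up as a socket
    # file at this path in both containers and not as an empty directory.
    extraVolumeMounts:
      - name: docker-socket
        mountPath: /var/run/docker.sock
        subPath: docker.sock

    # Act runner config
    # NOTE(review): container.privileged applies to the job containers that
    # act_runner launches, so every workflow on this runner gets a privileged
    # container. It is needed only when jobs themselves run nested Docker; the
    # dind sidecar's own privilege is set by the chart templates, not here.
    # NOTE(review): the "artemis" label carries no docker:// image. Confirm how
    # act_runner schedules it; if such jobs run inside the runner container, they
    # have direct access to the shared Docker socket. Restrict which repositories
    # can target this runner accordingly.
    config: |
      log:
        level: info
      cache:
        enabled: false
      runner:
        labels:
          - "artemis"
          - "ubuntu-latest:docker://docker.gitea.com/runner-images:ubuntu-latest"
          - "ubuntu-22.04:docker://docker.gitea.com/runner-images:ubuntu-22.04"
          - "ubuntu-20.04:docker://docker.gitea.com/runner-images:ubuntu-20.04"
      container:
        privileged: true  # required for DinD
        require_docker: true  # fail if docker is not reachable
        docker_timeout: 300s

  dind:
    repository: docker
    tag: "28.3.3-dind"
    pullPolicy: IfNotPresent

    # Disable TLS and DO NOT advertise TCP; use only unix socket
    # With TLS off, the only access control on the daemon is who can reach the
    # socket file, i.e. every container that mounts the docker-socket volume.
    extraEnvs:
      - name: DOCKER_TLS_CERTDIR
        value: ""
      # If your nodes require legacy iptables:
      # - name: DOCKER_IPTABLES_LEGACY
      #   value: "1"

    # Share only the docker.sock file
    extraVolumeMounts:
      - name: docker-socket
        mountPath: /var/run/docker.sock
        subPath: docker.sock

    # Explicitly bind dockerd to the unix socket; do not bind tcp://0.0.0.0:2375
    # NOTE(review): confirm the chart actually passes command/args through to the
    # dind container; if it ignores them, the image's default entrypoint decides
    # which listeners are opened.
    command: ["dockerd"]
    args:
      - "--host=unix:///var/run/docker.sock"
      - "--storage-driver=overlay2"

  # Optional: persistence for DinD image layers (default will mount /var/lib/docker inside dind)
  persistence:
    size: 1Gi

init:
  image:
    repository: busybox
    tag: "1.37.0"

# Runner registration token
# Referenced from an existing Secret, so the token itself is not stored in this file.
existingSecret: "gitea-runner-token"
existingSecretKey: "token"

# Root URL of your Gitea
giteaRootURL: "https://git.dgse.cloud"

global:
  imageRegistry: ""
  storageClass: ""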