前言

• 之前搭建的esxi服务器用了半年后还是觉得Arch好用一点，esxi系统自身很难做扩展，可玩行不高，所以装完Arch后将之前的服务器迁移到了物理机，还配置了nginx代理和自签名证书。

自托管gitea服务

安装gitea

• 由于是Arch系统，gitea可以pacman直接安装，所以就不用docker启动服务了，本机配置还能简单点。

sudo pacman -Sy gitea
sudo systemctl enable gitea.service
sudo systemctl status gitea.service

• 安装完成后启动服务，查看服务日志就可以得到gitea的监听端口为本地的3000端口，浏览器打开后完成安装引导和创建管理员用户。

配置gitea

sudo vim /etc/gitea/app.ini

• 我不想gitea对外暴露端口，而是使用nginx统一代理服务，所以将协议改为了unix的socket文件，再配置nginx代理指向/run/gitea/gitea.socket就可以了。

[server]
PROTOCOL = unix
SSH_DOMAIN = git.kali-team.cn
DOMAIN = git.kali-team.cn
HTTP_ADDR = /run/gitea/gitea.socket
ROOT_URL = http://git.kali-team.cn/
APP_DATA_PATH = /var/lib/gitea/data
DISABLE_SSH = false
SSH_PORT = 2222
LFS_START_SERVER = true
OFFLINE_MODE = true

nginx配置

• 使用DigitalOcean的在线生成配置文件https://www.digitalocean.com/community/tools/nginx?global.app.lang=zhCN

sudo pacman -S nginx
sudo systemctl enable nginx.service
sudo systemctl start nginx.service
sudo vim /etc/nginx/nginx.conf
sudo openssl dhparam -out /etc/nginx/dhparam.pem 2048 

• 值得注意的是ssl配置这里需要填写我们的自签名证书信息

server {
    listen              443 ssl;
    listen              [::]:443 ssl;
    server_name         git.kali-team.cn;

    # SSL
    ssl_stapling               on;
    ssl_stapling_verify        on;
    ssl_certificate     /etc/nginx/ssl/git.kali-team.cn.crt;
    ssl_certificate_key /etc/nginx/ssl/git.kali-team.cn.key;
    ssl_trusted_certificate /home/kali-team/.local/share/mkcert/rootCA.pem;

    # security
    include             nginxconfig.io/security.conf;

    # logging
    access_log          /var/log/nginx/access.log combined buffer=512k flush=1m;
    error_log           /var/log/nginx/error.log warn;

    # reverse proxy
    location / {
        proxy_pass            http://unix:/run/gitea/gitea.socket:/;
        proxy_set_header Host $host;
        include               nginxconfig.io/proxy.conf;
    }

    # additional config
    include nginxconfig.io/general.conf;
}

# subdomains redirect
server {
    listen              443 ssl;
    listen              [::]:443 ssl;
    server_name         *.git.kali-team.cn;

    # SSL
    ssl_certificate     /etc/nginx/ssl/git.kali-team.cn.crt;
    ssl_certificate_key /etc/nginx/ssl/git.kali-team.cn.key;
    # ssl_trusted_certificate /home/kali-team/.local/share/mkcert/rootCA.pem
    return              301 https://git.kali-team.cn$request_uri;
}

# HTTP redirect
server {
    listen      80;
    listen      [::]:80;
    server_name .git.kali-team.cn;
    return      301 https://git.kali-team.cn$request_uri;
}

自签名证书

• 这里使用mkcert快速生产本地测试的自签名证书，生成证书的时候不用root权限，但是将根证书加入系统需要root权限，如果提示需要root密码需要输入一下。

sudo pacman -S mkcert nss
mkcert -install
mkcert -CAROOT

• 安装后可以查看当前用户的CAROOT文件夹有你生成的根证书，也就是上面nginx配置的ssl_trusted_certificate路径。

@arch ➜ ~  mkcert -CAROOT
/home/kali-team/.local/share/mkcert
@arch ➜ ~  ls /home/kali-team/.local/share/mkcert
󰌆 rootCA-key.pem  󰌆 rootCA.pem
@arch ➜ ~  

• 使用下面命令生成指定域名的测试证书，要是你创建根证书这个用户执行，再将证书移动到nginx证书配置文件夹。

mkcert -cert-file git.kali-team.cn.crt -key-file git.kali-team.cn.key git.kali-team.cn 127.0.0.1
sudo mv git.kali-team.cn.* /etc/nginx/ssl

• 重启nginx服务后可以发现curl和浏览器都信任了当前的证书。

Action Runner

• 平时写点rust项目,经常用到ci自动编译和发布docker，之前都习惯使用github的action编译，发现gitea的大部分workflow其实是兼容github的，所以也将一部分自己代码迁移回gitea编译。
• 当然要想使用action runner，必须在上面提到的配置文件开启runner，在配置文件中找到并修改为

[actions]
ENABLED = true

安装act runner

• 我不希望弄乱本地环境,所以更偏向使用docker部署安装

docker pull gitea/act_runner:latest

• 如果你的gitea也是最新的可以直接执行上面命令，不然需要安装对应支持的版本，最新版的act可能有些新特性旧版的gitea不支持。

生成配置文件

docker run --entrypoint="" --rm -it gitea/act_runner:latest act_runner generate-config > config.yaml

• 将生成的配置文件模板,根据文档简单修改

# Example configuration file, it's safe to copy this as the default config file without any modification.

# You don't have to copy this file to your instance,
# just run `./act_runner generate-config > config.yaml` to generate a config file.

log:
  # The level of logging, can be trace, debug, info, warn, error, fatal
  level: info

runner:
  # Where to store the registration result.
  file: .runner
  # Execute how many tasks concurrently at the same time.
  capacity: 1
  # Extra environment variables to run jobs.
  envs: 
   # 设置代理
    RUNNER_TOOL_CACHE: /toolcache
    #HTTP_PROXY: http://127.0.0.1:7890/
    #HTTPS_PROXY: http://127.0.0.1:7890/
    NO_PROXY: 127.0.0.1,localhost,172.17.0.1,192.168.222.11
  # Extra environment variables to run jobs from a file.
  # It will be ignored if it's empty or the file doesn't exist.
  env_file: .env
  # The timeout for a job to be finished.
  # Please note that the Gitea instance also has a timeout (3h by default) for the job.
  # So the job could be stopped by the Gitea instance if it's timeout is shorter than this.
  timeout: 3h
  # The timeout for the runner to wait for running jobs to finish when shutting down.
  # Any running jobs that haven't finished after this timeout will be cancelled.
  shutdown_timeout: 0s
  # Whether skip verifying the TLS certificate of the Gitea instance.
  insecure: false
  # The timeout for fetching the job from the Gitea instance.
  fetch_timeout: 5s
  # The interval for fetching the job from the Gitea instance.
  fetch_interval: 2s
  # The labels of a runner are used to determine which jobs the runner can run, and how to run them.
  # Like: "macos-arm64:host" or "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"
  # Find more images provided by Gitea at https://gitea.com/gitea/runner-images .
  # If it's empty when registering, it will ask for inputting labels.
  # If it's empty when execute `daemon`, will use labels in `.runner` file.
  labels:
    - "ubuntu-latest:docker://gitea/runner-images:ubuntu-latest"

cache:
  # Enable cache server to use actions/cache.
  enabled: true
  # The directory to store the cache data.
  # If it's empty, the cache data will be stored in $HOME/.cache/actcache.
  dir: ""
  # The host of the cache server.
  # It's not for the address to listen, but the address to connect from job containers.
  # So 0.0.0.0 is a bad choice, leave it empty to detect automatically.
  host: "172.17.0.1"
  # The port of the cache server.
  # 0 means to use a random available port.
  port: 8088
  # The external cache server URL. Valid only when enable is true.
  # If it's specified, act_runner will use this URL as the ACTIONS_CACHE_URL rather than start a server by itself.
  # The URL should generally end with "/".
  external_server: ""

container:
  # Specifies the network to which the container will connect.
  # Could be host, bridge or the name of a custom network.
  # If it's empty, act_runner will create a network automatically.
  network: ""
  # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
  privileged: false
  # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
  options:
  # The parent directory of a job's working directory.
  # NOTE: There is no need to add the first '/' of the path as act_runner will add it automatically. 
  # If the path starts with '/', the '/' will be trimmed.
  # For example, if the parent directory is /path/to/my/dir, workdir_parent should be path/to/my/dir
  # If it's empty, /workspace will be used.
  workdir_parent:
  # Volumes (including bind mounts) can be mounted to containers. Glob syntax is supported, see https://github.com/gobwas/glob
  # You can specify multiple volumes. If the sequence is empty, no volumes can be mounted.
  # For example, if you only allow containers to mount the `data` volume and all the json files in `/src`, you should change the config to:
  # valid_volumes:
  #   - data
  #   - /src/*.json
  # If you want to allow any volume, please use the following configuration:
  # valid_volumes:
  #   - '**'
  valid_volumes: []
  # overrides the docker client host with the specified one.
  # If it's empty, act_runner will find an available docker host automatically.
  # If it's "-", act_runner will find an available docker host automatically, but the docker host won't be mounted to the job containers and service containers.
  # If it's not empty or "-", the specified docker host will be used. An error will be returned if it doesn't work.
  docker_host: ""
  # Pull docker image(s) even if already present
  force_pull: false
  # Rebuild docker image(s) even if already present
  force_rebuild: false

host:
  # The parent directory of a job's working directory.
  # If it's empty, $HOME/.cache/act/ will be used.
  workdir_parent:

• 这里有一个labels标签参数，开始不理解在docker环境这浪费了很多时间，这里的host宿主机其实就是你运行act_runner程序的环境，如果你的act_runner运行在物理机，使用host标签运行action就会在你的物理机上运行,这是非常不安全的，如果你的act_runner运行在docker，使用host标签action就会在当前的docker运行，没错就是gitea/act_runner这个docker，host后面不要接任何docker
• 例如:"ubuntu-latest:host://my-images:ubuntu-latest"，这个是无效的，它根本就不会调用my-images:ubuntu-latest
• 不要改动默认的labels，乖乖用官方的镜像或者自己在runner-images找,不然还要自己安装nodejs等等这些action运行环境
• 如果想在action中调用你自己的docker镜像，正确的做法应该在工作流中的yaml填写container字段

    runs-on: ubuntu-latest
    container:             
        image: rust-base:dev 

• 由于rust编译过程非常缓慢，我开启了缓存，也就是添加了cache下面的172.17.0.1docker网络地址和8088端口参数,同时也设置了缓存文件夹
• 为了方便启动docker，编写一个docker-compose.yml文件保存启动参数

version: "3"
services:
  act-runner-rust:
    image: gitea/act_runner:latest
    environment:
      - GITEA_INSTANCE_URL=你的Gitea服务器地址
      - GITEA_RUNNER_REGISTRATION_TOKEN=你的Token
      - GITEA_RUNNER_NAME=act_runner_rust
      - CONFIG_FILE=/config.yaml
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./act_data:/data
      - ./act_cache:/root/.cache
      - ./config.yaml:/config.yaml
    ports:
      - "8088:8088"

• 这里需要一个注册Token，可以看一下获取注册令牌
• 映射端口和上面设置缓存的那个端口一样

运行

• 运行后刷新action列表就可以看到激活的action runner了，如果看不见可以检查一下action runner docker的日志

docker compose up -d

参考

• https://wiki.archlinux.org/title/Gitea
• https://docs.gitea.com/zh-cn/
• https://github.com/FiloSottile/mkcert
• https://docs.gitea.com/installation/install-with-docker
• https://docs.gitea.com/usage/actions/act-runner