Initial commit: Ansible playbook for Gitea Act Runner deployment

Automated deployment of act_runner on Ubuntu 20.04+ servers: - Docker CE installation (DEB822 format) - Node.js 24.x via NodeSource - act_runner binary with SHA256 verification - systemd service with security hardening - CI: ansible-lint via Gitea Actions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-10 16:01:06 +01:00
commit 6982bcf372
21 changed files with 1462 additions and 0 deletions
--- a/roles/act_runner/tasks/binary.yml
+++ b/roles/act_runner/tasks/binary.yml
@@ -0,0 +1,88 @@
+---
+# =============================================================================
+# Gitea Act Runner - Binary Installation
+# =============================================================================
+#
+# Downloads and installs the act_runner binary from:
+# https://dl.gitea.com/act_runner/
+#
+# Security: Binary integrity is verified via SHA256 checksum.
+#
+# =============================================================================
+
+# Construct download URLs based on version and architecture.
+- name: Set act_runner download URLs
+  ansible.builtin.set_fact:
+    act_runner_download_url: >-
+      https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}
+    act_runner_checksum_url: >-
+      https://dl.gitea.com/act_runner/{{ act_runner_version }}/act_runner-{{ act_runner_version }}-linux-{{ act_runner_arch }}.sha256
+
+# Download the act_runner binary to a temporary location.
+- name: Download act_runner binary
+  ansible.builtin.get_url:
+    url: "{{ act_runner_download_url }}"
+    dest: /tmp/act_runner
+    mode: '0755'
+
+# Download checksum file for verification (when enabled).
+- name: Download act_runner checksum
+  ansible.builtin.get_url:
+    url: "{{ act_runner_checksum_url }}"
+    dest: /tmp/act_runner.sha256
+    mode: '0644'
+  when: act_runner_verify_checksum
+
+# Read the expected checksum from the downloaded file.
+- name: Read expected checksum
+  ansible.builtin.slurp:
+    src: /tmp/act_runner.sha256
+  register: act_runner_expected_checksum_file
+  when: act_runner_verify_checksum
+
+# Parse the checksum (format: "checksum  filename").
+- name: Parse expected checksum
+  ansible.builtin.set_fact:
+    act_runner_expected_checksum: "{{ (act_runner_expected_checksum_file.content | b64decode).split()[0] }}"
+  when: act_runner_verify_checksum
+
+# Calculate actual checksum of downloaded binary.
+- name: Calculate actual checksum
+  ansible.builtin.stat:
+    path: /tmp/act_runner
+    checksum_algorithm: sha256
+  register: act_runner_actual_checksum
+  when: act_runner_verify_checksum
+
+# Verify checksums match (fail if tampered).
+- name: Verify checksum matches
+  ansible.builtin.assert:
+    that:
+      - act_runner_actual_checksum.stat.checksum == act_runner_expected_checksum
+    fail_msg: >-
+      Checksum verification FAILED!
+      Expected: {{ act_runner_expected_checksum }}
+      Actual: {{ act_runner_actual_checksum.stat.checksum }}
+      The downloaded binary may have been tampered with.
+    success_msg: "Checksum verified: {{ act_runner_expected_checksum }}"
+  when: act_runner_verify_checksum
+
+# Install binary to final location.
+- name: Install act_runner binary
+  ansible.builtin.copy:
+    src: /tmp/act_runner
+    dest: "{{ act_runner_bin_path }}"
+    remote_src: true
+    owner: root
+    group: root
+    mode: '0755'
+  notify: Restart act_runner
+
+# Clean up temporary files.
+- name: Clean up temporary files
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /tmp/act_runner
+    - /tmp/act_runner.sha256