Mark
6982bcf372
Some checks failed
Ansible Lint / Ansible Lint Check (push) Has been cancelled
Automated deployment of act_runner on Ubuntu 20.04+ servers: - Docker CE installation (DEB822 format) - Node.js 24.x via NodeSource - act_runner binary with SHA256 verification - systemd service with security hardening - CI: ansible-lint via Gitea Actions Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
72 lines
1.9 KiB
Django/Jinja
72 lines
1.9 KiB
Django/Jinja
# =============================================================================
|
|
# Gitea Act Runner - Systemd Service Unit
|
|
# =============================================================================
|
|
# Managed by Ansible - DO NOT EDIT MANUALLY
|
|
#
|
|
# Common commands:
|
|
# systemctl status act_runner - Check service status
|
|
# systemctl restart act_runner - Restart the service
|
|
# journalctl -u act_runner -f - Follow service logs
|
|
#
|
|
# See: https://www.freedesktop.org/software/systemd/man/latest/systemd.service.html
|
|
# =============================================================================
|
|
|
|
[Unit]
|
|
# Human-readable description
|
|
Description=Gitea Actions runner
|
|
|
|
# Documentation link
|
|
Documentation=https://gitea.com/gitea/act_runner
|
|
|
|
# Start after Docker and network are available
|
|
After=docker.service network-online.target
|
|
|
|
# Request network-online.target to be started
|
|
Wants=network-online.target
|
|
|
|
[Service]
|
|
# Simple type: process runs in foreground
|
|
Type=simple
|
|
|
|
# Main command
|
|
ExecStart={{ act_runner_bin_path }} daemon --config {{ act_runner_config_dir }}/config.yaml
|
|
|
|
# Reload command (sends HUP signal)
|
|
ExecReload=/bin/kill -s HUP $MAINPID
|
|
|
|
# Working directory
|
|
WorkingDirectory={{ act_runner_home }}
|
|
|
|
# No timeout for start/stop (jobs may take long)
|
|
TimeoutSec=0
|
|
|
|
# Wait before restarting after failure
|
|
RestartSec=10
|
|
|
|
# Always restart on any exit
|
|
Restart=always
|
|
|
|
# Run as unprivileged user
|
|
User={{ act_runner_user }}
|
|
Group={{ act_runner_group }}
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Security Hardening
|
|
# ---------------------------------------------------------------------------
|
|
|
|
# No new privileges via setuid/setgid
|
|
NoNewPrivileges=true
|
|
|
|
# Make /usr, /boot, /efi read-only
|
|
ProtectSystem=strict
|
|
|
|
# Allow writes only to these paths
|
|
ReadWritePaths={{ act_runner_home }} {{ act_runner_config_dir }}
|
|
|
|
# Private /tmp directory
|
|
PrivateTmp=true
|
|
|
|
[Install]
|
|
# Start on normal boot
|
|
WantedBy=multi-user.target
|