From 2cbee49cb5ca1ae0249c5be5d695d32a62629f35 Mon Sep 17 00:00:00 2001
From: Johanna Dorothea Reichmann
Date: Mon, 23 Oct 2023 11:41:39 +0200
Subject: [PATCH] feat(github_runner): add ansible role to install as systemd service
---
roles/github_runner/defaults/main.yml | 25 ++++
roles/github_runner/handlers/main.yml | 6 +
roles/github_runner/tasks/main.yml | 125 ++++++++++++++++++
.../github-actions-runner.service.j2 | 12 ++
4 files changed, 168 insertions(+)
create mode 100644 roles/github_runner/defaults/main.yml
create mode 100644 roles/github_runner/handlers/main.yml
create mode 100644 roles/github_runner/tasks/main.yml
create mode 100644 roles/github_runner/templates/github-actions-runner.service.j2
diff --git a/roles/github_runner/defaults/main.yml b/roles/github_runner/defaults/main.yml
new file mode 100644
index 0000000..d97d0e9
--- /dev/null
+++ b/roles/github_runner/defaults/main.yml
@@ -0,0 +1,25 @@
+---
+
+github_runner_user: "github-runner"
+github_runner_user_groups:
+ - "docker"
+github_runner_base_path: "/opt/github-runner"
+github_runner_work_path: "{{ github_runner_base_path }}/cache"
+github_runner_tarball: "{{ github_runner_base_path }}/github-actions-runner.tar.gz"
+
+github_runner_systemd_unit_name: "github-actions-runner.service"
+github_runner_systemd_unit_description: >-
+ GitHub Actions self-hosted runner
+
+github_runner_github_org: ~
+github_runner_github_bearer_token: ~
+github_runner_github_registration_token_url: >-
+ https://api.github.com/orgs/{{ github_runner_github_org }}/actions/runners/registration-token
+github_runner_github_runner_download_url: >-
+ https://api.github.com/orgs/{{ github_runner_github_org }}/actions/runners/downloads
+github_runner_distribution: linux
+github_runner_architecture: x64
+
+github_runner_enabled: true
+github_runner_autostart: "{{ github_runner_enabled | ternary('enabled', 'disabled') }}"
+github_runner_state: "started"
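Review bot: The default `github_runner_user_groups` puts the runner account in the `docker` group, which on a typical Docker host amounts to root access, so any workflow job scheduled on this runner can take over the machine. I would make the default opt-in, `github_runner_user_groups: []`, and add a comment such as `# docker group membership is root-equivalent; add it only on dedicated, disposable runner hosts`. `github_runner_github_bearer_token` also deserves a comment saying the value is a secret that should come from Ansible Vault or another secret store, not from plain inventory.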
diff --git a/roles/github_runner/handlers/main.yml b/roles/github_runner/handlers/main.yml
new file mode 100644
index 0000000..43d3b5b
--- /dev/null
+++ b/roles/github_runner/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+
+- name: Ensure systemd has reloaded the unit files
+ ansible.builtin.systemd:
+ daemon_reload: true
+ listen: systemd_reload
diff --git a/roles/github_runner/tasks/main.yml b/roles/github_runner/tasks/main.yml
new file mode 100644
index 0000000..1d23c31
--- /dev/null
+++ b/roles/github_runner/tasks/main.yml
@@ -0,0 +1,125 @@
+---
+
+- name: Ensure required variables are provided
+ ansible.builtin.assert:
+ that:
+ - github_runner_github_org is defined
+ - >-
+ github_runner_github_org is string
+ and github_runner_github_org is iterable
+ and github_runner_github_org is sequence
+ and github_runner_github_org is not mapping
+ - github_runner_github_bearer_token is defined
+ - >-
+ github_runner_github_bearer_token is string
+ and github_runner_github_bearer_token is iterable
+ and github_runner_github_bearer_token is sequence
+ and github_runner_github_bearer_token is not mapping
+ fail_msg: "Both 'github_runner_github_org" and 'github_runner_github_bearer_token' need to be defined"
+ success_msg: "'github_runner_github_org' and 'github_runner_github_bearer_token' are populated"
+ when: github_runner_enabled == true and github_runner_state == "started"
+
+- name: Ensure user '{{ github_runner_user }}' exists
+ ansible.builtin.user:
+ name: "{{ github_runner_user }}"
+ state: present
+ system: true
+ create_home: false
+ groups: "{{ github_runner_user_groups }}"
+ append: true
+ register: github_runner_user_info
+
+- name: Ensure directories for binaries and work dir exist
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: "directory"
+ mode: "0750"
+ loop:
+ - "{{ github_runner_base_path }}"
+ - "{{ github_runner_work_path }}"
+
+- name: Download and unpack tarball with github runner
+ block:
+ - name: Retrieve download URL from GitHub API
+ ansible.builtin.uri:
+ method:
+ url: "{{ github_runner_github_runner_download_url }}"
+ headers:
+ Accept: "Application/vnd.github+json"
+ Authorization: "{{ github_runner_github_bearer_token }}"
+ "X-GitHub-Api-Version": "2022-11-28"
+ register: github_runner_download_urls
+
+ - name: Download github runner tarball
+ ansible.builtin.get_url:
+ url: "{{ gh_runner_dl_url }}"
+ dest: "{{ github_runner_tarball }}"
+ mode: "0644"
+ owner: "{{ github_runner_user_info.uid | default(github_runner_user) }}"
+ vars:
+ gh_runner_dl_url: >-
+ {{ github_runner_download_urls.json
+ | selectattr('os', 'eq', github_runner_distribution)
+ | selectattr('architecture', 'eq', github_runner-architecture)
+ | map(attribute='download_url')
+ }}
+
+ - name: Extract github runner tarball
+ ansible.builtin.unarchive:
+ src: "{{ github_runner_tarball }}"
+ dest: "{{ github_runner_base_path }}"
+ remote_src: true
+ mode: "u+rwX,g+rX,o+rX"
+ owner: "{{ github_runner_user_info.uid | default(github_runner_user) }}"
+ always:
+ - name: Ensure tarball is cleaned up
+ ansible.builtin.file:
+ path: "{{ github_runner_tarball }}"
+ state: absent
+
+- name: Register runner with GitHub
+ block:
+ - name: Obtain short-lived registration token
+ ansible.builtin.uri:
+ method: POST
+ url: "{{ github_runner_github_registration_token_url }}"
+ headers:
+ Accept: "application/vnd.github+json"
+ Authorization: "Bearer {{ github_runner_github_bearer_token }}"
+ "X-GitHub-Api-Version": "2022-11-28"
+ body_format: raw
+ body: omit
+ register: github_runner_registration_token_info
+
+ failed_when: github_runner_registratio_token_info.status | int != 201
+ changed_when: github_runner_registratio_token_info.status | int == 201
+
+ - name: Run configure script
+ ansible.builtin.command:
+ cmd: "{{ github_runner_base_path }}/configure.sh --url {{ gh_url }} --token {{ gh_token }}"
+ vars:
+ gh_token: "{{ github_runner_registration_token_info.json.token }}"
+ gh_url: "https://github.com/{{ github_runner_github_org_name }}"
+
+- name: Ensure systemd service file is templated
+ ansible.builtin.template:
+ src: "github-actions-runner.service.j2"
+ dest: "/etc/systemd/systemd/{{ github_runner_systemd_unit_name }}"
+ mode: "0644"
+ owner: root
+ group: root
+ notify:
+ - systemd_reload
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd unit for github actions runner is {{ github_runner_autostart }}
+ ansible.builtin.systemd:
+ name: "{{ github_runner_systemd_unit_name }}"
+ enabled: "{{ github_runner_enabled }}"
+ when: ansible_facts['service_mgr'] == 'systemd'
+
+- name: Ensure systemd unit for github actions runner is {{ github_runner_state }}
+ ansible.builtin.systemd:
+ name: "{{ github_runner_systemd_unit_name }}"
+ state: "{{ github_runner_state }}"
+ when: ansible_facts['service_mgr'] == 'systemd'
diff --git a/roles/github_runner/templates/github-actions-runner.service.j2 b/roles/github_runner/templates/github-actions-runner.service.j2
new file mode 100644
index 0000000..e47a404
--- /dev/null
+++ b/roles/github_runner/templates/github-actions-runner.service.j2
@@ -0,0 +1,12 @@
+[Unit]
+Description={{ github_runner_systemd_unit_description }}
+
+[Service]
+Type=exec
+User={{ github_runner_user }}
+WorkingDirectory={{ github_runner_base_path }}
+
+ExecStart={{ github_runner_base_path }}/run.sh
+
+[Install]
+WantedBy=multi-user.target
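Review bot: Neither `uri` task nor the configure task sets `no_log: true`, and the registration token is interpolated into the `configure.sh` command line, so both the bearer token and the registration token can end up in Ansible output and the token is visible in the host's process list while the script runs. The tarball is also unpacked without any integrity check; I believe each entry of the downloads response carries a `sha256_checksum` field (confirm), which could be passed to `get_url` through its `checksum:` option. Several lines will not work as written: the `fail_msg` string is closed early by a stray `"`, `method:` is empty, the first `Authorization` header lacks the `Bearer ` prefix used further down, `github_runner-architecture` and `github_runner_registratio_token_info` are misspelled, `github_runner_github_org_name` is not defined in the role defaults, `body: omit` sends the literal string, the `map(...)` result is never reduced with `| first`, and the unit file is written under `/etc/systemd/systemd/`. The fence below shows the corrected lines with the YAML indentation I assume the file uses.

```yaml
    # … unchanged: assert conditions …
    fail_msg: "Both 'github_runner_github_org' and 'github_runner_github_bearer_token' need to be defined"

# … unchanged: user and directory tasks …

    - name: Retrieve download URL from GitHub API
      ansible.builtin.uri:
        method: GET
        # … unchanged: url …
        headers:
          Accept: "application/vnd.github+json"
          Authorization: "Bearer {{ github_runner_github_bearer_token }}"
          # … unchanged: X-GitHub-Api-Version …
      # … unchanged: register …
      no_log: true

    # … unchanged: get_url arguments …
      vars:
        gh_runner_dl_url: >-
          {{ github_runner_download_urls.json
             | selectattr('os', 'eq', github_runner_distribution)
             | selectattr('architecture', 'eq', github_runner_architecture)
             | map(attribute='download_url')
             | first
          }}

# … unchanged: unarchive and tarball cleanup …

    - name: Obtain short-lived registration token
      ansible.builtin.uri:
        # … unchanged: method, url, headers; body_format and body dropped …
        status_code: 201
      register: github_runner_registration_token_info
      no_log: true
      changed_when: github_runner_registration_token_info.status | int == 201

    - name: Run configure script
      # … unchanged: command …
      no_log: true
      vars:
        # … unchanged: gh_token …
        gh_url: "https://github.com/{{ github_runner_github_org }}"

# … unchanged: template task up to dest …
    dest: "/etc/systemd/system/{{ github_runner_systemd_unit_name }}"
```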
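Review bot: The `[Service]` section runs workflow code with no sandboxing and no restart policy, so a job has the same view of the host as the account in `User=` and a crashed runner stays down. Consider adding `Restart=on-failure` together with hardening directives such as `PrivateTmp=true` and `ProtectHome=true`; `NoNewPrivileges=true` is worth adding as well if no workflow depends on sudo. In `[Unit]`, `After=network-online.target` with `Wants=network-online.target` would keep the runner from starting before the network is available.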