Fix forgejo-runner networking for tailnet access

- Add --accept-routes to tailscale-ci-gateway for service routing - Run forgejo-runner as root for docker socket access - Mount actual docker socket path (not symlink) - Use gateway network namespace for tailnet connectivity - Registration uses gateway network for Forgejo access Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 12:56:25 -08:00 · 2026-01-24 12:56:25 -08:00 · c79dc94325
commit c79dc94325
parent 911913bb2e
3 changed files with 7 additions and 5 deletions
--- a/ansible/roles/forgejo_runner/tasks/main.yml
+++ b/ansible/roles/forgejo_runner/tasks/main.yml
@ -39,7 +39,7 @@
  ansible.builtin.command:
    cmd: >
      docker run --rm
-      --network {{ forgejo_runner_network }}
+      --network=container:tailscale-ci-gateway
      -v {{ forgejo_runner_data_dir }}:/data
      {{ forgejo_runner_image }}
      forgejo-runner register
--- a/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
+++ b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
@ -15,13 +15,14 @@
 /usr/local/bin/docker rm {{ forgejo_runner_container_name }} 2>/dev/null || true

 # Run the forgejo-runner daemon in a container
-# - On tailnet-jobs network (can reach Forgejo via Tailscale gateway)
-# - Mounts /usr/local/bin/docker socket to spawn job containers
+# - Uses gateway's network namespace for tailnet access (to poll Forgejo)
+# - Mounts docker socket to spawn job containers
 # - Mounts config and data directories
 exec /usr/local/bin/docker run --rm \
  --name {{ forgejo_runner_container_name }} \
-  --network {{ forgejo_runner_network }} \
-  -v /var/run//usr/local/bin/docker.sock:/var/run//usr/local/bin/docker.sock \
+  --network=container:tailscale-ci-gateway \
+  --user root \
+  -v {{ ansible_env.HOME }}/.docker/run/docker.sock:/var/run/docker.sock \
  -v {{ forgejo_runner_config_dir }}/config.yaml:/config.yaml:ro \
  -v {{ forgejo_runner_data_dir }}:/data \
  {{ forgejo_runner_image }} \
--- a/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2
+++ b/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2
@ -26,6 +26,7 @@ exec /usr/local/bin/docker run --rm \
  -e TS_STATE_DIR=/var/lib/tailscale \
  -e TS_USERSPACE=false \
  -e TS_ACCEPT_DNS=true \
+  -e TS_EXTRA_ARGS="--accept-routes" \
  {{ tailscale_ci_gateway_image }}
 ]]></string>
    </array>