From c79dc943259883b6fb802581bcd58d461f2dd0a2 Mon Sep 17 00:00:00 2001
From: Erich Blume
Date: Sat, 24 Jan 2026 12:56:25 -0800
Subject: [PATCH] Fix forgejo-runner networking for tailnet access

- Add --accept-routes to tailscale-ci-gateway for service routing
- Run forgejo-runner as root for docker socket access
- Mount actual docker socket path (not symlink)
- Use gateway network namespace for tailnet connectivity
- Registration uses gateway network for Forgejo access

Co-Authored-By: Claude Opus 4.5
---
 ansible/roles/forgejo_runner/tasks/main.yml | 2 +-
 .../forgejo_runner/templates/forgejo-runner.plist.j2 | 9 +++++----
 .../templates/tailscale-ci-gateway.plist.j2 | 1 +
 3 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/ansible/roles/forgejo_runner/tasks/main.yml b/ansible/roles/forgejo_runner/tasks/main.yml
index 72e114b..0cce725 100644
--- a/ansible/roles/forgejo_runner/tasks/main.yml
+++ b/ansible/roles/forgejo_runner/tasks/main.yml
@@ -39,7 +39,7 @@
 ansible.builtin.command:
 cmd: >
 docker run --rm
- --network {{ forgejo_runner_network }}
+ --network=container:tailscale-ci-gateway
 -v {{ forgejo_runner_data_dir }}:/data
 {{ forgejo_runner_image }}
 forgejo-runner register
diff --git a/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2 b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
index adf2288..e0d07a6 100644
--- a/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
+++ b/ansible/roles/forgejo_runner/templates/forgejo-runner.plist.j2
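Review bot: The register command now joins another container's namespace with `--network=container:tailscale-ci-gateway`, so this task fails outright whenever the tailscale-ci-gateway launchd job has not yet created that container; the role should guard it with a preceding task that polls `docker inspect -f '{{ .State.Running }}' tailscale-ci-gateway` under `retries`/`until` (escaping the Go-template braces from Jinja) before registering. The gateway container name is also hard-coded here and again in forgejo-runner.plist.j2 in this commit, where the old value came from the `forgejo_runner_network` variable; a shared role variable (for example `tailscale_ci_gateway_container_name`, a constructed name) would keep the two roles from drifting. The enclosing task starts before this hunk, so its `name`, `register` and any `when`/`changed_when` handling are not visible here.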
@@ -15,13 +15,14 @@ /usr/local/bin/docker rm {{ forgejo_runner_container_name }} 2>/dev/null || true # Run the forgejo-runner daemon in a container -# - On tailnet-jobs network (can reach Forgejo via Tailscale gateway) -# - Mounts /usr/local/bin/docker socket to spawn job containers +# - Uses gateway's network namespace for tailnet access (to poll Forgejo) +# - Mounts docker socket to spawn job containers # - Mounts config and data directories exec /usr/local/bin/docker run --rm \ --name {{ forgejo_runner_container_name }} \ - --network {{ forgejo_runner_network }} \ - -v /var/run//usr/local/bin/docker.sock:/var/run//usr/local/bin/docker.sock \ + --network=container:tailscale-ci-gateway \ + --user root \ + -v {{ ansible_env.HOME }}/.docker/run/docker.sock:/var/run/docker.sock \ -v {{ forgejo_runner_config_dir }}/config.yaml:/config.yaml:ro \ -v {{ forgejo_runner_data_dir }}:/data \ {{ forgejo_runner_image }} \ diff --git a/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2 b/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2 index 287c120..7c223eb 100644 --- a/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2 +++ b/ansible/roles/tailscale_ci_gateway/templates/tailscale-ci-gateway.plist.j2 @@ -26,6 +26,7 @@ exec /usr/local/bin/docker run --rm \ -e TS_STATE_DIR=/var/lib/tailscale \ -e TS_USERSPACE=false \ -e TS_ACCEPT_DNS=true \ + -e TS_EXTRA_ARGS="--accept-routes" \ {{ tailscale_ci_gateway_image }} ]]>
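Review bot: `--user root` together with the host socket bind-mount `-v {{ ansible_env.HOME }}/.docker/run/docker.sock:/var/run/docker.sock` makes the runner root-equivalent on the Docker host, since anything controlling this process can start arbitrary privileged containers and mount host paths, and the rewritten comment block describes the mount without stating that trust boundary. Check whether `--group-add` with the socket's group id is sufficient instead of `--user root` (the commit message gives socket access as the only reason for root), and add a line such as `# - Docker socket mount: this container is trusted as much as the Docker daemon itself`. Sharing `--network=container:tailscale-ci-gateway` also ties this container's connectivity to the gateway's lifetime: if the gateway exits or is recreated, the runner keeps a dead network namespace until launchd restarts it, which belongs in the header comment. Job containers spawned through the socket do not inherit this namespace, so they reach Forgejo only if the runner's `config.yaml` gives them a network that can; a comment pointing at that setting would save the next reader a debugging session. The exec command continues past the hunk's last visible line.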
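Review bot: `TS_EXTRA_ARGS="--accept-routes"` makes this gateway install every subnet route that tailnet routers advertise and the ACLs allow, and because the runner and its registration task now share this container's network namespace, what CI can reach becomes whatever those routes and ACLs permit rather than just Forgejo; a comment should record the intent, e.g. `# --accept-routes: installs the routes needed to reach the Forgejo service; bound what this node may reach via tailnet ACLs`. The commit message says "for service routing" but the hunk does not say which routes are expected, so a reader cannot tell whether a narrower option would do — confirm against the documentation for the image referenced by `{{ tailscale_ci_gateway_image }}`. The docker run command starts before this hunk's first visible line.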