From 5371ce3d261ec05b8d2a3f8960569de2545d29d2 Mon Sep 17 00:00:00 2001
From: Gabor Boros
Date: Thu, 9 Oct 2025 09:59:21 +0400
Subject: [PATCH] feat: add self-hosted github runner playbook
Signed-off-by: Gabor Boros
---
README.md | 4 +++
group_vars/private_github_runner.yml | 5 ++++
inventory.ini | 2 ++
playbooks/private-github-runner.yml | 12 +++++++++
.../roles/github-runner/defaults/main.yml | 8 ++++++
playbooks/roles/github-runner/tasks/main.yml | 25 +++++++++++++++++++
requirements.yml | 5 ++++
7 files changed, 61 insertions(+)
create mode 100644 group_vars/private_github_runner.yml
create mode 100644 playbooks/private-github-runner.yml
create mode 100644 playbooks/roles/github-runner/defaults/main.yml
create mode 100644 playbooks/roles/github-runner/tasks/main.yml
diff --git a/README.md b/README.md
index 2cfe111..d38d02b 100644
--- a/README.md
+++ b/README.md
@@ -11,6 +11,10 @@ This repository contains ansible deployment scripts for deploying a variety of R _**macOS notes: On macOS, add `export OBJC_DISABLE_INITIALIZE_FORK_SAFETY=YES` to your `zshrc`, as ansible have a process forking bug: https://docs.ansible.com/ansible/latest/reference_appendices/faq.html#running-on-macos-as-a-control-node. Also, make sure your `tar` command is `GNU tar`. On macOS, install it by executing `brew install gnu-tar`._ +## Initial playbook runs + +For DigitalOcean Droplets, use `ansible_user=root` in the inventory or CLI until the common playbook is not applied. Once it is done, remove the parameter. + ## Working with Ansible Vault Before inlining any encrypted passwords, carefully consider whether it's truly necessary. Ansible Vault allows you to encrypt strings or files directly within Ansible without needing additional installations.
diff --git a/group_vars/private_github_runner.yml b/group_vars/private_github_runner.yml
new file mode 100644
index 0000000..a1142e1
--- /dev/null
+++ b/group_vars/private_github_runner.yml
@@ -0,0 +1,5 @@
+---
+COMMON_SSH_KEY_GITHUB_USERS:
+ - gabor-boros
+ - srh
+
diff --git a/inventory.ini b/inventory.ini
index bd80ea3..d6d40da 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -3,3 +3,5 @@ download.rethinkdb.com [update_checker] update.rethinkdb.com + +[github_runner]
diff --git a/playbooks/private-github-runner.yml b/playbooks/private-github-runner.yml
new file mode 100644
index 0000000..2019f03
--- /dev/null
+++ b/playbooks/private-github-runner.yml
@@ -0,0 +1,12 @@
+---
+- name: Set up private GitHub runner
+ hosts: github_runner
+ become: true
+ roles:
+ - role: common
+ tags:
+ - common
+
+ - role: github-runner
+ tags:
+ - github-runner
diff --git a/playbooks/roles/github-runner/defaults/main.yml b/playbooks/roles/github-runner/defaults/main.yml
new file mode 100644
index 0000000..d7e7e10
--- /dev/null
+++ b/playbooks/roles/github-runner/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+GITHUB_RUNNER_TOKEN: "{{ lookup('env', 'GITHUB_ACCESS_TOKEN') }}"
+GITHUB_RUNNER_VERSION: "latest"
+GITHUB_RUNNER_USER: runner
+GITHUB_RUNNER_DIRECTORY: "{{ 'C:\\actions-runner' if ansible_facts.system == 'Win32NT' else '/opt/actions-runner' }}"
+GITHUB_RUNNER_LABELS:
+ - "pre-release"
+ - "rethinkdb-{{ ansible_facts.architecture }}"
diff --git a/playbooks/roles/github-runner/tasks/main.yml b/playbooks/roles/github-runner/tasks/main.yml
new file mode 100644
index 0000000..9173a76
--- /dev/null
+++ b/playbooks/roles/github-runner/tasks/main.yml
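Review bot: The variables in `group_vars/private_github_runner.yml` are keyed to a group named `private_github_runner`, but the inventory section added in this commit and the play's `hosts:` both use `github_runner`, so unless a `private_github_runner` group is defined elsewhere in the inventory, `COMMON_SSH_KEY_GITHUB_USERS` is never loaded for the runner hosts. The `common` role presumably consumes that list to decide whose keys get SSH access, so the hosts would silently fall back to whatever default it carries. Rename the file to `group_vars/github_runner.yml`, or rename the group in `inventory.ini` and the play to `private_github_runner`, so the names agree.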
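Review bot: `GITHUB_RUNNER_TOKEN` in `playbooks/roles/github-runner/defaults/main.yml` is read with `lookup('env', 'GITHUB_ACCESS_TOKEN')`, which yields an empty string when the variable is unset, so the play proceeds into the imported role with an empty `access_token` instead of stopping before any change is made. Add a first task to the role that asserts `GITHUB_RUNNER_TOKEN | length > 0` with a clear `fail_msg`, and put a comment above the default stating the minimum scope the token needs, so operators create a token limited to this repository rather than reusing a broad personal one. Separately, the `'Win32NT'` branch of `GITHUB_RUNNER_DIRECTORY` looks unreachable, since the role's own tasks create a `/bin/bash` user with the POSIX `user` and `file` modules.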
@@ -0,0 +1,25 @@
+---
+- name: "Ensure {{ GITHUB_RUNNER_USER }} user exists"
+ user:
+ name: "{{ GITHUB_RUNNER_USER }}"
+ shell: /bin/bash
+ state: present
+
+- name: "Ensure {{ GITHUB_RUNNER_DIRECTORY }} exists and owned"
+ file:
+ path: "{{ GITHUB_RUNNER_DIRECTORY }}"
+ state: directory
+ owner: "{{ GITHUB_RUNNER_USER }}"
+
+- name: "Install GitHub runner"
+ import_role:
+ name: monolithprojects.github_actions_runner
+ vars:
+ github_account: rethinkdb
+ github_repo: rethinkdb
+ access_token: "{{ GITHUB_RUNNER_TOKEN }}"
+ runner_name: "rethinkdb-runner-{{ ansible_facts.architecture }}"
+ runner_version: "{{ GITHUB_RUNNER_VERSION }}"
+ runner_user: "{{ GITHUB_RUNNER_USER }}"
+ runner_dir: "{{ GITHUB_RUNNER_DIRECTORY }}"
+ runner_labels: "{{ GITHUB_RUNNER_LABELS }}"
diff --git a/requirements.yml b/requirements.yml
index 253c0cd..c18cea8 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -15,3 +15,8 @@ roles:
 src: https://github.com/geerlingguy/ansible-role-certbot.git
 version: 3b3cc546d123c06b294182c747cacaab83174fca
 scm: git
+
+ - name: monolithprojects.github_actions_runner
+ src: https://github.com/MonolithProjects/ansible-github_actions_runner.git
+ version: ed4b47a28940824d5b25822df41c638e5eba96a5
+ scm: git
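Review bot: The directory task in `playbooks/roles/github-runner/tasks/main.yml` sets `owner` but no `mode`, so the permissions on the runner directory, where the runner presumably keeps its registration files, depend on the remote umask; add `mode: "0750"` to the `file` task. The install task registers the runner on `rethinkdb/rethinkdb`, and no visible variable makes it ephemeral, so any workflow job that selects the `pre-release` or `rethinkdb-<architecture>` labels runs on this host as `GITHUB_RUNNER_USER`. A comment above that task should record that workflows triggered by fork pull requests must stay behind approval in the repository settings, which this hunk cannot show. The modules are also referenced by short name; `ansible.builtin.user`, `ansible.builtin.file` and `ansible.builtin.import_role` would match current lint guidance.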