From 0d4fccf5f8ae97103e7a91a90fd82931a7c5fe55 Mon Sep 17 00:00:00 2001 From: Brooke Date: Wed, 5 Nov 2025 13:44:39 -0500 Subject: [PATCH] block out files for using socket proxy instead of dind --- .env.sample | 12 +++++- abra.sh | 8 ++++ compose.runner.yml | 90 ++++++++++++++++++++++++--------------- runner-config.toml.tmpl | 2 + runner-entrypoint.sh.tmpl | 9 ++++ 5 files changed, 86 insertions(+), 35 deletions(-) create mode 100644 runner-config.toml.tmpl create mode 100644 runner-entrypoint.sh.tmpl diff --git a/.env.sample b/.env.sample index fba7abb..729ee57 100644 --- a/.env.sample +++ b/.env.sample @@ -22,8 +22,18 @@ SECRET_REGISTRATION_TOKEN_VERSION=v1 SSO=false ## Authentik Configuration + # SSO=true # ORG_NAME="My Organization" # SSO_PROVIDER_URL="https://authentik.mydomain.com/application/o/gitlab/" # SSO_PROVIDER_ID="your authentik Client ID" -# SECRET_SSO_PROVIDER_SECRET_VERSION=v1 \ No newline at end of file +# SECRET_SSO_PROVIDER_SECRET_VERSION=v1 + + +## Runner Configuration + +RUNNER_TIMEOUT=30 +# Number of seconds until the forceful shutdown operation times out and exits the process. + +RUNNER_CONCURENCY=5 +# Limits how many jobs can run concurrently, across all registered runners. \ No newline at end of file diff --git a/abra.sh b/abra.sh index 3747411..1b8551c 100644 --- a/abra.sh +++ b/abra.sh @@ -1,6 +1,8 @@ #!/bin/bash GITLAB_CONF_VERSION=v1 ENTRYPOINT_VERSION=v1 +RUNNER_ENTRYPOINT_VERSION=v1 +RUNNER_CONF_VERSION=v1 run_rails_command() { su -p root -s /bin/sh -c "gitlab-rails runner '$@'" @@ -28,4 +30,10 @@ disable_signups() { enable_signups () { run_rails_command 'Gitlab::CurrentSettings.update!(signup_enabled: true)' reconfigure +} + +register_runner() { + RUNNER_TOKEN="$1" + + gitlab-runner register --non-interactive --url "https://$CI_SERVER_URL" --token "$RUNNER_TOKEN" --executor "docker" } \ No newline at end of file diff --git a/compose.runner.yml b/compose.runner.yml index 21fa8fa..13a825a 100644 --- a/compose.runner.yml 
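Review bot: `RUNNER_CONCURENCY` in the .env.sample hunk is misspelled (`RUNNER_CONCURRENCY`), and the same spelling is repeated in compose.runner.yml and runner-config.toml.tmpl. Operators copy this name into their own `.env`, so it is cheaper to fix now than to rename once deployments depend on it. The two explanatory comments also sit below the variables they describe; placing each above its variable is the usual convention for an env sample.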
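Review bot: `register_runner` in abra.sh passes the runner token as `--token "$RUNNER_TOKEN"`, so it sits in the process arguments of `gitlab-runner register` and is readable from the process list while the command runs. gitlab-runner also reads the token from the `CI_SERVER_TOKEN` environment variable, so the call could be `CI_SERVER_TOKEN="$1" gitlab-runner register --non-interactive --url "https://$CI_SERVER_URL" --executor "docker"`. `RUNNER_TOKEN` is assigned without `local`, and an empty `$1` is not rejected; a guard such as `[ -n "$1" ] || { echo "usage: register_runner <token>" >&2; return 1; }` would fail early.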
+++ b/compose.runner.yml @@ -2,55 +2,67 @@ version: "3.8" services: - dind: - image: docker:20-dind - privileged: true - environment: - DOCKER_TLS_CERTDIR: "" - command: - - --storage-driver=overlay2 - networks: - - internal - deploy: - restart_policy: - condition: on-failure - runner: image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine depends_on: - dind environment: - - DOCKER_HOST=tcp://dind:2375 + - CI_SERVER_URL=${DOMAIN} + - DOCKER_HOST=tcp://socket-proxy:2375 + - RUNNER_TIMEOUT + - RUNNER_CONCURENCY + configs: + - source: runner_conf + target: /etc/gitlab-runner/config.toml + - source: entrypoint + target: /custom-entrypoint.sh + mode: 0555 volumes: - - 'runnner_config:/etc/gitlab-runner' + - "runnner_config:/etc/gitlab-runner" networks: - internal deploy: restart_policy: condition: on-failure + entrypoint: /custom-entrypoint.sh - register-runner: - image: registry.gitlab.com/gitlab-org/gitlab-runner:alpine - depends_on: - - dind + socket-proxy: + image: lscr.io/linuxserver/socket-proxy:3.2.6 environment: - - CI_SERVER_URL=${DOMAIN} - - REGISTRATION_TOKEN_file=/run/secrets/registration_token - command: - - register - - --non-interactive - - --locked=false - - --name=${RUNNER_NAME} - - --executor=docker - - --docker-image=docker:20-dind - - --docker-volumes=/var/run/docker.sock:/var/run/docker.sock + - PROXY_READ_TIMEOUT=5000 + - ALLOW_START=1 + - ALLOW_STOP=1 + - ALLOW_RESTARTS=1 + - AUTH=1 + - BUILD=1 + - COMMIT=1 + - CONFIGS=1 + - CONTAINERS=1 + - DISABLE_IPV6=0 + - DISTRIBUTION=0 + - EVENTS=1 + - EXEC=1 + - IMAGES=1 + - INFO=1 + - NETWORKS=1 + - NODES=1 + - PING=1 + - POST=1 + - PLUGINS=1 + - SECRETS=1 + - SERVICES=1 + - SESSION=1 + - SWARM=1 + - SYSTEM=1 + - TASKS=1 + - VERSION=1 + - VOLUMES=1 volumes: - - 'runnner_config:/etc/gitlab-runner' + - /var/run/docker.sock:/var/run/docker.sock:ro networks: - internal - deploy: - restart_policy: - condition: none + ports: + - "2375:2375" volumes: runnner_config: 
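Review bot: The new `socket-proxy` service publishes `"2375:2375"`, which exposes the unauthenticated Docker API proxy beyond the `internal` network, and its allow-list enables almost every endpoint (`POST=1`, `EXEC=1`, `CONTAINERS=1`, `SECRETS=1`, `SWARM=1`, `SERVICES=1`, ...), so anything that can reach that port can effectively control the host daemon. The runner already talks to the proxy as `tcp://socket-proxy:2375` over `internal`, so the `ports:` entry can be dropped. The allow-list should be cut down to what the docker executor needs for job containers; `SECRETS`, `CONFIGS`, `SWARM`, `SERVICES`, `NODES`, `TASKS` and `PLUGINS` look unrelated and would be safer at `0` (to be confirmed against a test job). The `:ro` on the `/var/run/docker.sock` bind does not limit API calls made through the socket, so the allow-list is the only real restriction here. Separately, `runner` still lists `depends_on: - dind` although this hunk removes the `dind` service.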
@@ -58,4 +70,14 @@ volumes:
 secrets:
 registration_token:
 name: ${STACK_NAME}_registration_token_${SECRET_REGISTRATION_TOKEN_VERSION}
- external: true
\ No newline at end of file
+ external: true
+
+configs:
+ runner_conf:
+ name: ${STACK_NAME}_runner_config_${RUNNER_CONF_VERSION}
+ file: runner-config.toml.tmpl
+ template_driver: golang
+ entrypoint:
+ name: ${STACK_NAME}_runner_entrypoint_${RUNNER_ENTRYPOINT_VERSION}
+ file: runner-entrypoint.sh.tmpl
+ template_driver: golang
diff --git a/runner-config.toml.tmpl b/runner-config.toml.tmpl
new file mode 100644
index 0000000..7ad8ce8
--- /dev/null
+++ b/runner-config.toml.tmpl
@@ -0,0 +1,2 @@
+concurrent = {{ env RUNNER_CONCURENCY }}
+shutdown_timeout = {{ env RUNNER_TIMEOUT }}
\ No newline at end of file
diff --git a/runner-entrypoint.sh.tmpl b/runner-entrypoint.sh.tmpl
new file mode 100644
index 0000000..8df2f07
--- /dev/null
+++ b/runner-entrypoint.sh.tmpl
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+set -e
+
+while [ ! -s /some/file ]
+do
+ echo "The runner was not registered yet. Next try in 5 seconds."
+ sleep 5
+done
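Review bot: Both lines of runner-config.toml.tmpl call `env` with a bare identifier, and in a Go template `RUNNER_CONCURENCY` without quotes is parsed as a function name rather than a string, so rendering the config is likely to fail. The variable name should be a quoted string: `concurrent = {{ env "RUNNER_CONCURENCY" }}` and `shutdown_timeout = {{ env "RUNNER_TIMEOUT" }}`. Also worth checking: compose.runner.yml mounts the rendered file at `/etc/gitlab-runner/config.toml`, and swarm configs are mounted read-only, so `gitlab-runner register` in abra.sh may be unable to write the new runner entry into it.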
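Review bot: The wait loop in runner-entrypoint.sh.tmpl tests the placeholder path `/some/file`, and the script ends after `done` without starting the runner, so with `entrypoint: /custom-entrypoint.sh` in compose.runner.yml the container would exit as soon as the loop finishes. The test should point at the file that registration actually produces, and the script should finish by handing over to the runner process, for example `exec gitlab-runner run`. Note that `/etc/gitlab-runner/config.toml` is not a usable marker as things stand, because the config mount makes it non-empty before any runner is registered. A comment above the loop naming the marker file and who creates it would also help.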