From 46e0d4f573abf3b5eb3de374a4582fefc9acbc55 Mon Sep 17 00:00:00 2001
From: sfriedrich <simon.friedrich@ceotronics.com>
Date: Thu, 8 Jan 2026 11:34:56 +0100
Subject: [PATCH] feat: add forgejo runner

---
 ct/forgejo-runner.sh              |  95 ++++++++++++++++++++
 install/forgejo-runner-install.sh | 140 ++++++++++++++++++++++++++++++
 2 files changed, 235 insertions(+)
 create mode 100644 ct/forgejo-runner.sh
 create mode 100644 install/forgejo-runner-install.sh

diff --git a/ct/forgejo-runner.sh b/ct/forgejo-runner.sh
new file mode 100644
index 000000000..c8196a4ea
--- /dev/null
+++ b/ct/forgejo-runner.sh
@@ -0,0 +1,95 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+
+# Copyright (c) 2026
+# Author: Simon Friedrich
+# License: MIT
+# Source: https://forgejo.org/
+
+APP="Forgejo Runner"
+var_tags="${var_tags:-ci}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-12}"
+
+# REQUIRED for Podman-in-LXC
+var_unprivileged="1"
+var_nesting="1"
+var_keyctl="1"
+
+# -------------------------------------------------
+# Framework setup
+# -------------------------------------------------
+header_info "$APP"
+variables
+color
+catch_errors
+
+# -------------------------------------------------
+# Description
+# -------------------------------------------------
+function description() {
+  cat <<EOF
+Forgejo Actions Runner using Podman (unprivileged LXC)
+
+Required inputs:
+- Forgejo Instance URL
+- Forgejo Runner Registration Token
+
+Requirements:
+- unprivileged container
+- nesting enabled
+- keyctl enabled
+- unconfined AppArmor profile
+EOF
+}
+
+# -------------------------------------------------
+# Update logic
+# -------------------------------------------------
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /usr/local/bin/forgejo-runner ]]; then
+    msg_error "No ${APP} installation found!"
+    exit 1
+  fi
+
+  msg_info "Stopping Forgejo Runner"
+  systemctl stop forgejo-runner
+  msg_ok "Stopped Forgejo Runner"
+
+  msg_info "Fetching latest Forgejo Runner version"
+  RELEASE=$(curl -fsSL https://code.forgejo.org/api/v1/repos/forgejo/runner/releases/latest \
+    | grep -oP '"tag_name":\s*"\K[^"]+' | sed 's/^v//')
+
+  msg_info "Updating Forgejo Runner to v${RELEASE}"
+  curl -fsSL \
+    "https://code.forgejo.org/forgejo/runner/releases/download/v${RELEASE}/forgejo-runner-linux-amd64" \
+    -o /usr/local/bin/forgejo-runner
+
+  chmod +x /usr/local/bin/forgejo-runner
+  msg_ok "Updated Forgejo Runner"
+
+  msg_info "Starting Forgejo Runner"
+  systemctl daemon-reload
+  systemctl start forgejo-runner
+  msg_ok "Started Forgejo Runner"
+
+  msg_ok "Update completed successfully!"
+  exit
+}
+
+# -------------------------------------------------
+# Install
+# -------------------------------------------------
+start
+build_container
+description
+
+msg_ok "Completed successfully!"
+echo -e "${INFO}${YW}Forgejo Runner is now online and ready.${CL}"
\ No newline at end of file
diff --git a/install/forgejo-runner-install.sh b/install/forgejo-runner-install.sh
new file mode 100644
index 000000000..6b46ea731
--- /dev/null
+++ b/install/forgejo-runner-install.sh
@@ -0,0 +1,140 @@
+#!/usr/bin/env bash
+# Copyright (c) 2026
+# Author: Simon Friedrich
+# License: MIT
+# Source: https://forgejo.org/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+# -------------------------------------------------
+# App-specific input (MUST be before variables)
+# -------------------------------------------------
+if [[ -z "$var_forgejo_instance" ]]; then
+  read -rp "Forgejo Instance URL (e.g. https://code.forgejo.org): " var_forgejo_instance
+fi
+
+if [[ -z "$var_forgejo_runner_token" ]]; then
+  read -rp "Forgejo Runner Registration Token: " var_forgejo_runner_token
+  echo
+fi
+
+if [[ -z "$var_forgejo_instance" || -z "$var_forgejo_runner_token" ]]; then
+  echo "❌ Forgejo instance URL and runner token are required."
+  exit 1
+fi
+
+export FORGEJO_INSTANCE="$var_forgejo_instance"
+export FORGEJO_RUNNER_TOKEN="$var_forgejo_runner_token"
+
+msg_info "Installing dependencies"
+$STD apt-get install -y \
+  curl jq gnupg git wget ca-certificates \
+  podman podman-docker
+msg_ok "Dependencies installed"
+
+msg_info "Enabling Podman socket"
+systemctl enable --now podman.socket
+msg_ok "Podman socket enabled"
+
+# -------------------------------------------------
+# Architecture
+# -------------------------------------------------
+RAW_ARCH=$(uname -m)
+ARCH=$(echo "$RAW_ARCH" | sed 's/x86_64/amd64/;s/aarch64/arm64/')
+msg_info "Detected architecture: $ARCH"
+
+# -------------------------------------------------
+# Fetch latest Forgejo Runner version
+# -------------------------------------------------
+msg_info "Fetching latest Forgejo Runner release"
+RUNNER_VERSION=$(
+  curl -fsSL https://data.forgejo.org/api/v1/repos/forgejo/runner/releases/latest |
+  jq -r .name | sed 's/^v//'
+)
+
+[[ -z "$RUNNER_VERSION" ]] && {
+  msg_error "Unable to determine Forgejo Runner version"
+  exit 1
+}
+
+msg_ok "Forgejo Runner v${RUNNER_VERSION}"
+
+# -------------------------------------------------
+# Download Runner
+# -------------------------------------------------
+FORGEJO_URL="https://code.forgejo.org/forgejo/runner/releases/download/v${RUNNER_VERSION}/forgejo-runner-${RUNNER_VERSION}-linux-${ARCH}"
+
+msg_info "Downloading Forgejo Runner"
+wget -q -O /usr/local/bin/forgejo-runner "$FORGEJO_URL"
+chmod +x /usr/local/bin/forgejo-runner
+msg_ok "Runner installed"
+
+# -------------------------------------------------
+# Signature verification
+# -------------------------------------------------
+msg_info "Verifying signature"
+wget -q -O /tmp/forgejo-runner.asc "${FORGEJO_URL}.asc"
+
+GPG_KEY="EB114F5E6C0DC2BCDD183550A4B61A2DC5923710"
+if ! gpg --list-keys "$GPG_KEY" >/dev/null 2>&1; then
+  gpg --keyserver hkps://keys.openpgp.org --recv "$GPG_KEY" >/dev/null 2>&1
+fi
+
+gpg --verify /tmp/forgejo-runner.asc /usr/local/bin/forgejo-runner >/dev/null 2>&1 \
+  && msg_ok "Signature valid" \
+  || { msg_error "Signature verification failed"; exit 1; }
+
+# -------------------------------------------------
+# Runner registration
+# -------------------------------------------------
+msg_info "Registering Forgejo Runner"
+
+export DOCKER_HOST="unix:///run/podman/podman.sock"
+
+forgejo-runner register \
+  --instance "$FORGEJO_INSTANCE" \
+  --token "$FORGEJO_RUNNER_TOKEN" \
+  --name "$HOSTNAME" \
+  --labels "linux-${ARCH}:docker://node:20-bookworm" \
+  --no-interactive
+
+msg_ok "Runner registered"
+
+# -------------------------------------------------
+# systemd service
+# -------------------------------------------------
+msg_info "Creating systemd service"
+
+cat <<EOF >/etc/systemd/system/forgejo-runner.service
+[Unit]
+Description=Forgejo Runner
+Documentation=https://forgejo.org/docs/latest/admin/actions/
+After=podman.socket
+Requires=podman.socket
+
+[Service]
+User=root
+WorkingDirectory=/root
+Environment=DOCKER_HOST=unix:///run/podman/podman.sock
+ExecStart=/usr/local/bin/forgejo-runner daemon
+Restart=on-failure
+RestartSec=10
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl daemon-reload
+systemctl enable --now forgejo-runner
+msg_ok "Forgejo Runner service enabled"
+
+motd_ssh
+customize
+cleanup_lxc
\ No newline at end of file