v0.3.0-6: add commented Turborepo Remote Cache env block to config.yaml

Adds TURBO_API / TURBO_TOKEN / TURBO_TEAM example env vars (all
commented) under runner.envs, pointing at http://host.containers.internal:3128
for use with the new turborepo-remote-cache package.

config.yaml

@@ -13,7 +13,14 @@ runner:
   # Execute how many tasks concurrently at the same time.
   capacity: 1
   # Extra environment variables to run jobs.
-  envs: {}
+  envs:
+    npm_config_store_dir: /cache/pnpm-store
+    # Turborepo Remote Cache — uncomment if turborepo-remote-cache-{service,container}
+    # is installed on the host. The runner reaches the host via host.containers.internal
+    # (Podman built-in). TURBO_TOKEN must match /etc/turborepo-remote-cache/config.env.
+    # TURBO_API: http://host.containers.internal:3128
+    # TURBO_TOKEN: CHANGE_ME
+    # TURBO_TEAM: local
   # Extra environment variables to run jobs from a file.
   # It will be ignored if it's empty or the file doesn't exist.
   env_file: .env
@@ -59,7 +66,7 @@ container:
   # Whether to use privileged mode or not when launching task containers (privileged mode is required for Docker-in-Docker).
   privileged: false
   # And other options to be used when the container is started (eg, --add-host=my.gitea.url:host-gateway).
-  options:
+  options: -v /var/cache/act-runner/pnpm-store:/cache/pnpm-store:z
   # The parent directory of a job's working directory.
   # If it's empty, /workspace will be used.
   workdir_parent:

gitea-act-runner-setup

@@ -18,4 +18,4 @@ chown gitea-runner:gitea-runner "$RUNNER_DIR"
 systemctl enable --now gitea-runner-podman.service
 
 cd "$RUNNER_DIR"
-sudo -u gitea-runner gitea-act-runner register -c "$CONFIG"
+runuser -u gitea-runner -- gitea-act-runner register -c "$CONFIG"

gitea-act-runner.sysusers

@@ -1,2 +1,2 @@
-# Type Name             ID             GECOS                  Home directory                  Shell
+g gitea-runner 125
-u      gitea-runner     -              "Gitea Act Runner"     /var/lib/gitea/runners          /sbin/nologin
+u gitea-runner 125:125 "Gitea Act Runner" /var/lib/gitea/runners /sbin/nologin

gitea-act_runner.spec

@@ -1,6 +1,6 @@
 Name:           gitea-act_runner
 Version:        0.3.0
-Release:        2%{?dist}
+Release:        6%{?dist}
 Summary:        Gitea act runner service.
 License:        MIT
 Group:          System Environment/Base
@@ -13,10 +13,12 @@ Source11:       config.yaml
 Source12:       gitea-act-runner-setup
 Source13:       gitea-act-runner.sysusers
 Source14:       gitea-runner-podman.service
+Source15:       storage.conf
+Source16:       limits.conf
 
 BuildRequires:  systemd-rpm-macros
-Requires:       shadow-utils
 Requires:       podman
+Requires:       systemd-container
 %{?systemd_requires}
 
 ExclusiveArch:  x86_64 aarch64
@@ -48,19 +50,30 @@ install -m 755 %{SOURCE12} %{buildroot}%{_bindir}/gitea-act-runner-setup
 
 install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners
 
-%post
+# Podman storage config for gitea-runner user — uses native btrfs driver
+# instead of overlayfs for better performance on btrfs filesystems
+install -d -m 750 %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers
+install -m 644 %{SOURCE15} %{buildroot}%{_sharedstatedir}/gitea/runners/.config/containers/storage.conf
+
+# Resource limits drop-in (shipped commented out as a template)
+install -d -m 755 %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d
+install -m 644 %{SOURCE16} %{buildroot}%{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf
+
+install -d -m 755 %{buildroot}/var/cache/act-runner/pnpm-store
+
+%pre
 %sysusers_create_package gitea-act-runner %{SOURCE13}
 
+%post
 if [ $1 -eq 1 ]; then
     loginctl enable-linger gitea-runner || :
 fi
 
-if ! grep -q "gitea-runner" /etc/subuid; then
+if ! grep -q "^gitea-runner:" /etc/subuid 2>/dev/null; then
-    LAST_ID=$(tail -n 1 /etc/subuid | cut -d: -f2)
+    NEXT=$(awk -F: '{n=$2+$3} END{print n+0}' /etc/subuid 2>/dev/null)
-    [ -z "$LAST_ID" ] && START_ID=100000 || START_ID=$((LAST_ID + 65536))
+    [ "$NEXT" -lt 524288 ] && NEXT=524288
-
+    END=$((NEXT + 65535))
-    echo "gitea-runner:$START_ID:65536" >> /etc/subuid
+    usermod --add-subuids "$NEXT-$END" --add-subgids "$NEXT-$END" gitea-runner 2>/dev/null || :
-    echo "gitea-runner:$START_ID:65536" >> /etc/subgid
 fi
 
 %systemd_post gitea-act_runner@.service
@@ -86,11 +99,39 @@ fi
 %{_unitdir}/gitea-runner-podman.service
 %{_sysusersdir}/gitea-act-runner.conf
 
+%dir %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d
+%config(noreplace) %{_sysconfdir}/systemd/system/gitea-act_runner@.service.d/limits.conf
+
 %defattr(-,gitea-runner,gitea-runner,750)
+%dir %{_sharedstatedir}/gitea/runners
 %dir %{_sysconfdir}/gitea
 %dir %{_sysconfdir}/gitea/runners
 %config(noreplace) %{_sysconfdir}/gitea/runners/runner1.yaml
 
+%dir %{_sharedstatedir}/gitea/runners/.config
+%dir %{_sharedstatedir}/gitea/runners/.config/containers
+%config(noreplace) %{_sharedstatedir}/gitea/runners/.config/containers/storage.conf
+
+%dir /var/cache/act-runner
+%dir /var/cache/act-runner/pnpm-store
+
 %changelog
+* Wed Apr 08 2026 Zoran Pericic <zpericic@netst.org> - 0.3.0-6
+- Add commented Turborepo Remote Cache env block to config.yaml
+  (TURBO_API/TURBO_TOKEN/TURBO_TEAM) for use with the new
+  turborepo-remote-cache package
+
+* Wed Apr 08 2026 Zoran Pericic <zpericic@netst.org> - 0.3.0-5
+- Fix gitea-runner UID/GID to 125 for stable user@125.service unit name
+- Use BindsTo= for gitea-runner-podman.service dependency
+- Wait for user@125.service and Podman socket before runner starts
+- Ship commented-out limits.conf drop-in for resource caps
+
+* Mon Apr 06 2026 Zoran Pericic <zpericic@netst.org> - 0.3.0-4
+- Add Podman btrfs storage.conf for gitea-runner user
+- Add dependency on gitea-runner-podman.service
+- Use usermod --add-subuids for subuid/subgid allocation
+- Add systemd-container dependency for loginctl enable-linger
+
 * Mon Mar 17 2025 Zoran Pericic <zpericic@netst.org> - 0.3.0-2
 - Add gitea-runner-podman.service for rootless Podman API socket

gitea-act_runner@.service

@@ -1,6 +1,8 @@
 [Unit]
 Description=Act runner is a runner for Gitea
-After=network.target
+After=network.target gitea-runner-podman.service user@125.service
+Wants=user@125.service
+BindsTo=gitea-runner-podman.service
 ConditionPathExists=/var/lib/gitea/runners/%i/.runner
 StartLimitIntervalSec=60
 StartLimitBurst=3
@@ -14,6 +16,8 @@ StateDirectoryMode=0750
 WorkingDirectory=/var/lib/gitea/runners/%i
 Environment=HOME=/var/lib/gitea/runners/%i
 
+# Wait for podman to actually create its socket before starting
+ExecStartPre=/bin/sh -c 'for i in $(seq 1 60); do [ -S /run/gitea-runner/podman/podman.sock ] && exit 0; sleep 1; done; echo "podman socket never appeared" >&2; exit 1'
 ExecStart=/usr/bin/gitea-act-runner daemon -c /etc/gitea/runners/%i.yaml
 
 Restart=on-failure

gitea-runner-podman.service

@@ -1,6 +1,7 @@
 [Unit]
 Description=Podman API socket for Gitea Act Runner
-After=network.target
+After=network.target systemd-logind.service user@125.service
+Wants=user@125.service
 
 [Service]
 Type=exec

limits.conf

@@ -0,0 +1,33 @@
+# Resource limits drop-in for gitea-act_runner@.service
+# ======================================================
+#
+# Installed to:
+#   /etc/systemd/system/gitea-act_runner@.service.d/limits.conf
+#
+# This file is shipped with all values commented out as examples.
+# Uncomment and adjust to protect the host from runaway CI jobs.
+#
+# A runaway build can exhaust memory and take down user@125.service
+# (the rootless user manager), which kills the Podman socket and
+# breaks all running runners until the service is restarted.
+#
+# Setting MemoryHigh/MemoryMax caps the cgroup, so the kernel OOM
+# killer targets the runner's children first instead of user@.service.
+#
+# Recommended starting points for a dedicated CI host:
+#   MemoryHigh : soft limit — kernel throttles above this
+#   MemoryMax  : hard limit — kernel kills processes above this
+#   TasksMax   : max number of tasks (processes + threads)
+#
+# Also consider adding matching limits in your runner config.yaml
+# under container.options, e.g.:
+#   options: --memory=8g --memory-swap=8g -v /var/cache/act-runner/pnpm-store:/cache/pnpm-store:z
+#
+# After editing, reload systemd:
+#   systemctl daemon-reload
+#   systemctl restart gitea-act_runner@<instance>.service
+
+[Service]
+# MemoryHigh=10G
+# MemoryMax=12G
+# TasksMax=4096

storage.conf

@@ -0,0 +1,51 @@
+# Podman storage configuration for gitea-runner user
+# ==================================================
+#
+# PREREQUISITE: /var/lib/gitea must be a separate Btrfs mount point.
+# This ensures all runner workloads (container images, layers, build cache)
+# stay on the Btrfs partition, isolated from the system root filesystem.
+#
+# Example /etc/fstab entry (recommended mount options for CI workloads):
+#   /dev/sdXN  /var/lib/gitea  btrfs  noatime,compress=zstd:1,space_cache=v2,autodefrag,discard=async,commit=120  0 0
+#
+# Mount option breakdown:
+#   noatime        - Skip access time updates on reads, reduces write I/O
+#   compress=zstd:1 - Transparent compression; level 1 is fast with good ratio,
+#                     can reduce container image storage by up to 50%
+#   space_cache=v2 - Faster free-space tracking for frequent allocate/delete
+#                     cycles typical of container image churn
+#   autodefrag     - Background defrag for small random writes (build artifacts)
+#   discard=async  - Async TRIM for SSDs (omit this for spinning disks)
+#   commit=120     - Flush data every 120s instead of 30s — reduces write
+#                     overhead; acceptable for CI data that can be rebuilt
+#
+# WHY BTRFS DRIVER?
+# - Fast snapshots: Gitea runners frequently pull and remove images. The btrfs
+#   driver uses subvolumes, which is faster than OverlayFS on XFS.
+# - Layer deduplication: When multiple runners use similar base images (e.g.
+#   node, go), Btrfs deduplicates them automatically, saving disk space.
+# - Resource isolation: Since /var/lib/gitea is a separate mount, heavy runner
+#   I/O won't slow down the system root on XFS.
+#
+# INSTALLATION:
+# This file is installed to:
+#   /var/lib/gitea/runners/.config/containers/storage.conf
+# Podman reads it automatically when running as the gitea-runner user.
+#
+# INITIALIZATION (run as gitea-runner after install):
+#   podman system reset
+#   podman info | grep -E "store|graphRoot"
+# Verify: storage.driver must be "btrfs" and graphRoot must point
+# inside /var/lib/gitea/runners/
+#
+# All values below are commented out as examples. Uncomment and adjust
+# to match your environment.
+
+# [storage]
+# driver = "btrfs"
+#
+# # Podman will automatically create subdirectories here
+# graphroot = "/var/lib/gitea/runners/.local/share/containers/storage"
+
+# [storage.options]
+# # Optional: add quotas here if you want to limit disk space for runners