commit b6fc7d59b3a70de44f2e2fe8ee49ea387b6f37ee
Author: Pierre Prinetti <pierreprinetti@redhat.com>
Date:   Fri Jul 7 20:04:22 2023 +0200

    First commit

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..7f673d6
--- /dev/null
+++ b/README.md
@@ -0,0 +1,53 @@
+# forgejo-hetzer-runner
+
+Spawn a new Forgejo runner on Hetzner infrastructure.
+
+**Requirements:**
+* [`jq`](https://jqlang.github.io/jq)
+
+**Required environment variables:**
+* `HETZNER_API_TOKEN`: A Hetzner token valid for operating servers
+
+## Usage
+
+**To stand up a runner:**
+
+```shell
+./runner-up.sh -r <runner_token>
+```
+
+Avoid root login with password by passing your SSH key ID on server creation:
+
+```shell
+./runner-up.sh -s <ssh_key id> -r <runner_token>
+```
+
+**Delete the server(s):**
+```shell
+./runner-get.sh | jq '.servers[].id' | xargs -r -n1 ./runner-down.sh
+```
+
+**Log in:**
+```shell
+ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no "runner@$(./runner-get.sh | jq -j '.servers[0].public_net.ipv4.ip')"
+```
+
+## Fetching a registration token
+
+The `FORGEJO_TOKEN` must be manually retrieved from the web interface. Note that each token is only valid for registering one runner.
+
+* Retrieve a token to register a runner for your organization: `https://codeberg.org/org/${organization_name}/settings/runners`
+* Retrieve a token to register a runner for one repository: `https://codeberg.org/${user_or_organization_name}/${repository_name}/settings/runners`
+
+This issue tracks the addition of an API endpoint to fetch registration tokens in Forgejo: https://codeberg.org/forgejo/forgejo/issues/1030
+
+## Additional notes
+
+The server has to have an IPv4 interface. Otherwise:
+* fetching `forgejo-runner` fails because `code.forgejo.org` is IPv4-only
+* fetching default Docker base images fails because `docker.io` is IPv4-only
+* your CI steps might involve communicating with an IPv4-only machine.
+
+## External references
+
+* [Hetzner cloud API reference](https://docs.hetzner.cloud/)
diff --git a/runner-down.sh b/runner-down.sh
new file mode 100755
index 0000000..143fc97
--- /dev/null
+++ b/runner-down.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+declare -r id="$1"
+
+curl -isS \
+	-X DELETE \
+	-H "Authorization: Bearer ${HETZNER_API_TOKEN}" \
+  	"https://api.hetzner.cloud/v1/servers/${id}"
diff --git a/runner-get.sh b/runner-get.sh
new file mode 100755
index 0000000..a1f0e2a
--- /dev/null
+++ b/runner-get.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+curl -sS \
+	-X GET \
+	-H "Authorization: Bearer ${HETZNER_API_TOKEN}" \
+	--url-query 'label_selector=role==runner' \
+	'https://api.hetzner.cloud/v1/servers'
diff --git a/runner-up.sh b/runner-up.sh
new file mode 100755
index 0000000..77acf53
--- /dev/null
+++ b/runner-up.sh
@@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+
+set -Eeuo pipefail
+
+random_string() {
+	declare -r length="$1"
+	tr -dc a-z </dev/random \
+		| head -c "$length"
+}
+
+declare \
+	image='debian-12' \
+	location='fsn1' \
+	name="runner-$(random_string 5)" \
+	server_type='cx11' \
+	cloud_init_path='runner.cloud-init.yaml' \
+	ssh_key_id='' \
+	runner_token="${FORGEJO_TOKEN:-}" \
+
+while getopts "hi:l:n:t:c:r:s:" arg; do
+	case $arg in
+		h)
+			echo 'runner-up'
+			echo 'https://codeberg.org/pierreprinetti/forgejo-hetzner-runner'
+			echo
+			echo -e 'Usage:'
+			echo -e "\t-i: image (default: '${image}')"
+			echo -e "\t-l: location (default: '${location}')"
+			echo -e "\t-n: name (default: '${name}')"
+			echo -e "\t-t: type (default: '${server_type}')"
+			echo -e "\t-c: cloud-init path (default: '${cloud_init_path}')"
+			echo -e "\t-r: Forgejo runner token (default: '${runner_token}')"
+			echo -e "\t-s: SSH key ID (default: none)"
+			echo
+			exit 0
+			;;
+		i)
+			image=$OPTARG
+			;;
+		l)
+			location=$OPTARG
+			;;
+		n)
+			name=$OPTARG
+			;;
+		t)
+			server_type=$OPTARG
+			;;
+		c)
+			cloud_init_path=$OPTARG
+			;;
+		r)
+			runner_token=$OPTARG
+			;;
+		s)
+			ssh_key_id=$OPTARG
+			;;
+		*)
+			exit 1
+			;;
+	esac
+done
+readonly \
+	image \
+	location \
+	name \
+	server_type \
+	cloud_init_path \
+	runner_token \
+	ssh_key_id
+shift $((OPTIND-1))
+
+if [[ -z "$runner_token" ]]; then
+	echo 'Set a runner token'
+	exit 1
+fi
+
+declare authorized_ssh_key
+declare data
+data="$(jq -c \
+	--arg image "$image" \
+	--arg location "$location" \
+	--arg name "$name" \
+	--arg server_type "$server_type" \
+	'.
+	| .image=$image
+	| .location=$location
+	| .name=$name
+	| .server_type=$server_type
+	| .labels.role="runner"
+' <<< '{}')"
+if [[ -n $ssh_key_id ]]; then
+	data="$(jq -c --argjson ssh_key_id "$ssh_key_id" '.ssh_keys=[$ssh_key_id]' <<< "$data")"
+	authorized_ssh_key="$(curl -sS -X GET \
+		-H "Authorization: Bearer $HETZNER_API_TOKEN" \
+		"https://api.hetzner.cloud/v1/ssh_keys/${ssh_key_id}" \
+		| jq -r '.ssh_key.public_key')"
+fi
+readonly authorized_ssh_key
+
+export runner_token
+export authorized_ssh_key
+data="$(jq -c --arg cloud_init "$(envsubst '$authorized_ssh_key $runner_token' < "$cloud_init_path")" '.user_data=$cloud_init' <<< "$data")"
+readonly data
+
+curl -isS \
+	-X POST \
+	-H "Authorization: Bearer ${HETZNER_API_TOKEN}" \
+	-H "Content-Type: application/json" \
+	-d "$data" \
+  	'https://api.hetzner.cloud/v1/servers'
diff --git a/runner.cloud-init.yaml b/runner.cloud-init.yaml
new file mode 100644
index 0000000..ac56b48
--- /dev/null
+++ b/runner.cloud-init.yaml
@@ -0,0 +1,49 @@
+#cloud-config
+package_update: true
+package_upgrade: true
+packages:
+  - apparmor
+  - docker.io
+runcmd:
+  - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 2/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+  - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+  - sed -i '$a AllowUsers runner' /etc/ssh/sshd_config
+  - curl -sSL https://code.forgejo.org/forgejo/runner/releases/download/v2.1.0/forgejo-runner-amd64 > /usr/bin/forgejo-runner
+  - echo 'f0dab69994fcdc3d35ef34b59ff3cff6f44a70112a6e7125f1fb7949d879e02e2a2d1d0a3ac8732b2bae7e47bfb7358a8fa5f409fe4d85e48c4e69b0c38c8e43  /usr/bin/forgejo-runner' | sha512sum -c && chmod +x /usr/bin/forgejo-runner
+  - mkdir -p /etc/runner
+  - cd /etc/runner && /usr/bin/forgejo-runner register --no-interactive --token ${runner_token} --name runner --instance https://codeberg.org --labels docker:docker://node:16-bullseye
+  - /usr/bin/forgejo-runner generate-config > /etc/runner/config.yml
+  - chown -R runner:runner /etc/runner
+  - |
+    cat > /etc/systemd/system/runner.service <<EOF
+    [Unit]
+    Description=Forgejo runner
+    Wants=network.target
+    After=network.target
+
+    [Service]
+    Type=simple
+    User=runner
+    Group=runner
+    WorkingDirectory=/etc/runner
+    ExecStart=/usr/bin/forgejo-runner daemon
+    Restart=on-failure
+    RestartSec=5
+
+    [Install]
+    WantedBy=multi-user.target
+    EOF
+  - systemctl enable runner.service
+  - reboot
+users:
+  - groups: users, admin, docker
+    name: runner
+    shell: /bin/bash
+    ssh_authorized_keys:
+      - ${authorized_ssh_key}
+    sudo: ALL=(ALL) NOPASSWD:ALL