bec948bccac65e355a8b671d9168adddfd08bc96
The Gitea Actions runners on Legion need build containers to be able to clone repos. They run with network: host so they can't resolve gitea.git.svc.cluster.local — they have to use the public URL. The public URL sits behind Cloudflare Access, which is why the previous naive switch (#3) had to be reverted.

This change keeps the runner daemon registered against the in-cluster URL (no CF Access on the polling loop) but rewrites http://gitea.git.svc.cluster.local:3000/ to https://git.neuralplatform.ai/ inside the build container, with the CF Access service-token headers injected via git extraHeader.

The redirect script is sourced before every job step via BASH_ENV; the CF Access credentials reach the build container through act_runner's container.env, which we now populate from the new gitea-runner-cf-access Vault path that PR #5's Terraform writes.

Known limitation documented in the init script: actions/checkout's per-job auth header is keyed to the in-cluster URL and gets dropped after the insteadOf rewrite. Public repos work; private repos that need that token will need a follow-up.
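The git-side plumbing the commit describes, as an added shell example (not the repository's own init script): it renders the url.insteadOf / http.extraHeader fragment the BASH_ENV-sourced script would install, models the prefix rewrite git applies, and shows why a checkout header keyed to the in-cluster URL no longer matches once the request goes to the public host. The credential values and the `demo` argument are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own init script. Models the git config
# the commit describes; the placeholder credentials below are constructed.
set -eu

IN_CLUSTER_URL="http://gitea.git.svc.cluster.local:3000/"
PUBLIC_URL="https://git.neuralplatform.ai/"

# Render the gitconfig fragment the redirect script would install: clones of
# the in-cluster URL go to the public host, and the CF Access service-token
# headers are scoped to that host only, so they are never sent anywhere else.
render_gitconfig() {
  local id="${1:?client id}" secret="${2:?client secret}"
  cat <<EOF
[url "${PUBLIC_URL}"]
    insteadOf = ${IN_CLUSTER_URL}
[http "${PUBLIC_URL}"]
    extraHeader = CF-Access-Client-Id: ${id}
    extraHeader = CF-Access-Client-Secret: ${secret}
EOF
}

# Pure-shell model of git's url.<base>.insteadOf prefix rewrite, so the
# effect on a clone URL can be inspected without any network call.
rewrite_url() {
  case "$1" in
    "${IN_CLUSTER_URL}"*) printf '%s%s\n' "$PUBLIC_URL" "${1#"$IN_CLUSTER_URL"}" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Known limitation from the commit: actions/checkout keys its per-job auth
# header to the in-cluster URL. An http.<url>.extraHeader only applies when
# <url> is a prefix of the URL actually requested, i.e. the rewritten one.
# Returns 0 if the header still applies after the rewrite, 1 otherwise.
header_still_applies() {
  local header_url="$1" clone_url="$2"
  case "$(rewrite_url "$clone_url")" in
    "${header_url}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Stand-alone demo with constructed placeholder credentials.
if [ "${1:-}" = "demo" ]; then
  render_gitconfig "placeholder-id" "placeholder-secret"
  rewrite_url "${IN_CLUSTER_URL}owner/repo.git"
fi
```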
# infrastructure
Personal infrastructure-as-code for Legion (k3s home server) and supporting tooling.
| Doc | What it covers |
|---|---|
| AGENTS.md | Full reference: machines, secrets, services, domains, namespaces, common operations |
| servers/legion/README.md | What's running on Legion and how deployment works |
| servers/legion/RUNBOOK.md | Disaster recovery — full restore from scratch |
## Quick start

```sh
cd servers/legion
direnv allow
terraform plan
terraform apply
```
Push to servers/ to deploy app changes via Argo CD.