familienarchiv/runner-config.yaml

# runner-config.yaml — only the relevant section
container:
  # passed as DOCKER_HOST inside the job container
  docker_host: "unix:///var/run/docker.sock"
  # Job workspaces are stored here on the NAS and mounted at the same
  # absolute path inside job containers. Identical host ↔ container path
  # is the requirement: Docker Compose resolves relative bind mounts to
  # $(pwd) inside the job container and passes that absolute path to the
  # host daemon — the daemon must find the file at that exact host path.
  # Prerequisite: mkdir -p /volume1/gitea-workspace on the NAS, and add
  #   - /volume1/gitea-workspace:/volume1/gitea-workspace
  # to the runner service volumes in gitea's docker-compose.yml.
  workdir_parent: /volume1/gitea-workspace
  # whitelists volumes that workflow steps may bind-mount
  valid_volumes:
    - "/var/run/docker.sock"
    - "/volume1/gitea-workspace"
  # appended to `docker run` when the runner spawns a job container
  # SECURITY: Mounting the Docker socket grants job containers root-equivalent
  # access to the host Docker daemon. Acceptable here because only trusted code
  # from this private repo runs on this runner. Do NOT use on a runner that
  # accepts untrusted PRs from external contributors.
  options: "-v /var/run/docker.sock:/var/run/docker.sock -v /volume1/gitea-workspace:/volume1/gitea-workspace"
  # keep network mode default (bridge) — Testcontainers handles its own networking
  force_pull: false