Initial commit: GitLab Runner for Unraid

Auto-registering GitLab Runner Docker image with Unraid CA template,
multi-platform CI/CD pipeline (GHCR + Docker Hub), and documentation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Mirko Haaser

.dockerignore

@@ -0,0 +1,11 @@
+.git
+.github
+.gitignore
+.dockerignore
+.claude
+.DS_Store
+README.md
+LICENSE
+unraid-template/
+test-config/
+*.md

.github/workflows/docker-publish.yml

@@ -0,0 +1,69 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches: [main]
+    tags: ['v*']
+  pull_request:
+    branches: [main]
+
+env:
+  GHCR_IMAGE: ghcr.io/mcgo/unraid-gitlab-runner
+  DOCKERHUB_IMAGE: mcgo/unraid-gitlab-runner
+
+jobs:
+  build-and-push:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to GitHub Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to Docker Hub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ${{ env.GHCR_IMAGE }}
+            ${{ env.DOCKERHUB_IMAGE }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max

.gitignore

@@ -0,0 +1,16 @@
+# OS
+.DS_Store
+Thumbs.db
+
+# IDE
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# Docker
+test-config/
+
+# Environment
+.env
+*.env.local

Dockerfile

@@ -0,0 +1,7 @@
+FROM gitlab/gitlab-runner:alpine
+
+COPY entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+ENTRYPOINT ["/usr/bin/dumb-init", "/entrypoint.sh"]
+CMD ["run", "--user=gitlab-runner", "--working-directory=/home/gitlab-runner"]

README.md

@@ -0,0 +1,97 @@
+# GitLab Runner for Unraid
+
+A GitLab Runner Docker image designed for Unraid, with automatic registration on first start.
+
+Based on `gitlab/gitlab-runner:alpine` — adds auto-registration via environment variables and ships with an Unraid Community Applications template.
+
+## Quick Start
+
+```bash
+docker run -d \
+  --name gitlab-runner \
+  --restart unless-stopped \
+  -e CI_SERVER_URL=https://gitlab.com \
+  -e RUNNER_TOKEN=glrt-xxxxxxxxxxxx \
+  -e RUNNER_EXECUTOR=docker \
+  -v /var/run/docker.sock:/var/run/docker.sock \
+  -v /mnt/user/appdata/gitlab-runner:/etc/gitlab-runner \
+  mcgo/unraid-gitlab-runner
+```
+
+## Installation on Unraid
+
+1. Go to the **Apps** tab in Unraid
+2. Search for **GitLab Runner**
+3. Click **Install** and fill in the template variables
+4. The runner will automatically register itself at your GitLab instance
+
+### Manual Template Install
+
+If the template is not yet available in Community Applications:
+
+1. In Unraid, go to **Docker > Add Container > Template Repositories**
+2. Add: `https://github.com/mcgo/unraid-gitlab-runner`
+3. The template will appear under **Docker > Add Container**
+
+## Creating a Runner Token
+
+### Modern Tokens (GitLab 16.0+, recommended)
+
+1. Go to your GitLab project/group/instance **Settings > CI/CD > Runners**
+2. Click **New project runner** (or group/instance runner)
+3. Configure the runner settings (tags, description, etc.) in the UI
+4. Copy the token (starts with `glrt-`)
+
+With modern tokens, tags and other settings are configured in GitLab's UI — the `RUNNER_TAG_LIST`, `RUNNER_UNTAGGED`, and `RUNNER_LOCKED` environment variables have no effect.
+
+### Legacy Registration Tokens (deprecated)
+
+If you're using a legacy registration token, you can still pass `RUNNER_TAG_LIST`, `RUNNER_UNTAGGED`, and `RUNNER_LOCKED` as environment variables.
+
+## Environment Variables
+
+### Required
+
+| Variable | Description | Default |
+|---|---|---|
+| `CI_SERVER_URL` | URL of your GitLab instance | — |
+| `RUNNER_TOKEN` | Runner authentication token | — |
+
+### Basic Configuration
+
+| Variable | Description | Default |
+|---|---|---|
+| `RUNNER_NAME` | Display name in GitLab | `unraid-runner` |
+| `RUNNER_EXECUTOR` | `docker` or `shell` | `docker` |
+| `DOCKER_IMAGE` | Default image for CI jobs | `alpine:latest` |
+| `RUNNER_CONCURRENT` | Max parallel jobs | `1` |
+
+### Advanced
+
+| Variable | Description | Default |
+|---|---|---|
+| `RUNNER_TAG_LIST` | Comma-separated tags (legacy tokens only) | — |
+| `RUNNER_UNTAGGED` | Run untagged jobs (legacy tokens only) | — |
+| `RUNNER_LOCKED` | Lock to project (legacy tokens only) | — |
+| `DOCKER_PRIVILEGED` | Enable privileged mode for Docker executor | `false` |
+| `DOCKER_VOLUMES` | Additional volumes, comma-separated | — |
+| `UNREGISTER_ON_STOP` | Unregister runner on container stop | `false` |
+| `CA_CERTIFICATES_PATH` | Path to custom CA cert inside container | — |
+
+## Volumes
+
+| Container Path | Recommended Host Path | Description |
+|---|---|---|
+| `/etc/gitlab-runner` | `/mnt/user/appdata/gitlab-runner` | Runner configuration (persists registration) |
+| `/var/run/docker.sock` | `/var/run/docker.sock` | Docker socket (required for Docker executor) |
+
+## Docker Images
+
+This image is available on:
+
+- **GHCR**: `ghcr.io/mcgo/unraid-gitlab-runner`
+- **Docker Hub**: `mcgo/unraid-gitlab-runner`
+
+## License
+
+MIT

entrypoint.sh

@@ -0,0 +1,135 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# ──────────────────────────────────────────────
+# GitLab Runner Entrypoint
+# Auto-registers the runner on first start and
+# handles graceful shutdown with optional unregister.
+# ──────────────────────────────────────────────
+
+CONFIG_DIR="/etc/gitlab-runner"
+CONFIG_FILE="${CONFIG_DIR}/config.toml"
+
+# ── CA Certificate handling ───────────────────
+setup_ca_certificate() {
+  local ca_file="${CA_CERTIFICATES_PATH:-}"
+  if [[ -z "$ca_file" ]]; then
+    return
+  fi
+
+  if [[ ! -f "$ca_file" ]]; then
+    echo "[entrypoint] WARNING: CA_CERTIFICATES_PATH set but file not found: ${ca_file}"
+    return
+  fi
+
+  echo "[entrypoint] Installing custom CA certificate from ${ca_file} ..."
+  cp "$ca_file" /usr/local/share/ca-certificates/custom-ca.crt
+  update-ca-certificates --fresh >/dev/null 2>&1 || true
+}
+
+# ── Registration check ────────────────────────
+is_registered() {
+  [[ -f "$CONFIG_FILE" ]] && grep -q '\[\[runners\]\]' "$CONFIG_FILE" 2>/dev/null
+}
+
+# ── Register runner ───────────────────────────
+register_runner() {
+  if [[ -z "${CI_SERVER_URL:-}" ]]; then
+    echo "[entrypoint] ERROR: CI_SERVER_URL is required but not set."
+    exit 1
+  fi
+  if [[ -z "${RUNNER_TOKEN:-}" ]]; then
+    echo "[entrypoint] ERROR: RUNNER_TOKEN is required but not set."
+    exit 1
+  fi
+
+  local executor="${RUNNER_EXECUTOR:-docker}"
+
+  echo "[entrypoint] Registering runner at ${CI_SERVER_URL} ..."
+
+  local args=(
+    --non-interactive
+    --url "$CI_SERVER_URL"
+    --token "$RUNNER_TOKEN"
+    --name "${RUNNER_NAME:-unraid-runner}"
+    --executor "$executor"
+  )
+
+  # Docker-executor specific options
+  if [[ "$executor" == "docker" ]]; then
+    args+=(--docker-image "${DOCKER_IMAGE:-alpine:latest}")
+
+    if [[ "${DOCKER_PRIVILEGED:-false}" == "true" ]]; then
+      args+=(--docker-privileged)
+    fi
+
+    if [[ -n "${DOCKER_VOLUMES:-}" ]]; then
+      IFS=',' read -ra vols <<< "$DOCKER_VOLUMES"
+      for vol in "${vols[@]}"; do
+        vol="$(echo "$vol" | xargs)"  # trim whitespace
+        [[ -n "$vol" ]] && args+=(--docker-volumes "$vol")
+      done
+    fi
+  fi
+
+  # Legacy token options (ignored by modern runner tokens glrt-*)
+  if [[ -n "${RUNNER_TAG_LIST:-}" ]]; then
+    args+=(--tag-list "$RUNNER_TAG_LIST")
+  fi
+  if [[ -n "${RUNNER_UNTAGGED:-}" ]]; then
+    args+=(--run-untagged="$RUNNER_UNTAGGED")
+  fi
+  if [[ -n "${RUNNER_LOCKED:-}" ]]; then
+    args+=(--locked="$RUNNER_LOCKED")
+  fi
+
+  gitlab-runner register "${args[@]}"
+  echo "[entrypoint] Runner registered successfully."
+}
+
+# ── Patch global config ───────────────────────
+patch_global_config() {
+  local concurrent="${RUNNER_CONCURRENT:-1}"
+
+  if [[ ! -f "$CONFIG_FILE" ]]; then
+    return
+  fi
+
+  if grep -q '^concurrent' "$CONFIG_FILE"; then
+    sed -i "s/^concurrent *=.*/concurrent = ${concurrent}/" "$CONFIG_FILE"
+  else
+    sed -i "1i concurrent = ${concurrent}" "$CONFIG_FILE"
+  fi
+
+  echo "[entrypoint] Set concurrent = ${concurrent}"
+}
+
+# ── Graceful shutdown ─────────────────────────
+shutdown() {
+  echo "[entrypoint] Received shutdown signal, stopping runner ..."
+  gitlab-runner stop 2>/dev/null || true
+
+  if [[ "${UNREGISTER_ON_STOP:-false}" == "true" ]]; then
+    echo "[entrypoint] Unregistering runner ..."
+    gitlab-runner unregister --all-runners 2>/dev/null || true
+  fi
+
+  exit 0
+}
+
+trap shutdown SIGQUIT SIGTERM SIGINT
+
+# ── Main ──────────────────────────────────────
+setup_ca_certificate
+
+if ! is_registered; then
+  register_runner
+  patch_global_config
+else
+  echo "[entrypoint] Runner already registered, skipping registration."
+  # Still patch concurrent in case the env var changed
+  patch_global_config
+fi
+
+echo "[entrypoint] Starting gitlab-runner ..."
+exec gitlab-runner "$@"