job "act-runner" {
  group "act-runner" {
    network {
      mode = "bridge"
    }

    # Consul Connect upstream to Gitea so the runner can register and receive jobs
    service {
      name = "act-runner"
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "code-connect"
              local_bind_port  = 3000
            }
          }
        }
      }
    }

    task "act-runner" {
      driver = "docker"

      config {
        image   = "gitea/act_runner:latest"
        volumes = ["/var/run/docker.sock:/var/run/docker.sock"]
      }

      env = {
        GITEA_INSTANCE_URL = "http://localhost:3000"
        CONFIG_FILE        = "/secrets/runner-config.yml"
      }

      # Required SOPS key:
      #   act-runner.registration_token — runner registration token from Gitea
      #   Admin → Settings → Actions → Runners → Create new runner
      template {
        data        = <<EOF
GITEA_RUNNER_REGISTRATION_TOKEN={{ with nomadVar "nomad/jobs/act-runner" }}{{ .registration_token }}{{ end }}
EOF
        destination = "secrets/runner.env"
        env         = true
      }

      # Limit which images/labels the runner will accept so it doesn't pick up
      # unrelated workloads if more runners are added later.
      template {
        data        = <<EOF
runner:
  labels:
    - "ubuntu-latest:docker://node:20-bookworm"
    - "ubuntu-22.04:docker://node:20-bookworm"
    - "ubuntu-24.04:docker://node:20-bookworm"
EOF
        destination = "secrets/runner-config.yml"
      }

      resources {
        cpu        = 200
        memory     = 256
        memory_max = 1024
      }
    }
  }
}