From 0f0308bf6878141f46d8f497e8456e8c3c19541e Mon Sep 17 00:00:00 2001
From: Daniel Maksymilian Syrnicki
Date: Tue, 14 Apr 2026 18:45:32 +0200
Subject: [PATCH] ci: switch build-iso to docker-outside-of-docker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The DinD setup was the wrong tool here: forgejo-runner runs on host docker, but it spawned jobs via the DinD sidecar — meaning jobs were isolated inside DinD's own docker namespace and couldn't reach `docker-in-docker` by hostname, and couldn't see the `forgejo-runner_default` network (which only exists on host docker).

Switched the runner (compose.yml + data/config.yml) to talk directly to host docker via `/var/run/docker.sock` and added it to the host `docker` group (GID 988) so the non-root runner user can use the socket. `valid_volumes` now whitelists the socket so job containers can mount it too.

Workflow now mounts /var/run/docker.sock into the job container and points DOCKER_HOST at that unix socket. `./iso/build.sh` then runs its inner `docker run --privileged archlinux:latest` against the host daemon — no nested docker.

Tradeoff: this is less isolated than DinD (jobs have full host docker access — they could spawn arbitrary containers), but on a dedicated single-user build VM the DooD simplification is worth it.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .forgejo/workflows/build-iso.yml | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/.forgejo/workflows/build-iso.yml b/.forgejo/workflows/build-iso.yml
index a244c4a..d428cad 100644
--- a/.forgejo/workflows/build-iso.yml
+++ b/.forgejo/workflows/build-iso.yml
@@ -16,14 +16,16 @@ jobs: build-iso: runs-on: ubuntu-latest timeout-minutes: 30 - # DOCKER_HOST points the docker CLI at the DinD sidecar. The sidecar's - # hostname is DNS-resolvable because forgejo-runner is configured with - # `container.network: "forgejo-runner_default"`, which attaches every - # job container to the shared network where docker-in-docker lives. - # The default `ubuntu-latest` image (catthehacker/ubuntu:act-latest) - # already ships the docker CLI. + # The runner is configured for docker-outside-of-docker: it mounts the + # host's /var/run/docker.sock. Jobs get the same socket so the + # `docker run` inside build.sh talks to the host daemon directly, + # no DinD gymnastics. + container: + image: catthehacker/ubuntu:act-latest + volumes: + - /var/run/docker.sock:/var/run/docker.sock env: - DOCKER_HOST: tcp://docker-in-docker:2375 + DOCKER_HOST: unix:///var/run/docker.sock steps: - uses: actions/checkout@v4
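Review bot: bind-mounting the host socket and pointing DOCKER_HOST at it leaves two things unaddressed in this hunk. First, socket permissions: the commit message adds the host runner user to the `docker` group (GID 988), but that does nothing for the process inside the `catthehacker/ubuntu:act-latest` job container, which can only open the socket if it runs as root or is itself in a group with GID 988; if the image's default user is not root, the `docker run` in build.sh fails with a permission error, so either state in the comment that the job runs as root or add something like `options: --group-add 988` under `container:` (assumed syntax, to be checked against the runner's supported keys). Second, path semantics: now that the inner `docker run` goes to the host daemon, any `-v` bind mounts build.sh passes are resolved by the host, not by the job container, so a mount of the checked-out workspace (which lives in the job container's filesystem) will come up empty or point at the wrong directory unless build.sh uses host paths or a named volume; that is worth verifying and recording in the comment, which says `docker run` "talks to the host daemon directly" but not what that implies for mounts. The replacement comment should also carry the trade-off the commit message states (the job gets full host docker access, acceptable only on a dedicated build VM) so that anyone editing or copying this workflow sees the blast radius where the socket mount is declared.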