LGTM.

I like it. It is not breaking anything but is just here as 3rd way to do it. I'd merge that as is. Even if you missed something in the template, it is not critical because things can be added if needed. Very good job!

Sounds fair, I am removing it from draft state.

I guess people will love this new feature. If you are keen in getting a maintainer of this repo, just say a word.

Hey, thanks for the work on this, would it be possible to get a new release including this feature?

@riemers cc

I've tried to switch to the template using the master, thus only updating the dependency version, and setting gitlab_runner_config_update_mode: by_template, and here is some feedback (only ran in check mode, I don't want to make the switch until I'm sure I will have all I need available) :

• I had to add id and token_obtained_at in my runner configs (I took the auto generated values I found in the current file, they were previously auto generated/filled)
• Under [runners.docker.sysctls], I was also using "net.ipv4.ip_forward" = "1", and it's no more taking into account and seems missing from the template
• It's also not using various settings under runners.docker that I had set manually: allowed_images, security_opt, and memory.
• A bunch of other default settings are also no more set (and not yet clear to me if they come from the role or from the runner default configuration), but I think some could be set manually: disable_entrypoint_overwrite, oom_kill_disable and network_mtu (and this one do not some to be in the template).
• At top level the connection_max_age = "15m0s" and shutdown_timeout = 0 seems also to be missing/not available in the template (they were there by default).
• There was also under [session_server], session_timeout = 1800 that was apparently set by default and that gets removed.
• And under [runners.cache], MaxUploadedArchiveSize = 0 was apparently set by the default runner conf

So maybe a new release should only be published once these points are clarified/fixed (I assume some/most points can be ignored, but some may need to be addressed, in case someone is having suggestion, I could look at making a PR).

So I just realised that most of the parts I'm missing where set using the extra_configs settings, which can append content to various sections:

I've addressed the points I need via #401, seems to be OK:

TASK [riemers.gitlab-runner : (Unix) Configure Gitlab Runner via template] ******************************************
--- before: /etc/gitlab-runner/config.toml
+++ after: /home/baptiste/.ansible/tmp/ansible-local-1795717gnspj19_/tmpr63fpteg/config.toml.j2
@@ -1,56 +1,44 @@
 concurrent = 4
 check_interval = 0
-connection_max_age = "15m0s"
-shutdown_timeout = 0
-
-[session_server]
-  session_timeout = 1800

 [[runners]]
   name = "Sysadmin project GitLab Runner"
   limit = 0
-  output_limit = 4096
   url = "https://gitlab.xxx.xxx"
   environment = []
+  executor = "docker"
+  output_limit = 4096
   id = 6
   token = "glrt-[REDACTED]"
   token_obtained_at = 2025-09-15T09:24:25Z
   token_expires_at = 0001-01-01T00:00:00Z
-  executor = "docker"
+  [runners.docker]
+    image = "alpine"
+    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
+    memory = "2g"
+    security_opt = ["seccomp=unconfined", "apparmor=unconfined"]
+    allowed_images = ["docker.io/anchore/syft:*", "docker.io/aquasec/trivy:*", "docker.io/cytopia/*:*", "docker.io/geerlingguy/*:*", "docker.io/hadolint/hadolint:*", "docker.io/haxorof/ansible-lint:*", "docker.io/renovate/renovate:*", "docker.io/zricethezav/gitleaks:*", "gitlab.xxx.xxx:5050/**/*:*", "quay.io/containers/buildah:*", "quay.io/containers/skopeo:*", "registry.gitlab.com/**/*:*"]
+    [runners.docker.sysctls]
+      net.ipv4.ip_forward = "1"
   [runners.cache]
-    MaxUploadedArchiveSize = 0
-  [runners.docker]
-    allowed_images = ["docker.io/anchore/syft:*", "docker.io/aquasec/trivy:*", "docker.io/cytopia/*:*", "docker.io/geerlingguy/*:*", "docker.io/hadolint/hadolint:*", "docker.io/haxorof/ansible-lint:*", "docker.io/renovate/renovate:*", "docker.io/zricethezav/gitleaks:*", "gitlab.xxx.xxx:5050/**/*:*", "quay.io/containers/buildah:*", "quay.io/containers/skopeo:*", "registry.gitlab.com/**/*:*"]
-    security_opt = ["seccomp=unconfined", "apparmor=unconfined"]
-    memory = "2g"
-    image = "alpine"
-    disable_entrypoint_overwrite = false
-    oom_kill_disable = false
-    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
-    network_mtu = 0

-    [runners.docker.sysctls]
-      "net.ipv4.ip_forward" = "1"
 [[runners]]
   name = "Instance GitLab Runner"
   limit = 0
-  output_limit = 4096
   url = "https://gitlab.xxx.xxx"
   environment = []
+  executor = "docker"
+  output_limit = 4096
   id = 7
   token = "glrt-[REDACTED]"
   token_obtained_at = 2025-09-15T09:24:28Z
   token_expires_at = 0001-01-01T00:00:00Z
-  executor = "docker"
+  [runners.docker]
+    image = "alpine"
+    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
+    memory = "1g"
+    allowed_images = ["docker.io/anchore/syft:*", "docker.io/aquasec/trivy:*", "docker.io/cytopia/ansible:*", "docker.io/geerlingguy/*:*", "docker.io/hadolint/hadolint:*", "docker.io/haxorof/ansible-lint:*", "docker.io/renovate/renovate:*", "docker.io/zricethezav/gitleaks:*", "gitlab.xxx.xxx:5050/**/*:*", "quay.io/containers/buildah:*", "quay.io/containers/skopeo:*", "registry.gitlab.com/**/*:*"]
+    [runners.docker.sysctls]
+      net.ipv4.ip_forward = "1"
   [runners.cache]
-    MaxUploadedArchiveSize = 0
-  [runners.docker]
-    allowed_images = ["docker.io/anchore/syft:*", "docker.io/aquasec/trivy:*", "docker.io/cytopia/ansible:*", "docker.io/geerlingguy/*:*", "docker.io/hadolint/hadolint:*", "docker.io/haxorof/ansible-lint:*", "docker.io/renovate/renovate:*", "docker.io/zricethezav/gitleaks:*", "gitlab.xxx.xxx:5050/**/*:*", "quay.io/containers/buildah:*", "quay.io/containers/skopeo:*", "registry.gitlab.com/**/*:*"]
-    memory = "1g"
-    image = "alpine"
-    disable_entrypoint_overwrite = false
-    oom_kill_disable = false
-    volumes = ["/var/run/docker.sock:/var/run/docker.sock", "/cache"]
-    network_mtu = 0
-    [runners.docker.sysctls]
-      "net.ipv4.ip_forward" = "1"
+

changed: [vps-XXX.vps.ovh.net]

• I had to add id and token_obtained_at in my runner configs (I took the auto generated values I found in the current file, they were previously auto generated/filled)

Yes, that was one of the issues I faced with this approach. We could consider parsing the original TOML to get this information specifically maybe, cause generally parsing the whole TOML feels quite complex. TBH I am not really sure what's the best approach on this.

• Under [runners.docker.sysctls], I was also using "net.ipv4.ip_forward" = "1", and it's no more taking into account and seems missing from the template
• It's also not using various settings under runners.docker that I had set manually: allowed_images, security_opt, and memory.

Yes, indeed not every available option was included. Thank you for adding more of them.

• A bunch of other default settings are also no more set (and not yet clear to me if they come from the role or from the runner default configuration), but I think some could be set manually: disable_entrypoint_overwrite, oom_kill_disable and network_mtu (and this one do not some to be in the template).
• At top level the connection_max_age = "15m0s" and shutdown_timeout = 0 seems also to be missing/not available in the template (they were there by default).
• There was also under [session_server], session_timeout = 1800 that was apparently set by default and that gets removed.
• And under [runners.cache], MaxUploadedArchiveSize = 0 was apparently set by the default runner conf

I seem to have missed some of those or messed up with their naming, I will take a look and create a PR for them.