From 22ac4b4b5e66f643b2b5e9d627c83d4fdfde10d3 Mon Sep 17 00:00:00 2001
From: Satria
Date: Sat, 14 Mar 2026 20:59:04 +0700
Subject: [PATCH] update workflow and sudo perms
---
 .forgejo/workflows/activate.yml | 5 +++--
 modules/system/homelab/git.nix | 7 +++++++
 2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 2f39882..d1ef9f1 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -10,7 +10,7 @@ env: jobs: deploy: - runs-on: nixos-server + runs-on: nixos-server:host defaults: run: shell: /bin/sh -e {0}
@@ -38,4 +38,5 @@ jobs: ssh-private-key: ${{ secrets.DEPLOY_SSH_KEY }} - name: Deploy System over SSH - run: nixos-rebuild switch --flake ./src#homelab --target-host root@localhost -L --show-trace \ No newline at end of file + run: nixos-rebuild switch --flake ./src#homelab --target-host root@localhost -L --show-trace +
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index 792246c..59359d1 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
@@ -1,4 +1,11 @@
 { lib, pkgs, homelab, ... }: {
+ security.sudo.extraRules = [{
+ users = [ "gitea-runner" ];
+ commands = [{
+ command = "/run/current-system/sw/bin/nixos-rebuild";
+ options = [ "NOPASSWD" ];
+ }];
+ }];
 services = {
 forgejo = {
 enable = true;
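Review bot: `runs-on: nixos-server:host` appears to carry the runner's label-type suffix into the workflow. In Forgejo runner configuration a label is declared as `name:type` and `runs-on` normally matches the name alone, so confirm the job is still picked up, or keep `runs-on: nixos-server` and set the `host` type on the runner side. If host execution is the intent, a comment above the line such as `# runs directly on the server, no container; this job holds the root deploy key` would record that the steps are not isolated from the machine they deploy to. The `jobs.deploy` block starts and ends outside this hunk, so triggers and other steps were not reviewed.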
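Review bot: The new `security.sudo.extraRules` entry lets `gitea-runner` run `/run/current-system/sw/bin/nixos-rebuild` as root with any arguments and no password. Because the caller chooses which flake is built and activated, this amounts to unrestricted root for every job that executes as that user. The deploy step visible in activate.yml goes through `--target-host root@localhost` with `DEPLOY_SSH_KEY` and does not call sudo, so the rule looks unused by that step (other steps are outside the hunks); if so, drop it and keep a single root path. If it is needed, pin the arguments, e.g. `command = "/run/current-system/sw/bin/nixos-rebuild switch --flake <FLAKE_PATH>#homelab";`, with `<FLAKE_PATH>` a location the runner cannot write to, and add a comment naming the workflow that depends on it.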