From 50c5788e6bc4394956585d0cb603885918af8c63 Mon Sep 17 00:00:00 2001
From: Satria
Date: Sun, 15 Mar 2026 09:49:32 +0700
Subject: [PATCH] uses ssh instead
---
.forgejo/workflows/activate.yml | 46 ++++++++++++++++-----------------
lib/options.nix | 1 +
modules/system/homelab/git.nix | 41 ++---------------------------------
3 files changed, 25 insertions(+), 63 deletions(-)
diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 3a0f83a..5aa6dbe 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -1,33 +1,31 @@
-name: Activate NixOS Homelab Configuration On Push -on: - workflow_dispatch: - push: - branches: - - main +name: NixOS Rebuild -env: - PATH: /current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin +on: + push: + branches: [ main ] + workflow_dispatch: jobs: - build-and-activate: + rebuild: runs-on: self-hosted - defaults: - run: - shell: /bin/sh -e {0} steps: - - name: Clone - run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src + - name: Setup SSH key + run: | + mkdir -p ./ssh + echo "${{ secrets.DEPLOY_SSH_KEY }}" > ./ssh/deploy_key + chmod 600 ./ssh/deploy_key + echo "StrictHostKeyChecking no" > ./ssh/config - - name: Activate - run: sudo nixos-rebuild switch --flake ./src#homelab -L - - - name: Rollback on failure - if: failure() - run: sudo nixos-rebuild --rollback + - name: Rebuild (${{ github.event.inputs.action || 'switch' }}) + run: | + ssh -i ./ssh/deploy_key root@localhost \ + "nixos-rebuild switch \ + --flake git+http://localhost:5080/satr14/nix-flake#homelab -L" - name: Show generation - run: nixos-version - - - name: Clean up if: always() - run: rm -rf src \ No newline at end of file + run: ssh -i ./ssh/deploy_key root@localhost "nixos-version" + + - name: Clean Up + if: always() + run: rm -f ./ssh/deploy_key \ No newline at end of file
diff --git a/lib/options.nix b/lib/options.nix
index 792167e..882af83 100644
--- a/lib/options.nix
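Review bot: The `./ssh/config` written in the Setup SSH key step is never consulted: both ssh invocations pass only `-i ./ssh/deploy_key`, not `-F ./ssh/config`, so the `StrictHostKeyChecking no` line has no effect and host-key behaviour falls back to the runner user's default known_hosts, where an unknown key makes the non-interactive ssh fail. Rather than disabling checking, pin the host: in the setup step copy the host's own public key (e.g. `/etc/ssh/ssh_host_ed25519_key.pub`, if the runner can read it) into `./ssh/known_hosts` prefixed with `localhost`, then call `ssh -i ./ssh/deploy_key -o UserKnownHostsFile=./ssh/known_hosts -o StrictHostKeyChecking=yes root@localhost …` in both steps; if the config file is kept instead, pass `-F ./ssh/config` and remove it in Clean Up together with the key. The Rebuild step's name uses `${{ github.event.inputs.action || 'switch' }}`, but `workflow_dispatch` declares no inputs and the command hard-codes `switch`, so the expression always yields `switch`; either declare the input and use it in the command or name the step plainly. The removed Rollback on failure step is not replaced, so a failed switch now leaves the host in whatever state nixos-rebuild reached; if that is intended, a comment on the Rebuild step saying so would help.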
+++ b/lib/options.nix
@@ -18,6 +18,7 @@
cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
ssh-keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESvQFXoUBafatqnxTd6qk3WEOcfwb3AIWVTstR3lHzX forgejo"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner"
];
disks = {
gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index aaaf885..7ca738c 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
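Review bot: The new `forgejo-deploy-runner` entry is a bare key line with no authorized_keys options, while .forgejo/workflows/activate.yml uses its private half as `root@localhost`, so the key grants an unrestricted root shell to anyone who can read the DEPLOY_SSH_KEY secret or push to main. Where `ssh-keys` is consumed is not visible here, but if it ends up in root's authorized_keys the restriction can be carried inline in the same string, e.g. `"restrict,from=\"127.0.0.1,::1\",command=\"/run/current-system/sw/bin/nixos-rebuild switch --flake git+http://localhost:5080/satr14/nix-flake#homelab\" ssh-ed25519 AAAAC3…B/hb forgejo-deploy-runner"`, which confines the key to the one command the job runs (the `nixos-version` step would then need a wrapper script or a second key). A comment above the entry naming where the private half lives, `# private half: Forgejo secret DEPLOY_SSH_KEY, used by .forgejo/workflows/activate.yml`, would also make the next rotation easier.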
@@ -45,48 +45,11 @@ url = "https://git.proxy.${homelab.domain}"; tokenFile = "/root/forgejo-token-runner"; labels = [ "self-hosted:host" "docker" ]; - hostPackages = with pkgs; [ bash coreutils git nix ]; + hostPackages = with pkgs; [ bash coreutils git nix openssh nodejs ]; }; }; - users.users.gitea-runner = { - isSystemUser = true; - group = "gitea-runner"; - }; users.groups.gitea-runner = {}; systemd.services."gitea-runner-nixos-deploy" = { - restartIfChanged = true; - # serviceConfig = { - # User = lib.mkForce "root"; - # Group = lib.mkForce "root"; - - # NoNewPrivileges = lib.mkForce false; - # RestrictSUIDSGID = lib.mkForce false; - # PrivateUsers = lib.mkForce false; - # PrivateTmp = lib.mkForce false; - # PrivateDevices = lib.mkForce false; - # ProtectSystem = lib.mkForce false; - # ProtectHome = lib.mkForce false; - # ProtectKernelTunables = lib.mkForce false; - # ProtectKernelModules = lib.mkForce false; - # ProtectKernelLogs = lib.mkForce false; - # ProtectControlGroups = lib.mkForce false; - # RestrictNamespaces = lib.mkForce false; - # RestrictRealtime = lib.mkForce false; - # LockPersonality = lib.mkForce false; - # MemoryDenyWriteExecute = lib.mkForce false; - # ProtectProc = lib.mkForce "default"; - # SystemCallArchitectures = lib.mkForce ""; - # SystemCallFilter = lib.mkForce []; - # ReadWritePaths = lib.mkForce []; - # ReadOnlyPaths = lib.mkForce []; - # InaccessiblePaths = lib.mkForce []; - # }; + restartIfChanged = false; }; - # security.sudo.extraRules = [{ - # users = [ "gitea-runner" ]; - # commands = [{ - # command = "/run/current-system/sw/bin/nixos-rebuild"; - # options = [ "NOPASSWD" ]; - # }]; - # }]; }
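Review bot: `restartIfChanged = false;` on `gitea-runner-nixos-deploy` is unexplained, and its effect is that the `hostPackages` change in this same hunk (openssh, nodejs) will not reach the running runner until it is restarted by hand; a comment would stop the next reader flipping it back, e.g. `# Do not restart during activation: this runner is the one driving nixos-rebuild, so a restart would kill the in-flight job.` — presumably that is the motivation now that the workflow runs nixos-rebuild from the runner, but confirm. `users.groups.gitea-runner = {};` is kept while `users.users.gitea-runner` is removed, so the group is orphaned unless something outside this hunk references it; if nothing does, drop it too. `nodejs` joins `hostPackages` with no consumer visible in the workflow; if it is there for JavaScript-based actions, say so in a comment. The enclosing attribute set starts before the hunk.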