uses ssh instead

.forgejo/workflows/activate.yml

@@ -1,33 +1,31 @@
-name: Activate NixOS Homelab Configuration On Push
+name: NixOS Rebuild
-on:
-  workflow_dispatch:
-  push:
-    branches:
-      - main
 
-env:
+on:
-  PATH: /current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
+  push:
+    branches: [ main ]
+  workflow_dispatch:
 
 jobs:
-  build-and-activate:
+  rebuild:
     runs-on: self-hosted
-    defaults:
-      run:
-        shell: /bin/sh -e {0}
     steps:
-      - name: Clone
+      - name: Setup SSH key
-        run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
+        run: |
+          mkdir -p ./ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ./ssh/deploy_key
+          chmod 600 ./ssh/deploy_key
+          echo "StrictHostKeyChecking no" > ./ssh/config
 
-      - name: Activate
+      - name: Rebuild (${{ github.event.inputs.action || 'switch' }})
-        run: sudo nixos-rebuild switch --flake ./src#homelab -L
+        run: |
-
+          ssh -i ./ssh/deploy_key root@localhost \
-      - name: Rollback on failure
+            "nixos-rebuild switch \
-        if: failure()
+              --flake git+http://localhost:5080/satr14/nix-flake#homelab -L"
-        run: sudo nixos-rebuild --rollback
 
       - name: Show generation
-        run: nixos-version
-
-      - name: Clean up
         if: always()
-        run: rm -rf src
+        run: ssh -i ./ssh/deploy_key root@localhost "nixos-version"
+
+      - name: Clean Up
+        if: always()
+        run: rm -f ./ssh/deploy_key

lib/options.nix

@@ -18,6 +18,7 @@
     cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
     ssh-keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIESvQFXoUBafatqnxTd6qk3WEOcfwb3AIWVTstR3lHzX forgejo"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner"
     ];
     disks = {
       gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery 

modules/system/homelab/git.nix

@@ -45,48 +45,11 @@
       url = "https://git.proxy.${homelab.domain}";
       tokenFile = "/root/forgejo-token-runner"; 
       labels = [ "self-hosted:host" "docker" ];
-      hostPackages = with pkgs; [ bash coreutils git nix ];
+      hostPackages = with pkgs; [ bash coreutils git nix openssh nodejs ];
     };
   };
-  users.users.gitea-runner = {
-    isSystemUser = true;
-    group = "gitea-runner";
-  };
   users.groups.gitea-runner = {};
   systemd.services."gitea-runner-nixos-deploy" = {
-    restartIfChanged = true;
+    restartIfChanged = false;
-    # serviceConfig = {
-    #   User  = lib.mkForce "root";
-    #   Group = lib.mkForce "root";
-
-    #   NoNewPrivileges         = lib.mkForce false;
-    #   RestrictSUIDSGID        = lib.mkForce false;
-    #   PrivateUsers            = lib.mkForce false;
-    #   PrivateTmp              = lib.mkForce false;
-    #   PrivateDevices          = lib.mkForce false;
-    #   ProtectSystem           = lib.mkForce false;
-    #   ProtectHome             = lib.mkForce false;
-    #   ProtectKernelTunables   = lib.mkForce false;
-    #   ProtectKernelModules    = lib.mkForce false;
-    #   ProtectKernelLogs       = lib.mkForce false;
-    #   ProtectControlGroups    = lib.mkForce false;
-    #   RestrictNamespaces      = lib.mkForce false;
-    #   RestrictRealtime        = lib.mkForce false;
-    #   LockPersonality         = lib.mkForce false;
-    #   MemoryDenyWriteExecute  = lib.mkForce false;
-    #   ProtectProc             = lib.mkForce "default";
-    #   SystemCallArchitectures = lib.mkForce "";
-    #   SystemCallFilter        = lib.mkForce [];
-    #   ReadWritePaths          = lib.mkForce [];
-    #   ReadOnlyPaths           = lib.mkForce [];
-    #   InaccessiblePaths       = lib.mkForce [];
-    # };
   };
-  # security.sudo.extraRules = [{
-  #   users = [ "gitea-runner" ]; 
-  #   commands = [{ 
-  #     command = "/run/current-system/sw/bin/nixos-rebuild"; 
-  #     options = [ "NOPASSWD" ]; 
-  #   }];
-  # }];
 }