From 6024695830f9054fe5b03554ada09b77ab4ead3a Mon Sep 17 00:00:00 2001
From: Satria
Date: Sat, 14 Mar 2026 10:33:04 +0700
Subject: [PATCH] workflow verbosity and sudo fix

---
 .forgejo/workflows/activate.yml | 8 ++++----
 modules/system/homelab/git.nix | 8 +++++++-
 2 files changed, 11 insertions(+), 5 deletions(-)

diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 420d2b2..6bbb687 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -15,10 +15,10 @@ jobs:
 shell: /bin/sh -e {0}
 steps:
 - name: Clone
- run: git clone http://localhost:5080/satr14/nix-flake.git src
+ run: git clone -v http://localhost:5080/satr14/nix-flake.git src
 - name: Build
- run: nixos-rebuild build --flake ./src#homelab
+ run: nixos-rebuild build --flake ./src#homelab -L --show-trace -v
 - name: Activate
- run: sudo nixos-rebuild switch --flake ./src#homelab
+ run: sudo nixos-rebuild switch --flake ./src#homelab -L --show-trace -v
 - name: Clean
- run: rm -rf src
\ No newline at end of file
+ run: rm -rfv src
\ No newline at end of file
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index 360f002..2af435c 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
@@ -1,4 +1,4 @@
-{ pkgs, homelab, ... }: {
+{ lib, pkgs, homelab, ... }: {
 security.sudo.extraRules = [{ # for configuration activation on push to git
 users = [ "gitea-runner" ];
 commands = [{
@@ -63,4 +63,10 @@
 hostPackages = with pkgs; [ bash coreutils git nix nodejs ];
 };
 };
+ systemd.services."gitea-runner-nixos-deploy".serviceConfig = {
+ # Force systemd to allow privilege escalation (sudo) for this service
+ NoNewPrivileges = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ };
 }
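Review bot: The Clone step still activates whatever the default branch points to at clone time rather than the commit that triggered the job, so two pushes in quick succession can deploy a revision the second run never reported on; `-v` adds log detail but no determinism. If the runner exports the triggering SHA (Forgejo/Gitea runners follow the GitHub Actions variable names, so `GITHUB_SHA` is likely available — verify on this runner), adding `git -C src checkout "$GITHUB_SHA"` after the clone pins the build and the sudo'd switch to that event. Separately, `-L --show-trace -v` on the Activate step mirrors the full derivation logs and evaluation trace into the job log a second time under root; since `/bin/sh -e` already aborts the job when Build fails, the trace on the switch step is largely redundant with Build's output and could be dropped to keep the privileged step's log small. The `on:` trigger and the rest of the job definition lie outside this hunk.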
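Review bot: Forcing `NoNewPrivileges`, `RestrictSUIDSGID` and `PrivateUsers` to false on `gitea-runner-nixos-deploy` loosens the sandbox for the whole runner process, not just the Activate step, so every workflow this instance executes can now invoke setuid binaries; the comment states only that it enables sudo, not that cost. I would extend it to `# Lifts the runner's hardening for every job on this instance, not only the deploy step; keep the sudo rule above limited to the exact nixos-rebuild invocation and restrict which repositories this runner accepts.` A less invasive design that keeps the hardening intact is a root-owned oneshot unit (path- or socket-activated) that the unprivileged runner merely triggers, removing the need for sudo inside the sandbox. The unit name appears to derive from the `services.gitea-actions-runner.instances` entry whose `hostPackages` shows in the context lines, so this override must track that instance name, and the module may still impose other restrictions (capability bounding set, `ProtectSystem`) that the sudo'd `nixos-rebuild switch` has to work under — worth a short note on what was verified. The enclosing attribute set opens in this file's first hunk.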