From 60341e7c0ba3eafb516158b98dabfef0580da439 Mon Sep 17 00:00:00 2001
From: Satria
Date: Sun, 15 Mar 2026 09:25:32 +0700
Subject: [PATCH] simpler method
---
 .forgejo/workflows/activate.yml | 6 +--
 modules/system/homelab/git.nix | 65 +++++++++++++++++----------------
 2 files changed, 36 insertions(+), 35 deletions(-)
diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 903a7f4..3a0f83a 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -6,7 +6,7 @@ on:
- main
env:
- PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
+ PATH: /current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
jobs:
build-and-activate:
@@ -19,11 +19,11 @@ jobs:
run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
- name: Activate
- run: nixos-rebuild switch --flake ./src#homelab -L
+ run: sudo nixos-rebuild switch --flake ./src#homelab -L
- name: Rollback on failure
if: failure()
- run: nixos-rebuild --rollback
+ run: sudo nixos-rebuild --rollback
- name: Show generation
run: nixos-version
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index 8638803..fe9bad2 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
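Review bot: The new PATH value `/current-system/sw/bin:...` drops the `/run/` prefix that the removed line had, so the first PATH entry no longer points at the NixOS system profile (`/run/current-system/sw/bin`); I am not aware of any `/current-system` directory on a NixOS host, so this looks like an accidental edit rather than part of the "simpler method". The `nixos-version` step, which runs without sudo, would then depend on `nixos-rebuild`/`nixos-version` being reachable from the two remaining entries, which I would not count on. If unintended, restore `PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin`. The `on:` block this hunk sits under begins above the hunk.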
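Review bot: `sudo nixos-rebuild` in the Activate and Rollback steps has no sudoers rule behind it once the same commit comments out the `security.sudo.extraRules` entry for `gitea-runner` in git.nix and also drops the root `User`/`Group` override on the deploy service, so on a non-interactive runner sudo will ask for a password it cannot read and the step fails. Keeping the old rule, scoped as it was to `/run/current-system/sw/bin/nixos-rebuild` with `NOPASSWD`, is the minimal fix that matches this workflow; commenting out both the rule and the root override leaves no route to the privilege the step needs. Separately and pre-existing, `nixos-rebuild --rollback` on `failure()` steps back one generation even when the failed switch never created a new one (e.g. a build error), which would revert the last known-good generation — consider gating the rollback on the switch step actually having activated something.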
@@ -48,40 +48,41 @@
hostPackages = with pkgs; [ bash coreutils git nix ];
};
};
+ users.users.gitea-runner.isSystemUser = true;
systemd.services."gitea-runner-nixos-deploy" = {
restartIfChanged = true;
- serviceConfig = {
- User = lib.mkForce "root";
- Group = lib.mkForce "root";
+ # serviceConfig = {
+ # User = lib.mkForce "root";
+ # Group = lib.mkForce "root";
- NoNewPrivileges = lib.mkForce false;
- RestrictSUIDSGID = lib.mkForce false;
- PrivateUsers = lib.mkForce false;
- PrivateTmp = lib.mkForce false;
- PrivateDevices = lib.mkForce false;
- ProtectSystem = lib.mkForce false;
- ProtectHome = lib.mkForce false;
- ProtectKernelTunables = lib.mkForce false;
- ProtectKernelModules = lib.mkForce false;
- ProtectKernelLogs = lib.mkForce false;
- ProtectControlGroups = lib.mkForce false;
- RestrictNamespaces = lib.mkForce false;
- RestrictRealtime = lib.mkForce false;
- LockPersonality = lib.mkForce false;
- MemoryDenyWriteExecute = lib.mkForce false;
- ProtectProc = lib.mkForce "default";
- SystemCallArchitectures = lib.mkForce "";
- SystemCallFilter = lib.mkForce [];
- ReadWritePaths = lib.mkForce [];
- ReadOnlyPaths = lib.mkForce [];
- InaccessiblePaths = lib.mkForce [];
- };
+ # NoNewPrivileges = lib.mkForce false;
+ # RestrictSUIDSGID = lib.mkForce false;
+ # PrivateUsers = lib.mkForce false;
+ # PrivateTmp = lib.mkForce false;
+ # PrivateDevices = lib.mkForce false;
+ # ProtectSystem = lib.mkForce false;
+ # ProtectHome = lib.mkForce false;
+ # ProtectKernelTunables = lib.mkForce false;
+ # ProtectKernelModules = lib.mkForce false;
+ # ProtectKernelLogs = lib.mkForce false;
+ # ProtectControlGroups = lib.mkForce false;
+ # RestrictNamespaces = lib.mkForce false;
+ # RestrictRealtime = lib.mkForce false;
+ # LockPersonality = lib.mkForce false;
+ # MemoryDenyWriteExecute = lib.mkForce false;
+ # ProtectProc = lib.mkForce "default";
+ # SystemCallArchitectures = lib.mkForce "";
+ # SystemCallFilter = lib.mkForce [];
+ # ReadWritePaths = lib.mkForce [];
+ # 
ReadOnlyPaths = lib.mkForce [];
+ # InaccessiblePaths = lib.mkForce [];
+ # };
};
- security.sudo.extraRules = [{
- users = [ "gitea-runner" ];
- commands = [{
- command = "/run/current-system/sw/bin/nixos-rebuild";
- options = [ "NOPASSWD" ];
- }];
- }];
+ # security.sudo.extraRules = [{
+ # users = [ "gitea-runner" ];
+ # commands = [{
+ # command = "/run/current-system/sw/bin/nixos-rebuild";
+ # options = [ "NOPASSWD" ];
+ # }];
+ # }];
}
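Review bot: The old `serviceConfig` overrides and the `security.sudo.extraRules` block are commented out rather than removed, which leaves about thirty lines of dead configuration in the module; git history already preserves them, so delete them outright, and if the intent is to document why they went away, a single line such as `# deploy job elevates via sudo in the workflow; the runner service keeps its default hardening` says more than the commented block. The added `users.users.gitea-runner.isSystemUser = true;` declares a static user with no `group`; I believe current nixpkgs fails evaluation for a system user whose `group` is unset (older releases only warned), so `users.users.gitea-runner.group` plus a matching `users.groups` entry likely needs to be added — please check against the nixpkgs revision the flake pins. With the root override gone and the sudo rule commented out, nothing in this file now grants `gitea-runner` the privilege that the workflow's `sudo nixos-rebuild` steps in the same commit require. The enclosing attribute set opens above the hunk.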