simpler method
Some checks failed
Activate NixOS Homelab Configuration On Push / build-and-activate (push) Failing after 0s
Some checks failed
Activate NixOS Homelab Configuration On Push / build-and-activate (push) Failing after 0s
This commit is contained in:
parent
a48b426cc0
commit
60341e7c0b
2 changed files with 36 additions and 35 deletions
|
|
@ -48,40 +48,41 @@
|
|||
hostPackages = with pkgs; [ bash coreutils git nix ];
|
||||
};
|
||||
};
|
||||
users.users.gitea-runner.isSystemUser = true;
|
||||
systemd.services."gitea-runner-nixos-deploy" = {
|
||||
restartIfChanged = true;
|
||||
serviceConfig = {
|
||||
User = lib.mkForce "root";
|
||||
Group = lib.mkForce "root";
|
||||
# serviceConfig = {
|
||||
# User = lib.mkForce "root";
|
||||
# Group = lib.mkForce "root";
|
||||
|
||||
NoNewPrivileges = lib.mkForce false;
|
||||
RestrictSUIDSGID = lib.mkForce false;
|
||||
PrivateUsers = lib.mkForce false;
|
||||
PrivateTmp = lib.mkForce false;
|
||||
PrivateDevices = lib.mkForce false;
|
||||
ProtectSystem = lib.mkForce false;
|
||||
ProtectHome = lib.mkForce false;
|
||||
ProtectKernelTunables = lib.mkForce false;
|
||||
ProtectKernelModules = lib.mkForce false;
|
||||
ProtectKernelLogs = lib.mkForce false;
|
||||
ProtectControlGroups = lib.mkForce false;
|
||||
RestrictNamespaces = lib.mkForce false;
|
||||
RestrictRealtime = lib.mkForce false;
|
||||
LockPersonality = lib.mkForce false;
|
||||
MemoryDenyWriteExecute = lib.mkForce false;
|
||||
ProtectProc = lib.mkForce "default";
|
||||
SystemCallArchitectures = lib.mkForce "";
|
||||
SystemCallFilter = lib.mkForce [];
|
||||
ReadWritePaths = lib.mkForce [];
|
||||
ReadOnlyPaths = lib.mkForce [];
|
||||
InaccessiblePaths = lib.mkForce [];
|
||||
};
|
||||
# NoNewPrivileges = lib.mkForce false;
|
||||
# RestrictSUIDSGID = lib.mkForce false;
|
||||
# PrivateUsers = lib.mkForce false;
|
||||
# PrivateTmp = lib.mkForce false;
|
||||
# PrivateDevices = lib.mkForce false;
|
||||
# ProtectSystem = lib.mkForce false;
|
||||
# ProtectHome = lib.mkForce false;
|
||||
# ProtectKernelTunables = lib.mkForce false;
|
||||
# ProtectKernelModules = lib.mkForce false;
|
||||
# ProtectKernelLogs = lib.mkForce false;
|
||||
# ProtectControlGroups = lib.mkForce false;
|
||||
# RestrictNamespaces = lib.mkForce false;
|
||||
# RestrictRealtime = lib.mkForce false;
|
||||
# LockPersonality = lib.mkForce false;
|
||||
# MemoryDenyWriteExecute = lib.mkForce false;
|
||||
# ProtectProc = lib.mkForce "default";
|
||||
# SystemCallArchitectures = lib.mkForce "";
|
||||
# SystemCallFilter = lib.mkForce [];
|
||||
# ReadWritePaths = lib.mkForce [];
|
||||
# ReadOnlyPaths = lib.mkForce [];
|
||||
# InaccessiblePaths = lib.mkForce [];
|
||||
# };
|
||||
};
|
||||
security.sudo.extraRules = [{
|
||||
users = [ "gitea-runner" ];
|
||||
commands = [{
|
||||
command = "/run/current-system/sw/bin/nixos-rebuild";
|
||||
options = [ "NOPASSWD" ];
|
||||
}];
|
||||
}];
|
||||
# security.sudo.extraRules = [{
|
||||
# users = [ "gitea-runner" ];
|
||||
# commands = [{
|
||||
# command = "/run/current-system/sw/bin/nixos-rebuild";
|
||||
# options = [ "NOPASSWD" ];
|
||||
# }];
|
||||
# }];
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue