simpler method

This commit is contained in:
Satria 2026-03-15 09:25:32 +07:00
commit 60341e7c0b
2 changed files with 36 additions and 35 deletions


@ -6,7 +6,7 @@ on:
- main - main
env: env:
PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin PATH: /current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
jobs: jobs:
build-and-activate: build-and-activate:
@ -19,11 +19,11 @@ jobs:
run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
- name: Activate - name: Activate
run: nixos-rebuild switch --flake ./src#homelab -L run: sudo nixos-rebuild switch --flake ./src#homelab -L
- name: Rollback on failure - name: Rollback on failure
if: failure() if: failure()
run: nixos-rebuild --rollback run: sudo nixos-rebuild --rollback
- name: Show generation - name: Show generation
run: nixos-version run: nixos-version
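Review bot: The new `PATH` value on the `env:` line drops the `/run/` prefix — `/current-system/sw/bin` does not exist on NixOS, so `git`, `sudo` and `nixos-rebuild` would no longer resolve from PATH in any step, which may be what makes the job fail after 0s; restore `PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin`. The `sudo nixos-rebuild` calls added to the Activate and Rollback steps also depend on a NOPASSWD sudoers rule for the runner user, and the Nix file in this same commit comments that rule out, so even with PATH fixed the steps would be denied until the rule (or another authorization path) is restored. Separately, `Rollback on failure` fires on `failure()` of any earlier step, including the clone, in which case `nixos-rebuild --rollback` would undo the previous successful deploy rather than this one; give the Activate step `id: activate` and gate the rollback on `if: steps.activate.outcome == 'failure'`. Both hunks sit inside the `build-and-activate` job, whose start lies outside the hunk.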


@ -48,40 +48,41 @@
hostPackages = with pkgs; [ bash coreutils git nix ]; hostPackages = with pkgs; [ bash coreutils git nix ];
}; };
}; };
users.users.gitea-runner.isSystemUser = true;
systemd.services."gitea-runner-nixos-deploy" = { systemd.services."gitea-runner-nixos-deploy" = {
restartIfChanged = true; restartIfChanged = true;
serviceConfig = { # serviceConfig = {
User = lib.mkForce "root"; # User = lib.mkForce "root";
Group = lib.mkForce "root"; # Group = lib.mkForce "root";
NoNewPrivileges = lib.mkForce false; # NoNewPrivileges = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false; # RestrictSUIDSGID = lib.mkForce false;
PrivateUsers = lib.mkForce false; # PrivateUsers = lib.mkForce false;
PrivateTmp = lib.mkForce false; # PrivateTmp = lib.mkForce false;
PrivateDevices = lib.mkForce false; # PrivateDevices = lib.mkForce false;
ProtectSystem = lib.mkForce false; # ProtectSystem = lib.mkForce false;
ProtectHome = lib.mkForce false; # ProtectHome = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false; # ProtectKernelTunables = lib.mkForce false;
ProtectKernelModules = lib.mkForce false; # ProtectKernelModules = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false; # ProtectKernelLogs = lib.mkForce false;
ProtectControlGroups = lib.mkForce false; # ProtectControlGroups = lib.mkForce false;
RestrictNamespaces = lib.mkForce false; # RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce false; # RestrictRealtime = lib.mkForce false;
LockPersonality = lib.mkForce false; # LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce false; # MemoryDenyWriteExecute = lib.mkForce false;
ProtectProc = lib.mkForce "default"; # ProtectProc = lib.mkForce "default";
SystemCallArchitectures = lib.mkForce ""; # SystemCallArchitectures = lib.mkForce "";
SystemCallFilter = lib.mkForce []; # SystemCallFilter = lib.mkForce [];
ReadWritePaths = lib.mkForce []; # ReadWritePaths = lib.mkForce [];
ReadOnlyPaths = lib.mkForce []; # ReadOnlyPaths = lib.mkForce [];
InaccessiblePaths = lib.mkForce []; # InaccessiblePaths = lib.mkForce [];
# };
}; };
}; # security.sudo.extraRules = [{
security.sudo.extraRules = [{ # users = [ "gitea-runner" ];
users = [ "gitea-runner" ]; # commands = [{
commands = [{ # command = "/run/current-system/sw/bin/nixos-rebuild";
command = "/run/current-system/sw/bin/nixos-rebuild"; # options = [ "NOPASSWD" ];
options = [ "NOPASSWD" ]; # }];
}]; # }];
}];
} }
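Review bot: The root override on `serviceConfig` and the `security.sudo.extraRules` entry are commented out rather than deleted, which leaves the runner with no authorized way to run `nixos-rebuild switch` — the workflow in this commit calls it via `sudo` and nothing on the new side permits that — while keeping a thirty-line block of dead code that invites someone to uncomment `User = lib.mkForce "root"` again; delete the block and let git history hold it. The old side had to force `NoNewPrivileges` and `RestrictSUIDSGID` off, which suggests the upstream runner module enables them, so once the override is gone the setuid `sudo` wrapper cannot escalate inside the service regardless of any sudoers rule — confirm that before re-enabling the rule. If the NOPASSWD rule does come back, record the trust boundary next to it, e.g. `# NOPASSWD nixos-rebuild switch on a branch the runner clones == root for anyone who can push to main; keep push rights on this repo tight`. The added `users.users.gitea-runner.isSystemUser = true;` declares a static system user with no `group`, which recent NixOS releases reject with an assertion (confirm against the release in use), and nothing visible on the new side binds the runner service to that user — check the module's `User`/`DynamicUser` defaults. The enclosing attribute set begins before this hunk.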