satr14/nix-flake
1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

simpler method
Some checks failed
Activate NixOS Homelab Configuration On Push / build-and-activate (push) Failing after 0s
Details

Browse source
This commit is contained in:
Satria 2026-03-15 09:25:32 +07:00
commit 60341e7c0b
2 changed files with 36 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.forgejo/workflows/activate.yml
View file

@ -6,7 +6,7 @@ on:
- main
env:
PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
PATH: /current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
jobs:
build-and-activate:
@ -19,11 +19,11 @@ jobs:
run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
- name: Activate
run: nixos-rebuild switch --flake ./src#homelab -L
run: sudo nixos-rebuild switch --flake ./src#homelab -L
- name: Rollback on failure
if: failure()
run: nixos-rebuild --rollback
run: sudo nixos-rebuild --rollback
- name: Show generation
run: nixos-version

65
modules/system/homelab/git.nix
View file

@ -48,40 +48,41 @@
hostPackages = with pkgs; [ bash coreutils git nix ];
};
};
users.users.gitea-runner.isSystemUser = true;
systemd.services."gitea-runner-nixos-deploy" = {
restartIfChanged = true;
serviceConfig = {
User = lib.mkForce "root";
Group = lib.mkForce "root";
# serviceConfig = {
# User = lib.mkForce "root";
# Group = lib.mkForce "root";
NoNewPrivileges = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
PrivateUsers = lib.mkForce false;
PrivateTmp = lib.mkForce false;
PrivateDevices = lib.mkForce false;
ProtectSystem = lib.mkForce false;
ProtectHome = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false;
ProtectControlGroups = lib.mkForce false;
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce false;
LockPersonality = lib.mkForce false;
MemoryDenyWriteExecute = lib.mkForce false;
ProtectProc = lib.mkForce "default";
SystemCallArchitectures = lib.mkForce "";
SystemCallFilter = lib.mkForce [];
ReadWritePaths = lib.mkForce [];
ReadOnlyPaths = lib.mkForce [];
InaccessiblePaths = lib.mkForce [];
# NoNewPrivileges = lib.mkForce false;
# RestrictSUIDSGID = lib.mkForce false;
# PrivateUsers = lib.mkForce false;
# PrivateTmp = lib.mkForce false;
# PrivateDevices = lib.mkForce false;
# ProtectSystem = lib.mkForce false;
# ProtectHome = lib.mkForce false;
# ProtectKernelTunables = lib.mkForce false;
# ProtectKernelModules = lib.mkForce false;
# ProtectKernelLogs = lib.mkForce false;
# ProtectControlGroups = lib.mkForce false;
# RestrictNamespaces = lib.mkForce false;
# RestrictRealtime = lib.mkForce false;
# LockPersonality = lib.mkForce false;
# MemoryDenyWriteExecute = lib.mkForce false;
# ProtectProc = lib.mkForce "default";
# SystemCallArchitectures = lib.mkForce "";
# SystemCallFilter = lib.mkForce [];
# ReadWritePaths = lib.mkForce [];
# ReadOnlyPaths = lib.mkForce [];
# InaccessiblePaths = lib.mkForce [];
# };
};
};
security.sudo.extraRules = [{
users = [ "gitea-runner" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
# security.sudo.extraRules = [{
# users = [ "gitea-runner" ];
# commands = [{
# command = "/run/current-system/sw/bin/nixos-rebuild";
# options = [ "NOPASSWD" ];
# }];
# }];
}