From 6e8692e44e3ef865fede7ee61f1753a29d2dee35 Mon Sep 17 00:00:00 2001 From: Satria Date: Sat, 14 Mar 2026 11:25:23 +0700 Subject: [PATCH] use ssh instead of sudo --- .forgejo/workflows/activate.yml | 27 +++++++++++++++++---------- lib/options.nix | 3 +++ modules/system/homelab/git.nix | 21 +++------------------ modules/system/server.nix | 2 ++ 4 files changed, 25 insertions(+), 28 deletions(-) diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml index 6bbb687..edec26a 100644 --- a/.forgejo/workflows/activate.yml +++ b/.forgejo/workflows/activate.yml @@ -6,19 +6,26 @@ on: env: PATH: /run/current-system/sw/bin:/run/wrappers/bin - + jobs: - build-and-activate: + deploy: runs-on: nixos-server defaults: run: shell: /bin/sh -e {0} + steps: - - name: Clone - run: git clone -v http://localhost:5080/satr14/nix-flake.git src - - name: Build - run: nixos-rebuild build --flake ./src#homelab -L --show-trace -v - - name: Activate - run: sudo nixos-rebuild switch --flake ./src#homelab -L --show-trace -v - - name: Clean - run: rm -rfv src \ No newline at end of file + - name: 1. Clone Repository + run: | + rm -rf src + git clone https://git.satr14.my.id/satr14/nix-flake.git src + + - name: 2. Setup SSH Key + run: | + mkdir -p ~/.ssh + echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519 + chmod 600 ~/.ssh/id_ed25519 + ssh-keyscan -H localhost >> ~/.ssh/known_hosts + + - name: 3. Deploy System over SSH + run: nixos-rebuild switch --flake ./src#homelab --target-host root@localhost -L --show-trace \ No newline at end of file diff --git a/lib/options.nix b/lib/options.nix index c25e663..0c497a0 100644 --- a/lib/options.nix +++ b/lib/options.nix 
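Review bot: In step "2. Setup SSH Key" the private key is written with the shell's default umask and only then chmod'ed, and nothing removes it afterwards, so a root-capable key stays in the runner's home after the job (the old "Clean" step was dropped; only `src` is removed, at the start of the next run). Creating the file under `umask 077` closes the permission window, and a final step with `if: always()` (assuming the Forgejo runner honors it as GitHub Actions does) removes the key whether the deploy succeeds or not. `ssh-keyscan -H localhost >> ~/.ssh/known_hosts` also appends a fresh entry on every run; since the workflow only ever targets localhost, writing with `>` keeps the file to the current host key.
```yaml
      - name: 2. Setup SSH Key
        run: |
          mkdir -p ~/.ssh
          (umask 077; echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519)
          ssh-keyscan -H localhost > ~/.ssh/known_hosts

      # … unchanged: 3. Deploy System over SSH …

      - name: 4. Remove SSH Key
        if: always()
        run: rm -f ~/.ssh/id_ed25519
```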
@@ -16,6 +16,9 @@ homelab = rec { domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc. cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a"; + ssh-keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner" + ]; disks = { gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix index 1903a4f..4ea9bc1 100644 --- a/modules/system/homelab/git.nix +++ b/modules/system/homelab/git.nix @@ -1,11 +1,4 @@ { lib, pkgs, homelab, ... }: { - security.sudo.extraRules = [{ # for configuration activation on push to git - users = [ "gitea-runner" ]; - commands = [{ - command = "/run/current-system/sw/bin/nixos-rebuild"; - options = [ "NOPASSWD" ]; - }]; - }]; services = { forgejo = { enable = true; @@ -51,17 +44,9 @@ name = "nixos-server-runner"; url = "https://git.proxy.${homelab.domain}"; tokenFile = "/root/forgejo-token-runner"; - labels = [ "nixos-server" ]; - hostPackages = with pkgs; [ bash coreutils git nix nodejs sudo ]; - container.enable = false; - }; - }; - systemd.services."gitea-runner-nixos-deploy" = { - restartIfChanged = false; - serviceConfig = { - NoNewPrivileges = lib.mkForce false; - RestrictSUIDSGID = lib.mkForce false; - PrivateUsers = lib.mkForce false; + labels = [ "nixos-server:host" ]; + hostPackages = with pkgs; [ bash coreutils git nix ]; }; }; + systemd.services."gitea-runner-nixos-deploy".restartIfChanged = false; } diff --git a/modules/system/server.nix b/modules/system/server.nix index e86d6fa..fd10d22 100644 --- a/modules/system/server.nix +++ b/modules/system/server.nix @@ -29,6 +29,8 @@ in { ./base.nix ]; + users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys; + services.tailscale = { enable = true; authKeyFile = "/mnt/data/tailscale/authkey";
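Review bot: The new `ssh-keys` entry ends up as root's `authorizedKeys` (server.nix in this same commit), but nothing at the definition says so, and the key is unrestricted even though the workflow only ever connects to `root@localhost`. I'd document the purpose and pin the key to loopback with an authorized_keys option: `ssh-keys = [ # root login keys; used by the forgejo deploy runner via nixos-rebuild --target-host root@localhost` and `"from=\"127.0.0.1,::1\" ssh-ed25519 AAAA… forgejo-deploy-runner"`. If the runner is ever moved to another machine the `from=` list has to be widened, which is worth stating in that comment.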
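Review bot: In the second git.nix hunk `hostPackages` no longer lists anything that provides `ssh` and `ssh-keyscan`, which the reworked workflow needs for `nixos-rebuild --target-host` and the known_hosts step; the job finds them only because the workflow forces `PATH` to `/run/current-system/sw/bin`, and that works only if openssh is in the system profile, which this hunk does not show. Adding it makes the runner self-sufficient: `hostPackages = with pkgs; [ bash coreutils git nix openssh ];`. Dropping the `NoNewPrivileges`/`RestrictSUIDSGID`/`PrivateUsers` overrides follows naturally from removing sudo; the one setting kept, `restartIfChanged = false`, deserves a why-comment — presumably `# do not restart (and kill) a running deploy job when the configuration switches`, but confirm that is the reason.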
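Review bot: `users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys;` in server.nix turns every key in that list into a root login on every interface sshd listens on, and whether it works at all depends on sshd's `PermitRootLogin`, which this hunk does not show (the NixOS default `prohibit-password` does allow key auth). I'd make that dependency explicit next to the line so a later hardening pass does not silently break deploys: `services.openssh.settings.PermitRootLogin = "prohibit-password"; # key-only root login, required for nixos-rebuild --target-host root@localhost`, plus a comment on the keys line such as `# root SSH keys: forgejo deploy runner (see homelab.ssh-keys)`.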