use ssh instead of sudo

This commit is contained in:
Satria 2026-03-14 11:25:23 +07:00
commit 6e8692e44e
4 changed files with 25 additions and 28 deletions


@ -6,19 +6,26 @@ on:
env: env:
PATH: /run/current-system/sw/bin:/run/wrappers/bin PATH: /run/current-system/sw/bin:/run/wrappers/bin
jobs: jobs:
build-and-activate: deploy:
runs-on: nixos-server runs-on: nixos-server
defaults: defaults:
run: run:
shell: /bin/sh -e {0} shell: /bin/sh -e {0}
steps: steps:
- name: Clone - name: 1. Clone Repository
run: git clone -v http://localhost:5080/satr14/nix-flake.git src run: |
- name: Build rm -rf src
run: nixos-rebuild build --flake ./src#homelab -L --show-trace -v git clone https://git.satr14.my.id/satr14/nix-flake.git src
- name: Activate
run: sudo nixos-rebuild switch --flake ./src#homelab -L --show-trace -v - name: 2. Setup SSH Key
- name: Clean run: |
run: rm -rfv src mkdir -p ~/.ssh
echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
chmod 600 ~/.ssh/id_ed25519
ssh-keyscan -H localhost >> ~/.ssh/known_hosts
- name: 3. Deploy System over SSH
run: nixos-rebuild switch --flake ./src#homelab --target-host root@localhost -L --show-trace
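Review bot: In step 2 the private key is created by `echo … > ~/.ssh/id_ed25519` under the runner's default umask and only tightened to 600 on the following line, and `mkdir -p ~/.ssh` likewise leaves the directory mode to the umask; creating both under a restrictive umask closes that window, e.g. `(umask 077; mkdir -p ~/.ssh; printf '%s\n' "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519)` in place of the first three lines of that step. Nothing in the new job removes the key afterwards (the old `Clean` step is gone), so the deploy key persists in the runner user's home between runs; a final cleanup step that runs regardless of outcome, `rm -f ~/.ssh/id_ed25519`, would bound its lifetime. The `ssh-keyscan -H localhost >> ~/.ssh/known_hosts` line also appends a fresh entry on every run rather than writing the file once.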


@ -16,6 +16,9 @@
homelab = rec { homelab = rec {
domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc. domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc.
cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a"; cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
ssh-keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner"
];
disks = { disks = {
gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery
data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data
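Review bot: `ssh-keys` is the only entry in this attrset without the trailing comment its neighbours carry, and its name does not say what the keys are granted; since the same list is assigned to root's authorized keys elsewhere in this commit, a comment such as `# public keys allowed to log in as root over ssh (forgejo deploy runner)` on the `ssh-keys = [` line would make the scope visible to whoever adds a key here later.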


@ -1,11 +1,4 @@
{ lib, pkgs, homelab, ... }: { { lib, pkgs, homelab, ... }: {
security.sudo.extraRules = [{ # for configuration activation on push to git
users = [ "gitea-runner" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
services = { services = {
forgejo = { forgejo = {
enable = true; enable = true;
@ -51,17 +44,9 @@
name = "nixos-server-runner"; name = "nixos-server-runner";
url = "https://git.proxy.${homelab.domain}"; url = "https://git.proxy.${homelab.domain}";
tokenFile = "/root/forgejo-token-runner"; tokenFile = "/root/forgejo-token-runner";
labels = [ "nixos-server" ]; labels = [ "nixos-server:host" ];
hostPackages = with pkgs; [ bash coreutils git nix nodejs sudo ]; hostPackages = with pkgs; [ bash coreutils git nix ];
container.enable = false;
};
};
systemd.services."gitea-runner-nixos-deploy" = {
restartIfChanged = false;
serviceConfig = {
NoNewPrivileges = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
PrivateUsers = lib.mkForce false;
}; };
}; };
systemd.services."gitea-runner-nixos-deploy".restartIfChanged = false;
} }
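Review bot: The new `hostPackages` list in the second hunk drops `sudo` and `nodejs` but adds nothing for the commands the reworked workflow now runs: `ssh-keyscan` and the `ssh` that `nixos-rebuild --target-host` invokes come from openssh, and `nixos-rebuild` itself is not in the list either. This presumably works only because the workflow's `env.PATH` prepends `/run/current-system/sw/bin`; if that is the intent, a comment on the `hostPackages` line saying so would keep the dependency explicit, otherwise `hostPackages = with pkgs; [ bash coreutils git nix openssh ];` is the safer form. Dropping the three `lib.mkForce false` overrides on NoNewPrivileges/RestrictSUIDSGID/PrivateUsers restores the module's default hardening for the runner service, which is the welcome part of this change. The `services` attrset that the first hunk opens continues outside the shown lines.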


@ -29,6 +29,8 @@ in {
./base.nix ./base.nix
]; ];
users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys;
services.tailscale = { services.tailscale = {
enable = true; enable = true;
authKeyFile = "/mnt/data/tailscale/authkey"; authKeyFile = "/mnt/data/tailscale/authkey";
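Review bot: `users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys;` gives the runner's deploy key an unrestricted root login, which is broader than the `NOPASSWD` sudo rule limited to `/run/current-system/sw/bin/nixos-rebuild` that this commit removes. The runner only ever connects to `root@localhost` (step 3 of the workflow), so the key entry in `homelab.ssh-keys` can at least be pinned to that origin: `"from=\"127.0.0.1,::1\" ssh-ed25519 AAAAC3…B/hb forgejo-deploy-runner"`. A forced `command=` is harder here because `nixos-rebuild --target-host` runs several different commands over the connection, so a dedicated deploy user with a narrower sudo rule would be the next step if the blast radius matters. The attrset this line is added to (`in {`) starts above the hunk and continues below it.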