use ssh instead of sudo

2026-03-14 11:25:23 +07:00 · 2026-03-14 11:25:23 +07:00 · 6e8692e44e
commit 6e8692e44e
parent 04700f6f65
4 changed files with 25 additions and 28 deletions
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@ -6,19 +6,26 @@ on:
      
 env:
  PATH: /run/current-system/sw/bin:/run/wrappers/bin
-      
+  
 jobs:
-  build-and-activate:
+  deploy:
    runs-on: nixos-server
    defaults:
      run:
        shell: /bin/sh -e {0}
+    
    steps:
-      - name: Clone
-        run: git clone -v http://localhost:5080/satr14/nix-flake.git src
-      - name: Build
-        run: nixos-rebuild build --flake ./src#homelab -L --show-trace -v
-      - name: Activate
-        run: sudo nixos-rebuild switch --flake ./src#homelab -L --show-trace -v
-      - name: Clean
-        run: rm -rfv src
+      - name: 1. Clone Repository
+        run: |
+          rm -rf src
+          git clone https://git.satr14.my.id/satr14/nix-flake.git src
+
+      - name: 2. Setup SSH Key
+        run: |
+          mkdir -p ~/.ssh
+          echo "${{ secrets.DEPLOY_SSH_KEY }}" > ~/.ssh/id_ed25519
+          chmod 600 ~/.ssh/id_ed25519
+          ssh-keyscan -H localhost >> ~/.ssh/known_hosts
+
+      - name: 3. Deploy System over SSH
+        run: nixos-rebuild switch --flake ./src#homelab --target-host root@localhost -L --show-trace 
--- a/lib/options.nix
+++ b/lib/options.nix
@ -16,6 +16,9 @@
  homelab = rec {
    domain = "satr14.my.id"; # root domain for dns, ssl certs, reverse proxy, etc.
    cf-tunnel-id = "26318288-cdd7-4e58-904b-c45f10d3e40a";
+    ssh-keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJtdH1YqRH9xhuHMivezLvj/hpH77yfH3HUCaRboB/hb forgejo-deploy-runner"
+    ];
    disks = {
      gallery = "/dev/disk/by-uuid/834f51c1-90ee-4601-ba76-ef0419198d67"; # disk for photo gallery 
      data = "/dev/disk/by-uuid/a5752dd6-092d-484c-969c-2fdc7cb4a5f0"; # disk for app data
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
@ -1,11 +1,4 @@
 { lib, pkgs, homelab, ... }: {
-  security.sudo.extraRules = [{ # for configuration activation on push to git
-    users = [ "gitea-runner" ]; 
-    commands = [{ 
-      command = "/run/current-system/sw/bin/nixos-rebuild"; 
-      options = [ "NOPASSWD" ]; 
-    }];
-  }];
  services = {
    forgejo = {
      enable = true;
@ -51,17 +44,9 @@
      name = "nixos-server-runner";
      url = "https://git.proxy.${homelab.domain}";
      tokenFile = "/root/forgejo-token-runner"; 
-      labels = [ "nixos-server" ];
-      hostPackages = with pkgs; [ bash coreutils git nix nodejs sudo ];
-      container.enable = false;
-    };
-  };
-  systemd.services."gitea-runner-nixos-deploy" = {
-    restartIfChanged = false;
-    serviceConfig = {
-      NoNewPrivileges = lib.mkForce false;
-      RestrictSUIDSGID = lib.mkForce false;
-      PrivateUsers = lib.mkForce false;
+      labels = [ "nixos-server:host" ];
+      hostPackages = with pkgs; [ bash coreutils git nix ];
    };
  };
+  systemd.services."gitea-runner-nixos-deploy".restartIfChanged = false;
 }
--- a/modules/system/server.nix
+++ b/modules/system/server.nix
@ -29,6 +29,8 @@ in {
    ./base.nix
  ];

+  users.users.root.openssh.authorizedKeys.keys = homelab.ssh-keys;
+  
  services.tailscale = {
    enable = true;
    authKeyFile = "/mnt/data/tailscale/authkey";