From a48b426cc002596c64df611ad68bb2b97583a954 Mon Sep 17 00:00:00 2001
From: Satria
Date: Sun, 15 Mar 2026 09:06:28 +0700
Subject: [PATCH] sandbox bypass run as root
---
 .forgejo/workflows/activate.yml | 4 ++--
 modules/system/homelab/git.nix | 40 ++++++++++++++++-----------------
 2 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index 8184d36..903a7f4 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -19,11 +19,11 @@ jobs:
 run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
 - name: Activate
- run: sudo nixos-rebuild switch --flake ./src#homelab -L
+ run: nixos-rebuild switch --flake ./src#homelab -L
 - name: Rollback on failure
 if: failure()
- run: sudo nixos-rebuild --rollback
+ run: nixos-rebuild --rollback
 - name: Show generation
 run: nixos-version
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index a1a8b4e..8638803 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
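Review bot: The new `run: nixos-rebuild switch --flake ./src#homelab -L` line activates whatever `src` holds, and the clone in the context line above fetches the branch head at run time rather than the commit that triggered the workflow, so a push landing between trigger and clone is deployed under the wrong run's log. I would pin the revision, e.g. `git init src && git -C src fetch --depth 1 http://localhost:5080/satr14/nix-flake.git "${{ github.sha }}" && git -C src checkout FETCH_HEAD` (Forgejo exposes the GitHub-style `github.sha` context as far as I know — confirm). Since `sudo` is gone, the step also silently depends on the runner service itself being root; a guard such as `test "$(id -u)" -eq 0` before the rebuild turns a mis-configured runner into a clear failure instead of an opaque permission error. The enclosing job definition starts before this hunk.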
@@ -51,30 +51,30 @@ systemd.services."gitea-runner-nixos-deploy" = {
 restartIfChanged = true;
 serviceConfig = {
- # User = lib.mkForce "root";
- # Group = lib.mkForce "root";
+ User = lib.mkForce "root";
+ Group = lib.mkForce "root";
 NoNewPrivileges = lib.mkForce false;
 RestrictSUIDSGID = lib.mkForce false;
 PrivateUsers = lib.mkForce false;
- # PrivateTmp = lib.mkForce false;
- # PrivateDevices = lib.mkForce false;
- # ProtectSystem = lib.mkForce false;
- # ProtectHome = lib.mkForce false;
- # ProtectKernelTunables = lib.mkForce false;
- # ProtectKernelModules = lib.mkForce false;
- # ProtectKernelLogs = lib.mkForce false;
- # ProtectControlGroups = lib.mkForce false;
- # RestrictNamespaces = lib.mkForce false;
- # RestrictRealtime = lib.mkForce false;
- # LockPersonality = lib.mkForce false;
- # MemoryDenyWriteExecute = lib.mkForce false;
- # ProtectProc = lib.mkForce "default";
- # SystemCallArchitectures = lib.mkForce "";
- # SystemCallFilter = lib.mkForce [];
- # ReadWritePaths = lib.mkForce [];
- # ReadOnlyPaths = lib.mkForce [];
- # InaccessiblePaths = lib.mkForce [];
+ PrivateTmp = lib.mkForce false;
+ PrivateDevices = lib.mkForce false;
+ ProtectSystem = lib.mkForce false;
+ ProtectHome = lib.mkForce false;
+ ProtectKernelTunables = lib.mkForce false;
+ ProtectKernelModules = lib.mkForce false;
+ ProtectKernelLogs = lib.mkForce false;
+ ProtectControlGroups = lib.mkForce false;
+ RestrictNamespaces = lib.mkForce false;
+ RestrictRealtime = lib.mkForce false;
+ LockPersonality = lib.mkForce false;
+ MemoryDenyWriteExecute = lib.mkForce false;
+ ProtectProc = lib.mkForce "default";
+ SystemCallArchitectures = lib.mkForce "";
+ SystemCallFilter = lib.mkForce [];
+ ReadWritePaths = lib.mkForce [];
+ ReadOnlyPaths = lib.mkForce [];
+ InaccessiblePaths = lib.mkForce [];
 };
 };
 security.sudo.extraRules = [{
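Review bot: Forcing `User`/`Group` to root and clearing every remaining hardening directive (`PrivateTmp` through `InaccessiblePaths`) gives each job this runner picks up unconfined root on the host, a far wider grant than the scoped sudo rule the trailing `security.sudo.extraRules = [{` line (cut off by the hunk) appears to have provided. If root is genuinely required for `nixos-rebuild switch`, I would keep the directives activation is unlikely to need (`ProtectKernelLogs`, `LockPersonality`, `RestrictRealtime`, `MemoryDenyWriteExecute`, `SystemCallArchitectures`) and disable only those observed to break it, and record the trade-off above `User`: `# Runs as root with sandboxing off so nixos-rebuild can activate the host; every job this runner executes has unconfined root, so it must serve only this repository.` Whether the runner is in fact limited to this repository and to pushes rather than pull-request workflows is not visible here and should be confirmed, since that registration is now the only boundary. The sudo rule that follows is presumably dead once the service is root and should either be removed or become the mechanism used instead.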