sandbox bypass run as root

This commit is contained in:
Satria 2026-03-15 09:06:28 +07:00
commit a48b426cc0
2 changed files with 22 additions and 22 deletions


@ -19,11 +19,11 @@ jobs:
run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
- name: Activate - name: Activate
run: sudo nixos-rebuild switch --flake ./src#homelab -L run: nixos-rebuild switch --flake ./src#homelab -L
- name: Rollback on failure - name: Rollback on failure
if: failure() if: failure()
run: sudo nixos-rebuild --rollback run: nixos-rebuild --rollback
- name: Show generation - name: Show generation
run: nixos-version run: nixos-version
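Review bot: Removing `sudo` from the `Activate` and `Rollback on failure` steps (the sudo-less variant appears to be the new side, judging by the commit title and the `User = lib.mkForce "root"` change in the other file, though the rendering does not mark old and new) only works because the runner service itself is being switched to root, which means every job this runner picks up runs with that privilege, not just these two `nixos-rebuild` commands. The `sudo` form paired with a narrow `security.sudo.extraRules` entry (the opening of which is visible at the end of the other file's hunk) would confine root to exactly `nixos-rebuild switch --flake ./src#homelab -L` and `nixos-rebuild --rollback`, whereas the other hunk also forces off `NoNewPrivileges`, `PrivateUsers`, `RestrictSUIDSGID` and, if the uncommented lines are the new side, `ProtectSystem`, `ProtectHome` and the remaining sandboxing options for the whole service. Consider keeping `run: sudo nixos-rebuild switch --flake ./src#homelab -L` and `run: sudo nixos-rebuild --rollback` with a command-scoped NOPASSWD rule instead of promoting the runner, and if root is kept, state it in the workflow with a comment such as `# Activate/Rollback run as root: this runner must only execute trusted workflows from this repository`. Note that the `git clone` step on the line above fetches the flake over plain `http://localhost:5080` and the activation then applies whatever was pushed as the host's system configuration, so the trust placed in this repository is now the same as root on the host; the Nix-side hunk continues past what is shown here.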


@ -51,30 +51,30 @@
systemd.services."gitea-runner-nixos-deploy" = { systemd.services."gitea-runner-nixos-deploy" = {
restartIfChanged = true; restartIfChanged = true;
serviceConfig = { serviceConfig = {
# User = lib.mkForce "root"; User = lib.mkForce "root";
# Group = lib.mkForce "root"; Group = lib.mkForce "root";
NoNewPrivileges = lib.mkForce false; NoNewPrivileges = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false; RestrictSUIDSGID = lib.mkForce false;
PrivateUsers = lib.mkForce false; PrivateUsers = lib.mkForce false;
# PrivateTmp = lib.mkForce false; PrivateTmp = lib.mkForce false;
# PrivateDevices = lib.mkForce false; PrivateDevices = lib.mkForce false;
# ProtectSystem = lib.mkForce false; ProtectSystem = lib.mkForce false;
# ProtectHome = lib.mkForce false; ProtectHome = lib.mkForce false;
# ProtectKernelTunables = lib.mkForce false; ProtectKernelTunables = lib.mkForce false;
# ProtectKernelModules = lib.mkForce false; ProtectKernelModules = lib.mkForce false;
# ProtectKernelLogs = lib.mkForce false; ProtectKernelLogs = lib.mkForce false;
# ProtectControlGroups = lib.mkForce false; ProtectControlGroups = lib.mkForce false;
# RestrictNamespaces = lib.mkForce false; RestrictNamespaces = lib.mkForce false;
# RestrictRealtime = lib.mkForce false; RestrictRealtime = lib.mkForce false;
# LockPersonality = lib.mkForce false; LockPersonality = lib.mkForce false;
# MemoryDenyWriteExecute = lib.mkForce false; MemoryDenyWriteExecute = lib.mkForce false;
# ProtectProc = lib.mkForce "default"; ProtectProc = lib.mkForce "default";
# SystemCallArchitectures = lib.mkForce ""; SystemCallArchitectures = lib.mkForce "";
# SystemCallFilter = lib.mkForce []; SystemCallFilter = lib.mkForce [];
# ReadWritePaths = lib.mkForce []; ReadWritePaths = lib.mkForce [];
# ReadOnlyPaths = lib.mkForce []; ReadOnlyPaths = lib.mkForce [];
# InaccessiblePaths = lib.mkForce []; InaccessiblePaths = lib.mkForce [];
}; };
}; };
security.sudo.extraRules = [{ security.sudo.extraRules = [{