From afc2575c4d5f0a5d31f617560a0d9a8524b3fbdc Mon Sep 17 00:00:00 2001
From: Satria
Date: Sun, 15 Mar 2026 08:50:24 +0700
Subject: [PATCH] retry sudo and fix workflow

---
 .forgejo/workflows/activate.yml | 26 +++++++++++------
 modules/system/homelab/git.nix | 51 ++++++++++++++++++++++-----------
 2 files changed, 52 insertions(+), 25 deletions(-)

diff --git a/.forgejo/workflows/activate.yml b/.forgejo/workflows/activate.yml
index aa00711..bb38a85 100644
--- a/.forgejo/workflows/activate.yml
+++ b/.forgejo/workflows/activate.yml
@@ -3,10 +3,10 @@ on:
 push:
 branches:
 - main
-
+
 env:
- PATH: /run/current-system/sw/bin:/run/wrappers/bin
-
+ PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
+
 jobs:
 build-and-activate:
 runs-on: self-hosted
@@ -15,10 +15,18 @@ jobs:
 shell: /bin/sh -e {0}
 steps:
 - name: Clone
- run: git clone http://localhost:5080/satr14/nix-flake.git src
- - name: Build
- run: nixos-rebuild build --flake ./src#homelab -L --show-trace
+ run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
+
 - name: Activate
- run: nixos-rebuild switch --flake ./src#homelab -L --show-trace
- - name: Clean
- run: rm -rfv src
+ run: sudo nixos-rebuild switch --flake ./src#homelab -L
+
+ - name: Rollback on failure
+ if: failure()
+ run: sudo nixos-rebuild --rollback
+
+ - name: Show generation
+ run: nixos-version
+
+ - name: Clean up
+ if: always()
+ run: rm -rf src
\ No newline at end of file
diff --git a/modules/system/homelab/git.nix b/modules/system/homelab/git.nix
index 7e34e3c..a1a8b4e 100644
--- a/modules/system/homelab/git.nix
+++ b/modules/system/homelab/git.nix
@@ -1,11 +1,4 @@
 { lib, pkgs, homelab, ... }: {
- security.sudo.extraRules = [{
- users = [ "gitea-runner" ];
- commands = [{
- command = "/run/current-system/sw/bin/nixos-rebuild";
- options = [ "NOPASSWD" ];
- }];
- }];
 services = {
 forgejo = {
 enable = true;
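Review bot: In the second hunk of activate.yml, `Rollback on failure` is gated only on `if: failure()`, so a failed `git clone` or a build error inside `sudo nixos-rebuild switch` (where no new generation was ever activated) still runs `sudo nixos-rebuild --rollback` and moves the host to the generation before the one it was already running. Scope it to the activate step: add `id: activate` to the Activate step and use `if: failure() && steps.activate.outcome == 'failure'`, assuming the Forgejo runner supports the `steps` context the way GitHub Actions does. Even then a build failure inside `switch` leaves the system profile untouched, so a stricter guard would record `readlink /nix/var/nix/profiles/system` before the switch and only roll back when that link changed. Dropping `--show-trace` from the switch command also removes the evaluation trace that is most useful precisely when this failure path fires.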
@@ -55,14 +48,40 @@
 hostPackages = with pkgs; [ bash coreutils git nix ];
 };
 };
- systemd.services."gitea-runner-nixos-deploy".serviceConfig = {
- NoNewPrivileges = lib.mkForce false;
- RestrictSUIDSGID = lib.mkForce false;
- PrivateUsers = lib.mkForce false;
- User = lib.mkForce "root";
- ProtectSystem = lib.mkForce false;
- ProtectHome = lib.mkForce false;
- ReadWritePaths = lib.mkForce [ "/" ];
+ systemd.services."gitea-runner-nixos-deploy" = {
+ restartIfChanged = true;
+ serviceConfig = {
+ # User = lib.mkForce "root";
+ # Group = lib.mkForce "root";
+
+ NoNewPrivileges = lib.mkForce false;
+ RestrictSUIDSGID = lib.mkForce false;
+ PrivateUsers = lib.mkForce false;
+ # PrivateTmp = lib.mkForce false;
+ # PrivateDevices = lib.mkForce false;
+ # ProtectSystem = lib.mkForce false;
+ # ProtectHome = lib.mkForce false;
+ # ProtectKernelTunables = lib.mkForce false;
+ # ProtectKernelModules = lib.mkForce false;
+ # ProtectKernelLogs = lib.mkForce false;
+ # ProtectControlGroups = lib.mkForce false;
+ # RestrictNamespaces = lib.mkForce false;
+ # RestrictRealtime = lib.mkForce false;
+ # LockPersonality = lib.mkForce false;
+ # MemoryDenyWriteExecute = lib.mkForce false;
+ # ProtectProc = lib.mkForce "default";
+ # SystemCallArchitectures = lib.mkForce "";
+ # SystemCallFilter = lib.mkForce [];
+ # ReadWritePaths = lib.mkForce [];
+ # ReadOnlyPaths = lib.mkForce [];
+ # InaccessiblePaths = lib.mkForce [];
+ };
 };
- systemd.services."gitea-runner-nixos-deploy".restartIfChanged = false;
+ security.sudo.extraRules = [{
+ users = [ "gitea-runner" ];
+ commands = [{
+ command = "/run/current-system/sw/bin/nixos-rebuild";
+ options = [ "NOPASSWD" ];
+ }];
+ }];
 }
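Review bot: `restartIfChanged = true` on `gitea-runner-nixos-deploy` replaces the removed `restartIfChanged = false`, so a `nixos-rebuild switch` that changes this unit restarts the runner service while the job that invoked the switch is still executing inside it, killing that run's rollback, Show generation and Clean up steps; keep `restartIfChanged = false;` (true is the NixOS default the old line was overriding) unless a restart after the job ends is arranged some other way. The re-added sudo rule permits `nixos-rebuild` with any arguments, so whoever can push to `main` or write the runner's checkout can switch the host to an arbitrary flake as root; that is inherent to this deploy design but deserves a comment on the rule, e.g. `# root-equivalent: arguments are not restricted, so control of main is control of the host`. The twenty-odd commented-out `serviceConfig` overrides are dead configuration; either drop them or add a one-line comment on why only `NoNewPrivileges`, `RestrictSUIDSGID` and `PrivateUsers` remain forced off (presumably because sudo needs the setuid wrapper and the host's uid namespace, but that should be stated rather than guessed at by the next reader).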