satr14/nix-flake
1
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

retry sudo and fix workflow
Some checks failed
Activate NixOS Homelab Configuration On Push / build-and-activate (push) Failing after 0s
Details

Browse source
This commit is contained in:
Satria 2026-03-15 08:50:24 +07:00
commit afc2575c4d
2 changed files with 52 additions and 25 deletions
Download patch file Download diff file Expand all files Collapse all files

26
.forgejo/workflows/activate.yml
View file

@ -3,10 +3,10 @@ on:
push: push:
branches: branches:
- main - main
env: env:
PATH: /run/current-system/sw/bin:/run/wrappers/bin PATH: /run/current-system/sw/bin:/run/wrappers/bin:/nix/var/nix/profiles/default/bin
jobs: jobs:
build-and-activate: build-and-activate:
runs-on: self-hosted runs-on: self-hosted
@ -15,10 +15,18 @@ jobs:
shell: /bin/sh -e {0} shell: /bin/sh -e {0}
steps: steps:
- name: Clone - name: Clone
run: git clone http://localhost:5080/satr14/nix-flake.git src run: git clone --depth 1 http://localhost:5080/satr14/nix-flake.git src
- name: Build
run: nixos-rebuild build --flake ./src#homelab -L --show-trace
- name: Activate - name: Activate
run: nixos-rebuild switch --flake ./src#homelab -L --show-trace run: sudo nixos-rebuild switch --flake ./src#homelab -L
- name: Clean
run: rm -rfv src - name: Rollback on failure
if: failure()
run: sudo nixos-rebuild --rollback
- name: Show generation
run: nixos-version
- name: Clean up
if: always()
run: rm -rf src

51
modules/system/homelab/git.nix
View file

@ -1,11 +1,4 @@
{ lib, pkgs, homelab, ... }: { { lib, pkgs, homelab, ... }: {
security.sudo.extraRules = [{
users = [ "gitea-runner" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
services = { services = {
forgejo = { forgejo = {
enable = true; enable = true;
@ -55,14 +48,40 @@
hostPackages = with pkgs; [ bash coreutils git nix ]; hostPackages = with pkgs; [ bash coreutils git nix ];
}; };
}; };
systemd.services."gitea-runner-nixos-deploy".serviceConfig = { systemd.services."gitea-runner-nixos-deploy" = {
NoNewPrivileges = lib.mkForce false; restartIfChanged = true;
RestrictSUIDSGID = lib.mkForce false; serviceConfig = {
PrivateUsers = lib.mkForce false; # User = lib.mkForce "root";
User = lib.mkForce "root"; # Group = lib.mkForce "root";
ProtectSystem = lib.mkForce false;
ProtectHome = lib.mkForce false; NoNewPrivileges = lib.mkForce false;
ReadWritePaths = lib.mkForce [ "/" ]; RestrictSUIDSGID = lib.mkForce false;
PrivateUsers = lib.mkForce false;
# PrivateTmp = lib.mkForce false;
# PrivateDevices = lib.mkForce false;
# ProtectSystem = lib.mkForce false;
# ProtectHome = lib.mkForce false;
# ProtectKernelTunables = lib.mkForce false;
# ProtectKernelModules = lib.mkForce false;
# ProtectKernelLogs = lib.mkForce false;
# ProtectControlGroups = lib.mkForce false;
# RestrictNamespaces = lib.mkForce false;
# RestrictRealtime = lib.mkForce false;
# LockPersonality = lib.mkForce false;
# MemoryDenyWriteExecute = lib.mkForce false;
# ProtectProc = lib.mkForce "default";
# SystemCallArchitectures = lib.mkForce "";
# SystemCallFilter = lib.mkForce [];
# ReadWritePaths = lib.mkForce [];
# ReadOnlyPaths = lib.mkForce [];
# InaccessiblePaths = lib.mkForce [];
};
}; };
systemd.services."gitea-runner-nixos-deploy".restartIfChanged = false; security.sudo.extraRules = [{
users = [ "gitea-runner" ];
commands = [{
command = "/run/current-system/sw/bin/nixos-rebuild";
options = [ "NOPASSWD" ];
}];
}];
} }