From 2f176f94740cd5482fe723098c70045219663d9d Mon Sep 17 00:00:00 2001
From: Alex Mickelson
Date: Sat, 7 Feb 2026 14:03:42 -0700
Subject: [PATCH] gitea runner
---
 nix/modules/gitea-runner.nix | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/nix/modules/gitea-runner.nix b/nix/modules/gitea-runner.nix
index d13cc6f..8cf1fe5 100644
--- a/nix/modules/gitea-runner.nix
+++ b/nix/modules/gitea-runner.nix
@@ -55,7 +55,6 @@
 ];
 systemd.services.gitea-runner-infrastructure.serviceConfig = {
- # Use the actual location where the module creates the .runner file
 WorkingDirectory = lib.mkForce "/var/lib/gitea-runner/infrastructure";
 ReadWritePaths = lib.mkForce [
@@ -65,13 +64,21 @@
 "/data/runner"
 "/home/github/infrastructure"
 ];
- BindReadOnlyPaths = [
+
+ # CRITICAL: Completely disable mount namespace isolation
+ PrivateMounts = lib.mkForce false;
+ MountFlags = lib.mkForce "";
+
+ # Also bind the nix store
+ BindReadOnlyPaths = lib.mkForce [
 "/nix/store"
+ "/nix/var"
+ "/run/current-system"
 ];
- # Disable all sandboxing features
+
+ # Disable all other sandboxing features
 DynamicUser = lib.mkForce false;
 PrivateDevices = lib.mkForce false;
- PrivateMounts = lib.mkForce false;
 PrivateTmp = lib.mkForce false;
 PrivateUsers = lib.mkForce false;
 ProtectClock = lib.mkForce false;
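Review bot: The `# CRITICAL: Completely disable mount namespace isolation` comment and `PrivateMounts = lib.mkForce false;` in the second hunk do not deliver what the comment claims, because the `BindReadOnlyPaths = lib.mkForce [ ... ]` kept a few lines below makes systemd set up a private mount namespace for the unit regardless of `PrivateMounts=`; if the goal really is no mount isolation the bind list should go as well (on a NixOS host those three paths are presumably visible without it), and if the bind list is needed the comment should state that a namespace remains. `MountFlags = lib.mkForce "";` also looks suspect: the option takes `shared`, `slave` or `private`, and an empty assignment appears to only reset it, so the line is either a no-op next to `PrivateMounts = false` or was meant to be `shared`. Since this unit runs CI jobs and the hunk now forces every remaining hardening option off without recording why, please replace the comment with one that captures the reason and the consequence, e.g. `# Runner jobs need the host mount table (reason: <placeholder>); all systemd sandboxing below is forced off for that, so any job runs with this service user's full view of the host.` The `serviceConfig` attribute set continues outside the hunk.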