environment

2026-02-07 13:39:59 -07:00
parent d39ab4b5f2
commit a308b23380


@@ -323,14 +323,20 @@
"/bin" "/bin"
]; ];
environment.binsh = "${pkgs.bash}/bin/bash";
systemd.services.gitea-runner-infrastructure.serviceConfig = { systemd.services.gitea-runner-infrastructure.serviceConfig = {
ReadWritePaths = [ ReadWritePaths = [
"/data/cloudflare/" "/data/cloudflare/"
"/data/runner/infrastructure" "/data/runner/infrastructure"
"/data/runner" "/data/runner"
"/home/github/infrastructure" "/home/github/infrastructure"
"/nix/store" # ADD THIS - critical for accessing bash and other nix packages
]; ];
# Also add read-only bind for /nix/store as a fallback
BindReadOnlyPaths = [
"/nix/store"
];
PrivateDevices = false; PrivateDevices = false;
DeviceAllow = [ "/dev/zfs rw" ]; DeviceAllow = [ "/dev/zfs rw" ];
ProtectProc = "default"; ProtectProc = "default";
@@ -338,17 +344,8 @@
PrivateMounts = false; PrivateMounts = false;
PrivateUsers = false; PrivateUsers = false;
ProtectHome = false; ProtectHome = false;
NoNewPrivileges = false; NoNewPrivileges = false; # ADD THIS
# Make sure the service can see /nix/store
BindReadOnlyPaths = [
"/nix/store"
];
Environment = [
"SHELL=${pkgs.bash}/bin/bash"
"BASH=${pkgs.bash}/bin/bash"
];
Restart = lib.mkForce "always"; Restart = lib.mkForce "always";
}; };
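Review bot: `"/nix/store"` added to `ReadWritePaths` in the first hunk (@@ -323) grants the runner service write access to the Nix store, even though the comment next to it only asks for read/exec access to bash and the same hunk already adds `BindReadOnlyPaths = [ "/nix/store" ];` for exactly that purpose. If `ProtectSystem` is enabled elsewhere in this unit (not visible in the hunk), a writable store means a CI job running under this service could alter binaries every other service on the host executes, so the line should be dropped and only the read-only bind kept: `BindReadOnlyPaths = [ "/nix/store" ];`. The `# ADD THIS` scratch comments on that line and on `NoNewPrivileges = false;` in the second hunk read as editing notes rather than documentation; replace them with the reason the setting is required (e.g. `# runner jobs need to exec binaries from the store; read-only is sufficient`). `environment.binsh = "${pkgs.bash}/bin/bash";` switches `/bin/sh` for the whole host rather than for this service alone, so if it is only meant to fix the runner's shell it presumably belongs in the service's `path` or `Environment` instead — worth confirming before merging.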