environment

nix/home-server.nix

@@ -323,14 +323,20 @@
     "/bin"
   ];
   
-  environment.binsh = "${pkgs.bash}/bin/bash";
   systemd.services.gitea-runner-infrastructure.serviceConfig = {
     ReadWritePaths = [
       "/data/cloudflare/"
       "/data/runner/infrastructure"
       "/data/runner"
       "/home/github/infrastructure"
+      "/nix/store"  # ADD THIS - critical for accessing bash and other nix packages
     ];
+    
+    # Also add read-only bind for /nix/store as a fallback
+    BindReadOnlyPaths = [
+      "/nix/store"
+    ];
+    
     PrivateDevices = false;
     DeviceAllow = [ "/dev/zfs rw" ];
     ProtectProc = "default";
@@ -338,16 +344,7 @@
     PrivateMounts = false;
     PrivateUsers = false;
     ProtectHome = false;
-    NoNewPrivileges = false;
-    
-    # Make sure the service can see /nix/store
-    BindReadOnlyPaths = [
-      "/nix/store"
-    ];
-     Environment = [
-      "SHELL=${pkgs.bash}/bin/bash"
-      "BASH=${pkgs.bash}/bin/bash"
-    ];
+    NoNewPrivileges = false;  # ADD THIS
     
     Restart = lib.mkForce "always";
   };