environment

2026-02-07 13:41:21 -07:00
parent a308b23380
commit cb8bff7c0a


@@ -312,7 +312,6 @@
kubectl kubectl
kubernetes-helm kubernetes-helm
]; ];
settings = { settings = {
container = { enabled = false; }; container = { enabled = false; };
}; };
@@ -322,39 +321,59 @@
environment.pathsToLink = [ environment.pathsToLink = [
"/bin" "/bin"
]; ];
# Completely disable all sandboxing
systemd.services.gitea-runner-infrastructure.serviceConfig = { systemd.services.gitea-runner-infrastructure.serviceConfig = {
ReadWritePaths = [ # Your existing paths
ReadWritePaths = lib.mkForce [
"/data/cloudflare/" "/data/cloudflare/"
"/data/runner/infrastructure" "/data/runner/infrastructure"
"/data/runner" "/data/runner"
"/home/github/infrastructure" "/home/github/infrastructure"
"/nix/store" # ADD THIS - critical for accessing bash and other nix packages
]; ];
# Also add read-only bind for /nix/store as a fallback # Disable all sandboxing features
BindReadOnlyPaths = [ DynamicUser = lib.mkForce false;
"/nix/store" PrivateDevices = lib.mkForce false;
]; PrivateMounts = lib.mkForce false;
PrivateTmp = lib.mkForce false;
PrivateUsers = lib.mkForce false;
ProtectClock = lib.mkForce false;
ProtectControlGroups = lib.mkForce false;
ProtectHome = lib.mkForce false;
ProtectHostname = lib.mkForce false;
ProtectKernelLogs = lib.mkForce false;
ProtectKernelModules = lib.mkForce false;
ProtectKernelTunables = lib.mkForce false;
ProtectProc = lib.mkForce "default";
ProtectSystem = lib.mkForce false;
NoNewPrivileges = lib.mkForce false;
RestrictNamespaces = lib.mkForce false;
RestrictRealtime = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
RemoveIPC = lib.mkForce false;
LockPersonality = lib.mkForce false;
SystemCallFilter = lib.mkForce [ ];
RestrictAddressFamilies = lib.mkForce [ ];
PrivateDevices = false; # Ensure it runs as your existing user, not a dynamic one
DeviceAllow = [ "/dev/zfs rw" ]; User = lib.mkForce "gitea-runner";
ProtectProc = "default"; Group = lib.mkForce "gitea-runner";
ProtectSystem = false;
PrivateMounts = false; # Allow access to devices
PrivateUsers = false; DeviceAllow = lib.mkForce [ "/dev/zfs rw" ];
ProtectHome = false; DevicePolicy = lib.mkForce "auto";
NoNewPrivileges = false; # ADD THIS
Restart = lib.mkForce "always"; Restart = lib.mkForce "always";
}; };
# Make sure the user exists
users.users.gitea-runner = { users.users.gitea-runner = {
isNormalUser = true; isNormalUser = true;
description = "Gitea Actions Runner"; description = "Gitea Actions Runner";
home = "/home/gitea-runner"; home = "/home/gitea-runner";
createHome = true; createHome = true;
extraGroups = [ "docker" ]; extraGroups = [ "docker" "wheel" ]; # Add wheel if you need sudo
packages = with pkgs; [ packages = with pkgs; [
kubernetes-helm kubernetes-helm
]; ];