environment

.gitea/workflows/apply-kubernetes.yml

@@ -1,6 +1,19 @@
 name: Apply Kuberentes Configs
 on: [push, workflow_dispatch]
 jobs:
+  test-environment:
+    runs-on: home-server
+    steps:
+      - name: test basic commands
+        run: |
+          echo "=== Environment Info ==="
+          whoami
+          pwd
+          echo "=== Test bash ==="
+          bash --version
+          echo "=== Test git ==="
+          git --version
+          echo "=== Success ==="
   update-repo:
     runs-on: home-server
     steps:

nix/modules/gitea-runner.nix

@@ -7,7 +7,7 @@
     url = "https://git.alexmickelson.guru";
     tokenFile = "/data/runner/gitea-infrastructure-token.txt";
     labels = [
-        "home-server"
+      "home-server:host"
       "native:host"
     ];
     hostPackages = with pkgs; [
@@ -25,7 +25,9 @@
       kubernetes-helm
     ];
     settings = {
-        container = { enabled = false; };
+      container = { 
+        enabled = false;
+      };
     };
   };
 };
@@ -52,23 +54,20 @@
 systemd.tmpfiles.rules = [
   "d /data/runner 0755 gitea-runner gitea-runner -"
   "f /data/runner/gitea-infrastructure-token.txt 0600 gitea-runner gitea-runner -"
+  "d /var/lib/gitea-runner 0755 gitea-runner gitea-runner -"
+  "d /var/lib/gitea-runner/infrastructure 0755 gitea-runner gitea-runner -"
 ];
 
+# Override only the sandboxing settings, keep ExecStart from the module
 systemd.services.gitea-runner-infrastructure.serviceConfig = {
-    # Use the actual location where the module creates the .runner file
+  # Keep the working directory
   WorkingDirectory = lib.mkForce "/var/lib/gitea-runner/infrastructure";
   
-    ReadWritePaths = lib.mkForce [ 
-      "/var/lib/gitea-runner"
-      "/data/cloudflare/"
-      "/data/runner/infrastructure"
-      "/data/runner"
-      "/home/github/infrastructure"
-    ];
-    BindReadOnlyPaths = [
-      "/nix/store"
-    ];
-    # Disable all sandboxing features
+  # Override user/group
+  User = lib.mkForce "gitea-runner";
+  Group = lib.mkForce "gitea-runner";
+  
+  # Remove ALL sandboxing - run as a normal user process
   DynamicUser = lib.mkForce false;
   PrivateDevices = lib.mkForce false;
   PrivateMounts = lib.mkForce false;
@@ -91,10 +90,10 @@
   LockPersonality = lib.mkForce false;
   SystemCallFilter = lib.mkForce [ ];
   RestrictAddressFamilies = lib.mkForce [ ];
+  ReadWritePaths = lib.mkForce [ ];
+  BindReadOnlyPaths = lib.mkForce [ ];
   
-    User = lib.mkForce "gitea-runner";
-    Group = lib.mkForce "gitea-runner";
-    
+  # Allow access to devices
   DeviceAllow = lib.mkForce [ "/dev/zfs rw" ];
   DevicePolicy = lib.mkForce "auto";