From 94c8e911901e27502388c0b3c6225f4e67f64f9b Mon Sep 17 00:00:00 2001
From: Harivansh Rathi
Date: Sat, 18 Apr 2026 22:50:46 -0400
Subject: [PATCH] ci(netty): disable DynamicUser on runner (implies NoNewPrivileges + RestrictSUIDSGID that break sudo)

Made-with: Cursor
---
 hosts/netty/forgejo-runner.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/hosts/netty/forgejo-runner.nix b/hosts/netty/forgejo-runner.nix
index 276f6e6..f4cedeb 100644
--- a/hosts/netty/forgejo-runner.nix
+++ b/hosts/netty/forgejo-runner.nix
@@ -9,9 +9,21 @@ let
 in {
   systemd.services.gitea-runner-netty.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = lib.mkForce "gitea-runner";
+    Group = lib.mkForce "gitea-runner";
     NoNewPrivileges = lib.mkForce false;
+    RestrictSUIDSGID = lib.mkForce false;
   };
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+    home = "/var/lib/gitea-runner";
+    createHome = true;
+  };
+  users.groups.gitea-runner = { };
+
   security.sudo.extraRules = [
     {
       users = [ "gitea-runner" ];