harivansh-afk/nix
1
1
Fork 0
mirror of https://github.com/harivansh-afk/nix.git synced 2026-04-19 23:01:35 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

ci(netty): disable DynamicUser on runner (implies NoNewPrivileges + RestrictSUIDSGID that break sudo)
Some checks failed
quality / changes (push) Failing after 0s
Details
quality / Flake Check (push) Has been skipped
Details
quality / Nix Format Check (push) Has been skipped
Details
quality / Deploy netty (push) Has been skipped
Details

Browse source 
Made-with: Cursor
This commit is contained in:
Harivansh Rathi 2026-04-18 22:50:46 -04:00
parent bac6f96814
commit 94c8e91190
1 changed files with 12 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

12
hosts/netty/forgejo-runner.nix
View file

@ -9,9 +9,21 @@ let
in in
{ {
systemd.services.gitea-runner-netty.serviceConfig = { systemd.services.gitea-runner-netty.serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce "gitea-runner";
Group = lib.mkForce "gitea-runner";
NoNewPrivileges = lib.mkForce false; NoNewPrivileges = lib.mkForce false;
RestrictSUIDSGID = lib.mkForce false;
}; };
users.users.gitea-runner = {
isSystemUser = true;
group = "gitea-runner";
home = "/var/lib/gitea-runner";
createHome = true;
};
users.groups.gitea-runner = { };
security.sudo.extraRules = [ security.sudo.extraRules = [
{ {
users = [ "gitea-runner" ]; users = [ "gitea-runner" ];