From bac6f9681420dabd8737861f61fbaf743c33214c Mon Sep 17 00:00:00 2001 From: Harivansh Rathi Date: Sat, 18 Apr 2026 22:48:37 -0400 Subject: [PATCH] ci(netty): disable NoNewPrivileges on runner so sudo works for deploy Made-with: Cursor --- hosts/netty/forgejo-runner.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/hosts/netty/forgejo-runner.nix b/hosts/netty/forgejo-runner.nix index 1720269..276f6e6 100644 --- a/hosts/netty/forgejo-runner.nix +++ b/hosts/netty/forgejo-runner.nix @@ -8,6 +8,10 @@ let cacheRoot = "/var/cache/forgejo-runner"; in { + systemd.services.gitea-runner-netty.serviceConfig = { + NoNewPrivileges = lib.mkForce false; + }; + security.sudo.extraRules = [ { users = [ "gitea-runner" ];
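Review bot: Forcing `NoNewPrivileges = lib.mkForce false` on `gitea-runner-netty` lifts the restriction for every job the runner executes, not only the deploy step, so the `security.sudo.extraRules` entry for `gitea-runner` becomes the only thing separating CI job code from root. That rule's command list lies outside this hunk; it should name exact command paths with fixed arguments rather than a wildcard or `ALL`, and the override deserves a comment recording the dependency, e.g. `# NoNewPrivileges off: deploy step needs sudo; the sudo rule below is the privilege boundary`. If this runner also builds untrusted branches or pull requests, an alternative that keeps the hardening is to let the job start a dedicated root-owned deploy unit through a polkit rule, since `systemctl start` goes over D-Bus and needs no setuid binary.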