steffen/cryodev
1
0
Fork 0
Code Issues Pull requests Projects Releases 2 Packages Wiki Activity Actions

switch CI deploy to local nixos-rebuild instead of deploy-rs over SSH

Browse source 
Runner runs on the same server it deploys to, so SSH to itself was
unnecessarily complex. Now builds locally and activates directly.

- Replace deploy-rs SSH workflow with local build + switch
- Add NOPASSWD sudo for gitea-runner to run nix-env and
  switch-to-configuration (required for local deployment)
- Remove SSH key setup from deploy workflow
This commit is contained in:
steffen 2026-03-14 14:33:06 +01:00
parent 4ef5199810
commit e2e87d5694
2 changed files with 10 additions and 11 deletions
Download patch file Download diff file Expand all files Collapse all files

6
modules/nixos/forgejo-runner/default.nix
View file

@ -31,6 +31,12 @@ in
config = mkIf cfg.enable {
nix.settings.trusted-users = [ "gitea-runner" ];
# Allow gitea-runner to deploy system configurations without password
security.sudo.extraConfig = ''
gitea-runner ALL=(root) NOPASSWD: /run/current-system/sw/bin/nix-env -p /nix/var/nix/profiles/system --set *
gitea-runner ALL=(root) NOPASSWD: /nix/store/*/bin/switch-to-configuration *
'';
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {