ci: run actions runner as normal user

2024-05-30 15:49:56 +02:00 · 2024-05-30 15:49:56 +02:00 · 87ea6353a2
parent 418810f4bc
commit 87ea6353a2
2 changed files with 31 additions and 18 deletions
--- a/.forgejo/workflows/check.yml
+++ b/.forgejo/workflows/check.yml
@ -8,13 +8,6 @@ jobs:
      - name: Check out repository code
        uses: https://code.forgejo.org/actions/checkout@v4

-      - name: Prepare cachix
-        uses: https://github.com/cachix/cachix-action@v14
-        with:
-          name: pub-solar
-          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
-          useDaemon: false
-
      - name: Check formatting
        run: |
          nix --accept-flake-config --access-tokens '' develop --command treefmt --fail-on-change
--- a/hosts/tankstelle/forgejo-actions-runner.nix
+++ b/hosts/tankstelle/forgejo-actions-runner.nix
@ -15,17 +15,37 @@
  # Needed for the docker runner to communicate with the act_runner cache
  networking.firewall.trustedInterfaces = [ "br-+" ];

-  systemd.services."gitea-runner-tankstelle".path = with pkgs; [
-    coreutils
-    bash
-    coreutils
-    curl
-    gawk
-    gitMinimal
-    gnused
-    nodejs
-    wget
-  ];
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/tankstelle";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    # Required to interact with nix daemon
+    extraGroups = [
+     "wheel"
+    ];
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = { };
+
+  systemd.tmpfiles.rules = [ "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -" ];
+
+  systemd.services."gitea-runner-tankstelle" = {
+    serviceConfig.DynamicUser = lib.mkForce false;
+    path = with pkgs; [
+      coreutils
+      bash
+      coreutils
+      curl
+      gawk
+      gitMinimal
+      gnused
+      nodejs
+      wget
+      cachix
+      jq
+    ];
+  };

  # forgejo actions runner
  # https://forgejo.org/docs/latest/admin/actions/