UGA-Innovation-Factory/athenix
3
1
Fork 0
Code Issues Pull Requests Actions Projects Releases Activity

Merge pull request 'add keys to allow builder to work with ssh git refs' (#16) from builder-ci into main
All checks were successful
CI / Format Check (push) Successful in 2s
Details
CI / Flake Check (push) Successful in 1m27s
Details
CI / Evaluate Key Configurations (nix-builder) (push) Successful in 11s
Details
CI / Evaluate Key Configurations (nix-desktop1) (push) Successful in 12s
Details
CI / Evaluate Key Configurations (nix-laptop1) (push) Successful in 9s
Details
CI / Evaluate Artifacts (installer-iso-nix-laptop1) (push) Successful in 17s
Details
CI / Evaluate Artifacts (lxc-nix-builder) (push) Successful in 12s
Details

Browse Source 
Reviewed-on: #16
This commit was merged in pull request #16.
This commit is contained in:
Hunter David Halloran
2025-12-18 23:16:54 +00:00
parent 44e8a897ca 319111b469
commit 08802d3147
2 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
sw/builders/programs.nix
View File

@@ -16,4 +16,17 @@ let
in
{
environment.systemPackages = subtractLists cfg.excludePackages (basePackages ++ cfg.extraPackages);
programs.ssh.knownHosts."factory.uga.edu" = {
hostNames = [ "factory.uga.edu" ];
publicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcrA7pAz+JGn7/7PqPR4aCZJB5c3aVMTvGXWjg/BqST
'';
};
programs.ssh.knownHosts."github.com" = {
hostNames = [ "github.com" ];
publicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
'';
};
}

21
sw/builders/services.nix
View File

@@ -18,6 +18,13 @@ mkIf builderCfg.giteaRunner.enable {
tokenFile = builderCfg.giteaRunner.tokenFile;
labels = builderCfg.giteaRunner.extraLabels;
name = builderCfg.giteaRunner.name;
# Run as engr-ugaif user to access SSH keys
settings = {
runner = {
user = "engr-ugaif";
};
};
};
# Configure the systemd service for better handling in LXC containers
@@ -28,29 +35,39 @@ mkIf builderCfg.giteaRunner.enable {
ConditionPathExists = builderCfg.giteaRunner.tokenFile;
};
serviceConfig = {
# Run as engr-ugaif user
User = mkForce "engr-ugaif";
Group = mkForce "users";
# Give the service more time to stop cleanly
TimeoutStopSec = mkForce 60;
# Add Node.js and other tools to PATH for GitHub Actions compatibility
Environment = [
"PATH=${pkgs.nodejs}/bin:${pkgs.bash}/bin:${pkgs.coreutils}/bin:${pkgs.git}/bin:${pkgs.nix}/bin:/run/current-system/sw/bin"
"HOME=/home/engr-ugaif"
];
# Disable all namespace isolation features that don't work in LXC containers
# Remove systemd security features that conflict with home directory access
DynamicUser = mkForce false;
PrivateMounts = mkForce false;
MountAPIVFS = mkForce false;
BindPaths = mkForce [ ];
BindReadOnlyPaths = mkForce [ ];
ReadWritePaths = mkForce [ ];
ReadOnlyPaths = mkForce [ ];
InaccessiblePaths = mkForce [ ];
PrivateTmp = mkForce false;
PrivateDevices = mkForce false;
ProtectSystem = mkForce false;
ProtectHome = mkForce false;
ReadOnlyPaths = mkForce [ ];
InaccessiblePaths = mkForce [ ];
PrivateUsers = mkForce false;
ProtectKernelTunables = mkForce false;
ProtectKernelModules = mkForce false;
ProtectControlGroups = mkForce false;
RestrictAddressFamilies = mkForce [ ];
SystemCallFilter = mkForce [ ];
};
};
}