feat: Add docker compose runner for usda-dash

2025-12-18 15:22:32 -05:00
parent a06525f6fa
commit b329ec8066
3 changed files with 33 additions and 3 deletions
--- a/inventory.nix
+++ b/inventory.nix
@@ -122,7 +122,7 @@
      };
      "usda-dash" = builtins.fetchGit {
        url = "https://git.factory.uga.edu/MODEL/usda-dash-config.git";
-        rev = "98f19ed8f8a6fed29d0947604bc14b403547a10d";
+        rev = "6c0029057aa50d0b4d6a0205c3ded890eb08979c";
      };
    };
    overrides = {
--- a/sw/builders/programs.nix
+++ b/sw/builders/programs.nix
@@ -16,4 +16,17 @@ let
 in
 {
  environment.systemPackages = subtractLists cfg.excludePackages (basePackages ++ cfg.extraPackages);
+
+  programs.ssh.knownHosts."factory.uga.edu" = {
+    hostNames = [ "factory.uga.edu" ];
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcrA7pAz+JGn7/7PqPR4aCZJB5c3aVMTvGXWjg/BqST
+    '';
+  };
+  programs.ssh.knownHosts."github.com" = {
+    hostNames = [ "github.com" ];
+    publicKey = ''
+      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+    '';
+  };
 }
--- a/sw/builders/services.nix
+++ b/sw/builders/services.nix
@@ -18,6 +18,13 @@ mkIf builderCfg.giteaRunner.enable {
    tokenFile = builderCfg.giteaRunner.tokenFile;
    labels = builderCfg.giteaRunner.extraLabels;
    name = builderCfg.giteaRunner.name;
+    
+    # Run as engr-ugaif user to access SSH keys
+    settings = {
+      runner = {
+        user = "engr-ugaif";
+      };
+    };
  };

  # Configure the systemd service for better handling in LXC containers
@@ -28,29 +35,39 @@ mkIf builderCfg.giteaRunner.enable {
      ConditionPathExists = builderCfg.giteaRunner.tokenFile;
    };
    serviceConfig = {
+      # Run as engr-ugaif user
+      User = mkForce "engr-ugaif";
+      Group = mkForce "users";
+      
      # Give the service more time to stop cleanly
      TimeoutStopSec = mkForce 60;

      # Add Node.js and other tools to PATH for GitHub Actions compatibility
      Environment = [
        "PATH=${pkgs.nodejs}/bin:${pkgs.bash}/bin:${pkgs.coreutils}/bin:${pkgs.git}/bin:${pkgs.nix}/bin:/run/current-system/sw/bin"
+        "HOME=/home/engr-ugaif"
      ];

      # Disable all namespace isolation features that don't work in LXC containers
+      # Remove systemd security features that conflict with home directory access
+      DynamicUser = mkForce false;
      PrivateMounts = mkForce false;
      MountAPIVFS = mkForce false;
      BindPaths = mkForce [ ];
      BindReadOnlyPaths = mkForce [ ];
+      ReadWritePaths = mkForce [ ];
+      ReadOnlyPaths = mkForce [ ];
+      InaccessiblePaths = mkForce [ ];
      PrivateTmp = mkForce false;
      PrivateDevices = mkForce false;
      ProtectSystem = mkForce false;
      ProtectHome = mkForce false;
-      ReadOnlyPaths = mkForce [ ];
-      InaccessiblePaths = mkForce [ ];
      PrivateUsers = mkForce false;
      ProtectKernelTunables = mkForce false;
      ProtectKernelModules = mkForce false;
      ProtectControlGroups = mkForce false;
+      RestrictAddressFamilies = mkForce [ ];
+      SystemCallFilter = mkForce [ ];
    };
  };
 }