From 319111b46905d6cf459a29b9ab24023622fbc991 Mon Sep 17 00:00:00 2001
From: UGA Innovation Factory
Date: Thu, 18 Dec 2025 18:16:35 -0500
Subject: [PATCH] add keys to allow builder to work with ssh git refs

---
 sw/builders/programs.nix | 13 +++++++++++++
 sw/builders/services.nix | 21 +++++++++++++++++++--
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/sw/builders/programs.nix b/sw/builders/programs.nix
index 749d801..b6e9f78 100644
--- a/sw/builders/programs.nix
+++ b/sw/builders/programs.nix
@@ -16,4 +16,17 @@ let
 in {
 environment.systemPackages = subtractLists cfg.excludePackages (basePackages ++ cfg.extraPackages);
+
+ programs.ssh.knownHosts."factory.uga.edu" = {
+ hostNames = [ "factory.uga.edu" ];
+ publicKey = ''
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcrA7pAz+JGn7/7PqPR4aCZJB5c3aVMTvGXWjg/BqST
+ '';
+ };
+ programs.ssh.knownHosts."github.com" = {
+ hostNames = [ "github.com" ];
+ publicKey = ''
+ ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+ '';
+ };
 }
diff --git a/sw/builders/services.nix b/sw/builders/services.nix
index 1eebba2..b34aa6e 100644
--- a/sw/builders/services.nix
+++ b/sw/builders/services.nix
@@ -18,6 +18,13 @@ mkIf builderCfg.giteaRunner.enable {
 tokenFile = builderCfg.giteaRunner.tokenFile;
 labels = builderCfg.giteaRunner.extraLabels;
 name = builderCfg.giteaRunner.name;
+
+ # Run as engr-ugaif user to access SSH keys
+ settings = {
+ runner = {
+ user = "engr-ugaif";
+ };
+ };
 };
 # Configure the systemd service for better handling in LXC containers
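Review bot: The pinned `factory.uga.edu` host key in the `programs.ssh.knownHosts` entry carries no record of how it was verified, so a later maintainer cannot tell a legitimate rotation from a substituted key; add a comment above the entry such as `# Verified out-of-band against the fingerprint supplied by <placeholder: key owner> on <placeholder: date>`, and give the `github.com` entry a comment pointing at GitHub's published SSH key fingerprints so the value can be re-checked when it changes. Pinning here is the right direction: it replaces trust-on-first-use on the builder with a declared key, and a mismatch fails the connection instead of prompting. The `hostNames` lists only repeat the attribute names; as far as I recall the NixOS option defaults `hostNames` to the attribute name, so they can be dropped unless aliases are planned. The `''` multi-line strings leave a trailing newline in `publicKey`, which a single-line `"ssh-ed25519 ..."` string avoids.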
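Review bot: `settings.runner.user` does not match any key I know of in act_runner's `runner:` configuration section, so the comment `# Run as engr-ugaif user to access SSH keys` most likely describes an effect this block does not produce; the identity change actually comes from the `User = mkForce "engr-ugaif"` line in the serviceConfig hunk of the same file. If the key is unrecognised the runner presumably ignores it silently, leaving a misleading comment beside an inert setting, so either drop the `settings` block or reword the comment to name the act_runner documentation the key comes from. The enclosing instance attrset opens above the hunk, so I cannot see whether other `settings` are already declared there.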
@@ -28,29 +35,39 @@ mkIf builderCfg.giteaRunner.enable {
 ConditionPathExists = builderCfg.giteaRunner.tokenFile;
 };
 serviceConfig = {
+ # Run as engr-ugaif user
+ User = mkForce "engr-ugaif";
+ Group = mkForce "users";
+
 # Give the service more time to stop cleanly
 TimeoutStopSec = mkForce 60;
 # Add Node.js and other tools to PATH for GitHub Actions compatibility
 Environment = [
 "PATH=${pkgs.nodejs}/bin:${pkgs.bash}/bin:${pkgs.coreutils}/bin:${pkgs.git}/bin:${pkgs.nix}/bin:/run/current-system/sw/bin"
+ "HOME=/home/engr-ugaif"
 ];
 # Disable all namespace isolation features that don't work in LXC containers
+ # Remove systemd security features that conflict with home directory access
+ DynamicUser = mkForce false;
 PrivateMounts = mkForce false;
 MountAPIVFS = mkForce false;
 BindPaths = mkForce [ ];
 BindReadOnlyPaths = mkForce [ ];
+ ReadWritePaths = mkForce [ ];
+ ReadOnlyPaths = mkForce [ ];
+ InaccessiblePaths = mkForce [ ];
 PrivateTmp = mkForce false;
 PrivateDevices = mkForce false;
 ProtectSystem = mkForce false;
 ProtectHome = mkForce false;
- ReadOnlyPaths = mkForce [ ];
- InaccessiblePaths = mkForce [ ];
 PrivateUsers = mkForce false;
 ProtectKernelTunables = mkForce false;
 ProtectKernelModules = mkForce false;
 ProtectControlGroups = mkForce false;
+ RestrictAddressFamilies = mkForce [ ];
+ SystemCallFilter = mkForce [ ];
 };
 };
 }
-- 
2.39.5
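Review bot: `RestrictAddressFamilies = mkForce [ ];` and `SystemCallFilter = mkForce [ ];` at the end of the serviceConfig block strip hardening that is unrelated to reading SSH keys from a home directory, and the commit message does not mention them; git over SSH needs only the inet and unix socket families, which the upstream gitea-actions-runner module presumably already permits, so these two added lines should be dropped, or the comment should record which filter a job actually tripped on. With `User`/`HOME` now pointing at `engr-ugaif` and every path restriction emptied, each CI job the runner picks up executes with that account's full home directory, including any private keys and agent sockets there, so the credential used for the ssh git refs should be a dedicated read-only deploy key under a service-only home rather than a person's account. `Group = mkForce "users"` grants the shared primary group, which is wider than the service needs; a dedicated group keeps file permissions on the key material narrow. The existing comment `# Disable all namespace isolation features that don't work in LXC containers` now sits directly above a second comment and the settings for the two rationales are interleaved, so grouping the home-directory keys under their own comment would make the reason for each `mkForce` readable.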