UGA-Innovation-Factory/athenix
3
1
Fork 0
Code Issues Pull Requests Actions Projects Releases Activity

add keys to allow builder to work with ssh git refs #16

Merged
hdh20267 merged 1 commits from builder-ci into main 2025-12-18 23:16:55 +00:00
Conversation 0 Commits 1 Files Changed 2 +32 -2
2 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
sw/builders/programs.nix
View File

@@ -16,4 +16,17 @@ let
in in
{ {
environment.systemPackages = subtractLists cfg.excludePackages (basePackages ++ cfg.extraPackages); environment.systemPackages = subtractLists cfg.excludePackages (basePackages ++ cfg.extraPackages);
programs.ssh.knownHosts."factory.uga.edu" = {
hostNames = [ "factory.uga.edu" ];
publicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGcrA7pAz+JGn7/7PqPR4aCZJB5c3aVMTvGXWjg/BqST
'';
};
programs.ssh.knownHosts."github.com" = {
hostNames = [ "github.com" ];
publicKey = ''
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
'';
};
} }

21
sw/builders/services.nix
View File

@@ -18,6 +18,13 @@ mkIf builderCfg.giteaRunner.enable {
tokenFile = builderCfg.giteaRunner.tokenFile; tokenFile = builderCfg.giteaRunner.tokenFile;
labels = builderCfg.giteaRunner.extraLabels; labels = builderCfg.giteaRunner.extraLabels;
name = builderCfg.giteaRunner.name; name = builderCfg.giteaRunner.name;
# Run as engr-ugaif user to access SSH keys
settings = {
runner = {
user = "engr-ugaif";
};
};
}; };
# Configure the systemd service for better handling in LXC containers # Configure the systemd service for better handling in LXC containers
@@ -28,29 +35,39 @@ mkIf builderCfg.giteaRunner.enable {
ConditionPathExists = builderCfg.giteaRunner.tokenFile; ConditionPathExists = builderCfg.giteaRunner.tokenFile;
}; };
serviceConfig = { serviceConfig = {
# Run as engr-ugaif user
User = mkForce "engr-ugaif";
Group = mkForce "users";
# Give the service more time to stop cleanly # Give the service more time to stop cleanly
TimeoutStopSec = mkForce 60; TimeoutStopSec = mkForce 60;
# Add Node.js and other tools to PATH for GitHub Actions compatibility # Add Node.js and other tools to PATH for GitHub Actions compatibility
Environment = [ Environment = [
"PATH=${pkgs.nodejs}/bin:${pkgs.bash}/bin:${pkgs.coreutils}/bin:${pkgs.git}/bin:${pkgs.nix}/bin:/run/current-system/sw/bin" "PATH=${pkgs.nodejs}/bin:${pkgs.bash}/bin:${pkgs.coreutils}/bin:${pkgs.git}/bin:${pkgs.nix}/bin:/run/current-system/sw/bin"
"HOME=/home/engr-ugaif"
]; ];
# Disable all namespace isolation features that don't work in LXC containers # Disable all namespace isolation features that don't work in LXC containers
# Remove systemd security features that conflict with home directory access
DynamicUser = mkForce false;
PrivateMounts = mkForce false; PrivateMounts = mkForce false;
MountAPIVFS = mkForce false; MountAPIVFS = mkForce false;
BindPaths = mkForce [ ]; BindPaths = mkForce [ ];
BindReadOnlyPaths = mkForce [ ]; BindReadOnlyPaths = mkForce [ ];
ReadWritePaths = mkForce [ ];
ReadOnlyPaths = mkForce [ ];
InaccessiblePaths = mkForce [ ];
PrivateTmp = mkForce false; PrivateTmp = mkForce false;
PrivateDevices = mkForce false; PrivateDevices = mkForce false;
ProtectSystem = mkForce false; ProtectSystem = mkForce false;
ProtectHome = mkForce false; ProtectHome = mkForce false;
ReadOnlyPaths = mkForce [ ];
InaccessiblePaths = mkForce [ ];
PrivateUsers = mkForce false; PrivateUsers = mkForce false;
ProtectKernelTunables = mkForce false; ProtectKernelTunables = mkForce false;
ProtectKernelModules = mkForce false; ProtectKernelModules = mkForce false;
ProtectControlGroups = mkForce false; ProtectControlGroups = mkForce false;
RestrictAddressFamilies = mkForce [ ];
SystemCallFilter = mkForce [ ];
}; };
}; };
} }