give gitea runner docker socket access
Create a persistent gitea-runner system user in the docker group instead of relying on DynamicUser — supplementary groups were silently ignored with DynamicUser=true, leaving the runner unable to reach the socket. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
eaa3a8625b
commit
8e9328e704
1 changed files with 20 additions and 0 deletions
@ -147,6 +147,26 @@ in {
|
|||
];
|
||||
};
|
||||
|
||||
users.users.gitea-runner = {
|
||||
isSystemUser = true;
|
||||
group = "gitea-runner";
|
||||
extraGroups = [ "docker" ];
|
||||
home = "/var/lib/gitea-runner";
|
||||
createHome = true;
|
||||
};
|
||||
users.groups.gitea-runner = {};
|
||||
|
||||
systemd.services.gitea-runner-ubuntu = {
|
||||
environment.PATH = lib.mkForce (
|
||||
"${pkgs.docker}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
|
||||
);
|
||||
serviceConfig = {
|
||||
DynamicUser = lib.mkForce false;
|
||||
User = lib.mkForce "gitea-runner";
|
||||
Group = lib.mkForce "gitea-runner";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d /home/ironmagma/.config 0755 ${username} users"
|
||||
"d /root/.config 0755 ${username} users"
|
||||
|
|
|
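Review bot: The `extraGroups = [ "docker" ];` on the new gitea-runner user gives every job this runner executes root-equivalent access to the host, because anything that can reach the Docker socket can `docker run --privileged -v /:/host`; that is considerably more than "docker socket access" suggests, and neither the hunk nor the description says which repositories are allowed to use the runner. Setting `DynamicUser = lib.mkForce false;` also drops the sandboxing systemd implies for dynamic users (per systemd.exec: ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, NoNewPrivileges, RemoveIPC), so unless the upstream module sets them elsewhere the service now runs with none of it. I would record the trust decision above the user block, `# NOTE: docker group == root on this host; only register this runner with repositories whose CI content is trusted`, and restore the implied hardening explicitly in serviceConfig as below (ReadWritePaths is only needed if the module does not already declare a StateDirectory for /var/lib/gitea-runner — confirm). The enclosing attribute set starts before the hunk (`@ -147`).
```nix
    serviceConfig = {
      # … unchanged: DynamicUser / User / Group overrides …
      Group = lib.mkForce "gitea-runner";
      # DynamicUser=false drops the sandboxing systemd implied for the
      # transient user; restore it. ProtectSystem=strict makes / read-only,
      # so the runner's state directory must be listed explicitly.
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      NoNewPrivileges = true;
      RemoveIPC = true;
      ReadWritePaths = [ "/var/lib/gitea-runner" ];
    };
```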