From 8e9328e7046b0656707a49be4a6754e5a791bba2 Mon Sep 17 00:00:00 2001
From: Philip Peterson
Date: Sun, 24 May 2026 23:46:25 -0800
Subject: [PATCH] give gitea runner docker socket access
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Create a persistent gitea-runner system user in the docker group instead of relying on DynamicUser — supplementary groups were silently ignored with DynamicUser=true, leaving the runner unable to reach the socket.

Co-Authored-By: Claude Sonnet 4.6
---
 nixos/linux.nix | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/nixos/linux.nix b/nixos/linux.nix
index 250f4f5..86f2b0d 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -147,6 +147,26 @@ in {
 ];
 };
 
+ users.users.gitea-runner = {
+ isSystemUser = true;
+ group = "gitea-runner";
+ extraGroups = [ "docker" ];
+ home = "/var/lib/gitea-runner";
+ createHome = true;
+ };
+ users.groups.gitea-runner = {};
+
+ systemd.services.gitea-runner-ubuntu = {
+ environment.PATH = lib.mkForce (
+ "${pkgs.docker}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
+ );
+ serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "gitea-runner";
+ Group = lib.mkForce "gitea-runner";
+ };
+ };
+
 systemd.tmpfiles.rules = [
 "d /home/ironmagma/.config 0755 ${username} users"
 "d /root/.config 0755 ${username} users"
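Review bot: `extraGroups = [ "docker" ];` makes the runner root-equivalent on the host — any process that can reach the Docker socket can start a privileged container or bind-mount `/` — and since `gitea-runner-ubuntu` executes workflow code from repositories, every repository (and, depending on the Gitea Actions settings, fork pull requests) able to schedule a job on it inherits that access, which neither the config nor the commit message records. Add a comment above that line, e.g. `# NOTE: "docker" membership is root-equivalent on this host; only trusted repositories should be able to target this runner (alternatives: rootless Docker, a dedicated VM).` `DynamicUser = lib.mkForce false;` also presumably drops the sandboxing DynamicUser implies (ProtectSystem=strict, PrivateTmp, NoNewPrivileges); if group membership was the only reason for the switch, `serviceConfig.SupplementaryGroups = [ "docker" ];` with DynamicUser left on should grant socket access without losing that, otherwise re-add those directives (with `ReadWritePaths` for `/var/lib/gitea-runner`) or note why they are omitted.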