give gitea runner docker socket access
Create a persistent gitea-runner system user in the docker group instead of relying on DynamicUser — supplementary groups were silently ignored with DynamicUser=true, leaving the runner unable to reach the socket. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
eaa3a8625b
commit
8e9328e704
1 changed files with 20 additions and 0 deletions
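--- a/[file-path-not-shown-on-page]
+++ b/[file-path-not-shown-on-page]
@@ -147,6 +147,26 @@ in {
 ];
 };
 
+users.users.gitea-runner = {
+isSystemUser = true;
+group = "gitea-runner";
+extraGroups = [ "docker" ];
+home = "/var/lib/gitea-runner";
+createHome = true;
+};
+users.groups.gitea-runner = {};
+
+systemd.services.gitea-runner-ubuntu = {
+environment.PATH = lib.mkForce (
+"${pkgs.docker}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
+);
+serviceConfig = {
+DynamicUser = lib.mkForce false;
+User = lib.mkForce "gitea-runner";
+Group = lib.mkForce "gitea-runner";
+};
+};
+
 systemd.tmpfiles.rules = [
 "d /home/ironmagma/.config 0755 ${username} users"
 "d /root/.config 0755 ${username} users"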
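Review bot: `extraGroups = [ "docker" ];` gives the runner unrestricted access to the Docker socket, which is equivalent to root on the host, so every job this runner executes (including any third-party action a workflow pulls in) inherits that capability; the module itself says nothing about this, so add a comment above `users.users.gitea-runner`, e.g. `# docker group membership is root-equivalent on this host; only register this runner with repositories whose workflows are trusted`. Forcing `DynamicUser = lib.mkForce false;` also drops the hardening that DynamicUser=true switches on implicitly (PrivateTmp, ProtectSystem=strict and NoNewPrivileges, as I recall) — if those are still wanted they now need to be listed explicitly in `serviceConfig`, since the commit message only addresses the supplementary-group problem. With `home = "/var/lib/gitea-runner";` plus `createHome = true;`, check that this path and its ownership do not collide with a StateDirectory the upstream runner module may already manage for this service; that cannot be seen from the hunk. The enclosing attribute set starts and ends outside the hunk.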