give gitea runner docker socket access

Create a persistent gitea-runner system user in the docker group instead
of relying on DynamicUser — supplementary groups were silently ignored
with DynamicUser=true, leaving the runner unable to reach the socket.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Philip Peterson 2026-05-24 23:46:25 -08:00
parent eaa3a8625b
commit 8e9328e704


@ -147,6 +147,26 @@ in {
];
};
users.users.gitea-runner = {
isSystemUser = true;
group = "gitea-runner";
extraGroups = [ "docker" ];
home = "/var/lib/gitea-runner";
createHome = true;
};
users.groups.gitea-runner = {};
systemd.services.gitea-runner-ubuntu = {
environment.PATH = lib.mkForce (
"${pkgs.docker}/bin:${pkgs.git}/bin:${pkgs.nodejs}/bin:/run/current-system/sw/bin:/run/wrappers/bin"
);
serviceConfig = {
DynamicUser = lib.mkForce false;
User = lib.mkForce "gitea-runner";
Group = lib.mkForce "gitea-runner";
};
};
systemd.tmpfiles.rules = [
"d /home/ironmagma/.config 0755 ${username} users"
"d /root/.config 0755 ${username} users"