harding nix_builder.nix

2026-04-17 04:58:19 -04:00 · 2025-12-22 18:07:57 -05:00
parent 6472f07a88
commit a9a6e1f932
1 changed files with 12 additions and 1 deletions
--- a/systems/jeeves/runners/nix_builder.nix
+++ b/systems/jeeves/runners/nix_builder.nix
@@ -28,6 +28,8 @@ in
    name: cfg:
    mkIf cfg.enable {
      autoStart = true;
+      privateNetwork = true;
+      ephemeral = true;
      bindMounts = {
        storage = {
          mountPoint = "/zfs/media/github-runners/${name}";
@@ -38,7 +40,10 @@ in
          hostPath = "/nix/var/nix/daemon-socket";
          isReadOnly = false;
        };
-        secrets.mountPoint = "${vars.secrets}/services/github-runners/${name}";
+        secrets = {
+          mountPoint = "${vars.secrets}/services/github-runners/${name}";
+          isReadOnly = true;
+        };
      };
      config =
        {
@@ -68,6 +73,12 @@ in
              "flakes"
              "nix-command"
            ];
+            sandbox = true;
+            allowed-users = [ "github-runners" ];
+            trusted-users = [
+              "root"
+              "github-runners"
+            ];
          };
          nixpkgs = {
            overlays = builtins.attrValues outputs.overlays;