Richie/dotfiles
1
0
Fork 0
mirror of https://github.com/RichieCahill/dotfiles.git synced 2026-04-17 13:08:19 -04:00
Code Issues Packages Projects Releases Wiki Activity

harding nix_builder.nix

Browse Source
This commit is contained in:
Richie Cahill
2025-12-22 18:07:57 -05:00
parent 6472f07a88
commit a9a6e1f932
1 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
systems/jeeves/runners/nix_builder.nix
View File

@@ -28,6 +28,8 @@ in
name: cfg: name: cfg:
mkIf cfg.enable { mkIf cfg.enable {
autoStart = true; autoStart = true;
privateNetwork = true;
ephemeral = true;
bindMounts = { bindMounts = {
storage = { storage = {
mountPoint = "/zfs/media/github-runners/${name}"; mountPoint = "/zfs/media/github-runners/${name}";
@@ -38,7 +40,10 @@ in
hostPath = "/nix/var/nix/daemon-socket"; hostPath = "/nix/var/nix/daemon-socket";
isReadOnly = false; isReadOnly = false;
}; };
secrets.mountPoint = "${vars.secrets}/services/github-runners/${name}"; secrets = {
mountPoint = "${vars.secrets}/services/github-runners/${name}";
isReadOnly = true;
};
}; };
config = config =
{ {
@@ -68,6 +73,12 @@ in
"flakes" "flakes"
"nix-command" "nix-command"
]; ];
sandbox = true;
allowed-users = [ "github-runners" ];
trusted-users = [
"root"
"github-runners"
];
}; };
nixpkgs = { nixpkgs = {
overlays = builtins.attrValues outputs.overlays; overlays = builtins.attrValues outputs.overlays;