mirror of https://github.com/thegeneralist01/config.git synced 2026-03-07 10:59:55 +01:00

docs: note forgejo runner perms and token

TheGeneralist 2026-01-24 17:57:41 +01:00
parent 0a948d53f5
commit 4826f1fe64
Signed by: thegeneralist01
SSH key fingerprint: SHA256:pp9qddbCNmVNoSjevdvQvM5z0DHN7LTa8qBMbcMq/R4


@ -159,6 +159,8 @@ lib: inputs: self: lib.mkSystem "<os>" ./configuration.nix
1. `DynamicUser` conflicts require `lib.mkForce` if overriding module defaults. 1. `DynamicUser` conflicts require `lib.mkForce` if overriding module defaults.
2. Runner state dir should be `/var/lib/gitea-runner/<instance>`; set `StateDirectory = "gitea-runner"` and let the instance name append. 2. Runner state dir should be `/var/lib/gitea-runner/<instance>`; set `StateDirectory = "gitea-runner"` and let the instance name append.
3. If the register script fails with `permission denied`, ensure `/var/lib/gitea-runner` exists and is owned by `gitea-runner`. 3. If the register script fails with `permission denied`, ensure `/var/lib/gitea-runner` exists and is owned by `gitea-runner`.
4. If workflows need to read a home symlink target, `/home/<user>` must be `0750` (group traverse) and the runner user must be in that group.
5. A Forgejo deploy token for HTTPS pulls should be stored in agenix and owned by `gitea-runner`; use env-file format (`TOKEN=...`) and read it at runtime.
### Nushell Warnings ### Nushell Warnings
1. Deprecated `get -i` warning from direnv integration is a short-term workaround in `modules/common/shell/direnv.nix` (custom Nushell hook with `get -o` and HM integration disabled) until upstream home-manager updates. 1. Deprecated `get -i` warning from direnv integration is a short-term workaround in `modules/common/shell/direnv.nix` (custom Nushell hook with `get -o` and HM integration disabled) until upstream home-manager updates.
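Review bot: Item 4 describes `0750` as "group traverse", but `0750` gives the group read as well as execute on `/home/<user>`, so every member of that group, the runner user included, can list the home directory rather than only pass through it. If traversal to the symlink target is all the workflows need, `0710` is the narrower mode; the note should state which one is intended and why. Item 5 names the owner of the agenix secret but not its mode, and since item 1 mentions `DynamicUser`, it would help to say that ownership by `gitea-runner` assumes a static user. "Read it at runtime" could also say where the `TOKEN=...` file is read (by the service as an environment file, or inside the workflow step), since that decides whether the token can end up in job output.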