Hi, I’m quite new to Nix and NixOS, and I’m going a bit crazy trying to implement a CI/CD workflow to deploy a simple Go Fiber API to a VM running NixOS. The VM has a self-hosted GitHub runner installed with the following config:
```nix
fel-master-api-01 = {
  user = "some-user";
  workDir = "/home/some-user/fel-master-api-runner";
  enable = true;
  name = "fel-master-api-runner";
  tokenFile = "/root/api.github.token";
  url = "https://github.com/private-repo-url";
  extraLabels = [ "fel-master-api-runner" "160" ];
  replace = true;
  extraPackages = [
    pkgs.go
    pkgs.sudo
    pkgs.nixos-rebuild
  ];
  serviceOverrides = {
    ProtectHome = false;
    NoNewPrivileges = false;
  };
};
```
Most steps execute properly, including building the Go binary, which I then have defined as the ExecStart of a service:
```nix
systemd.services.fel-master-api = {
  description = "FEL Master API Service";
  after = [ "network.target" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    ExecStart = "/home/some-user/fel-master-api-runner/fel-master-api/fel_master_api";
    Restart = "always";
    User = "some-user";
    EnvironmentFile = "/home/some-user/fel-master-api-runner/fel-master-api/.env";
    WorkingDirectory = "/home/some-user/fel-master-api-runner/fel-master-api";
  };
};
```
However, to get this working in theory, the final step of my workflow should be:
```yaml
- name: Rebuild
  run: echo ${{ secrets.SUDO_PASSWORD }} | sudo -S nixos-rebuild switch
  env:
    NIX_PATH: nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixos:nixos-config=/etc/nixos/configuration.nix
```
but I’ve run into a thousand errors. First of all, the sudo and nixos-rebuild commands were apparently not available from the shell the runner is running on, so I added them as extraPackages in the config above. But now I’m getting a `"no new privileges" flag is set` error.
I feel like I’m approaching this the wrong way or over- or under-complicating things. Any suggestions?
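The following is an added example and not the poster's configuration. It shows the least-privilege shape of the same deployment: a sudoers rule that lets the runner user execute exactly `nixos-rebuild switch` as root without a password, so the workflow no longer has to echo a `SUDO_PASSWORD` secret through the job shell, plus a runner entry that keeps the post's settings but drops `pkgs.sudo`. It assumes the runner user is `some-user` and the runner entry is named `fel-master-api-01`, as in the post; whether the NixOS runner module sets `NoNewPrivileges` itself depends on the nixpkgs version, so `lib.mkForce` is used as a defensive assumption.

```nix
# Added example (not the poster's config). Assumes the runner user "some-user"
# and the runner entry name "fel-master-api-01" from the post above.
{ config, lib, pkgs, ... }:

{
  # Least privilege: the runner user may run exactly one command as root and
  # without a password, so no sudo password has to be stored as a secret or
  # echoed through the job shell. Any other sudo invocation by this user still
  # follows the default policy.
  security.sudo = {
    enable = true;
    extraRules = [
      {
        users = [ "some-user" ];
        commands = [
          {
            # Full path plus the fixed argument: sudoers matches arguments as
            # well, so "nixos-rebuild boot" or an interactive shell are not
            # permitted by this rule.
            command = "/run/current-system/sw/bin/nixos-rebuild switch";
            options = [ "NOPASSWD" ];
          }
        ];
      }
    ];
  };

  services.github-runners.fel-master-api-01 = {
    enable = true;
    user = "some-user";
    name = "fel-master-api-runner";
    workDir = "/home/some-user/fel-master-api-runner";
    tokenFile = "/root/api.github.token";
    url = "https://github.com/private-repo-url";
    extraLabels = [ "fel-master-api-runner" "160" ];
    replace = true;

    # pkgs.sudo is left out on purpose: files in /nix/store never carry the
    # setuid bit, so the store copy of sudo cannot elevate at all. The setuid
    # copy NixOS generates lives at /run/wrappers/bin/sudo, and the workflow
    # step calls that path explicitly.
    extraPackages = [ pkgs.go pkgs.nixos-rebuild ];

    serviceOverrides = {
      ProtectHome = false;
      # A setuid binary only works in a process without the no_new_privs flag.
      # mkForce is an assumption: it wins if the runner module sets this to
      # true itself.
      NoNewPrivileges = lib.mkForce false;
    };
  };
}
```

With this in place the workflow step reduces to `run: /run/wrappers/bin/sudo nixos-rebuild switch`, with no `-S` and no secret. To confirm the flag is really clear inside a job, a step running `grep NoNewPrivs /proc/self/status` shows the effective value for that process (0 means clear); `systemctl show` only reports the configured value, and other systemd sandboxing options can imply NoNewPrivileges on their own. Keep in mind that `nixos-rebuild switch` activates whatever is in `/etc/nixos`, so anyone who can change that configuration or the binary the service's `ExecStart` points at effectively has root on the VM; the NOPASSWD rule narrows the command, not that trust boundary.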