From b2b68603f7d0c646a4c63e38ebb071a078c7c6d5 Mon Sep 17 00:00:00 2001
From: ediblerope
Date: Fri, 1 May 2026 19:14:20 +0100
Subject: [PATCH] workflow: pre-create nixbld group so the Nix install can run as root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The catthehacker runner image runs jobs as root and Nix's install script refuses to do a clean root install without the nixbld group + build users already in place — even with --no-daemon. Adding them inline keeps the workflow self-contained without swapping to a Nix-prebuilt container image.

Co-Authored-By: Claude Opus 4.7
---
 .forgejo/workflows/update.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/.forgejo/workflows/update.yml b/.forgejo/workflows/update.yml
index 6958942..ce19b27 100644
--- a/.forgejo/workflows/update.yml
+++ b/.forgejo/workflows/update.yml
@@ -18,6 +18,14 @@ jobs:
 - name: Install Nix
 run: |
 set -euxo pipefail
+ # The Nix install script refuses to run cleanly as root unless the
+ # nixbld group + users exist, even with --no-daemon. The runner's
+ # catthehacker image runs jobs as root, so create them first.
+ groupadd -r nixbld || true
+ for i in $(seq 1 10); do
+ useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin \
+ -c "Nix build user $i" "nixbld$i" || true
+ done
 curl --proto '=https' --tlsv1.2 -sSfL https://nixos.org/nix/install | sh -s -- --no-daemon
 echo "$HOME/.nix-profile/bin" >> "$GITHUB_PATH"
 mkdir -p ~/.config/nix
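Review bot: The `|| true` on `groupadd` and on `useradd` inside the loop hides every failure, not only the "already exists" case, so despite `set -e` a missing binary or an unwritable account database passes silently and the root install may then run against an incomplete set of `nixbld` accounts. An explicit existence test keeps the step idempotent while letting real errors stop the job: `getent group nixbld >/dev/null || groupadd -r nixbld` and, in the loop, `id -u "nixbld$i" >/dev/null 2>&1 || useradd -r -g nixbld -G nixbld -d /var/empty -s /sbin/nologin -c "Nix build user $i" "nixbld$i"`. Because this change is what lets the piped installer run as root, the unchanged `curl … https://nixos.org/nix/install | sh` line deserves pinning as well: fetch a versioned installer (`https://releases.nixos.org/nix/nix-<VERSION>/install`) and compare it with a SHA-256 recorded in the repository before executing it. The `run:` block continues past the end of the hunk.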