From 5e7b76bdcf7a373bb649295362aadf1d7a77ddbd Mon Sep 17 00:00:00 2001
From: DannyDannyDanny
Date: Sat, 18 Apr 2026 17:29:11 +0200
Subject: [PATCH] =?UTF-8?q?fix(servers):=20declare=20safe.directory=20in?=
 =?UTF-8?q?=20/etc/gitconfig=20=F0=9F=94=92?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The dotfiles-rebuild service runs as root, but /etc/dotfiles is owned by `danny`. The GIT_CONFIG_* env vars in the service unit only affect the git CLI — nix/libgit2 reads safe.directory from /etc/gitconfig. After a recent nixpkgs bump libgit2 now enforces this strictly, so the service was failing to evaluate the flake.

Enable programs.git and set programs.git.config.safe.directory = [ dotfilesDir ] on both sunken-ship and phantom-ship so the trust is persistent and Nix-managed.
---
 nixos/hosts/phantom-ship.nix | 6 ++++++
 nixos/hosts/sunken-ship.nix | 6 ++++++
 2 files changed, 12 insertions(+)

diff --git a/nixos/hosts/phantom-ship.nix b/nixos/hosts/phantom-ship.nix
index 617b9e5..587ecee 100644
--- a/nixos/hosts/phantom-ship.nix
+++ b/nixos/hosts/phantom-ship.nix
@@ -134,6 +134,12 @@ in
 ReadWritePaths = [ "/var/lib/openclaw" "/etc/openclaw" ];
 };
 
+ # Trust /etc/dotfiles as root even though it's owned by `danny`.
+ # The GIT_CONFIG_* env vars below only affect the git CLI; nix/libgit2
+ # reads safe.directory from /etc/gitconfig, so set it there too.
+ programs.git.enable = true;
+ programs.git.config.safe.directory = [ dotfilesDir ];
+
 # Pull dotfiles and rebuild if the repo has new commits.
 systemd.services.dotfiles-rebuild = {
 description = "Pull dotfiles and run nixos-rebuild if repo changed";
diff --git a/nixos/hosts/sunken-ship.nix b/nixos/hosts/sunken-ship.nix
index 7099ae4..41c461b 100644
--- a/nixos/hosts/sunken-ship.nix
+++ b/nixos/hosts/sunken-ship.nix
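Review bot: `programs.git.config.safe.directory = [ dotfilesDir ];` writes the trust into the host-wide /etc/gitconfig, so it applies to every user and every root process on the machine, not only to the dotfiles-rebuild unit this commit is fixing; the added comment should state that scope, e.g. `# Host-wide trust: any root-run git/libgit2 in /etc/dotfiles will honour repo-local config that danny controls — acceptable only because root already applies whatever this repo contains.` The GIT_CONFIG_* environment variables the comment refers to sit outside the hunk, so it cannot be judged here whether they are still needed once /etc/gitconfig carries the setting; if they have become redundant, a one-line note saying which source wins would help the next reader. The same five lines are added verbatim in the sunken-ship hunk below; moving them into a shared module imported by both hosts would keep the two from drifting.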
@@ -185,6 +185,12 @@ in
 timerConfig.RandomizedDelaySec = "2min";
 };
 
+ # Trust /etc/dotfiles as root even though it's owned by `danny`.
+ # The GIT_CONFIG_* env vars below only affect the git CLI; nix/libgit2
+ # reads safe.directory from /etc/gitconfig, so set it there too.
+ programs.git.enable = true;
+ programs.git.config.safe.directory = [ dotfilesDir ];
+
 # Pull dotfiles and rebuild if the repo has new commits.
 systemd.services.dotfiles-rebuild = {
 description = "Pull dotfiles and run nixos-rebuild if repo changed";