security: harden CI pipeline (pin host keys, suppress ntfy topic, restrict secrets)

2026-03-31 11:03:07 -04:00
parent c556b82f9a
commit 40fa8147e6
4 changed files with 16 additions and 8 deletions
--- a/services/gitea-actions-runner.nix
+++ b/services/gitea-actions-runner.nix
@@ -41,6 +41,6 @@
      User = "gitea-runner";
      Group = "gitea-runner";
    };
-    environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=no";
+    environment.GIT_SSH_COMMAND = "ssh -i /run/agenix/ci-deploy-key -o StrictHostKeyChecking=yes -o UserKnownHostsFile=/etc/ci-known-hosts";
  };
 }