rip: docker container image #27
41
flake.lock
41
flake.lock
|
|
@ -40,46 +40,6 @@
|
|||
"type": "github"
|
||||
}
|
||||
},
|
||||
"lowdown-src": {
|
||||
"flake": false,
|
||||
"locked": {
|
||||
"lastModified": 1633514407,
|
||||
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "kristapsdz",
|
||||
"repo": "lowdown",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nix": {
|
||||
"inputs": {
|
||||
"flake-compat": [],
|
||||
"lowdown-src": "lowdown-src",
|
||||
"nixpkgs": [
|
||||
"nixpkgs"
|
||||
],
|
||||
"nixpkgs-regression": []
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1686048923,
|
||||
"narHash": "sha256-/XCWa2osNFIpPC5MkxlX6qTZf/DaTLwS3LWN0SRFiuU=",
|
||||
"owner": "nixos",
|
||||
"repo": "nix",
|
||||
"rev": "84050709ea18f3285a85d729f40c8f8eddf5008e",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"owner": "nixos",
|
||||
"ref": "2.16.1",
|
||||
"repo": "nix",
|
||||
"type": "github"
|
||||
}
|
||||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1689846894,
|
||||
|
|
@ -100,7 +60,6 @@
|
|||
"inputs": {
|
||||
"disko": "disko",
|
||||
"flake-parts": "flake-parts",
|
||||
"nix": "nix",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"sops-nix": "sops-nix",
|
||||
"srvos": "srvos",
|
||||
|
|
|
|||
|
|
@ -24,11 +24,6 @@
|
|||
srvos.url = "github:numtide/srvos";
|
||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||
|
||||
nix.url = "github:/nixos/nix?ref=2.16.1";
|
||||
nix.inputs.nixpkgs.follows = "nixpkgs";
|
||||
nix.inputs.nixpkgs-regression.follows = "";
|
||||
nix.inputs.flake-compat.follows = "";
|
||||
};
|
||||
|
||||
outputs = inputs@{ flake-parts, ... }:
|
||||
|
|
|
|||
|
|
@ -38,6 +38,10 @@
|
|||
|
||||
# Format of the token file:
|
||||
virtualisation.podman.enable = true;
|
||||
virtualisation.containers.containersConf.settings = {
|
||||
# podman seems to not work with systemd-resolved
|
||||
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
|
||||
};
|
||||
|
||||
systemd.services.gitea-runner-nix = {
|
||||
after = [
|
||||
|
|
@ -120,7 +124,7 @@
|
|||
let
|
||||
bin = pkgs.runCommand "extra-bins" { } ''
|
||||
mkdir -p $out
|
||||
for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs]}; do
|
||||
for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do
|
||||
for bin in "$dir"/bin/*; do
|
||||
ln -s "$bin" "$out/$(basename "$bin")"
|
||||
done
|
||||
|
|
@ -129,11 +133,25 @@
|
|||
etc = pkgs.runCommand "etc" { } ''
|
||||
mkdir -p $out/etc/nix
|
||||
|
||||
cat <<NIX_CONFIG > $out/etc/nix.conf
|
||||
cat <<NIX_CONFIG > $out/etc/nix/nix.conf
|
||||
accept-flake-config = true
|
||||
experimental-features = nix-command flakes
|
||||
NIX_CONFIG
|
||||
|
||||
cat <<NSSWITCH > $out/etc/nsswitch.conf
|
||||
passwd: files mymachines systemd
|
||||
group: files mymachines systemd
|
||||
shadow: files
|
||||
|
||||
hosts: files mymachines dns myhostname
|
||||
networks: files
|
||||
|
||||
ethers: files
|
||||
services: files
|
||||
protocols: files
|
||||
rpc: files
|
||||
NSSWITCH
|
||||
|
||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||
touch $out/etc/passwd $out/etc/group
|
||||
${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
|
||||
|
|
@ -156,6 +174,8 @@
|
|||
labels = [ "nix:docker://scratch" ];
|
||||
settings = {
|
||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
|
||||
# the default network that also respects our dns server settings
|
||||
container.network = "podman";
|
||||
container.valid_volumes = [
|
||||
"/nix"
|
||||
"/tmp"
|
||||
|
|
|
|||
|
|
@ -1,43 +0,0 @@
|
|||
{ pkgs, inputs }:
|
||||
let
|
||||
# FIXME get rid of nix input?
|
||||
base = import (inputs.nix + "/docker.nix") {
|
||||
inherit pkgs;
|
||||
name = "nix-ci-base";
|
||||
maxLayers = 10;
|
||||
extraPkgs = with pkgs; [
|
||||
nodejs_20 # nodejs is needed for running most 3rdparty actions
|
||||
# add any other pre-installed packages here
|
||||
];
|
||||
# do we want this at all?
|
||||
channelURL = "https://nixos.org/channels/nixpkgs-unstable";
|
||||
nixConf = {
|
||||
substituters = [
|
||||
"https://cache.nixos.org/"
|
||||
"https://nix-community.cachix.org"
|
||||
# insert any other binary caches here
|
||||
];
|
||||
trusted-public-keys = [
|
||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
||||
# insert the public keys for those binary caches here
|
||||
];
|
||||
# allow using the new flake commands in our workflows
|
||||
experimental-features = [ "nix-command" "flakes" ];
|
||||
};
|
||||
};
|
||||
in
|
||||
pkgs.dockerTools.buildImage {
|
||||
name = "nix-runner";
|
||||
tag = "latest";
|
||||
|
||||
fromImage = base;
|
||||
fromImageName = null;
|
||||
fromImageTag = "latest";
|
||||
|
||||
copyToRoot = pkgs.buildEnv {
|
||||
name = "image-root";
|
||||
paths = [ pkgs.coreutils-full ];
|
||||
pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
|
||||
};
|
||||
}
|
||||
|
|
@ -1,12 +1,9 @@
|
|||
{ lib, inputs, ... }: {
|
||||
{ lib, ... }: {
|
||||
perSystem = { pkgs, inputs', ... }: {
|
||||
packages = {
|
||||
inherit (pkgs.callPackage ./renovate { }) renovate;
|
||||
} // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
|
||||
gitea = pkgs.callPackage ./gitea { };
|
||||
actions-runner = pkgs.callPackage ./actions-runner.nix {
|
||||
inherit inputs;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user