rip: docker container image #27
41
flake.lock
41
flake.lock
|
@ -40,46 +40,6 @@
|
||||||
"type": "github"
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"lowdown-src": {
|
|
||||||
"flake": false,
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1633514407,
|
|
||||||
"narHash": "sha256-Dw32tiMjdK9t3ETl5fzGrutQTzh2rufgZV4A/BbxuD4=",
|
|
||||||
"owner": "kristapsdz",
|
|
||||||
"repo": "lowdown",
|
|
||||||
"rev": "d2c2b44ff6c27b936ec27358a2653caaef8f73b8",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "kristapsdz",
|
|
||||||
"repo": "lowdown",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nix": {
|
|
||||||
"inputs": {
|
|
||||||
"flake-compat": [],
|
|
||||||
"lowdown-src": "lowdown-src",
|
|
||||||
"nixpkgs": [
|
|
||||||
"nixpkgs"
|
|
||||||
],
|
|
||||||
"nixpkgs-regression": []
|
|
||||||
},
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1686048923,
|
|
||||||
"narHash": "sha256-/XCWa2osNFIpPC5MkxlX6qTZf/DaTLwS3LWN0SRFiuU=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nix",
|
|
||||||
"rev": "84050709ea18f3285a85d729f40c8f8eddf5008e",
|
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"ref": "2.16.1",
|
|
||||||
"repo": "nix",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1689846894,
|
"lastModified": 1689846894,
|
||||||
|
@ -100,7 +60,6 @@
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"disko": "disko",
|
"disko": "disko",
|
||||||
"flake-parts": "flake-parts",
|
"flake-parts": "flake-parts",
|
||||||
"nix": "nix",
|
|
||||||
"nixpkgs": "nixpkgs",
|
"nixpkgs": "nixpkgs",
|
||||||
"sops-nix": "sops-nix",
|
"sops-nix": "sops-nix",
|
||||||
"srvos": "srvos",
|
"srvos": "srvos",
|
||||||
|
|
|
@ -24,11 +24,6 @@
|
||||||
srvos.url = "github:numtide/srvos";
|
srvos.url = "github:numtide/srvos";
|
||||||
# Use the version of nixpkgs that has been tested to work with SrvOS
|
# Use the version of nixpkgs that has been tested to work with SrvOS
|
||||||
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
srvos.inputs.nixpkgs.follows = "nixpkgs";
|
||||||
|
|
||||||
nix.url = "github:/nixos/nix?ref=2.16.1";
|
|
||||||
nix.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
nix.inputs.nixpkgs-regression.follows = "";
|
|
||||||
nix.inputs.flake-compat.follows = "";
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ flake-parts, ... }:
|
outputs = inputs@{ flake-parts, ... }:
|
||||||
|
|
|
@ -1,12 +1,55 @@
|
||||||
{ config, self, pkgs, lib, ... }:
|
{ config, self, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
bin = pkgs.runCommand "extra-bins" { } ''
|
||||||
|
mkdir -p $out
|
||||||
|
for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs ]}; do
|
||||||
|
for bin in "$dir"/bin/*; do
|
||||||
|
ln -s "$bin" "$out/$(basename "$bin")"
|
||||||
|
done
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
etc = pkgs.runCommand "etc" { } ''
|
||||||
|
mkdir -p $out/etc/nix
|
||||||
|
|
||||||
|
cat <<NIX_CONFIG > $out/etc/nix/nix.conf
|
||||||
|
accept-flake-config = true
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
NIX_CONFIG
|
||||||
|
|
||||||
|
cat <<NSSWITCH > $out/etc/nsswitch.conf
|
||||||
|
passwd: files mymachines systemd
|
||||||
|
group: files mymachines systemd
|
||||||
|
shadow: files
|
||||||
|
|
||||||
|
hosts: files mymachines dns myhostname
|
||||||
|
networks: files
|
||||||
|
|
||||||
|
ethers: files
|
||||||
|
services: files
|
||||||
|
protocols: files
|
||||||
|
rpc: files
|
||||||
|
NSSWITCH
|
||||||
|
|
||||||
|
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
||||||
|
touch $out/etc/passwd $out/etc/group
|
||||||
|
${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
|
||||||
|
${pkgs.buildPackages.shadow}/bin/useradd --prefix $out -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
|
||||||
|
|
||||||
|
# Add SSL CA certs
|
||||||
|
mkdir -p $out/etc/ssl/certs
|
||||||
|
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
||||||
|
'';
|
||||||
|
in
|
||||||
{
|
{
|
||||||
systemd.services.gitea-runner-nix-image = {
|
systemd.services.gitea-runner-nix-image = {
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
after = [ "podman.service" ];
|
after = [ "podman.service" ];
|
||||||
requires = [ "podman.service" ];
|
requires = [ "podman.service" ];
|
||||||
path = [ pkgs.podman pkgs.gnutar ];
|
path = [ pkgs.podman pkgs.gnutar ];
|
||||||
|
# we also include etc here because the cleanup job also wants the nixuser to be present
|
||||||
script = ''
|
script = ''
|
||||||
tar cv --files-from /dev/null | podman import - scratch
|
set -eux
|
||||||
|
tar -C ${etc} -cv . | podman import - almost-scratch
|
||||||
'';
|
'';
|
||||||
serviceConfig = {
|
serviceConfig = {
|
||||||
Type = "oneshot";
|
Type = "oneshot";
|
||||||
|
@ -38,6 +81,10 @@
|
||||||
|
|
||||||
# Format of the token file:
|
# Format of the token file:
|
||||||
virtualisation.podman.enable = true;
|
virtualisation.podman.enable = true;
|
||||||
|
virtualisation.containers.containersConf.settings = {
|
||||||
|
# podman seems to not work with systemd-resolved
|
||||||
|
containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ];
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.gitea-runner-nix = {
|
systemd.services.gitea-runner-nix = {
|
||||||
after = [
|
after = [
|
||||||
|
@ -116,52 +163,26 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.gitea-actions-runner.instances.nix =
|
services.gitea-actions-runner.instances.nix = {
|
||||||
let
|
enable = true;
|
||||||
bin = pkgs.runCommand "extra-bins" { } ''
|
name = "nix-runner";
|
||||||
mkdir -p $out
|
# take the git root url from the gitea config
|
||||||
for dir in ${toString [ pkgs.coreutils pkgs.git pkgs.nix pkgs.bash pkgs.jq pkgs.nodejs]}; do
|
# only possible if you've also configured your gitea though the same nix config
|
||||||
for bin in "$dir"/bin/*; do
|
# otherwise you need to set it manually
|
||||||
ln -s "$bin" "$out/$(basename "$bin")"
|
url = config.services.gitea.settings.server.ROOT_URL;
|
||||||
done
|
# use your favourite nix secret manager to get a path for this
|
||||||
done
|
tokenFile = "/var/lib/gitea-registration/token";
|
||||||
'';
|
labels = [ "nix:docker://almost-scratch" ];
|
||||||
etc = pkgs.runCommand "etc" { } ''
|
settings = {
|
||||||
mkdir -p $out/etc/nix
|
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
|
||||||
|
# the default network that also respects our dns server settings
|
||||||
cat <<NIX_CONFIG > $out/etc/nix.conf
|
container.network = "podman";
|
||||||
accept-flake-config = true
|
container.valid_volumes = [
|
||||||
experimental-features = nix-command flakes
|
"/nix"
|
||||||
NIX_CONFIG
|
"/tmp"
|
||||||
|
bin
|
||||||
# Create an unpriveleged user that we can use also without the run-as-user.sh script
|
"${etc}/etc"
|
||||||
touch $out/etc/passwd $out/etc/group
|
];
|
||||||
${pkgs.buildPackages.shadow}/bin/groupadd --prefix $out -g 9000 nixuser
|
|
||||||
${pkgs.buildPackages.shadow}/bin/useradd --prefix $out -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
|
|
||||||
|
|
||||||
# Add SSL CA certs
|
|
||||||
mkdir -p $out/etc/ssl/certs
|
|
||||||
cp -a "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" $out/etc/ssl/certs/ca-bundle.crt
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
{
|
|
||||||
enable = true;
|
|
||||||
name = "nix-runner";
|
|
||||||
# take the git root url from the gitea config
|
|
||||||
# only possible if you've also configured your gitea though the same nix config
|
|
||||||
# otherwise you need to set it manually
|
|
||||||
url = config.services.gitea.settings.server.ROOT_URL;
|
|
||||||
# use your favourite nix secret manager to get a path for this
|
|
||||||
tokenFile = "/var/lib/gitea-registration/token";
|
|
||||||
labels = [ "nix:docker://scratch" ];
|
|
||||||
settings = {
|
|
||||||
container.options = "-e NIX_BUILD_SHELL=/bin/bash -e PAGER=cat -e PATH=/bin -e SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt -v /tmp:/tmp -v /nix:/nix -v ${etc}/etc:/etc -v ${bin}:/bin --user nixuser";
|
|
||||||
container.valid_volumes = [
|
|
||||||
"/nix"
|
|
||||||
"/tmp"
|
|
||||||
bin
|
|
||||||
"${etc}/etc"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
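Review bot: The runner's nix.conf written by the new `etc` derivation sets `accept-flake-config = true`, so any flake a job checks out can apply its own `nixConfig` settings without the usual prompt; if this runner executes workflows from pull requests, the line deserves a comment recording that trade-off, e.g. `# accept-flake-config: flakes built here may set Nix options unprompted; acceptable only because this runner builds trusted branches`. Whether flake-supplied substituters and keys are actually honoured depends on how the host daemon, reached through the bind-mounted /nix, treats the container's nixuser, which these hunks do not show. In the second hunk `containers.dns_servers = [ "8.8.8.8" "8.8.4.4" ]` pins a public resolver for every container on the host, bypassing the local resolver entirely; a short comment on why CI jobs need no internal or split-horizon names would help the next maintainer. Both the module's `let` block and its attribute set begin and end within the hunks shown.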
@ -1,43 +0,0 @@
|
||||||
{ pkgs, inputs }:
|
|
||||||
let
|
|
||||||
# FIXME get rid of nix input?
|
|
||||||
base = import (inputs.nix + "/docker.nix") {
|
|
||||||
inherit pkgs;
|
|
||||||
name = "nix-ci-base";
|
|
||||||
maxLayers = 10;
|
|
||||||
extraPkgs = with pkgs; [
|
|
||||||
nodejs_20 # nodejs is needed for running most 3rdparty actions
|
|
||||||
# add any other pre-installed packages here
|
|
||||||
];
|
|
||||||
# do we want this at all?
|
|
||||||
channelURL = "https://nixos.org/channels/nixpkgs-unstable";
|
|
||||||
nixConf = {
|
|
||||||
substituters = [
|
|
||||||
"https://cache.nixos.org/"
|
|
||||||
"https://nix-community.cachix.org"
|
|
||||||
# insert any other binary caches here
|
|
||||||
];
|
|
||||||
trusted-public-keys = [
|
|
||||||
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
|
|
||||||
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
|
|
||||||
# insert the public keys for those binary caches here
|
|
||||||
];
|
|
||||||
# allow using the new flake commands in our workflows
|
|
||||||
experimental-features = [ "nix-command" "flakes" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
pkgs.dockerTools.buildImage {
|
|
||||||
name = "nix-runner";
|
|
||||||
tag = "latest";
|
|
||||||
|
|
||||||
fromImage = base;
|
|
||||||
fromImageName = null;
|
|
||||||
fromImageTag = "latest";
|
|
||||||
|
|
||||||
copyToRoot = pkgs.buildEnv {
|
|
||||||
name = "image-root";
|
|
||||||
paths = [ pkgs.coreutils-full ];
|
|
||||||
pathsToLink = [ "/bin" ]; # add coreutuls (which includes sleep) to /bin
|
|
||||||
};
|
|
||||||
}
|
|
|
@ -1,12 +1,9 @@
|
||||||
{ lib, inputs, ... }: {
|
{ lib, ... }: {
|
||||||
perSystem = { pkgs, inputs', ... }: {
|
perSystem = { pkgs, inputs', ... }: {
|
||||||
packages = {
|
packages = {
|
||||||
inherit (pkgs.callPackage ./renovate { }) renovate;
|
inherit (pkgs.callPackage ./renovate { }) renovate;
|
||||||
} // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
|
} // lib.optionalAttrs (!pkgs.stdenv.isDarwin) {
|
||||||
gitea = pkgs.callPackage ./gitea { };
|
gitea = pkgs.callPackage ./gitea { };
|
||||||
actions-runner = pkgs.callPackage ./actions-runner.nix {
|
|
||||||
inherit inputs;
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|