From 9416c159c66fbe22453fff1f3813e2c85517e18f Mon Sep 17 00:00:00 2001 From: "Jeffrey C. Ollie" Date: Sat, 7 Sep 2024 22:01:37 -0500 Subject: [PATCH] update for 2024 --- flake.lock | 96 ++++- flake.nix | 871 +++++++++++++++++++++++----------------------- push-container.nu | 3 - 3 files changed, 518 insertions(+), 452 deletions(-) diff --git a/flake.lock b/flake.lock index 9fd7800..addd332 100644 --- a/flake.lock +++ b/flake.lock @@ -5,11 +5,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1692799911, - "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "owner": "numtide", "repo": "flake-utils", - "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "type": "github" }, "original": { @@ -18,13 +18,81 @@ "type": "github" } }, + "flake-utils_2": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flakey-profile": { + "locked": { + "lastModified": 1712898590, + "narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=", + "owner": "lf-", + "repo": "flakey-profile", + "rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d", + "type": "github" + }, + "original": { + "owner": "lf-", + "repo": "flakey-profile", + "type": "github" + } + }, + "lix": { + "flake": false, + "locked": { + "lastModified": 1723503926, + "narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=", + "rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz" + } + }, + "lix-module": { + "inputs": { + "flake-utils": "flake-utils_2", + "flakey-profile": "flakey-profile", + "lix": "lix", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1723510904, + "narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=", + "rev": "622a2253a071a1fb97a4d3c8103a91114acc1140", + "type": "tarball", + "url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz" + }, + "original": { + "type": "tarball", + "url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz" + } + }, "nixpkgs": { "locked": { - "lastModified": 1693158576, - "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=", + "lastModified": 1725634671, + "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780", + "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", "type": "github" }, "original": { @@ -36,6 +104,7 @@ "root": { "inputs": { "flake-utils": "flake-utils", + "lix-module": "lix-module", "nixpkgs": "nixpkgs" } }, @@ -53,6 +122,21 @@ "repo": "default", "type": "github" } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } } }, "root": "root", diff --git a/flake.nix b/flake.nix index f7d4079..bf68c52 100644 --- a/flake.nix +++ b/flake.nix @@ -8,471 +8,456 @@ flake-utils = { url = "github:numtide/flake-utils"; }; + lix-module = { + url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"; + inputs.nixpkgs.follows = "nixpkgs"; + }; }; - outputs = { self, nixpkgs, flake-utils }@inputs: - (flake-utils.lib.eachDefaultSystem - (system: - let - pkgs = import nixpkgs { - inherit system; - config.permittedInsecurePackages = [ - "nodejs-16.20.2" + outputs = { + self, + flake-utils, + lix-module, + nixpkgs, + }: ( + flake-utils.lib.eachDefaultSystem + ( + system: let + pkgs = import nixpkgs { + inherit system; + imports = [ + lix-module.nixosModules.default + ]; + nix.package = pkgs.lix; + + # config.permittedInsecurePackages = [ + # "nodejs-16.20.2" + # ]; + overlays = [ + # ( + # self: super: { + # regclient = let + # pname = "regclient"; + # version = "0.5.1+"; + # src = pkgs.fetchFromGitHub { + # owner = "regclient"; + # repo = "regclient"; + # rev = "72df49963a17092138854c5d9d7943deac1dde6b"; + # hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38="; + # }; + # vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls="; + # in + # super.buildGoModule { + # inherit pname version src vendorHash; + # inherit (super.regclient) meta outputs postInstall; + # ldflags = [ + # "-s" + # "-w" + # "-X main.VCSTag=v${version}" + # ]; + # doCheck = false; + # }; + # } + # ) + ]; + }; + lib = pkgs.lib; + docker-client = pkgs.docker_26.override { + clientOnly = true; + }; + in { + packages = { + nixos-runner = let + bundleNixpkgs = true; + channelName = "nixpkgs"; + channelURL = "https://nixos.org/channels/nixos-unstable"; + defaultPkgs = [ + pkgs.bashInteractive + pkgs.bind.dnsutils + pkgs.coreutils-full + pkgs.curl + pkgs.dogdns + pkgs.gawk + pkgs.git + pkgs.glibc + pkgs.gnugrep + pkgs.gnused + pkgs.gzip + pkgs.iputils + pkgs.less + pkgs.lix + # pkgs.nix + pkgs.nodejs_20 + pkgs.nushell + pkgs.more + pkgs.podman + pkgs.regctl + pkgs.stdenv.cc.cc.lib + pkgs.which + + docker-client + + self.packages.${system}.push-container ]; - overlays = [ - ( - self: super: { - regclient = - let - pname = "regclient"; - version = "0.5.1+"; - src = pkgs.fetchFromGitHub { - owner = "regclient"; - repo = "regclient"; - rev = "72df49963a17092138854c5d9d7943deac1dde6b"; - hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38="; - }; - vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls="; - in - super.buildGoModule { - inherit pname version src vendorHash; - inherit (super.regclient) meta outputs postInstall; - ldflags = [ - "-s" - "-w" - "-X main.VCSTag=v${version}" - ]; - doCheck = false; + + flake-registry = null; + + users = + { + root = { + uid = 0; + shell = "${pkgs.bashInteractive}/bin/bash"; + home = "/root"; + gid = 0; + groups = ["root"]; + description = "System administrator"; + }; + nobody = { + uid = 65534; + shell = "${pkgs.shadow}/bin/nologin"; + home = "/var/empty"; + gid = 65534; + groups = ["nobody"]; + description = "Unprivileged account (don't use!)"; + }; + } + // lib.listToAttrs ( + map + ( + n: { + name = "nixbld${toString n}"; + value = { + uid = 30000 + n; + gid = 30000; + groups = ["nixbld"]; + description = "Nix build user ${toString n}"; }; - } - ) - ]; - }; - lib = pkgs.lib; - docker-client = pkgs.docker_24.override { - clientOnly = true; - }; - in - { + } + ) + (lib.lists.range 1 32) + ); - packages = { - nixos-runner = + groups = { + root.gid = 0; + nixbld.gid = 30000; + nobody.gid = 65534; + }; + + userToPasswd = ( + data: { + uid, + gid ? 65534, + home ? "/var/empty", + description ? "", + shell ? "/bin/false", + ... + }: "${data}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}" + ); + + passwdContents = ( + lib.concatStringsSep "\n" + (lib.attrValues (lib.mapAttrs userToPasswd users)) + ); + + userToShadow = username: {...}: "${username}:!:1::::::"; + + shadowContents = ( + lib.concatStringsSep "\n" + (lib.attrValues (lib.mapAttrs userToShadow users)) + ); + + groupMemberMap = ( let - bundleNixpkgs = true; - channelName = "nixpkgs"; - channelURL = "https://nixos.org/channels/nixos-unstable"; - defaultPkgs = [ - pkgs.bashInteractive - pkgs.bind.dnsutils - pkgs.coreutils-full - pkgs.curl - pkgs.dogdns - pkgs.gawk - pkgs.git - pkgs.glibc - pkgs.gnugrep - pkgs.gnused - pkgs.gzip - pkgs.iputils - pkgs.nix - pkgs.nodejs-16_x - pkgs.nushell - pkgs.podman - pkgs.regctl - pkgs.stdenv.cc.cc.lib - - docker-client - - # self.packages.${system}.podman-push-container - # self.packages.${system}.docker-push-container - self.packages.${system}.push-container - ]; - - flake-registry = null; - - users = { - root = { - uid = 0; - shell = "${pkgs.bashInteractive}/bin/bash"; - home = "/root"; - gid = 0; - groups = [ "root" ]; - description = "System administrator"; - }; - nobody = { - uid = 65534; - shell = "${pkgs.shadow}/bin/nologin"; - home = "/var/empty"; - gid = 65534; - groups = [ "nobody" ]; - description = "Unprivileged account (don't use!)"; - }; - } // lib.listToAttrs ( - map - ( - n: { - name = "nixbld${toString n}"; - value = { - uid = 30000 + n; - gid = 30000; - groups = [ "nixbld" ]; - description = "Nix build user ${toString n}"; - }; - } - ) - (lib.lists.range 1 32) - ); - - groups = { - root.gid = 0; - nixbld.gid = 30000; - nobody.gid = 65534; - }; - - userToPasswd = ( - k: - { uid - , gid ? 65534 - , home ? "/var/empty" - , description ? "" - , shell ? "/bin/false" - , groups ? [ ] - }: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}" - ); - - passwdContents = ( - lib.concatStringsSep "\n" - (lib.attrValues (lib.mapAttrs userToPasswd users)) - ); - - userToShadow = k: { ... }: "${k}:!:1::::::"; - - shadowContents = ( - lib.concatStringsSep "\n" - (lib.attrValues (lib.mapAttrs userToShadow users)) - ); - - groupMemberMap = ( - let - # Create a flat list of user/group mappings - mappings = ( - builtins.foldl' - ( - acc: user: - let - groups = users.${user}.groups or [ ]; - in - acc ++ map - (group: { - inherit user group; - }) - groups - ) - [ ] - (lib.attrNames users) - ); - in + # Create a flat list of user/group mappings + mappings = ( + builtins.foldl' ( - builtins.foldl' - ( - acc: v: acc // { - ${v.group} = acc.${v.group} or [ ] ++ [ v.user ]; - } - ) - { } - mappings) - ); - - groupToGroup = k: { gid }: - let - members = groupMemberMap.${k} or [ ]; - in - "${k}:x:${toString gid}:${lib.concatStringsSep "," members}"; - - groupContents = ( - lib.concatStringsSep "\n" - (lib.attrValues (lib.mapAttrs groupToGroup groups)) - ); - - defaultNixConf = { - sandbox = "false"; - build-users-group = "nixbld"; - trusted-public-keys = [ - "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" - ]; - experimental-features = [ - "flakes" - "nix-command" - ]; - }; - - nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten - (n: v: - let - vStr = if builtins.isList v then lib.concatStringsSep " " v else v; + acc: user: let + groups = users.${user}.groups or []; in - "${n} = ${vStr}") - defaultNixConf)) + "\n"; + acc + ++ map + (group: { + inherit user group; + }) + groups + ) + [] + (lib.attrNames users) + ); + in ( + builtins.foldl' + ( + acc: v: + acc + // { + ${v.group} = acc.${v.group} or [] ++ [v.user]; + } + ) + {} + mappings + ) + ); - containerSettings = '' - [engine] - init_path = "${pkgs.catatonit}/bin/catatonit" - helper_binaries_dir = [ "${pkgs.podman}/libexec/podman" ] + groupToGroup = k: {gid}: let + members = groupMemberMap.${k} or []; + in "${k}:x:${toString gid}:${lib.concatStringsSep "," members}"; - [network] - cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin" ] - network_backend = "netavark" - ''; + groupContents = ( + lib.concatStringsSep "\n" + (lib.attrValues (lib.mapAttrs groupToGroup groups)) + ); - containerStorage = '' - [storage] - driver = "overlay" - graphroot = "/var/lib/containers/storage" - runroot = "/run/containers/storage" - ''; + defaultNixConf = { + sandbox = "false"; + build-users-group = "nixbld"; + trusted-public-keys = [ + "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" + ]; + experimental-features = [ + "flakes" + "nix-command" + ]; + }; - containerRegistries = '' - [registries] - [registries.block] - registries = [ ] + nixConfContents = + (lib.concatStringsSep "\n" ( + lib.attrsets.mapAttrsToList ( + n: v: let + vStr = + if builtins.isList v + then lib.concatStringsSep " " v + else v; + in "${n} = ${vStr}" + ) + defaultNixConf + )) + + "\n"; - [registries.insecure] - registries = [ ] + containerSettings = '' + [engine] + init_path = "${pkgs.catatonit}/bin/catatonit" + helper_binaries_dir = [ "${pkgs.podman}/libexec/podman" ] - [registries.search] - registries = [ "docker.io", "quay.io" ] - ''; + [network] + cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin" ] + network_backend = "netavark" + ''; - containerPolicy = builtins.toJSON { - default = [ + containerStorage = '' + [storage] + driver = "overlay" + graphroot = "/var/lib/containers/storage" + runroot = "/run/containers/storage" + ''; + + containerRegistries = '' + [registries] + [registries.block] + registries = [ ] + + [registries.insecure] + registries = [ ] + + [registries.search] + registries = [ "docker.io", "quay.io" ] + ''; + + containerPolicy = builtins.toJSON { + default = [ + { + type = "insecureAcceptAnything"; + } + ]; + transports = { + docker-daemon = { + "" = [ { type = "insecureAcceptAnything"; } ]; - transports = { - docker-daemon = { - "" = [ - { - type = "insecureAcceptAnything"; - } - ]; - }; - }; - }; - - baseSystem = - let - nixpkgs = pkgs.path; - channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' - mkdir $out - if [ "$bundleNixpkgs" ]; then - ln -s ${nixpkgs} $out/nixpkgs - echo "[]" > $out/manifest.nix - fi - ''; - rootEnv = pkgs.buildPackages.buildEnv { - name = "root-profile-env"; - paths = defaultPkgs; - }; - manifest = pkgs.buildPackages.runCommand "manifest.nix" { } '' - cat > $out < $out/etc/passwd - echo "" >> $out/etc/passwd - cat $groupContentsPath > $out/etc/group - echo "" >> $out/etc/group - cat $shadowContentsPath > $out/etc/shadow - echo "" >> $out/etc/shadow - mkdir -p $out/usr - ln -s /nix/var/nix/profiles/share $out/usr/ - mkdir -p $out/nix/var/nix/gcroots - mkdir -p $out/tmp - mkdir -p $out/var/tmp - mkdir -p $out/etc/nix - cat $nixConfContentsPath > $out/etc/nix/nix.conf - mkdir -p $out/root - mkdir -p $out/nix/var/nix/profiles/per-user/root - - mkdir -p $out/etc/containers - mkdir -p $out/etc/containers/networks - mkdir -p $out/var/lib/containers/storage - mkdir -p $out/run/containers/storage - cat $containerSettingsPath > $out/etc/containers/containers.conf - cat $containerStoragePath > $out/etc/containers/storage.conf - cat $containerRegistriesPath > $out/etc/containers/registry.conf - cat $containerPolicyPath > $out/etc/containers/policy.json - - ln -s ${profile} $out/nix/var/nix/profiles/default-1-link - ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default - ln -s /nix/var/nix/profiles/default $out/root/.nix-profile - ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link - ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels - mkdir -p $out/root/.nix-defexpr - ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels - echo "${channelURL} ${channelName}" > $out/root/.nix-channels - mkdir -p $out/bin $out/usr/bin - ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env - ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh - '' + (lib.optionalString (flake-registry != null) '' - nixCacheDir="/root/.cache/nix" - mkdir -p $out$nixCacheDir - globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" - ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath - mkdir -p $out/nix/var/nix/gcroots/auto - rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath)) - ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName - ''); - in - pkgs.dockerTools.buildLayeredImageWithNixDb { - name = "nixos-runner"; - tag = "latest"; - maxLayers = 2; - contents = [ - baseSystem - ] ++ defaultPkgs; - extraCommands = '' - rm -rf nix-support - ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles - ''; - fakeRootCommands = '' - chmod 1777 tmp - chmod 1777 var/tmp - ''; - config = { - Cmd = [ "${pkgs.bashInteractive}/bin/bash" ]; - Env = [ - "USER=root" - "PATH=${lib.concatStringsSep ":" [ - "/root/.nix-profile/bin" - "/nix/var/nix/profiles/default/bin" - "/nix/var/nix/profiles/default/sbin" - ]}" - "MANPATH=${lib.concatStringsSep ":" [ - "/root/.nix-profile/share/man" - "/nix/var/nix/profiles/default/share/man" - ]}" - "LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath [pkgs.glibc pkgs.stdenv.cc.cc.lib]}" - "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" - "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" - "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" - "NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels" - ]; }; }; - # podman-push-container = pkgs.writeTextFile { - # name = "podman-push-container"; - # destination = "/bin/podman-push-container"; - # text = builtins.replaceStrings - # [ - # "@nushell@" - # "@client@" - # ] - # [ - # "${pkgs.nushell}/bin/nu" - # "${pkgs.podman}/bin/podman" - # ] - # (builtins.readFile ./push-container.nu); - # executable = true; - # }; - # docker-push-container = pkgs.writeTextFile { - # name = "docker-push-container"; - # destination = "/bin/docker-push-container"; - # text = builtins.replaceStrings - # [ - # "@nushell@" - # "@client@" - # ] - # [ - # "${pkgs.nushell}/bin/nu" - # "${docker-client}/bin/docker" - # ] - # (builtins.readFile ./push-container.nu); - # executable = true; - # }; - push-container = pkgs.writeTextFile { - name = "push-container"; - destination = "/bin/push-container"; - text = builtins.replaceStrings - [ - "@nushell@" - "@regctl@" - ] - [ - "${pkgs.nushell}/bin/nu" - "${pkgs.regctl}/bin/regctl" - ] - (builtins.readFile ./push-container.nu); - executable = true; }; - }; - apps = { - # podman-push-container = { - # type = "app"; - # program = "${self.packages.${system}.podman-push-container}/bin/podman-push-container"; - # }; - # docker-push-container = { - # type = "app"; - # program = "${self.packages.${system}.docker-push-container}/bin/docker-push-container"; - # }; - push-container = { - type = "app"; - program = "${self.packages.${system}.push-container}/bin/push-container"; + + baseSystem = let + nixpkgs = pkgs.path; + channel = pkgs.runCommand "channel-nixos" {inherit bundleNixpkgs;} '' + mkdir $out + if [ "$bundleNixpkgs" ]; then + ln -s ${nixpkgs} $out/nixpkgs + echo "[]" > $out/manifest.nix + fi + ''; + rootEnv = pkgs.buildPackages.buildEnv { + name = "root-profile-env"; + paths = defaultPkgs; + }; + manifest = pkgs.buildPackages.runCommand "manifest.nix" {} '' + cat > $out < $out/etc/passwd + echo "" >> $out/etc/passwd + cat $groupContentsPath > $out/etc/group + echo "" >> $out/etc/group + cat $shadowContentsPath > $out/etc/shadow + echo "" >> $out/etc/shadow + mkdir -p $out/usr + ln -s /nix/var/nix/profiles/share $out/usr/ + mkdir -p $out/nix/var/nix/gcroots + mkdir -p $out/tmp + mkdir -p $out/var/tmp + mkdir -p $out/etc/nix + cat $nixConfContentsPath > $out/etc/nix/nix.conf + mkdir -p $out/root + mkdir -p $out/nix/var/nix/profiles/per-user/root + + mkdir -p $out/etc/containers + mkdir -p $out/etc/containers/networks + mkdir -p $out/var/lib/containers/storage + mkdir -p $out/run/containers/storage + cat $containerSettingsPath > $out/etc/containers/containers.conf + cat $containerStoragePath > $out/etc/containers/storage.conf + cat $containerRegistriesPath > $out/etc/containers/registry.conf + cat $containerPolicyPath > $out/etc/containers/policy.json + + ln -s ${profile} $out/nix/var/nix/profiles/default-1-link + ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default + ln -s /nix/var/nix/profiles/default $out/root/.nix-profile + ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link + ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels + mkdir -p $out/root/.nix-defexpr + ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels + echo "${channelURL} ${channelName}" > $out/root/.nix-channels + mkdir -p $out/bin $out/usr/bin + ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env + ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh + '' + + (lib.optionalString (flake-registry != null) '' + nixCacheDir="/root/.cache/nix" + mkdir -p $out$nixCacheDir + globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" + ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath + mkdir -p $out/nix/var/nix/gcroots/auto + rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath)) + ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName + ''); + in + pkgs.dockerTools.buildLayeredImageWithNixDb { + name = "nixos-runner"; + tag = "latest"; + maxLayers = 2; + contents = + [ + baseSystem + ] + ++ defaultPkgs; + extraCommands = '' + rm -rf nix-support + ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles + ''; + fakeRootCommands = '' + chmod 1777 tmp + chmod 1777 var/tmp + ''; + config = { + Cmd = ["${pkgs.bashInteractive}/bin/bash"]; + Env = [ + "USER=root" + "PATH=${lib.concatStringsSep ":" [ + "/root/.nix-profile/bin" + "/nix/var/nix/profiles/default/bin" + "/nix/var/nix/profiles/default/sbin" + ]}" + "MANPATH=${lib.concatStringsSep ":" [ + "/root/.nix-profile/share/man" + "/nix/var/nix/profiles/default/share/man" + ]}" + "LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath [pkgs.glibc pkgs.stdenv.cc.cc.lib]}" + "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + "NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels" + ]; + }; }; + push-container = pkgs.writeTextFile { + name = "push-container"; + destination = "/bin/push-container"; + text = lib.concatStringsSep "\n" [ + "#!${pkgs.nushell}/bin/nu" + "" + "alias regctl = ^${pkgs.regctl}/bin/regctl --verbosity warning" + "alias gzip = ^${pkgs.gzip}/bin/gzip" + "" + (builtins.readFile ./push-container.nu) + ]; + executable = true; }; - } - ) - ); + }; + apps = { + push-container = { + type = "app"; + program = "${self.packages.${system}.push-container}/bin/push-container"; + }; + }; + } + ) + ); } diff --git a/push-container.nu b/push-container.nu index 8cd605c..a752aa3 100644 --- a/push-container.nu +++ b/push-container.nu @@ -1,4 +1,3 @@ -#!@nushell@ def main [ input: string # tar.gz file containing container image to be pushed to repository ...tags: string # Tags to be added to pushed container image @@ -133,8 +132,6 @@ def main [ } ) - alias regctl = ^@regctl@ --verbosity warning - alias gzip = ^@gzip@ regctl registry login $registry --user $auth.username --pass $auth.password