update for 2024

This commit is contained in:
Jeffrey C. Ollie 2024-09-07 22:01:37 -05:00
parent 7f01fe35a5
commit 9416c159c6
Signed by: jeff
GPG key ID: 6F86035A6D97044E
3 changed files with 518 additions and 452 deletions


@ -5,11 +5,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1692799911, "lastModified": 1710146030,
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=", "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44", "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -18,13 +18,81 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1693158576, "lastModified": 1725634671,
"narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=", "narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780", "rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -36,6 +104,7 @@
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"lix-module": "lix-module",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
}, },
@ -53,6 +122,21 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@ -8,56 +8,66 @@
flake-utils = { flake-utils = {
url = "github:numtide/flake-utils"; url = "github:numtide/flake-utils";
}; };
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { self, nixpkgs, flake-utils }@inputs: outputs = {
(flake-utils.lib.eachDefaultSystem self,
(system: flake-utils,
let lix-module,
nixpkgs,
}: (
flake-utils.lib.eachDefaultSystem
(
system: let
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
config.permittedInsecurePackages = [ imports = [
"nodejs-16.20.2" lix-module.nixosModules.default
]; ];
nix.package = pkgs.lix;
# config.permittedInsecurePackages = [
# "nodejs-16.20.2"
# ];
overlays = [ overlays = [
( # (
self: super: { # self: super: {
regclient = # regclient = let
let # pname = "regclient";
pname = "regclient"; # version = "0.5.1+";
version = "0.5.1+"; # src = pkgs.fetchFromGitHub {
src = pkgs.fetchFromGitHub { # owner = "regclient";
owner = "regclient"; # repo = "regclient";
repo = "regclient"; # rev = "72df49963a17092138854c5d9d7943deac1dde6b";
rev = "72df49963a17092138854c5d9d7943deac1dde6b"; # hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38="; # };
}; # vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls="; # in
in # super.buildGoModule {
super.buildGoModule { # inherit pname version src vendorHash;
inherit pname version src vendorHash; # inherit (super.regclient) meta outputs postInstall;
inherit (super.regclient) meta outputs postInstall; # ldflags = [
ldflags = [ # "-s"
"-s" # "-w"
"-w" # "-X main.VCSTag=v${version}"
"-X main.VCSTag=v${version}" # ];
]; # doCheck = false;
doCheck = false; # };
}; # }
} # )
)
]; ];
}; };
lib = pkgs.lib; lib = pkgs.lib;
docker-client = pkgs.docker_24.override { docker-client = pkgs.docker_26.override {
clientOnly = true; clientOnly = true;
}; };
in in {
{
packages = { packages = {
nixos-runner = nixos-runner = let
let
bundleNixpkgs = true; bundleNixpkgs = true;
channelName = "nixpkgs"; channelName = "nixpkgs";
channelURL = "https://nixos.org/channels/nixos-unstable"; channelURL = "https://nixos.org/channels/nixos-unstable";
@ -74,29 +84,32 @@
pkgs.gnused pkgs.gnused
pkgs.gzip pkgs.gzip
pkgs.iputils pkgs.iputils
pkgs.nix pkgs.less
pkgs.nodejs-16_x pkgs.lix
# pkgs.nix
pkgs.nodejs_20
pkgs.nushell pkgs.nushell
pkgs.more
pkgs.podman pkgs.podman
pkgs.regctl pkgs.regctl
pkgs.stdenv.cc.cc.lib pkgs.stdenv.cc.cc.lib
pkgs.which
docker-client docker-client
# self.packages.${system}.podman-push-container
# self.packages.${system}.docker-push-container
self.packages.${system}.push-container self.packages.${system}.push-container
]; ];
flake-registry = null; flake-registry = null;
users = { users =
{
root = { root = {
uid = 0; uid = 0;
shell = "${pkgs.bashInteractive}/bin/bash"; shell = "${pkgs.bashInteractive}/bin/bash";
home = "/root"; home = "/root";
gid = 0; gid = 0;
groups = [ "root" ]; groups = ["root"];
description = "System administrator"; description = "System administrator";
}; };
nobody = { nobody = {
@ -104,10 +117,11 @@
shell = "${pkgs.shadow}/bin/nologin"; shell = "${pkgs.shadow}/bin/nologin";
home = "/var/empty"; home = "/var/empty";
gid = 65534; gid = 65534;
groups = [ "nobody" ]; groups = ["nobody"];
description = "Unprivileged account (don't use!)"; description = "Unprivileged account (don't use!)";
}; };
} // lib.listToAttrs ( }
// lib.listToAttrs (
map map
( (
n: { n: {
@ -115,7 +129,7 @@
value = { value = {
uid = 30000 + n; uid = 30000 + n;
gid = 30000; gid = 30000;
groups = [ "nixbld" ]; groups = ["nixbld"];
description = "Nix build user ${toString n}"; description = "Nix build user ${toString n}";
}; };
} }
@ -130,14 +144,14 @@
}; };
userToPasswd = ( userToPasswd = (
k: data: {
{ uid uid,
, gid ? 65534 gid ? 65534,
, home ? "/var/empty" home ? "/var/empty",
, description ? "" description ? "",
, shell ? "/bin/false" shell ? "/bin/false",
, groups ? [ ] ...
}: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}" }: "${data}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
); );
passwdContents = ( passwdContents = (
@ -145,7 +159,7 @@
(lib.attrValues (lib.mapAttrs userToPasswd users)) (lib.attrValues (lib.mapAttrs userToPasswd users))
); );
userToShadow = k: { ... }: "${k}:!:1::::::"; userToShadow = username: {...}: "${username}:!:1::::::";
shadowContents = ( shadowContents = (
lib.concatStringsSep "\n" lib.concatStringsSep "\n"
@ -158,36 +172,36 @@
mappings = ( mappings = (
builtins.foldl' builtins.foldl'
( (
acc: user: acc: user: let
let groups = users.${user}.groups or [];
groups = users.${user}.groups or [ ];
in in
acc ++ map acc
++ map
(group: { (group: {
inherit user group; inherit user group;
}) })
groups groups
) )
[ ] []
(lib.attrNames users) (lib.attrNames users)
); );
in in (
(
builtins.foldl' builtins.foldl'
( (
acc: v: acc // { acc: v:
${v.group} = acc.${v.group} or [ ] ++ [ v.user ]; acc
// {
${v.group} = acc.${v.group} or [] ++ [v.user];
} }
) )
{ } {}
mappings) mappings
)
); );
groupToGroup = k: { gid }: groupToGroup = k: {gid}: let
let members = groupMemberMap.${k} or [];
members = groupMemberMap.${k} or [ ]; in "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
in
"${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
groupContents = ( groupContents = (
lib.concatStringsSep "\n" lib.concatStringsSep "\n"
@ -206,13 +220,19 @@
]; ];
}; };
nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten nixConfContents =
(n: v: (lib.concatStringsSep "\n" (
let lib.attrsets.mapAttrsToList (
vStr = if builtins.isList v then lib.concatStringsSep " " v else v; n: v: let
in vStr =
"${n} = ${vStr}") if builtins.isList v
defaultNixConf)) + "\n"; then lib.concatStringsSep " " v
else v;
in "${n} = ${vStr}"
)
defaultNixConf
))
+ "\n";
containerSettings = '' containerSettings = ''
[engine] [engine]
@ -260,10 +280,9 @@
}; };
}; };
baseSystem = baseSystem = let
let
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' channel = pkgs.runCommand "channel-nixos" {inherit bundleNixpkgs;} ''
mkdir $out mkdir $out
if [ "$bundleNixpkgs" ]; then if [ "$bundleNixpkgs" ]; then
ln -s ${nixpkgs} $out/nixpkgs ln -s ${nixpkgs} $out/nixpkgs
@ -274,16 +293,17 @@
name = "root-profile-env"; name = "root-profile-env";
paths = defaultPkgs; paths = defaultPkgs;
}; };
manifest = pkgs.buildPackages.runCommand "manifest.nix" { } '' manifest = pkgs.buildPackages.runCommand "manifest.nix" {} ''
cat > $out <<EOF cat > $out <<EOF
[ [
${lib.concatStringsSep "\n" (builtins.map (drv: let ${lib.concatStringsSep "\n" (builtins.map (drv: let
outputs = drv.outputsToInstall or [ "out" ]; outputs = drv.outputsToInstall or ["out"];
in '' in ''
{ {
${lib.concatStringsSep "\n" (builtins.map (output: '' ${lib.concatStringsSep "\n" (builtins.map (output: ''
${output} = { outPath = "${lib.getOutput output drv}"; }; ${output} = { outPath = "${lib.getOutput output drv}"; };
'') outputs)} '')
outputs)}
outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ]; outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
name = "${drv.name}"; name = "${drv.name}";
outPath = "${drv}"; outPath = "${drv}";
@ -291,11 +311,12 @@
type = "derivation"; type = "derivation";
meta = { }; meta = { };
} }
'') defaultPkgs)} '')
defaultPkgs)}
] ]
EOF EOF
''; '';
profile = pkgs.buildPackages.runCommand "user-environment" { } '' profile = pkgs.buildPackages.runCommand "user-environment" {} ''
mkdir $out mkdir $out
cp -a ${rootEnv}/* $out/ cp -a ${rootEnv}/* $out/
ln -s ${manifest} $out/manifest.nix ln -s ${manifest} $out/manifest.nix
@ -311,7 +332,8 @@
groupContents groupContents
nixConfContents nixConfContents
passwdContents passwdContents
shadowContents; shadowContents
;
passAsFile = [ passAsFile = [
"containerPolicy" "containerPolicy"
"containerRegistries" "containerRegistries"
@ -366,7 +388,8 @@
mkdir -p $out/bin $out/usr/bin mkdir -p $out/bin $out/usr/bin
ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
'' + (lib.optionalString (flake-registry != null) '' ''
+ (lib.optionalString (flake-registry != null) ''
nixCacheDir="/root/.cache/nix" nixCacheDir="/root/.cache/nix"
mkdir -p $out$nixCacheDir mkdir -p $out$nixCacheDir
globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
@ -380,9 +403,11 @@
name = "nixos-runner"; name = "nixos-runner";
tag = "latest"; tag = "latest";
maxLayers = 2; maxLayers = 2;
contents = [ contents =
[
baseSystem baseSystem
] ++ defaultPkgs; ]
++ defaultPkgs;
extraCommands = '' extraCommands = ''
rm -rf nix-support rm -rf nix-support
ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
@ -392,7 +417,7 @@
chmod 1777 var/tmp chmod 1777 var/tmp
''; '';
config = { config = {
Cmd = [ "${pkgs.bashInteractive}/bin/bash" ]; Cmd = ["${pkgs.bashInteractive}/bin/bash"];
Env = [ Env = [
"USER=root" "USER=root"
"PATH=${lib.concatStringsSep ":" [ "PATH=${lib.concatStringsSep ":" [
@ -412,61 +437,21 @@
]; ];
}; };
}; };
# podman-push-container = pkgs.writeTextFile {
# name = "podman-push-container";
# destination = "/bin/podman-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${pkgs.podman}/bin/podman"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
# docker-push-container = pkgs.writeTextFile {
# name = "docker-push-container";
# destination = "/bin/docker-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${docker-client}/bin/docker"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
push-container = pkgs.writeTextFile { push-container = pkgs.writeTextFile {
name = "push-container"; name = "push-container";
destination = "/bin/push-container"; destination = "/bin/push-container";
text = builtins.replaceStrings text = lib.concatStringsSep "\n" [
[ "#!${pkgs.nushell}/bin/nu"
"@nushell@" ""
"@regctl@" "alias regctl = ^${pkgs.regctl}/bin/regctl --verbosity warning"
] "alias gzip = ^${pkgs.gzip}/bin/gzip"
[ ""
"${pkgs.nushell}/bin/nu" (builtins.readFile ./push-container.nu)
"${pkgs.regctl}/bin/regctl" ];
]
(builtins.readFile ./push-container.nu);
executable = true; executable = true;
}; };
}; };
apps = { apps = {
# podman-push-container = {
# type = "app";
# program = "${self.packages.${system}.podman-push-container}/bin/podman-push-container";
# };
# docker-push-container = {
# type = "app";
# program = "${self.packages.${system}.docker-push-container}/bin/docker-push-container";
# };
push-container = { push-container = {
type = "app"; type = "app";
program = "${self.packages.${system}.push-container}/bin/push-container"; program = "${self.packages.${system}.push-container}/bin/push-container";
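Review bot: The `imports = [ lix-module.nixosModules.default ]` and `nix.package = pkgs.lix;` lines added inside `import nixpkgs { ... }` (first hunk) are NixOS module options, and as far as I can tell the nixpkgs entry point only evaluates arguments such as `system`, `config` and `overlays` and silently ignores the rest, so the Lix module is inert here and `pkgs.lix` on the `defaultPkgs` list resolves to whatever the pinned nixpkgs ships rather than the lix 2.91.0 tarball pinned in the lock. If the intent is to build the image with the module's Lix, apply its overlay instead, e.g. `overlays = [ lix-module.overlays.default ];` (confirm the attribute name against the pinned nixos-module), and drop `imports`/`nix.package`. If the nixpkgs `lix` is acceptable, remove the `lix-module` input entirely: an unused input still pulls a third-party tarball plus `flakey-profile` and a second `flake-utils` into the lock and the supply chain for no benefit. Separately, `userToPasswd`'s first parameter was renamed to `data` although it receives the attribute name (the username); `username`, as `userToShadow` now uses, would read better and avoids suggesting it is the attribute value.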


@ -1,4 +1,3 @@
#!@nushell@
def main [ def main [
input: string # tar.gz file containing container image to be pushed to repository input: string # tar.gz file containing container image to be pushed to repository
...tags: string # Tags to be added to pushed container image ...tags: string # Tags to be added to pushed container image
@ -133,8 +132,6 @@ def main [
} }
) )
alias regctl = ^@regctl@ --verbosity warning
alias gzip = ^@gzip@
regctl registry login $registry --user $auth.username --pass $auth.password regctl registry login $registry --user $auth.username --pass $auth.password