jeff/nixos-runner
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

Compare commits

base: jeff:7f01fe35a5179b700bd13a56c21d627c1286f04b
Branches Tags
jeff:main
...
compare: jeff:d699087e20ca5fc99dd6476ec86e453df38ad154
Branches Tags
jeff:main

2 commits
7f01fe35a5 ... d699087e20

Author SHA1 Message Date
Jeffrey C. Ollie
d699087e20
test fix for ghcr
All checks were successful
continuous-integration/drone/push Build is passing
Details
2024-09-07 22:18:25 -05:00
Jeffrey C. Ollie
9416c159c6
update for 2024 2024-09-07 22:01:37 -05:00
4 changed files with 519 additions and 453 deletions
Show stats Expand all files Collapse all files

2
.github/workflows/build.yaml vendored
View file

@ -11,7 +11,7 @@ jobs:
- run: nix build -L .#nixos-runner
- run: nix run .#push-container -- result
env:
REGISTRY: ghcr.io/${{ github.repository_owner }}
REGISTRY: https://ghcr.io/${{ github.repository_owner }}
REPOSITORY: nixos-runner
USERNAME: ${{ github.actor }}
PASSWORD: ${{ github.token }}

96
flake.lock
View file

@ -5,11 +5,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1692799911,
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
@ -18,13 +18,81 @@
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1693158576,
"narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
"lastModified": 1725634671,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"type": "github"
},
"original": {
@ -36,6 +104,7 @@
"root": {
"inputs": {
"flake-utils": "flake-utils",
"lix-module": "lix-module",
"nixpkgs": "nixpkgs"
}
},
@ -53,6 +122,21 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

871
flake.nix
View file

@ -8,471 +8,456 @@
flake-utils = {
url = "github:numtide/flake-utils";
};
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { self, nixpkgs, flake-utils }@inputs:
(flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = import nixpkgs {
inherit system;
config.permittedInsecurePackages = [
"nodejs-16.20.2"
outputs = {
self,
flake-utils,
lix-module,
nixpkgs,
}: (
flake-utils.lib.eachDefaultSystem
(
system: let
pkgs = import nixpkgs {
inherit system;
imports = [
lix-module.nixosModules.default
];
nix.package = pkgs.lix;
# config.permittedInsecurePackages = [
# "nodejs-16.20.2"
# ];
overlays = [
# (
# self: super: {
# regclient = let
# pname = "regclient";
# version = "0.5.1+";
# src = pkgs.fetchFromGitHub {
# owner = "regclient";
# repo = "regclient";
# rev = "72df49963a17092138854c5d9d7943deac1dde6b";
# hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
# };
# vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
# in
# super.buildGoModule {
# inherit pname version src vendorHash;
# inherit (super.regclient) meta outputs postInstall;
# ldflags = [
# "-s"
# "-w"
# "-X main.VCSTag=v${version}"
# ];
# doCheck = false;
# };
# }
# )
];
};
lib = pkgs.lib;
docker-client = pkgs.docker_26.override {
clientOnly = true;
};
in {
packages = {
nixos-runner = let
bundleNixpkgs = true;
channelName = "nixpkgs";
channelURL = "https://nixos.org/channels/nixos-unstable";
defaultPkgs = [
pkgs.bashInteractive
pkgs.bind.dnsutils
pkgs.coreutils-full
pkgs.curl
pkgs.dogdns
pkgs.gawk
pkgs.git
pkgs.glibc
pkgs.gnugrep
pkgs.gnused
pkgs.gzip
pkgs.iputils
pkgs.less
pkgs.lix
# pkgs.nix
pkgs.nodejs_20
pkgs.nushell
pkgs.more
pkgs.podman
pkgs.regctl
pkgs.stdenv.cc.cc.lib
pkgs.which
docker-client
self.packages.${system}.push-container
];
overlays = [
(
self: super: {
regclient =
let
pname = "regclient";
version = "0.5.1+";
src = pkgs.fetchFromGitHub {
owner = "regclient";
repo = "regclient";
rev = "72df49963a17092138854c5d9d7943deac1dde6b";
hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
};
vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
in
super.buildGoModule {
inherit pname version src vendorHash;
inherit (super.regclient) meta outputs postInstall;
ldflags = [
"-s"
"-w"
"-X main.VCSTag=v${version}"
];
doCheck = false;
flake-registry = null;
users =
{
root = {
uid = 0;
shell = "${pkgs.bashInteractive}/bin/bash";
home = "/root";
gid = 0;
groups = ["root"];
description = "System administrator";
};
nobody = {
uid = 65534;
shell = "${pkgs.shadow}/bin/nologin";
home = "/var/empty";
gid = 65534;
groups = ["nobody"];
description = "Unprivileged account (don't use!)";
};
}
// lib.listToAttrs (
map
(
n: {
name = "nixbld${toString n}";
value = {
uid = 30000 + n;
gid = 30000;
groups = ["nixbld"];
description = "Nix build user ${toString n}";
};
}
)
];
};
lib = pkgs.lib;
docker-client = pkgs.docker_24.override {
clientOnly = true;
};
in
{
}
)
(lib.lists.range 1 32)
);
packages = {
nixos-runner =
groups = {
root.gid = 0;
nixbld.gid = 30000;
nobody.gid = 65534;
};
userToPasswd = (
data: {
uid,
gid ? 65534,
home ? "/var/empty",
description ? "",
shell ? "/bin/false",
...
}: "${data}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
);
passwdContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs userToPasswd users))
);
userToShadow = username: {...}: "${username}:!:1::::::";
shadowContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs userToShadow users))
);
groupMemberMap = (
let
bundleNixpkgs = true;
channelName = "nixpkgs";
channelURL = "https://nixos.org/channels/nixos-unstable";
defaultPkgs = [
pkgs.bashInteractive
pkgs.bind.dnsutils
pkgs.coreutils-full
pkgs.curl
pkgs.dogdns
pkgs.gawk
pkgs.git
pkgs.glibc
pkgs.gnugrep
pkgs.gnused
pkgs.gzip
pkgs.iputils
pkgs.nix
pkgs.nodejs-16_x
pkgs.nushell
pkgs.podman
pkgs.regctl
pkgs.stdenv.cc.cc.lib
docker-client
# self.packages.${system}.podman-push-container
# self.packages.${system}.docker-push-container
self.packages.${system}.push-container
];
flake-registry = null;
users = {
root = {
uid = 0;
shell = "${pkgs.bashInteractive}/bin/bash";
home = "/root";
gid = 0;
groups = [ "root" ];
description = "System administrator";
};
nobody = {
uid = 65534;
shell = "${pkgs.shadow}/bin/nologin";
home = "/var/empty";
gid = 65534;
groups = [ "nobody" ];
description = "Unprivileged account (don't use!)";
};
} // lib.listToAttrs (
map
(
n: {
name = "nixbld${toString n}";
value = {
uid = 30000 + n;
gid = 30000;
groups = [ "nixbld" ];
description = "Nix build user ${toString n}";
};
}
)
(lib.lists.range 1 32)
);
groups = {
root.gid = 0;
nixbld.gid = 30000;
nobody.gid = 65534;
};
userToPasswd = (
k:
{ uid
, gid ? 65534
, home ? "/var/empty"
, description ? ""
, shell ? "/bin/false"
, groups ? [ ]
}: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
);
passwdContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs userToPasswd users))
);
userToShadow = k: { ... }: "${k}:!:1::::::";
shadowContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs userToShadow users))
);
groupMemberMap = (
let
# Create a flat list of user/group mappings
mappings = (
builtins.foldl'
(
acc: user:
let
groups = users.${user}.groups or [ ];
in
acc ++ map
(group: {
inherit user group;
})
groups
)
[ ]
(lib.attrNames users)
);
in
# Create a flat list of user/group mappings
mappings = (
builtins.foldl'
(
builtins.foldl'
(
acc: v: acc // {
${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
}
)
{ }
mappings)
);
groupToGroup = k: { gid }:
let
members = groupMemberMap.${k} or [ ];
in
"${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
groupContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs groupToGroup groups))
);
defaultNixConf = {
sandbox = "false";
build-users-group = "nixbld";
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
experimental-features = [
"flakes"
"nix-command"
];
};
nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten
(n: v:
let
vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
acc: user: let
groups = users.${user}.groups or [];
in
"${n} = ${vStr}")
defaultNixConf)) + "\n";
acc
++ map
(group: {
inherit user group;
})
groups
)
[]
(lib.attrNames users)
);
in (
builtins.foldl'
(
acc: v:
acc
// {
${v.group} = acc.${v.group} or [] ++ [v.user];
}
)
{}
mappings
)
);
containerSettings = ''
[engine]
init_path = "${pkgs.catatonit}/bin/catatonit"
helper_binaries_dir = [ "${pkgs.podman}/libexec/podman" ]
groupToGroup = k: {gid}: let
members = groupMemberMap.${k} or [];
in "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
[network]
cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin" ]
network_backend = "netavark"
'';
groupContents = (
lib.concatStringsSep "\n"
(lib.attrValues (lib.mapAttrs groupToGroup groups))
);
containerStorage = ''
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"
runroot = "/run/containers/storage"
'';
defaultNixConf = {
sandbox = "false";
build-users-group = "nixbld";
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
experimental-features = [
"flakes"
"nix-command"
];
};
containerRegistries = ''
[registries]
[registries.block]
registries = [ ]
nixConfContents =
(lib.concatStringsSep "\n" (
lib.attrsets.mapAttrsToList (
n: v: let
vStr =
if builtins.isList v
then lib.concatStringsSep " " v
else v;
in "${n} = ${vStr}"
)
defaultNixConf
))
+ "\n";
[registries.insecure]
registries = [ ]
containerSettings = ''
[engine]
init_path = "${pkgs.catatonit}/bin/catatonit"
helper_binaries_dir = [ "${pkgs.podman}/libexec/podman" ]
[registries.search]
registries = [ "docker.io", "quay.io" ]
'';
[network]
cni_plugin_dirs = [ "${pkgs.cni-plugins}/bin" ]
network_backend = "netavark"
'';
containerPolicy = builtins.toJSON {
default = [
containerStorage = ''
[storage]
driver = "overlay"
graphroot = "/var/lib/containers/storage"
runroot = "/run/containers/storage"
'';
containerRegistries = ''
[registries]
[registries.block]
registries = [ ]
[registries.insecure]
registries = [ ]
[registries.search]
registries = [ "docker.io", "quay.io" ]
'';
containerPolicy = builtins.toJSON {
default = [
{
type = "insecureAcceptAnything";
}
];
transports = {
docker-daemon = {
"" = [
{
type = "insecureAcceptAnything";
}
];
transports = {
docker-daemon = {
"" = [
{
type = "insecureAcceptAnything";
}
];
};
};
};
baseSystem =
let
nixpkgs = pkgs.path;
channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } ''
mkdir $out
if [ "$bundleNixpkgs" ]; then
ln -s ${nixpkgs} $out/nixpkgs
echo "[]" > $out/manifest.nix
fi
'';
rootEnv = pkgs.buildPackages.buildEnv {
name = "root-profile-env";
paths = defaultPkgs;
};
manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
cat > $out <<EOF
[
${lib.concatStringsSep "\n" (builtins.map (drv: let
outputs = drv.outputsToInstall or [ "out" ];
in ''
{
${lib.concatStringsSep "\n" (builtins.map (output: ''
${output} = { outPath = "${lib.getOutput output drv}"; };
'') outputs)}
outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
name = "${drv.name}";
outPath = "${drv}";
system = "${drv.system}";
type = "derivation";
meta = { };
}
'') defaultPkgs)}
]
EOF
'';
profile = pkgs.buildPackages.runCommand "user-environment" { } ''
mkdir $out
cp -a ${rootEnv}/* $out/
ln -s ${manifest} $out/manifest.nix
'';
in
pkgs.runCommand "base-system"
{
inherit
containerPolicy
containerRegistries
containerSettings
containerStorage
groupContents
nixConfContents
passwdContents
shadowContents;
passAsFile = [
"containerPolicy"
"containerRegistries"
"containerSettings"
"containerStorage"
"groupContents"
"nixConfContents"
"passwdContents"
"shadowContents"
];
allowSubstitutes = false;
preferLocalBuild = true;
} ''
env
set -x
mkdir -p $out/etc
mkdir -p $out/etc/ssl/certs
ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
cat $passwdContentsPath > $out/etc/passwd
echo "" >> $out/etc/passwd
cat $groupContentsPath > $out/etc/group
echo "" >> $out/etc/group
cat $shadowContentsPath > $out/etc/shadow
echo "" >> $out/etc/shadow
mkdir -p $out/usr
ln -s /nix/var/nix/profiles/share $out/usr/
mkdir -p $out/nix/var/nix/gcroots
mkdir -p $out/tmp
mkdir -p $out/var/tmp
mkdir -p $out/etc/nix
cat $nixConfContentsPath > $out/etc/nix/nix.conf
mkdir -p $out/root
mkdir -p $out/nix/var/nix/profiles/per-user/root
mkdir -p $out/etc/containers
mkdir -p $out/etc/containers/networks
mkdir -p $out/var/lib/containers/storage
mkdir -p $out/run/containers/storage
cat $containerSettingsPath > $out/etc/containers/containers.conf
cat $containerStoragePath > $out/etc/containers/storage.conf
cat $containerRegistriesPath > $out/etc/containers/registry.conf
cat $containerPolicyPath > $out/etc/containers/policy.json
ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
ln -s /nix/var/nix/profiles/default $out/root/.nix-profile
ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link
ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels
mkdir -p $out/root/.nix-defexpr
ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels
echo "${channelURL} ${channelName}" > $out/root/.nix-channels
mkdir -p $out/bin $out/usr/bin
ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
'' + (lib.optionalString (flake-registry != null) ''
nixCacheDir="/root/.cache/nix"
mkdir -p $out$nixCacheDir
globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath
mkdir -p $out/nix/var/nix/gcroots/auto
rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
'');
in
pkgs.dockerTools.buildLayeredImageWithNixDb {
name = "nixos-runner";
tag = "latest";
maxLayers = 2;
contents = [
baseSystem
] ++ defaultPkgs;
extraCommands = ''
rm -rf nix-support
ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
'';
fakeRootCommands = ''
chmod 1777 tmp
chmod 1777 var/tmp
'';
config = {
Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];
Env = [
"USER=root"
"PATH=${lib.concatStringsSep ":" [
"/root/.nix-profile/bin"
"/nix/var/nix/profiles/default/bin"
"/nix/var/nix/profiles/default/sbin"
]}"
"MANPATH=${lib.concatStringsSep ":" [
"/root/.nix-profile/share/man"
"/nix/var/nix/profiles/default/share/man"
]}"
"LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath [pkgs.glibc pkgs.stdenv.cc.cc.lib]}"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels"
];
};
};
# podman-push-container = pkgs.writeTextFile {
# name = "podman-push-container";
# destination = "/bin/podman-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${pkgs.podman}/bin/podman"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
# docker-push-container = pkgs.writeTextFile {
# name = "docker-push-container";
# destination = "/bin/docker-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${docker-client}/bin/docker"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
push-container = pkgs.writeTextFile {
name = "push-container";
destination = "/bin/push-container";
text = builtins.replaceStrings
[
"@nushell@"
"@regctl@"
]
[
"${pkgs.nushell}/bin/nu"
"${pkgs.regctl}/bin/regctl"
]
(builtins.readFile ./push-container.nu);
executable = true;
};
};
apps = {
# podman-push-container = {
# type = "app";
# program = "${self.packages.${system}.podman-push-container}/bin/podman-push-container";
# };
# docker-push-container = {
# type = "app";
# program = "${self.packages.${system}.docker-push-container}/bin/docker-push-container";
# };
push-container = {
type = "app";
program = "${self.packages.${system}.push-container}/bin/push-container";
baseSystem = let
nixpkgs = pkgs.path;
channel = pkgs.runCommand "channel-nixos" {inherit bundleNixpkgs;} ''
mkdir $out
if [ "$bundleNixpkgs" ]; then
ln -s ${nixpkgs} $out/nixpkgs
echo "[]" > $out/manifest.nix
fi
'';
rootEnv = pkgs.buildPackages.buildEnv {
name = "root-profile-env";
paths = defaultPkgs;
};
manifest = pkgs.buildPackages.runCommand "manifest.nix" {} ''
cat > $out <<EOF
[
${lib.concatStringsSep "\n" (builtins.map (drv: let
outputs = drv.outputsToInstall or ["out"];
in ''
{
${lib.concatStringsSep "\n" (builtins.map (output: ''
${output} = { outPath = "${lib.getOutput output drv}"; };
'')
outputs)}
outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
name = "${drv.name}";
outPath = "${drv}";
system = "${drv.system}";
type = "derivation";
meta = { };
}
'')
defaultPkgs)}
]
EOF
'';
profile = pkgs.buildPackages.runCommand "user-environment" {} ''
mkdir $out
cp -a ${rootEnv}/* $out/
ln -s ${manifest} $out/manifest.nix
'';
in
pkgs.runCommand "base-system"
{
inherit
containerPolicy
containerRegistries
containerSettings
containerStorage
groupContents
nixConfContents
passwdContents
shadowContents
;
passAsFile = [
"containerPolicy"
"containerRegistries"
"containerSettings"
"containerStorage"
"groupContents"
"nixConfContents"
"passwdContents"
"shadowContents"
];
allowSubstitutes = false;
preferLocalBuild = true;
} ''
env
set -x
mkdir -p $out/etc
mkdir -p $out/etc/ssl/certs
ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
cat $passwdContentsPath > $out/etc/passwd
echo "" >> $out/etc/passwd
cat $groupContentsPath > $out/etc/group
echo "" >> $out/etc/group
cat $shadowContentsPath > $out/etc/shadow
echo "" >> $out/etc/shadow
mkdir -p $out/usr
ln -s /nix/var/nix/profiles/share $out/usr/
mkdir -p $out/nix/var/nix/gcroots
mkdir -p $out/tmp
mkdir -p $out/var/tmp
mkdir -p $out/etc/nix
cat $nixConfContentsPath > $out/etc/nix/nix.conf
mkdir -p $out/root
mkdir -p $out/nix/var/nix/profiles/per-user/root
mkdir -p $out/etc/containers
mkdir -p $out/etc/containers/networks
mkdir -p $out/var/lib/containers/storage
mkdir -p $out/run/containers/storage
cat $containerSettingsPath > $out/etc/containers/containers.conf
cat $containerStoragePath > $out/etc/containers/storage.conf
cat $containerRegistriesPath > $out/etc/containers/registry.conf
cat $containerPolicyPath > $out/etc/containers/policy.json
ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
ln -s /nix/var/nix/profiles/default $out/root/.nix-profile
ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link
ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels
mkdir -p $out/root/.nix-defexpr
ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels
echo "${channelURL} ${channelName}" > $out/root/.nix-channels
mkdir -p $out/bin $out/usr/bin
ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
''
+ (lib.optionalString (flake-registry != null) ''
nixCacheDir="/root/.cache/nix"
mkdir -p $out$nixCacheDir
globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath
mkdir -p $out/nix/var/nix/gcroots/auto
rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
'');
in
pkgs.dockerTools.buildLayeredImageWithNixDb {
name = "nixos-runner";
tag = "latest";
maxLayers = 2;
contents =
[
baseSystem
]
++ defaultPkgs;
extraCommands = ''
rm -rf nix-support
ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
'';
fakeRootCommands = ''
chmod 1777 tmp
chmod 1777 var/tmp
'';
config = {
Cmd = ["${pkgs.bashInteractive}/bin/bash"];
Env = [
"USER=root"
"PATH=${lib.concatStringsSep ":" [
"/root/.nix-profile/bin"
"/nix/var/nix/profiles/default/bin"
"/nix/var/nix/profiles/default/sbin"
]}"
"MANPATH=${lib.concatStringsSep ":" [
"/root/.nix-profile/share/man"
"/nix/var/nix/profiles/default/share/man"
]}"
"LD_LIBRARY_PATH=${pkgs.lib.makeLibraryPath [pkgs.glibc pkgs.stdenv.cc.cc.lib]}"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"NIX_PATH=/nix/var/nix/profiles/per-user/root/channels:/root/.nix-defexpr/channels"
];
};
};
push-container = pkgs.writeTextFile {
name = "push-container";
destination = "/bin/push-container";
text = lib.concatStringsSep "\n" [
"#!${pkgs.nushell}/bin/nu"
""
"alias regctl = ^${pkgs.regctl}/bin/regctl --verbosity warning"
"alias gzip = ^${pkgs.gzip}/bin/gzip"
""
(builtins.readFile ./push-container.nu)
];
executable = true;
};
}
)
);
};
apps = {
push-container = {
type = "app";
program = "${self.packages.${system}.push-container}/bin/push-container";
};
};
}
)
);
}

3
push-container.nu
View file

@ -1,4 +1,3 @@
#!@nushell@
def main [
input: string # tar.gz file containing container image to be pushed to repository
...tags: string # Tags to be added to pushed container image
@ -133,8 +132,6 @@ def main [
}
)
alias regctl = ^@regctl@ --verbosity warning
alias gzip = ^@gzip@
regctl registry login $registry --user $auth.username --pass $auth.password