

No commits in common. "d699087e20ca5fc99dd6476ec86e453df38ad154" and "7f01fe35a5179b700bd13a56c21d627c1286f04b" have entirely different histories.

4 changed files with 459 additions and 525 deletions


@ -11,7 +11,7 @@ jobs:
- run: nix build -L .#nixos-runner - run: nix build -L .#nixos-runner
- run: nix run .#push-container -- result - run: nix run .#push-container -- result
env: env:
REGISTRY: https://ghcr.io/${{ github.repository_owner }} REGISTRY: ghcr.io/${{ github.repository_owner }}
REPOSITORY: nixos-runner REPOSITORY: nixos-runner
USERNAME: ${{ github.actor }} USERNAME: ${{ github.actor }}
PASSWORD: ${{ github.token }} PASSWORD: ${{ github.token }}
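Review bot: With `REGISTRY` reduced to the bare host `ghcr.io/${{ github.repository_owner }}`, the push is authenticated purely by `USERNAME: ${{ github.actor }}` and `PASSWORD: ${{ github.token }}`, and a `GITHUB_TOKEN` can only write to ghcr.io when the job (or workflow) declares `permissions: packages: write`; that block is outside this hunk, so it is worth confirming it is set explicitly rather than relying on the repository's default token permissions. If it is not, the login will succeed but the push will be rejected, which is easy to misread as a registry-format problem given the URL change made here.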


@ -5,11 +5,11 @@
"systems": "systems" "systems": "systems"
}, },
"locked": { "locked": {
"lastModified": 1710146030, "lastModified": 1692799911,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"owner": "numtide", "owner": "numtide",
"repo": "flake-utils", "repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -18,81 +18,13 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1725634671, "lastModified": 1693158576,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=", "narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c", "rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -104,7 +36,6 @@
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"lix-module": "lix-module",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
}, },
@ -122,21 +53,6 @@
"repo": "default", "repo": "default",
"type": "github" "type": "github"
} }
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
} }
}, },
"root": "root", "root": "root",

flake.nix

@ -8,66 +8,56 @@
flake-utils = { flake-utils = {
url = "github:numtide/flake-utils"; url = "github:numtide/flake-utils";
}; };
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { outputs = { self, nixpkgs, flake-utils }@inputs:
self, (flake-utils.lib.eachDefaultSystem
flake-utils, (system:
lix-module, let
nixpkgs,
}: (
flake-utils.lib.eachDefaultSystem
(
system: let
pkgs = import nixpkgs { pkgs = import nixpkgs {
inherit system; inherit system;
imports = [ config.permittedInsecurePackages = [
lix-module.nixosModules.default "nodejs-16.20.2"
]; ];
nix.package = pkgs.lix;
# config.permittedInsecurePackages = [
# "nodejs-16.20.2"
# ];
overlays = [ overlays = [
# ( (
# self: super: { self: super: {
# regclient = let regclient =
# pname = "regclient"; let
# version = "0.5.1+"; pname = "regclient";
# src = pkgs.fetchFromGitHub { version = "0.5.1+";
# owner = "regclient"; src = pkgs.fetchFromGitHub {
# repo = "regclient"; owner = "regclient";
# rev = "72df49963a17092138854c5d9d7943deac1dde6b"; repo = "regclient";
# hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38="; rev = "72df49963a17092138854c5d9d7943deac1dde6b";
# }; hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
# vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls="; };
# in vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
# super.buildGoModule { in
# inherit pname version src vendorHash; super.buildGoModule {
# inherit (super.regclient) meta outputs postInstall; inherit pname version src vendorHash;
# ldflags = [ inherit (super.regclient) meta outputs postInstall;
# "-s" ldflags = [
# "-w" "-s"
# "-X main.VCSTag=v${version}" "-w"
# ]; "-X main.VCSTag=v${version}"
# doCheck = false; ];
# }; doCheck = false;
# } };
# ) }
)
]; ];
}; };
lib = pkgs.lib; lib = pkgs.lib;
docker-client = pkgs.docker_26.override { docker-client = pkgs.docker_24.override {
clientOnly = true; clientOnly = true;
}; };
in { in
{
packages = { packages = {
nixos-runner = let nixos-runner =
let
bundleNixpkgs = true; bundleNixpkgs = true;
channelName = "nixpkgs"; channelName = "nixpkgs";
channelURL = "https://nixos.org/channels/nixos-unstable"; channelURL = "https://nixos.org/channels/nixos-unstable";
@ -84,26 +74,23 @@
pkgs.gnused pkgs.gnused
pkgs.gzip pkgs.gzip
pkgs.iputils pkgs.iputils
pkgs.less pkgs.nix
pkgs.lix pkgs.nodejs-16_x
# pkgs.nix
pkgs.nodejs_20
pkgs.nushell pkgs.nushell
pkgs.more
pkgs.podman pkgs.podman
pkgs.regctl pkgs.regctl
pkgs.stdenv.cc.cc.lib pkgs.stdenv.cc.cc.lib
pkgs.which
docker-client docker-client
# self.packages.${system}.podman-push-container
# self.packages.${system}.docker-push-container
self.packages.${system}.push-container self.packages.${system}.push-container
]; ];
flake-registry = null; flake-registry = null;
users = users = {
{
root = { root = {
uid = 0; uid = 0;
shell = "${pkgs.bashInteractive}/bin/bash"; shell = "${pkgs.bashInteractive}/bin/bash";
@ -120,8 +107,7 @@
groups = [ "nobody" ]; groups = [ "nobody" ];
description = "Unprivileged account (don't use!)"; description = "Unprivileged account (don't use!)";
}; };
} } // lib.listToAttrs (
// lib.listToAttrs (
map map
( (
n: { n: {
@ -144,14 +130,14 @@
}; };
userToPasswd = ( userToPasswd = (
data: { k:
uid, { uid
gid ? 65534, , gid ? 65534
home ? "/var/empty", , home ? "/var/empty"
description ? "", , description ? ""
shell ? "/bin/false", , shell ? "/bin/false"
... , groups ? [ ]
}: "${data}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}" }: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
); );
passwdContents = ( passwdContents = (
@ -159,7 +145,7 @@
(lib.attrValues (lib.mapAttrs userToPasswd users)) (lib.attrValues (lib.mapAttrs userToPasswd users))
); );
userToShadow = username: {...}: "${username}:!:1::::::"; userToShadow = k: { ... }: "${k}:!:1::::::";
shadowContents = ( shadowContents = (
lib.concatStringsSep "\n" lib.concatStringsSep "\n"
@ -172,11 +158,11 @@
mappings = ( mappings = (
builtins.foldl' builtins.foldl'
( (
acc: user: let acc: user:
let
groups = users.${user}.groups or [ ]; groups = users.${user}.groups or [ ];
in in
acc acc ++ map
++ map
(group: { (group: {
inherit user group; inherit user group;
}) })
@ -185,23 +171,23 @@
[ ] [ ]
(lib.attrNames users) (lib.attrNames users)
); );
in ( in
(
builtins.foldl' builtins.foldl'
( (
acc: v: acc: v: acc // {
acc
// {
${v.group} = acc.${v.group} or [ ] ++ [ v.user ]; ${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
} }
) )
{ } { }
mappings mappings)
)
); );
groupToGroup = k: {gid}: let groupToGroup = k: { gid }:
let
members = groupMemberMap.${k} or [ ]; members = groupMemberMap.${k} or [ ];
in "${k}:x:${toString gid}:${lib.concatStringsSep "," members}"; in
"${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
groupContents = ( groupContents = (
lib.concatStringsSep "\n" lib.concatStringsSep "\n"
@ -220,19 +206,13 @@
]; ];
}; };
nixConfContents = nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten
(lib.concatStringsSep "\n" ( (n: v:
lib.attrsets.mapAttrsToList ( let
n: v: let vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
vStr = in
if builtins.isList v "${n} = ${vStr}")
then lib.concatStringsSep " " v defaultNixConf)) + "\n";
else v;
in "${n} = ${vStr}"
)
defaultNixConf
))
+ "\n";
containerSettings = '' containerSettings = ''
[engine] [engine]
@ -280,7 +260,8 @@
}; };
}; };
baseSystem = let baseSystem =
let
nixpkgs = pkgs.path; nixpkgs = pkgs.path;
channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } ''
mkdir $out mkdir $out
@ -302,8 +283,7 @@
{ {
${lib.concatStringsSep "\n" (builtins.map (output: '' ${lib.concatStringsSep "\n" (builtins.map (output: ''
${output} = { outPath = "${lib.getOutput output drv}"; }; ${output} = { outPath = "${lib.getOutput output drv}"; };
'') '') outputs)}
outputs)}
outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ]; outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
name = "${drv.name}"; name = "${drv.name}";
outPath = "${drv}"; outPath = "${drv}";
@ -311,8 +291,7 @@
type = "derivation"; type = "derivation";
meta = { }; meta = { };
} }
'') '') defaultPkgs)}
defaultPkgs)}
] ]
EOF EOF
''; '';
@ -332,8 +311,7 @@
groupContents groupContents
nixConfContents nixConfContents
passwdContents passwdContents
shadowContents shadowContents;
;
passAsFile = [ passAsFile = [
"containerPolicy" "containerPolicy"
"containerRegistries" "containerRegistries"
@ -388,8 +366,7 @@
mkdir -p $out/bin $out/usr/bin mkdir -p $out/bin $out/usr/bin
ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
'' '' + (lib.optionalString (flake-registry != null) ''
+ (lib.optionalString (flake-registry != null) ''
nixCacheDir="/root/.cache/nix" nixCacheDir="/root/.cache/nix"
mkdir -p $out$nixCacheDir mkdir -p $out$nixCacheDir
globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
@ -403,11 +380,9 @@
name = "nixos-runner"; name = "nixos-runner";
tag = "latest"; tag = "latest";
maxLayers = 2; maxLayers = 2;
contents = contents = [
[
baseSystem baseSystem
] ] ++ defaultPkgs;
++ defaultPkgs;
extraCommands = '' extraCommands = ''
rm -rf nix-support rm -rf nix-support
ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
@ -437,21 +412,61 @@
]; ];
}; };
}; };
# podman-push-container = pkgs.writeTextFile {
# name = "podman-push-container";
# destination = "/bin/podman-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${pkgs.podman}/bin/podman"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
# docker-push-container = pkgs.writeTextFile {
# name = "docker-push-container";
# destination = "/bin/docker-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${docker-client}/bin/docker"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
push-container = pkgs.writeTextFile { push-container = pkgs.writeTextFile {
name = "push-container"; name = "push-container";
destination = "/bin/push-container"; destination = "/bin/push-container";
text = lib.concatStringsSep "\n" [ text = builtins.replaceStrings
"#!${pkgs.nushell}/bin/nu" [
"" "@nushell@"
"alias regctl = ^${pkgs.regctl}/bin/regctl --verbosity warning" "@regctl@"
"alias gzip = ^${pkgs.gzip}/bin/gzip" ]
"" [
(builtins.readFile ./push-container.nu) "${pkgs.nushell}/bin/nu"
]; "${pkgs.regctl}/bin/regctl"
]
(builtins.readFile ./push-container.nu);
executable = true; executable = true;
}; };
}; };
apps = { apps = {
# podman-push-container = {
# type = "app";
# program = "${self.packages.${system}.podman-push-container}/bin/podman-push-container";
# };
# docker-push-container = {
# type = "app";
# program = "${self.packages.${system}.docker-push-container}/bin/docker-push-container";
# };
push-container = { push-container = {
type = "app"; type = "app";
program = "${self.packages.${system}.push-container}/bin/push-container"; program = "${self.packages.${system}.push-container}/bin/push-container";
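Review bot: The new side sets `config.permittedInsecurePackages = [ "nodejs-16.20.2" ]` and adds `pkgs.nodejs-16_x` to the runner image's `defaultPkgs`; that override is required precisely because nixpkgs refuses to build that Node release without it, so shipping it in a CI image that also carries registry credentials deserves a comment stating why and until when, e.g. `# nodejs 16 is flagged insecure by nixpkgs; kept only for <reason>, remove once <blocker> is resolved`. Separately, the `push-container` package's `builtins.replaceStrings` maps only `"@nushell@"` and `"@regctl@"`, while the `push-container.nu` hunk on this same page also declares `alias gzip = ^@gzip@`; unless that placeholder is filled in somewhere not shown here, it survives into the installed script, and adding `"@gzip@"` and `"${pkgs.gzip}/bin/gzip"` to the two lists would close the gap. The `outputs` function these hunks belong to starts and ends outside the visible hunks.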


@ -1,3 +1,4 @@
#!@nushell@
def main [ def main [
input: string # tar.gz file containing container image to be pushed to repository input: string # tar.gz file containing container image to be pushed to repository
...tags: string # Tags to be added to pushed container image ...tags: string # Tags to be added to pushed container image
@ -132,6 +133,8 @@ def main [
} }
) )
alias regctl = ^@regctl@ --verbosity warning
alias gzip = ^@gzip@
regctl registry login $registry --user $auth.username --pass $auth.password regctl registry login $registry --user $auth.username --pass $auth.password
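Review bot: The new `alias gzip = ^@gzip@` relies on a placeholder that, as far as the flake.nix hunk on this page shows, the `push-container` `replaceStrings` call never substitutes (it only maps `@nushell@` and `@regctl@`), so the alias would point at a literal `@gzip@` binary at runtime; either add the substitution in the flake or drop the alias if gzip is not used. Also worth noting that the login on the following line passes the registry secret as `--pass $auth.password` on the command line, where it is visible in the process table for the duration of the call; if the pinned regctl supports reading the password from stdin, `$auth.password | regctl registry login $registry --user $auth.username --pass-stdin` avoids that exposure. The `main` definition continues past the end of this hunk.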