

No commits in common. "d699087e20ca5fc99dd6476ec86e453df38ad154" and "7f01fe35a5179b700bd13a56c21d627c1286f04b" have entirely different histories.

4 changed files with 459 additions and 525 deletions


@ -11,7 +11,7 @@ jobs:
- run: nix build -L .#nixos-runner
- run: nix run .#push-container -- result
env:
REGISTRY: https://ghcr.io/${{ github.repository_owner }}
REGISTRY: ghcr.io/${{ github.repository_owner }}
REPOSITORY: nixos-runner
USERNAME: ${{ github.actor }}
PASSWORD: ${{ github.token }}


@ -5,11 +5,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"lastModified": 1692799911,
"narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
"type": "github"
},
"original": {
@ -18,81 +18,13 @@
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flakey-profile": {
"locked": {
"lastModified": 1712898590,
"narHash": "sha256-FhGIEU93VHAChKEXx905TSiPZKga69bWl1VB37FK//I=",
"owner": "lf-",
"repo": "flakey-profile",
"rev": "243c903fd8eadc0f63d205665a92d4df91d42d9d",
"type": "github"
},
"original": {
"owner": "lf-",
"repo": "flakey-profile",
"type": "github"
}
},
"lix": {
"flake": false,
"locked": {
"lastModified": 1723503926,
"narHash": "sha256-Rosl9iA9MybF5Bud4BTAQ9adbY81aGmPfV8dDBGl34s=",
"rev": "bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2.tar.gz?rev=bcaeb6388b8916ac6d1736e3aa2b13313e6a6bd2"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/2.91.0.tar.gz"
}
},
"lix-module": {
"inputs": {
"flake-utils": "flake-utils_2",
"flakey-profile": "flakey-profile",
"lix": "lix",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1723510904,
"narHash": "sha256-zNW/rqNJwhq2lYmQf19wJerRuNimjhxHKmzrWWFJYts=",
"rev": "622a2253a071a1fb97a4d3c8103a91114acc1140",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/622a2253a071a1fb97a4d3c8103a91114acc1140.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1725634671,
"narHash": "sha256-v3rIhsJBOMLR8e/RNWxr828tB+WywYIoajrZKFM+0Gg=",
"lastModified": 1693158576,
"narHash": "sha256-aRTTXkYvhXosGx535iAFUaoFboUrZSYb1Ooih/auGp0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "574d1eac1c200690e27b8eb4e24887f8df7ac27c",
"rev": "a999c1cc0c9eb2095729d5aa03e0d8f7ed256780",
"type": "github"
},
"original": {
@ -104,7 +36,6 @@
"root": {
"inputs": {
"flake-utils": "flake-utils",
"lix-module": "lix-module",
"nixpkgs": "nixpkgs"
}
},
@ -122,21 +53,6 @@
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",

flake.nix

@ -8,66 +8,56 @@
flake-utils = {
url = "github:numtide/flake-utils";
};
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.91.0.tar.gz";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = {
self,
flake-utils,
lix-module,
nixpkgs,
}: (
flake-utils.lib.eachDefaultSystem
(
system: let
outputs = { self, nixpkgs, flake-utils }@inputs:
(flake-utils.lib.eachDefaultSystem
(system:
let
pkgs = import nixpkgs {
inherit system;
imports = [
lix-module.nixosModules.default
config.permittedInsecurePackages = [
"nodejs-16.20.2"
];
nix.package = pkgs.lix;
# config.permittedInsecurePackages = [
# "nodejs-16.20.2"
# ];
overlays = [
# (
# self: super: {
# regclient = let
# pname = "regclient";
# version = "0.5.1+";
# src = pkgs.fetchFromGitHub {
# owner = "regclient";
# repo = "regclient";
# rev = "72df49963a17092138854c5d9d7943deac1dde6b";
# hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
# };
# vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
# in
# super.buildGoModule {
# inherit pname version src vendorHash;
# inherit (super.regclient) meta outputs postInstall;
# ldflags = [
# "-s"
# "-w"
# "-X main.VCSTag=v${version}"
# ];
# doCheck = false;
# };
# }
# )
(
self: super: {
regclient =
let
pname = "regclient";
version = "0.5.1+";
src = pkgs.fetchFromGitHub {
owner = "regclient";
repo = "regclient";
rev = "72df49963a17092138854c5d9d7943deac1dde6b";
hash = "sha256-9k1VXtaHTF1GMIDs5qGzJkqPZa+ZKrWes+LakVKaQ38=";
};
vendorHash = "sha256-j+XidIgjJ5uw1d4OXRl3pjiW5Hvy7WqNM0KdVWMvWls=";
in
super.buildGoModule {
inherit pname version src vendorHash;
inherit (super.regclient) meta outputs postInstall;
ldflags = [
"-s"
"-w"
"-X main.VCSTag=v${version}"
];
doCheck = false;
};
}
)
];
};
lib = pkgs.lib;
docker-client = pkgs.docker_26.override {
docker-client = pkgs.docker_24.override {
clientOnly = true;
};
in {
in
{
packages = {
nixos-runner = let
nixos-runner =
let
bundleNixpkgs = true;
channelName = "nixpkgs";
channelURL = "https://nixos.org/channels/nixos-unstable";
@ -84,32 +74,29 @@
pkgs.gnused
pkgs.gzip
pkgs.iputils
pkgs.less
pkgs.lix
# pkgs.nix
pkgs.nodejs_20
pkgs.nix
pkgs.nodejs-16_x
pkgs.nushell
pkgs.more
pkgs.podman
pkgs.regctl
pkgs.stdenv.cc.cc.lib
pkgs.which
docker-client
# self.packages.${system}.podman-push-container
# self.packages.${system}.docker-push-container
self.packages.${system}.push-container
];
flake-registry = null;
users =
{
users = {
root = {
uid = 0;
shell = "${pkgs.bashInteractive}/bin/bash";
home = "/root";
gid = 0;
groups = ["root"];
groups = [ "root" ];
description = "System administrator";
};
nobody = {
@ -117,11 +104,10 @@
shell = "${pkgs.shadow}/bin/nologin";
home = "/var/empty";
gid = 65534;
groups = ["nobody"];
groups = [ "nobody" ];
description = "Unprivileged account (don't use!)";
};
}
// lib.listToAttrs (
} // lib.listToAttrs (
map
(
n: {
@ -129,7 +115,7 @@
value = {
uid = 30000 + n;
gid = 30000;
groups = ["nixbld"];
groups = [ "nixbld" ];
description = "Nix build user ${toString n}";
};
}
@ -144,14 +130,14 @@
};
userToPasswd = (
data: {
uid,
gid ? 65534,
home ? "/var/empty",
description ? "",
shell ? "/bin/false",
...
}: "${data}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
k:
{ uid
, gid ? 65534
, home ? "/var/empty"
, description ? ""
, shell ? "/bin/false"
, groups ? [ ]
}: "${k}:x:${toString uid}:${toString gid}:${description}:${home}:${shell}"
);
passwdContents = (
@ -159,7 +145,7 @@
(lib.attrValues (lib.mapAttrs userToPasswd users))
);
userToShadow = username: {...}: "${username}:!:1::::::";
userToShadow = k: { ... }: "${k}:!:1::::::";
shadowContents = (
lib.concatStringsSep "\n"
@ -172,36 +158,36 @@
mappings = (
builtins.foldl'
(
acc: user: let
groups = users.${user}.groups or [];
acc: user:
let
groups = users.${user}.groups or [ ];
in
acc
++ map
acc ++ map
(group: {
inherit user group;
})
groups
)
[]
[ ]
(lib.attrNames users)
);
in (
in
(
builtins.foldl'
(
acc: v:
acc
// {
${v.group} = acc.${v.group} or [] ++ [v.user];
acc: v: acc // {
${v.group} = acc.${v.group} or [ ] ++ [ v.user ];
}
)
{}
mappings
)
{ }
mappings)
);
groupToGroup = k: {gid}: let
members = groupMemberMap.${k} or [];
in "${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
groupToGroup = k: { gid }:
let
members = groupMemberMap.${k} or [ ];
in
"${k}:x:${toString gid}:${lib.concatStringsSep "," members}";
groupContents = (
lib.concatStringsSep "\n"
@ -220,19 +206,13 @@
];
};
nixConfContents =
(lib.concatStringsSep "\n" (
lib.attrsets.mapAttrsToList (
n: v: let
vStr =
if builtins.isList v
then lib.concatStringsSep " " v
else v;
in "${n} = ${vStr}"
)
defaultNixConf
))
+ "\n";
nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten
(n: v:
let
vStr = if builtins.isList v then lib.concatStringsSep " " v else v;
in
"${n} = ${vStr}")
defaultNixConf)) + "\n";
containerSettings = ''
[engine]
@ -280,9 +260,10 @@
};
};
baseSystem = let
baseSystem =
let
nixpkgs = pkgs.path;
channel = pkgs.runCommand "channel-nixos" {inherit bundleNixpkgs;} ''
channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } ''
mkdir $out
if [ "$bundleNixpkgs" ]; then
ln -s ${nixpkgs} $out/nixpkgs
@ -293,17 +274,16 @@
name = "root-profile-env";
paths = defaultPkgs;
};
manifest = pkgs.buildPackages.runCommand "manifest.nix" {} ''
manifest = pkgs.buildPackages.runCommand "manifest.nix" { } ''
cat > $out <<EOF
[
${lib.concatStringsSep "\n" (builtins.map (drv: let
outputs = drv.outputsToInstall or ["out"];
outputs = drv.outputsToInstall or [ "out" ];
in ''
{
${lib.concatStringsSep "\n" (builtins.map (output: ''
${output} = { outPath = "${lib.getOutput output drv}"; };
'')
outputs)}
'') outputs)}
outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
name = "${drv.name}";
outPath = "${drv}";
@ -311,12 +291,11 @@
type = "derivation";
meta = { };
}
'')
defaultPkgs)}
'') defaultPkgs)}
]
EOF
'';
profile = pkgs.buildPackages.runCommand "user-environment" {} ''
profile = pkgs.buildPackages.runCommand "user-environment" { } ''
mkdir $out
cp -a ${rootEnv}/* $out/
ln -s ${manifest} $out/manifest.nix
@ -332,8 +311,7 @@
groupContents
nixConfContents
passwdContents
shadowContents
;
shadowContents;
passAsFile = [
"containerPolicy"
"containerRegistries"
@ -388,8 +366,7 @@
mkdir -p $out/bin $out/usr/bin
ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
''
+ (lib.optionalString (flake-registry != null) ''
'' + (lib.optionalString (flake-registry != null) ''
nixCacheDir="/root/.cache/nix"
mkdir -p $out$nixCacheDir
globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
@ -403,11 +380,9 @@
name = "nixos-runner";
tag = "latest";
maxLayers = 2;
contents =
[
contents = [
baseSystem
]
++ defaultPkgs;
] ++ defaultPkgs;
extraCommands = ''
rm -rf nix-support
ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles
@ -417,7 +392,7 @@
chmod 1777 var/tmp
'';
config = {
Cmd = ["${pkgs.bashInteractive}/bin/bash"];
Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];
Env = [
"USER=root"
"PATH=${lib.concatStringsSep ":" [
@ -437,21 +412,61 @@
];
};
};
# podman-push-container = pkgs.writeTextFile {
# name = "podman-push-container";
# destination = "/bin/podman-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${pkgs.podman}/bin/podman"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
# docker-push-container = pkgs.writeTextFile {
# name = "docker-push-container";
# destination = "/bin/docker-push-container";
# text = builtins.replaceStrings
# [
# "@nushell@"
# "@client@"
# ]
# [
# "${pkgs.nushell}/bin/nu"
# "${docker-client}/bin/docker"
# ]
# (builtins.readFile ./push-container.nu);
# executable = true;
# };
push-container = pkgs.writeTextFile {
name = "push-container";
destination = "/bin/push-container";
text = lib.concatStringsSep "\n" [
"#!${pkgs.nushell}/bin/nu"
""
"alias regctl = ^${pkgs.regctl}/bin/regctl --verbosity warning"
"alias gzip = ^${pkgs.gzip}/bin/gzip"
""
(builtins.readFile ./push-container.nu)
];
text = builtins.replaceStrings
[
"@nushell@"
"@regctl@"
]
[
"${pkgs.nushell}/bin/nu"
"${pkgs.regctl}/bin/regctl"
]
(builtins.readFile ./push-container.nu);
executable = true;
};
};
apps = {
# podman-push-container = {
# type = "app";
# program = "${self.packages.${system}.podman-push-container}/bin/podman-push-container";
# };
# docker-push-container = {
# type = "app";
# program = "${self.packages.${system}.docker-push-container}/bin/docker-push-container";
# };
push-container = {
type = "app";
program = "${self.packages.${system}.push-container}/bin/push-container";
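Review bot: The new side of the defaultPkgs hunk puts `pkgs.nodejs-16_x` back into the runner image and unlocks it with `config.permittedInsecurePackages = [ "nodejs-16.20.2" ]`, an override nixpkgs requires precisely because that release is end-of-life and no longer receives security fixes; the removed side shipped `pkgs.nodejs_20` with the override commented out, so the image's exposure grows here and the line should at least carry a justification such as `# nodejs-16 is EOL and unpatched; kept only for <consumer> — TODO move to nodejs_20`. A separate defect sits in the push-container package at the end of this section: `builtins.replaceStrings` substitutes only `@nushell@` and `@regctl@`, while the new side of push-container.nu also contains `alias gzip = ^@gzip@`, so that placeholder is copied verbatim into /bin/push-container and the alias resolves to a command that does not exist; add `"@gzip@"` to the first list and `"${pkgs.gzip}/bin/gzip"` to the second. Minor style point in nixConfContents: `lib.mapAttrsFlatten` appears to be a deprecated alias of `lib.mapAttrsToList`, which the removed side already used. The `outputs` function that encloses every hunk of this file starts and ends outside the displayed hunks.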


@ -1,3 +1,4 @@
#!@nushell@
def main [
input: string # tar.gz file containing container image to be pushed to repository
...tags: string # Tags to be added to pushed container image
@ -132,6 +133,8 @@ def main [
}
)
alias regctl = ^@regctl@ --verbosity warning
alias gzip = ^@gzip@
regctl registry login $registry --user $auth.username --pass $auth.password