runner: reproducible nix-built job image + compose-based act_runner
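--- /dev/null
+++ b/runner/flake.nix
@@ -0,0 +1,96 @@
+{
+description = "OCI image for cargoxx-pkgs CI jobs: nix + tea + git + jq";
+
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+flake-utils.url = "github:numtide/flake-utils";
+};
+
+outputs = { self, nixpkgs, flake-utils }:
+flake-utils.lib.eachDefaultSystem (system:
+let
+pkgs = import nixpkgs { inherit system; };
+
+# Single-user nix config — same defaults used by the cargoxx
+# distribution wrapper. Avoids the multi-user nixbld group
+# requirement; sandbox disabled because the runner container
+# itself doesn't usually have user-namespace support.
+nixConfig = ''
+experimental-features = nix-command flakes
+build-users-group =
+sandbox = false
+accept-flake-config = true
+'';
+in {
+packages.default = pkgs.dockerTools.buildLayeredImage {
+name = "cargoxx-runner-job";
+tag = "latest";
+
+contents = with pkgs; [
+bashInteractive
+coreutils
+findutils
+gawk
+gnugrep
+gnused
+gnutar
+gzip
+xz
+
+nix
+git
+curl
+jq
+tea
+
+cacert
+iana-etc
+];
+
+# Skeleton filesystem layout: /tmp, /etc/passwd for nix,
+# writable nix store, cacert pointer.
+extraCommands = ''
+mkdir -p tmp etc nix/var/{nix,log/nix} root
+chmod 1777 tmp
+
+cat > etc/passwd <<'EOF'
+root:x:0:0:root:/root:/bin/bash
+nobody:x:65534:65534:nobody:/var/empty:/bin/false
+EOF
+cat > etc/group <<'EOF'
+root:x:0:
+nobody:x:65534:
+EOF
+cat > etc/nix/nix.conf <<'EOF'
+${nixConfig}
+EOF
+'';
+
+config = {
+Env = [
+"PATH=/bin:/usr/bin"
+"NIX_CONFIG=${nixConfig}"
+"NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+"HOME=/root"
+"USER=root"
+];
+Cmd = [ "/bin/bash" ];
+WorkingDir = "/root";
+};
+};
+
+# `nix run .#load-image` builds the image and pipes it into the
+# local Docker daemon — no registry needed for single-host
+# deployments.
+apps.load-image = {
+type = "app";
+program = toString (pkgs.writeShellScript "load-image" ''
+set -euo pipefail
+img=$(nix build --no-link --print-out-paths .#default)
+echo "loading $img into docker…"
+${pkgs.docker}/bin/docker load < "$img"
+'');
+};
+});
+}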
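Review bot: `accept-flake-config = true` in nixConfig (installed both as etc/nix/nix.conf and as NIX_CONFIG) tells nix to apply the `nixConfig` attribute of any flake the job evaluates without prompting, so a package source built by this image can declare its own `substituters` and `trusted-public-keys` and have pre-built store paths substituted in place of a local build; for a CI job image that is the supply-chain control to keep, not to disable. Drop that line and fix the trusted caches in the image's own config instead, e.g. `substituters = https://cache.nixos.org` with the matching `trusted-public-keys = <cache signing key>`; with `sandbox = false` already in place, the integrity of what enters the store is the only isolation boundary left. Separately, extraCommands runs `mkdir -p tmp etc nix/var/{nix,log/nix} root` and then writes `etc/nix/nix.conf`, but nothing visible creates `etc/nix`, so the redirect likely fails with ENOENT while the customisation layer is built unless buildLayeredImage supplies that directory; `mkdir -p tmp etc/nix nix/var/{nix,log/nix} root` fixes it. Finally, `tag = "latest"` makes a loaded image untraceable to the commit that produced it even though this flake is meant to be the reproducibility anchor; `tag = self.rev or "dirty";` gives each build a stable, inspectable tag.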