Compare commits
12 Commits
29222f17c8
...
master
| Author | SHA1 | Date | |
|---|---|---|---|
| 2e228f137b | |||
| 3da73147dc | |||
| fcecc1e5b0 | |||
| bbae941a36 | |||
| 7aa6e4d200 | |||
| 8f3053b5e7 | |||
| 133df762ab | |||
| 031d943979 | |||
| 202f6389bc | |||
| abbc16cdc0 | |||
| b9a1ac623d | |||
| 9701b09cb9 |
@@ -68,9 +68,7 @@ jobs:
|
||||
done
|
||||
done
|
||||
|
||||
# 4. Build smoke — every changed package must build. Cache push
|
||||
# is intentionally absent for now (no shared binary cache);
|
||||
# add a step here once cache infra is decided.
|
||||
# 4. Build smoke — every changed package must build.
|
||||
- name: build smoke
|
||||
if: steps.changed.outputs.packages != ''
|
||||
run: |
|
||||
@@ -79,6 +77,18 @@ jobs:
|
||||
.#${pkg} --no-link --print-out-paths
|
||||
done
|
||||
|
||||
# 4b. Push the validated outputs to the binary cache. The runner's
|
||||
# config.yaml bind-mounts /srv/cargoxx-cache and the signing
|
||||
# key into every job container.
|
||||
- name: push to binary cache
|
||||
if: steps.changed.outputs.packages != ''
|
||||
run: |
|
||||
for pkg in ${{ steps.changed.outputs.packages }}; do
|
||||
nix copy --extra-experimental-features 'nix-command flakes' \
|
||||
--to "file:///srv/cargoxx-cache/store?secret-key=/srv/cargoxx-cache/keys/cache.sec" \
|
||||
.#${pkg}
|
||||
done
|
||||
|
||||
# 5. Maintainer check — PR must come from someone listed in
|
||||
# recipes/<pkg>/maintainers.txt (auto-pass for new packages,
|
||||
# since the PR introduces the file in the same commit).
|
||||
|
||||
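Review bot: The new `push to binary cache` step (4b) sits before the maintainer check (5), so outputs built from a PR are signed with `cache.sec` and published before anything has established that the author may change the package. If this workflow runs on pull requests, as the surrounding steps suggest, move the step after the maintainer check and gate it on a trusted event, e.g. `if: github.event_name == 'push' && steps.changed.outputs.packages != ''`. The loop also expands `${{ steps.changed.outputs.packages }}` directly into the script text; passing it through `env:` as `PACKAGES` and looping over `$PACKAGES` with `".#${pkg}"` quoted keeps names derived from PR paths from being parsed as shell. The job header and its trigger are outside the visible hunks, so confirm the event type first.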
1
.gitignore
vendored
1
.gitignore
vendored
@@ -1,3 +1,2 @@
|
||||
/result
|
||||
/result-*
|
||||
flake.lock
|
||||
|
||||
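--- a/flake.lock
+++ b/flake.lock
@@ -0,0 +1,333 @@
+{
+"nodes": {
+"bundlers": {
+"inputs": {
+"nix-appimage": "nix-appimage",
+"nix-bundle": "nix-bundle",
+"nix-utils": "nix-utils",
+"nixpkgs": [
+"cargoxx",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1777842037,
+"narHash": "sha256-E6kwkFsKnU5k/QAX1aNOPfh69G6Im8/EwdRcZR4J0QE=",
+"owner": "NixOS",
+"repo": "bundlers",
+"rev": "7bb70086c2dad3eecae4805f4d758c80e3cba960",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"repo": "bundlers",
+"type": "github"
+}
+},
+"cargoxx": {
+"inputs": {
+"bundlers": "bundlers",
+"flake-utils": "flake-utils_3",
+"nixpkgs": "nixpkgs_2"
+},
+"locked": {
+"lastModified": 1779130481,
+"narHash": "sha256-RLeNukl/4X828SipqJib9sNJhSvcSy8Cck4TVZDgIkY=",
+"ref": "refs/heads/master",
+"rev": "f9932a3ad9ecdcdf5ea2906f1d8698b02b8b3e30",
+"revCount": 65,
+"type": "git",
+"url": "https://git.amadey.xyz/mozart/cargoxx"
+},
+"original": {
+"type": "git",
+"url": "https://git.amadey.xyz/mozart/cargoxx"
+}
+},
+"flake-compat": {
+"flake": false,
+"locked": {
+"lastModified": 1733328505,
+"narHash": "sha256-NeCCThCEP3eCl2l/+27kNNK7QrwZB1IJCrXfrbv5oqU=",
+"owner": "edolstra",
+"repo": "flake-compat",
+"rev": "ff81ac966bb2cae68946d5ed5fc4994f96d0ffec",
+"type": "github"
+},
+"original": {
+"owner": "edolstra",
+"repo": "flake-compat",
+"type": "github"
+}
+},
+"flake-utils": {
+"inputs": {
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"flake-utils_2": {
+"locked": {
+"lastModified": 1623875721,
+"narHash": "sha256-A8BU7bjS5GirpAUv4QA+QnJ4CceLHkcXdRp4xITDB0s=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "f7e004a55b120c02ecb6219596820fcd32ca8772",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"flake-utils_3": {
+"inputs": {
+"systems": "systems_3"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"flake-utils_4": {
+"inputs": {
+"systems": "systems_4"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nix-appimage": {
+"inputs": {
+"flake-compat": "flake-compat",
+"flake-utils": "flake-utils",
+"nixpkgs": [
+"cargoxx",
+"bundlers",
+"nixpkgs"
+]
+},
+"locked": {
+"lastModified": 1757920913,
+"narHash": "sha256-jd0QwCVz4O1sHHkeaZILD/7D6oyalceEJ4EFnWCgm0k=",
+"owner": "ralismark",
+"repo": "nix-appimage",
+"rev": "7946addbc0d97e358a6d7aefe5e82310f0fe6b18",
+"type": "github"
+},
+"original": {
+"owner": "ralismark",
+"repo": "nix-appimage",
+"type": "github"
+}
+},
+"nix-bundle": {
+"inputs": {
+"nixpkgs": [
+"cargoxx",
+"bundlers",
+"nixpkgs"
+],
+"utils": "utils"
+},
+"locked": {
+"lastModified": 1756736056,
+"narHash": "sha256-8YFhvulVX3iS4TYnKisA9zSImJeFN21G75HOUUFjzuE=",
+"owner": "nix-community",
+"repo": "nix-bundle",
+"rev": "eff01593f62794d458ec714090091419194ab64d",
+"type": "github"
+},
+"original": {
+"owner": "nix-community",
+"repo": "nix-bundle",
+"type": "github"
+}
+},
+"nix-utils": {
+"inputs": {
+"flake-utils": "flake-utils_2",
+"nixpkgs": "nixpkgs"
+},
+"locked": {
+"lastModified": 1744222205,
+"narHash": "sha256-di1eNHQdpvvyXv6i7Z+S79KF7cQyhTs7AdFHp7q1e3Q=",
+"owner": "juliosueiras-nix",
+"repo": "nix-utils",
+"rev": "53282197ad090c8cf47c96e99bf6c6c3b2cdc7c0",
+"type": "github"
+},
+"original": {
+"owner": "juliosueiras-nix",
+"repo": "nix-utils",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1629252929,
+"narHash": "sha256-Aj20gmGBs8TG7pyaQqgbsqAQ6cB+TVuL18Pk3DPBxcQ=",
+"owner": "nixos",
+"repo": "nixpkgs",
+"rev": "3788c68def67ca7949e0864c27638d484389363d",
+"type": "github"
+},
+"original": {
+"owner": "nixos",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_2": {
+"locked": {
+"lastModified": 1777954456,
+"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"nixpkgs_3": {
+"locked": {
+"lastModified": 1778869304,
+"narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"cargoxx": "cargoxx",
+"flake-utils": "flake-utils_4",
+"nixpkgs": "nixpkgs_3"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_2": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_3": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"systems_4": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+},
+"utils": {
+"inputs": {
+"systems": "systems_2"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}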
11
flake.nix
11
flake.nix
@@ -5,13 +5,10 @@
|
||||
nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
|
||||
flake-utils.url = "github:numtide/flake-utils";
|
||||
|
||||
# During local development we point at the sibling cargoxx checkout
|
||||
# via an absolute `git+file://` URL. Once the registry lives on Gitea
|
||||
# this becomes a Gitea URL pinned to a specific cargoxx revision —
|
||||
# that pin, alongside `lock.cargoxx_rev` in each recipe, is what
|
||||
# makes registry derivations deterministic across consumers (see
|
||||
# docs/library-reuse-and-publish.md in the cargoxx repo).
|
||||
cargoxx.url = "git+file:///home/mozart/cargoxx";
|
||||
# Gitea-hosted cargoxx. flake.lock pins the exact rev — bump it
|
||||
# explicitly via `nix flake update cargoxx` when the registry should
|
||||
# adopt a newer cargoxx codegen.
|
||||
cargoxx.url = "git+https://git.amadey.xyz/mozart/cargoxx";
|
||||
};
|
||||
|
||||
outputs = { self, nixpkgs, flake-utils, cargoxx }:
|
||||
|
||||
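--- a/recipes/greeter/versions/0.1.1.toml
+++ b/recipes/greeter/versions/0.1.1.toml
@@ -0,0 +1,17 @@
+schema = 1
+name = "greeter"
+version = "0.1.1"
+
+[source]
+type = "git"
+url = "https://git.amadey.xyz/mozart/greeter"
+commit = "d79a99468a158e2b37739404073dcfaab8c12308"
+sha256 = "sha256-1IV9HrdYoQOFcI3bP280/CYsdmuYvuMFK9hvjdanNto="
+
+[lock]
+nixpkgs_rev = "d233902339c02a9c334e7e593de68855ad26c4cb"
+flake_utils_rev = "11707dc2f618dd54ca8739b309ec4fc024de578b"
+
+[meta]
+description = "minimal cargoxx demo library — greets you"
+license = "MIT"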
9
runner/.gitignore
vendored
9
runner/.gitignore
vendored
@@ -1,4 +1,11 @@
|
||||
.env
|
||||
data/
|
||||
flake.lock
|
||||
result
|
||||
|
||||
# Binary cache state + signing keys. The cache.sec must never be
|
||||
# committed; the public key is regenerated per deployment too
|
||||
# (`nix-store --generate-binary-cache-key`).
|
||||
cache/
|
||||
|
||||
# Caddy state: ACME account + issued certs + on-disk config tree.
|
||||
caddy/
|
||||
|
||||
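--- a/runner/Caddyfile
+++ b/runner/Caddyfile
@@ -0,0 +1,43 @@
+# Caddy config for the cargoxx binary cache.
+#
+# The router does PAT (port forwarding) so the *external* world reaches
+# us at the standard 80/443 but the *internal* ports are different.
+# `http_port` and `https_port` below must match the internal ports the
+# router forwards to. Override via runner/.env:
+#
+# CADDY_HTTP_PORT=8080
+# CADDY_HTTPS_PORT=8443
+#
+# (Those env vars are picked up by compose.yml to publish the ports
+# AND injected into this Caddyfile via the {$VAR:default} substitution
+# below — Caddy expands env vars natively.)
+{
+# Internal ports — must equal whatever the router forwards 80/443 to.
+http_port {$CADDY_HTTP_PORT:8080}
+https_port {$CADDY_HTTPS_PORT:8443}
+# ACME's HTTP-01 challenge probe still arrives at host:80 → router
+# → :8080; Caddy answers it on the internal port. Auto cert works
+# as long as the PAT maps 80 → CADDY_HTTP_PORT and 443 → CADDY_HTTPS_PORT.
+email vorontsov@amadey.xyz
+}
+
+cache.cargoxx.amadey.xyz {
+root * /srv/cache
+file_server
+
+# narinfo / nar are immutable per content hash → cache aggressively.
+@cache_immutable path *.narinfo *.nar.xz *.nar
+header @cache_immutable Cache-Control "public, immutable, max-age=31536000"
+
+# Substituter probe; short cache so new entries land quickly.
+@cache_info path /nix-cache-info
+header @cache_info Cache-Control "public, max-age=300"
+
+log {
+output file /data/access.log {
+roll_size 50MiB
+roll_keep 5
+}
+}
+}
+}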
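Review bot: The file ends with four closing braces after `roll_keep 5`, but only three blocks are open at that point (`cache.cargoxx.amadey.xyz {`, `log {` and `output file /data/access.log {`), so the last `}` appears unmatched and Caddy would likely reject the config at startup. Indentation is lost in this rendering, so verify against the file itself, then drop the final `}` and add a `caddy validate --config runner/Caddyfile` step to CI. `file_server` exposes everything under `/srv/cache`, which today is the store volume only; a comment such as `# never place signing keys under this root` would guard against a later layout change putting `cache.sec` in the served tree.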
@@ -46,7 +46,45 @@ Self-hosted Gitea Actions runner that validates package PRs.
|
||||
GITEA_RUNNER_LABELS=self-hosted
|
||||
```
|
||||
|
||||
4. **Start the runner**:
|
||||
4. **Generate the binary-cache signing key** + cache directory. The
|
||||
workflow's "push to binary cache" step writes here; nginx (or
|
||||
anything you point at it) serves it back over HTTPS to consumers.
|
||||
|
||||
```sh
|
||||
mkdir -p cache/store
|
||||
nix-store --generate-binary-cache-key \
|
||||
cache.cargoxx.<your-domain> \
|
||||
cache/cache.sec cache/cache.pub
|
||||
chmod 600 cache/cache.sec
|
||||
```
|
||||
|
||||
The `cache/` directory is gitignored. Both keys live alongside
|
||||
`compose.yml`; the named volume binds use `${PWD}/cache/...`.
|
||||
|
||||
5. **Pick the Caddy ports.** `compose.yml` runs Caddy alongside the
|
||||
runner to HTTPS-front the cache. Because the router does PAT, the
|
||||
*internal* ports Caddy listens on must equal whatever 80/443 are
|
||||
forwarded to. Add to `.env`:
|
||||
|
||||
```env
|
||||
CADDY_HTTP_PORT=8080
|
||||
CADDY_HTTPS_PORT=8443
|
||||
```
|
||||
|
||||
Both compose.yml and the Caddyfile pick those up. The Caddyfile
|
||||
already targets `cache.cargoxx.amadey.xyz` and the e-mail
|
||||
`vorontsov@amadey.xyz`; edit if you're deploying somewhere else.
|
||||
|
||||
ACME provisioning works as long as the router forwards 80 →
|
||||
CADDY_HTTP_PORT and 443 → CADDY_HTTPS_PORT, so Let's Encrypt's
|
||||
HTTP-01 challenge reaches Caddy.
|
||||
|
||||
Consumers' substituter config (`substituters = https://cache.<domain>`,
|
||||
`trusted-public-keys = <cache.pub>`) is baked into cargoxx's own
|
||||
wrapper (`cargoxx/flake.nix:cargoxxNixConfig`), so any installed
|
||||
`cargoxx` binary picks them up — no per-user setup needed.
|
||||
|
||||
6. **Start the runner**:
|
||||
|
||||
```sh
|
||||
docker compose up -d
|
||||
|
||||
@@ -1,9 +1,11 @@
|
||||
# Runs the act_runner that listens to Gitea and spawns one job
|
||||
# container per workflow run. The job image (cargoxx-runner-job:latest)
|
||||
# is built reproducibly from runner/flake.nix — run `nix run .#load-image`
|
||||
# in this directory to load it into the host's Docker daemon before
|
||||
# starting the runner.
|
||||
version: "3.8"
|
||||
# Runs two services on the host:
|
||||
# - act_runner — polls Gitea, spawns one job container per workflow
|
||||
# run via the host docker socket. Job image built reproducibly from
|
||||
# runner/flake.nix (`nix run .#load-image`).
|
||||
# - caddy — HTTPS-fronts the binary cache (./cache/store) so
|
||||
# consumers' substituter config can read it. Custom ports because
|
||||
# the router does PAT (port-forwarding 80→CADDY_HTTP_PORT,
|
||||
# 443→CADDY_HTTPS_PORT). Set those in .env.
|
||||
services:
|
||||
runner:
|
||||
image: docker.io/gitea/act_runner:nightly
|
||||
@@ -18,3 +20,59 @@ services:
|
||||
- ./config.yaml:/config.yaml:ro
|
||||
- ./data:/data
|
||||
- /var/run/docker.sock:/var/run/docker.sock
|
||||
# Binary cache — `validate-pr.yml`'s push step writes `$out` NAR
|
||||
# archives here. Named volumes (defined below) make the same
|
||||
# storage reachable from this runner container AND every job
|
||||
# container act_runner spawns AND the caddy frontend below.
|
||||
- cargoxx-cache-store:/srv/cargoxx-cache/store
|
||||
- cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro
|
||||
|
||||
caddy:
|
||||
image: docker.io/caddy:2
|
||||
restart: unless-stopped
|
||||
ports:
|
||||
- "${CADDY_HTTP_PORT:-8080}:${CADDY_HTTP_PORT:-8080}"
|
||||
- "${CADDY_HTTPS_PORT:-8443}:${CADDY_HTTPS_PORT:-8443}"
|
||||
environment:
|
||||
CADDY_HTTP_PORT: "${CADDY_HTTP_PORT:-8080}"
|
||||
CADDY_HTTPS_PORT: "${CADDY_HTTPS_PORT:-8443}"
|
||||
volumes:
|
||||
- ./Caddyfile:/etc/caddy/Caddyfile:ro
|
||||
- cargoxx-cache-store:/srv/cache:ro
|
||||
- caddy-data:/data
|
||||
- caddy-config:/config
|
||||
|
||||
volumes:
|
||||
cargoxx-cache-store:
|
||||
# Explicit name disables compose's project-prefix so spawned job
|
||||
# containers (which don't know about compose) can reference the
|
||||
# same volume by the same name.
|
||||
name: cargoxx-cache-store
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/cache/store"
|
||||
cargoxx-cache-keys:
|
||||
name: cargoxx-cache-keys
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/cache/keys"
|
||||
caddy-data:
|
||||
# Caddy's own state: ACME account, issued certificates, OCSP
|
||||
# staples. Persist so we don't re-issue certs every restart.
|
||||
name: caddy-data
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/caddy/data"
|
||||
caddy-config:
|
||||
name: caddy-config
|
||||
driver: local
|
||||
driver_opts:
|
||||
type: none
|
||||
o: bind
|
||||
device: "${PWD}/caddy/config"
|
||||
|
||||
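Review bot: The four named volumes use the `local` driver with `o: bind`, which mounts an existing host directory rather than creating it, yet the setup steps added in this change only run `mkdir -p cache/store` and write the key to `cache/cache.sec`. `cargoxx-cache-keys` binds `${PWD}/cache/keys` and the workflow reads `/srv/cargoxx-cache/keys/cache.sec`, so with the documented layout the key ends up outside the mounted directory and `cache/keys`, `caddy/data` and `caddy/config` are missing at first start. Align the two, e.g. `mkdir -p cache/store cache/keys caddy/data caddy/config` and generate the key as `cache/keys/cache.sec`. `${PWD}` also ties the binds to the directory `docker compose` is invoked from, which deserves a comment next to the first `device:` line. `docker.io/caddy:2` is a floating tag; pinning a digest would make the TLS front end as reproducible as the job image.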
@@ -18,9 +18,19 @@ cache:
|
||||
container:
|
||||
network: bridge
|
||||
privileged: false
|
||||
options: ""
|
||||
# Bind the binary cache into every job container by referencing the
|
||||
# named volumes defined in compose.yml — those, in turn, are bound
|
||||
# to ./cache/{store,cache.sec} via `${PWD}` so the path is
|
||||
# deployment-relative, not absolute.
|
||||
options: "-v cargoxx-cache-store:/srv/cargoxx-cache/store
|
||||
-v cargoxx-cache-keys:/srv/cargoxx-cache/keys:ro"
|
||||
workdir_parent: /workspace
|
||||
valid_volumes: []
|
||||
# Whitelist regex of bind specs act_runner forwards to spawned job
|
||||
# containers. The regex matches the full `source:target[:opts]`
|
||||
# string, so a permissive prefix is enough.
|
||||
valid_volumes:
|
||||
- "cargoxx-cache-store"
|
||||
- "cargoxx-cache-keys"
|
||||
docker_host: "unix:///var/run/docker.sock"
|
||||
force_pull: false
|
||||
|
||||
|
||||
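Review bot: `options` now mounts `cargoxx-cache-keys` into every job container this runner starts, so any workflow step, including code from an unmerged PR, can read the cache signing key; `:ro` only prevents it from being modified. Combined with the writable `cargoxx-cache-store` mount, a job could place and sign store paths that consumers trusting the cache's public key would accept. Consider keeping the key out of job containers and signing in a separate trusted step, or on a dedicated runner label used only for post-merge jobs. The `valid_volumes` comment describes the entries as a regex, while act_runner's documentation describes them as glob patterns, so the comment should read `# Allow-list of glob patterns for volumes …` once confirmed against the runner version in use.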
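--- a/runner/flake.lock
+++ b/runner/flake.lock
@@ -0,0 +1,61 @@
+{
+"nodes": {
+"flake-utils": {
+"inputs": {
+"systems": "systems"
+},
+"locked": {
+"lastModified": 1731533236,
+"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
+"owner": "numtide",
+"repo": "flake-utils",
+"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
+"type": "github"
+},
+"original": {
+"owner": "numtide",
+"repo": "flake-utils",
+"type": "github"
+}
+},
+"nixpkgs": {
+"locked": {
+"lastModified": 1778869304,
+"narHash": "sha256-30sZNZoA1cqF5JNO9fVX+wgiQYjB7HJqqJ4ztCDeBZE=",
+"owner": "NixOS",
+"repo": "nixpkgs",
+"rev": "d233902339c02a9c334e7e593de68855ad26c4cb",
+"type": "github"
+},
+"original": {
+"owner": "NixOS",
+"ref": "nixos-unstable",
+"repo": "nixpkgs",
+"type": "github"
+}
+},
+"root": {
+"inputs": {
+"flake-utils": "flake-utils",
+"nixpkgs": "nixpkgs"
+}
+},
+"systems": {
+"locked": {
+"lastModified": 1681028828,
+"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+"owner": "nix-systems",
+"repo": "default",
+"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+"type": "github"
+},
+"original": {
+"owner": "nix-systems",
+"repo": "default",
+"type": "github"
+}
+}
+},
+"root": "root",
+"version": 7
+}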