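{
  description = "OCI image for cargoxx-pkgs CI jobs: nix + tea + git + jq";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };

        # Single-user nix config — same defaults used by the cargoxx
        # distribution wrapper. Avoids the multi-user nixbld group
        # requirement; sandbox disabled because the runner container
        # itself doesn't usually have user-namespace support.
        #
        # Note on `accept-flake-config = true`: any flake evaluated inside
        # this image may then extend `substituters` / `trusted-public-keys`
        # through its own `nixConfig` without a prompt. That is fine for
        # trusted repositories, but a checkout from an untrusted source
        # could point the job at a binary cache of its choosing. If jobs
        # ever build untrusted code, set this to false and pin the allowed
        # substituters here instead.
        nixConfig = ''
          experimental-features = nix-command flakes
          build-users-group =
          sandbox = false
          accept-flake-config = true
        '';

        # The image is bound once so that `packages.default` and the
        # `load-image` app below refer to the very same derivation.
        image = pkgs.dockerTools.buildLayeredImage {
          name = "cargoxx-runner-job";
          # Mutable tag: each `docker load` silently replaces the previous
          # `latest`; use the store path of the result if you need to pin.
          tag = "latest";

          contents = with pkgs; [
            bashInteractive
            coreutils
            findutils
            gawk
            gnugrep
            gnused
            gnutar
            gzip
            xz

            nix
            git
            curl
            jq
            tea
            nodejs_20 # JS-based actions/checkout@v4 etc. need `node` on PATH

            cacert
            iana-etc
          ];

          # Skeleton filesystem layout: /tmp, /etc/passwd for nix,
          # writable nix store, cacert pointer.
          # The same nix config is written to /etc/nix/nix.conf and exported
          # as NIX_CONFIG below so it applies even if a job ships its own
          # config file.
          extraCommands = ''
            mkdir -p tmp etc/nix nix/var/{nix,log/nix} root
            chmod 1777 tmp

            cat > etc/passwd <<'EOF'
            root:x:0:0:root:/root:/bin/bash
            nobody:x:65534:65534:nobody:/var/empty:/bin/false
            EOF
            cat > etc/group <<'EOF'
            root:x:0:
            nobody:x:65534:
            EOF
            cat > etc/nix/nix.conf <<'EOF'
            ${nixConfig}
            EOF
          '';

          # No `User` is set, so the container starts as root (uid 0); the
          # single-user nix setup above and HOME/USER below assume that.
          config = {
            Env = [
              "PATH=/bin:/usr/bin"
              "NIX_CONFIG=${nixConfig}"
              "NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
              "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
              "HOME=/root"
              "USER=root"
            ];
            Cmd = [ "/bin/bash" ];
            WorkingDir = "/root";
          };
        };
      in {
        packages.default = image;

        # `nix run .#load-image` builds the image and pipes it into the
        # local Docker daemon — no registry needed for single-host
        # deployments.
        #
        # The script references the image derivation directly instead of
        # shelling out to `nix build .#default`, so it loads the image of
        # *this* flake regardless of the working directory `nix run` is
        # invoked from, and does not need a second nix invocation.
        apps.load-image = {
          type = "app";
          program = toString (pkgs.writeShellScript "load-image" ''
            set -euo pipefail
            img=${image}
            echo "loading $img into docker…"
            ${pkgs.docker}/bin/docker load < "$img"
          '');
        };
      });
}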