Commit f1d4b72
Changed files (2)
flake.nix
@@ -15,233 +15,13 @@
];
perSystem = {
- inputs',
pkgs,
+ inputs',
...
- }: let
- nix2container = inputs'.nix2container.packages.nix2container;
-
- fakeNss = pkgs.dockerTools.fakeNss.override {
- extraPasswdLines = [
- "podman:x:1000:1000:Podman user:/home/podman:/bin/bash"
- "nixbld1:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld2:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld3:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld4:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld5:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld6:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld7:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld8:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld9:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- "nixbld10:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
- ];
- extraGroupLines = [
- "podman:x:1000:podman"
- "nixbld:x:999:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10"
- ];
- };
-
- mkNixConf = pkgs.runCommand "nix-act-image-etc" {} ''
- mkdir -p $out/etc/nix
- echo "experimental-features = nix-command flakes" > $out/etc/nix/nix.conf
- '';
- mkTmp = pkgs.runCommand "nix-act-image-tmp" {} ''
- mkdir -p $out/tmp
- mkdir -p $out/var/tmp
- '';
-
- mkPodmanConfig = pkgs.runCommand "podman-config" {} ''
- mkdir -p $out/etc/containers
- mkdir -p $out/home/podman
- mkdir -p $out/var/lib/containers
- mkdir -p $out/var/lib/shared/overlay-images
- mkdir -p $out/var/lib/shared/overlay-layers
- mkdir -p $out/var/lib/shared/vfs-images
- mkdir -p $out/var/lib/shared/vfs-layers
- mkdir -p $out/run
-
- touch $out/var/lib/shared/overlay-images/images.lock
- touch $out/var/lib/shared/overlay-layers/layers.lock
- touch $out/var/lib/shared/vfs-images/images.lock
- touch $out/var/lib/shared/vfs-layers/layers.lock
-
- cat > $out/etc/containers/containers.conf << 'EOF'
- [containers]
- netns="host"
- userns="host"
- ipcns="host"
- utsns="host"
- cgroupns="host"
- cgroups="disabled"
- log_driver = "k8s-file"
- [engine]
- cgroup_manager = "cgroupfs"
- events_logger="file"
- runtime="crun"
- EOF
-
- cat > $out/etc/containers/containers.conf.rootless << 'EOF'
- [containers]
- volumes = [
- "/proc:/proc",
- ]
- default_sysctls = []
- EOF
-
- cat > $out/etc/containers/storage.conf << 'EOF'
- [storage]
- driver = "overlay"
- runroot = "/run/containers/storage"
- graphroot = "/var/lib/containers/storage"
- [storage.options]
- mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
- mountopt = "nodev,fsync=0"
- additionalimagestores = [
- "/var/lib/shared",
- ]
- [storage.options.overlay]
- ignore_chown_errors = "true"
- EOF
-
- cat > $out/etc/containers/mounts.conf << 'EOF'
- /run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement
- /run/secrets/rhsm:/run/secrets/rhsm
- EOF
-
- cat > $out/etc/containers/policy.json << 'EOF'
- {"default":[{"type":"insecureAcceptAnything"}]}
- EOF
- '';
-
- mkSubugid = pkgs.runCommand "subugid" {} ''
- mkdir -p $out/etc
- cat > $out/etc/subuid << 'EOF'
- root:1:999
- root:1001:64535
- podman:1:999
- podman:1001:64535
- EOF
- cat > $out/etc/subgid << 'EOF'
- root:1:999
- root:1001:64535
- podman:1:999
- podman:1001:64535
- EOF
- '';
- in {
- packages.default = nix2container.buildImage {
+ }: {
+ packages.default = pkgs.callPackage ./package.nix {
+ nix2container = inputs'.nix2container.packages.nix2container;
name = "repo.hpcesia.com/HPCesia/nix-act-image";
- tag = "latest";
- initializeNixDatabase = true;
- maxLayers = 42;
-
- copyToRoot = [
- (pkgs.buildEnv {
- name = "root";
- paths = with pkgs; [
- # Basic
- bash
- coreutils
- docker-client
- pkgs.dockerTools.caCertificates
- pkgs.dockerTools.usrBinEnv
- fakeNss
- mkNixConf
- mkTmp
- nix
- nodejs_24
-
- # Network
- aria2
- cacert
- curl
- dnsutils
- openssh
- wget
-
- # Git
- gitMinimal
- git-lfs
-
- # Archive
- gnutar
- gzip
- p7zip
- unzip
- xz
- zip
- zstd
-
- # Build
- autoconf
- automake
- gcc
- gnumake
- m4
- patchelf
-
- # Misc
- binutils
- file
- findutils
- gawk
- gnugrep
- gnupg
- gnused
- jq
- parallel
- python3
- rsync
- sqlite
- sudo
- tree
- yq
-
- # Podman in Podman
- fuse-overlayfs
- mkPodmanConfig
- podman
- shadow
- ];
- })
- mkSubugid
- ];
- perms = [
- {
- path = mkTmp;
- regex = ".*";
- mode = "1777";
- }
- {
- path = mkPodmanConfig;
- regex = "home/podman";
- mode = "0777";
- }
- {
- path = pkgs.shadow;
- regex = "bin/new[ug]idmap";
- mode = "4555";
- }
- ];
- config = {
- Entrypoint = ["/bin/bash"];
- Env = [
- "USER=root"
- "HOME=/"
- "PATH=/bin"
- "NIX_PAGER=cat"
- "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- "DOCKER_HOST=unix:///run/user/1000/podman/podman.sock"
- "CONTAINERS_STORAGE=/var/lib/containers/storage"
- "_CONTAINERS_USERNS_CONFIGURED="
- "BUILDAH_ISOLATION=chroot"
- ];
- Labels = {
- "org.opencontainers.image.source" = "https://codeberg.org/HPCesia/nix-act-image";
- "org.opencontainers.image.description" = "A Nix based container for Forgejo Actions";
- "org.opencontainers.image.licenses" = pkgs.lib.licenses.mit.spdxId;
- };
- };
};
};
});
package.nix
@@ -0,0 +1,221 @@
+{
+ pkgs,
+ nix2container,
+ name,
+}: let
+ fakeNss = pkgs.dockerTools.fakeNss.override {
+ extraPasswdLines = [
+ "podman:x:1000:1000:Podman user:/home/podman:/bin/bash"
+ "nixbld1:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld2:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld3:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld4:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld5:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld6:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld7:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld8:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld9:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ "nixbld10:!:999:999:Nix build user 1:/var/empty:/sbin/nologin"
+ ];
+ extraGroupLines = [
+ "podman:x:1000:podman"
+ "nixbld:x:999:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10"
+ ];
+ };
+
+ mkNixConf = pkgs.runCommand "nix-act-image-etc" {} ''
+ mkdir -p $out/etc/nix
+ echo "experimental-features = nix-command flakes" > $out/etc/nix/nix.conf
+ '';
+
+ mkTmp = pkgs.runCommand "nix-act-image-tmp" {} ''
+ mkdir -p $out/tmp
+ mkdir -p $out/var/tmp
+ '';
+
+ mkPodmanConfig = pkgs.runCommand "podman-config" {} ''
+ mkdir -p $out/etc/containers
+ mkdir -p $out/home/podman
+ mkdir -p $out/var/lib/containers
+ mkdir -p $out/var/lib/shared/overlay-images
+ mkdir -p $out/var/lib/shared/overlay-layers
+ mkdir -p $out/var/lib/shared/vfs-images
+ mkdir -p $out/var/lib/shared/vfs-layers
+ mkdir -p $out/run
+
+ touch $out/var/lib/shared/overlay-images/images.lock
+ touch $out/var/lib/shared/overlay-layers/layers.lock
+ touch $out/var/lib/shared/vfs-images/images.lock
+ touch $out/var/lib/shared/vfs-layers/layers.lock
+
+ cat > $out/etc/containers/containers.conf << 'EOF'
+ [containers]
+ netns="host"
+ userns="host"
+ ipcns="host"
+ utsns="host"
+ cgroupns="host"
+ cgroups="disabled"
+ log_driver = "k8s-file"
+ [engine]
+ cgroup_manager = "cgroupfs"
+ events_logger="file"
+ runtime="crun"
+ EOF
+
+ cat > $out/etc/containers/containers.conf.rootless << 'EOF'
+ [containers]
+ volumes = [
+ "/proc:/proc",
+ ]
+ default_sysctls = []
+ EOF
+
+ cat > $out/etc/containers/storage.conf << 'EOF'
+ [storage]
+ driver = "overlay"
+ runroot = "/run/containers/storage"
+ graphroot = "/var/lib/containers/storage"
+ [storage.options]
+ mount_program = "${pkgs.fuse-overlayfs}/bin/fuse-overlayfs"
+ mountopt = "nodev,fsync=0"
+ additionalimagestores = [
+ "/var/lib/shared",
+ ]
+ [storage.options.overlay]
+ ignore_chown_errors = "true"
+ EOF
+
+ cat > $out/etc/containers/mounts.conf << 'EOF'
+ /run/secrets/etc-pki-entitlement:/run/secrets/etc-pki-entitlement
+ /run/secrets/rhsm:/run/secrets/rhsm
+ EOF
+
+ cat > $out/etc/containers/policy.json << 'EOF'
+ {"default":[{"type":"insecureAcceptAnything"}]}
+ EOF
+ '';
+
+ mkSubugid = pkgs.runCommand "subugid" {} ''
+ mkdir -p $out/etc
+ cat > $out/etc/subuid << 'EOF'
+ root:1:999
+ root:1001:64535
+ podman:1:999
+ podman:1001:64535
+ EOF
+ cat > $out/etc/subgid << 'EOF'
+ root:1:999
+ root:1001:64535
+ podman:1:999
+ podman:1001:64535
+ EOF
+ '';
+in
+ nix2container.buildImage {
+ inherit name;
+ tag = "latest";
+ initializeNixDatabase = true;
+ maxLayers = 42;
+
+ copyToRoot = [
+ (pkgs.buildEnv {
+ name = "root";
+ paths = with pkgs; [
+ bash
+ coreutils
+ docker-client
+ dockerTools.caCertificates
+ dockerTools.usrBinEnv
+ fakeNss
+ mkNixConf
+ mkTmp
+ nix
+ nodejs_24
+
+ aria2
+ cacert
+ curl
+ dnsutils
+ openssh
+ wget
+
+ gitMinimal
+ git-lfs
+
+ gnutar
+ gzip
+ p7zip
+ unzip
+ xz
+ zip
+ zstd
+
+ autoconf
+ automake
+ gcc
+ gnumake
+ m4
+ patchelf
+
+ binutils
+ file
+ findutils
+ gawk
+ gnugrep
+ gnupg
+ gnused
+ jq
+ parallel
+ python3
+ rsync
+ sqlite
+ sudo
+ tree
+ yq
+
+ fuse-overlayfs
+ mkPodmanConfig
+ podman
+ shadow
+ ];
+ })
+ mkSubugid
+ ];
+ perms = [
+ {
+ path = mkTmp;
+ regex = ".*";
+ mode = "1777";
+ }
+ {
+ path = mkPodmanConfig;
+ regex = "home/podman";
+ mode = "0777";
+ }
+ {
+ path = pkgs.shadow;
+ regex = "bin/new[ug]idmap";
+ mode = "4555";
+ }
+ ];
+ config = {
+ Entrypoint = ["/bin/bash"];
+ Env = [
+ "USER=root"
+ "HOME=/"
+ "PATH=/bin"
+ "NIX_PAGER=cat"
+ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "DOCKER_HOST=unix:///run/user/1000/podman/podman.sock"
+ "CONTAINERS_STORAGE=/var/lib/containers/storage"
+ "_CONTAINERS_USERNS_CONFIGURED="
+ "BUILDAH_ISOLATION=chroot"
+ ];
+ Labels = {
+ "org.opencontainers.image.source" = "https://codeberg.org/HPCesia/nix-act-image";
+ "org.opencontainers.image.description" = "A Nix based container for Forgejo Actions";
+ "org.opencontainers.image.licenses" = pkgs.lib.licenses.mit.spdxId;
+ };
+ };
+ }
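Review bot: The `policy.json` written on the `mkPodmanConfig` line `{"default":[{"type":"insecureAcceptAnything"}]}` disables image signature verification for every registry the inner podman pulls from, and nothing in the new file records that this is deliberate; a comment above that heredoc such as `# Accept unsigned images from any registry; tighten per-registry if this image ever pulls from untrusted sources` would make the trade-off reviewable. The move also dropped the `# Basic`, `# Network`, `# Git`, `# Archive`, `# Build`, `# Misc` and `# Podman in Podman` grouping comments that the removed flake.nix block carried over the `paths` list; restoring them keeps the list navigable. Since `name` is now a parameter, `tag = "latest"` could follow the same pattern with `tag ? "latest",` in the argument set and `inherit name tag;` in `buildImage`. The ten `nixbldN` passwd lines all carry uid/gid 999 and the description "Nix build user 1", which looks like a copy-paste artifact — presumably harmless if only the group membership matters here, but worth confirming or noting in a comment.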