refactor(nixery): expose launch script derivation

Simplifies reusing the launch script in use-cases other than the
"official" Nixery image.

Relates to nixery#166

Change-Id: Iaf1dff385ce270792253551081c1b2fca6400037
Reviewed-on: https://cl.tvl.fyi/c/depot/+/11046
Autosubmit: tazjin <tazjin@tvl.su>
Reviewed-by: flokli <flokli@flokli.de>
Tested-by: BuildkiteCI
Vincent Ambo 2024-02-28 15:55:51 +03:00 committed by clbot
parent bc06e4d99c
commit a412791752


@ -72,60 +72,58 @@ depot.nix.readTree.drvTargets rec {
}; };
}; };
# Wrapper script for the wrapper script (meta!) which configures
# the container environment appropriately.
#
# Most importantly, sandboxing is disabled to avoid privilege
# issues in containers.
nixery-launch-script = writeShellScriptBin "nixery" ''
set -e
export PATH=${coreutils}/bin:$PATH
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
mkdir -p /tmp
# Create the build user/group required by Nix
echo 'nixbld:x:30000:nixbld' >> /etc/group
echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
echo 'root:x:0:' >> /etc/group
# Disable sandboxing to avoid running into privilege issues
mkdir -p /etc/nix
echo 'sandbox = false' >> /etc/nix/nix.conf
# In some cases users building their own image might want to
# customise something on the inside (e.g. set up an environment
# for keys or whatever).
#
# This can be achieved by setting a 'preLaunch' script.
${preLaunch}
exec ${nixery}/bin/server
'';
# Container image containing Nixery and Nix itself. This image can # Container image containing Nixery and Nix itself. This image can
# be run on Kubernetes, published on AppEngine or whatever else is # be run on Kubernetes, published on AppEngine or whatever else is
# desired. # desired.
nixery-image = nixery-image = dockerTools.buildLayeredImage {
let name = "nixery";
# Wrapper script for the wrapper script (meta!) which configures config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
# the container environment appropriately.
#
# Most importantly, sandboxing is disabled to avoid privilege
# issues in containers.
nixery-launch-script = writeShellScriptBin "nixery" ''
set -e
export PATH=${coreutils}/bin:$PATH
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
mkdir -p /tmp
# Create the build user/group required by Nix inherit maxLayers;
echo 'nixbld:x:30000:nixbld' >> /etc/group contents = [
echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd bashInteractive
echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd cacert
echo 'root:x:0:' >> /etc/group coreutils
git
# Disable sandboxing to avoid running into privilege issues gnutar
mkdir -p /etc/nix gzip
echo 'sandbox = false' >> /etc/nix/nix.conf iana-etc
nix
# In some cases users building their own image might want to nixery-prepare-image
# customise something on the inside (e.g. set up an environment nixery-launch-script
# for keys or whatever). openssh
# zlib
# This can be achieved by setting a 'preLaunch' script. ] ++ extraPackages;
${preLaunch} };
exec ${nixery}/bin/server
'';
in
dockerTools.buildLayeredImage {
name = "nixery";
config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
inherit maxLayers;
contents = [
bashInteractive
cacert
coreutils
git
gnutar
gzip
iana-etc
nix
nixery-prepare-image
nixery-launch-script
openssh
zlib
] ++ extraPackages;
};
} }
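Review bot: Now that nixery-launch-script is a reusable top-level derivation, the unconditional `>>` appends in its body to /etc/group, /etc/passwd and /etc/nix/nix.conf will write duplicate entries whenever the script runs more than once on the same filesystem or in an image that already defines those users, a situation the former let-bound use inside the official image never had to handle. Guarding each append, e.g. `grep -q '^nixbld:' /etc/group || echo 'nixbld:x:30000:nixbld' >> /etc/group`, keeps reruns idempotent, though note that the script only adds coreutils to PATH, so a pure-shell test or an added grep on PATH would be needed. The derivation comment should also state that the script mutates /etc/passwd, /etc/group and /etc/nix/nix.conf and disables the Nix sandbox, so anyone reusing it outside the official image knows what it does to the container. The enclosing attribute set starts outside the hunk, so I cannot confirm that `preLaunch`, `coreutils` and `nixery` are still in scope at the script's new top-level position.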