refactor(nixery): expose launch script derivation
Simplifies reusing the launch script in other use-cases than the "official" Nixery image. Relates to nixery#166 Change-Id: Iaf1dff385ce270792253551081c1b2fca6400037 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11046 Autosubmit: tazjin <tazjin@tvl.su> Reviewed-by: flokli <flokli@flokli.de> Tested-by: BuildkiteCI
parent
bc06e4d99c
commit
a412791752
1 changed files with 50 additions and 52 deletions
@ -72,60 +72,58 @@ depot.nix.readTree.drvTargets rec {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
# Wrapper script for the wrapper script (meta!) which configures
|
||||||
|
# the container environment appropriately.
|
||||||
|
#
|
||||||
|
# Most importantly, sandboxing is disabled to avoid privilege
|
||||||
|
# issues in containers.
|
||||||
|
nixery-launch-script = writeShellScriptBin "nixery" ''
|
||||||
|
set -e
|
||||||
|
export PATH=${coreutils}/bin:$PATH
|
||||||
|
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
|
||||||
|
mkdir -p /tmp
|
||||||
|
|
||||||
|
# Create the build user/group required by Nix
|
||||||
|
echo 'nixbld:x:30000:nixbld' >> /etc/group
|
||||||
|
echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
|
||||||
|
echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
|
||||||
|
echo 'root:x:0:' >> /etc/group
|
||||||
|
|
||||||
|
# Disable sandboxing to avoid running into privilege issues
|
||||||
|
mkdir -p /etc/nix
|
||||||
|
echo 'sandbox = false' >> /etc/nix/nix.conf
|
||||||
|
|
||||||
|
# In some cases users building their own image might want to
|
||||||
|
# customise something on the inside (e.g. set up an environment
|
||||||
|
# for keys or whatever).
|
||||||
|
#
|
||||||
|
# This can be achieved by setting a 'preLaunch' script.
|
||||||
|
${preLaunch}
|
||||||
|
|
||||||
|
exec ${nixery}/bin/server
|
||||||
|
'';
|
||||||
|
|
||||||
# Container image containing Nixery and Nix itself. This image can
|
# Container image containing Nixery and Nix itself. This image can
|
||||||
# be run on Kubernetes, published on AppEngine or whatever else is
|
# be run on Kubernetes, published on AppEngine or whatever else is
|
||||||
# desired.
|
# desired.
|
||||||
nixery-image =
|
nixery-image = dockerTools.buildLayeredImage {
|
||||||
let
|
name = "nixery";
|
||||||
# Wrapper script for the wrapper script (meta!) which configures
|
config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
|
||||||
# the container environment appropriately.
|
|
||||||
#
|
|
||||||
# Most importantly, sandboxing is disabled to avoid privilege
|
|
||||||
# issues in containers.
|
|
||||||
nixery-launch-script = writeShellScriptBin "nixery" ''
|
|
||||||
set -e
|
|
||||||
export PATH=${coreutils}/bin:$PATH
|
|
||||||
export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
|
|
||||||
mkdir -p /tmp
|
|
||||||
|
|
||||||
# Create the build user/group required by Nix
|
inherit maxLayers;
|
||||||
echo 'nixbld:x:30000:nixbld' >> /etc/group
|
contents = [
|
||||||
echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
|
bashInteractive
|
||||||
echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
|
cacert
|
||||||
echo 'root:x:0:' >> /etc/group
|
coreutils
|
||||||
|
git
|
||||||
# Disable sandboxing to avoid running into privilege issues
|
gnutar
|
||||||
mkdir -p /etc/nix
|
gzip
|
||||||
echo 'sandbox = false' >> /etc/nix/nix.conf
|
iana-etc
|
||||||
|
nix
|
||||||
# In some cases users building their own image might want to
|
nixery-prepare-image
|
||||||
# customise something on the inside (e.g. set up an environment
|
nixery-launch-script
|
||||||
# for keys or whatever).
|
openssh
|
||||||
#
|
zlib
|
||||||
# This can be achieved by setting a 'preLaunch' script.
|
] ++ extraPackages;
|
||||||
${preLaunch}
|
};
|
||||||
|
|
||||||
exec ${nixery}/bin/server
|
|
||||||
'';
|
|
||||||
in
|
|
||||||
dockerTools.buildLayeredImage {
|
|
||||||
name = "nixery";
|
|
||||||
config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
|
|
||||||
|
|
||||||
inherit maxLayers;
|
|
||||||
contents = [
|
|
||||||
bashInteractive
|
|
||||||
cacert
|
|
||||||
coreutils
|
|
||||||
git
|
|
||||||
gnutar
|
|
||||||
gzip
|
|
||||||
iana-etc
|
|
||||||
nix
|
|
||||||
nixery-prepare-image
|
|
||||||
nixery-launch-script
|
|
||||||
openssh
|
|
||||||
zlib
|
|
||||||
] ++ extraPackages;
|
|
||||||
};
|
|
||||||
}
|
}
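Review bot: The user/group setup in `nixery-launch-script` appends to `/etc/passwd` and `/etc/group` unconditionally, and now that the script is its own derivation meant for reuse in other images, a base image that already ships those files (or a container restarted on a persisted filesystem) ends up with duplicate `root`/`nixbld` entries, where typically the first matching line silently wins. Guarding each line keeps the official image's behaviour and makes the script safe to reuse, e.g. `grep -q '^nixbld:' /etc/group || echo 'nixbld:x:30000:nixbld' >> /etc/group`, and likewise for the other three `echo` lines. Since reuse is the point of the change, the header comment should also state what the script assumes of its host image: it presumably has to run as root with a writable `/etc` and `/tmp`, it expects a CA bundle at `/etc/ssl/certs/ca-bundle.crt` (provided by `cacert` in the official image's `contents`, but not necessarily elsewhere), and it disables the Nix build sandbox through `/etc/nix/nix.conf`, so builds of whatever packages Nixery is asked for run with only the container's own isolation. The enclosing `depot.nix.readTree.drvTargets rec { … }` set starts before this hunk.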