oci-images/nixos-runner
1
0
Fork 0
Code Issues 1 Pull requests Packages 1 Wiki Activity Actions

Flake: build nix containers

Browse source 
* Add flake for building nixos containers for forgejo actions
This commit is contained in:
Julian Stiller 2025-02-06 14:49:20 +01:00
parent 74b4cf63fe
commit 50181d9e57
3 changed files with 275 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
fake_nixpkgs/default.nix Normal file
View file

@ -0,0 +1,10 @@
_:
throw ''
This container doesn't include nixpkgs.
The best way to work around that is to pin your dependencies. See
https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
Or if you must, override the NIX_PATH environment variable with eg:
"NIX_PATH=nixpkgs=channel:nixos-unstable"
''

78
flake.lock generated Normal file
View file

@ -0,0 +1,78 @@
{
"nodes": {
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1738702386,
"narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-24.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1738680400,
"narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "799ba5bffed04ced7067a91798353d360788b30d",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-unstable": "nixpkgs-unstable"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

187
flake.nix Normal file
View file

@ -0,0 +1,187 @@
{
description = "Nix-based oci images for actions";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
};
outputs =
{
self,
nixpkgs,
nixpkgs-unstable,
flake-utils,
}:
flake-utils.lib.eachDefaultSystem (
system:
let
inherit (nixpkgs) lib;
imagePackages =
pkgs: with pkgs; [
bashInteractive
cacert
coreutils
curl
docker
findutils
gawk
gitFull
gnugrep
gnutar
gzip
jq
nodejs
openssl
openssh
rsync
sudo
wget
xz
makeWrapper
bats
shellcheck
reuse
lix
sops
nvd
];
containerLambda =
name: tag: pkgs':
let
pkgs = import pkgs' { inherit system; };
in
pkgs.dockerTools.buildImageWithNixDb {
name = "git.flyinggecko.org/oci-images/nixos-runner/${name}";
tag = tag;
copyToRoot =
with pkgs;
(imagePackages pkgs)
++ [
(pkgs.writeTextFile {
name = "passwd";
destination = "/etc/passwd";
text = builtins.concatStringsSep "\n" [
"root:x:0:0:System administrator:/root:/bin/bash"
"nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin"
"nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin"
"nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin"
];
})
(pkgs.writeTextFile {
name = "group";
destination = "/etc/group";
text = builtins.concatStringsSep "\n" [
"root:x:0:"
"wheel:x:1:"
"kmem:x:2:"
"tty:x:3:"
"messagebus:x:4:"
"disk:x:6:"
"audio:x:17:"
"floppy:x:18:"
"uucp:x:19:"
"lp:x:20:"
"cdrom:x:24:"
"tape:x:25:"
"video:x:26:"
"dialout:x:27:"
"utmp:x:29:"
"adm:x:55:"
"keys:x:96:"
"users:x:100:"
"input:x:174:"
"nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9"
"nogroup:x:65534:"
];
})
(pkgs.writeTextFile {
name = "nsswitch.conf";
destination = "/etc/nsswitch.conf";
text = builtins.concatStringsSep "\n" [
"passwd: files mymachines systemd"
"group: files mymachines systemd"
"shadow: files"
"hosts: files mymachines dns myhostname"
"networks: files"
"ethers: files"
"services: files"
"protocols: files"
"rpc: files"
];
})
(pkgs.writeTextFile {
name = "nix.conf";
destination = "/etc/nix/nix.conf";
text = builtins.concatStringsSep "\n" [
"accept-flake-config = true"
"experimental-features = nix-command flakes"
"substituters = https://cache.nixos.org"
"trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
];
})
];
extraCommands = builtins.concatStringsSep "\n" [
# /usr/bin/env
"mkdir usr"
"ln -s ../bin usr/bin"
# create /tmp
"mkdir -m 1777 tmp"
# root needs a home
"mkdir -vp root"
];
config = {
Cmd = [ "/bin/bash" ];
Env = [
"LANG=en_GB.UTF-8"
"ENV=/etc/profile.d/nix.sh"
"BASH_ENV=/etc/profile.d/nix.sh"
"NIX_BUILD_SHELL=/bin/bash"
"NIX_PATH=nixpkgs=${./fake_nixpkgs}"
"PAGER=cat"
"PATH=/usr/bin:/bin"
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
"USER=root"
];
};
};
in
{
packages = {
nixos-2411 = containerLambda "nixos" "24.11" nixpkgs;
nixos-unstable = containerLambda "nixos" "unstable" nixpkgs-unstable;
};
}
);
}