Diffstat (limited to 'tools/nixery/default.nix')
-rw-r--r--tools/nixery/default.nix169
1 files changed, 87 insertions, 82 deletions
diff --git a/tools/nixery/default.nix b/tools/nixery/default.nix
index b5575be507..91eabca960 100644
--- a/tools/nixery/default.nix
+++ b/tools/nixery/default.nix
@@ -19,106 +19,111 @@
 with pkgs;
 
 let
-  inherit (pkgs) buildGoModule;
+  inherit (pkgs) buildGoModule lib;
 
   # Avoid extracting this from git until we have a way to plumb
   # through revision numbers.
   nixery-commit-hash = "depot";
+in
+depot.nix.readTree.drvTargets rec {
+  # Implementation of the Nix image building logic
+  nixery-prepare-image = import ./prepare-image { inherit pkgs; };
+
+  # Include the Nixery website into the Nix store, unless its being
+  # overridden to something else. Nixery will serve this as its front
+  # page when visited from a browser.
+  nixery-web = ./web;
 
-  # Go implementation of the Nixery server which implements the
-  # container registry interface.
+  nixery-popcount = callPackage ./popcount { };
+
+  # Build Nixery's Go code, resulting in the binaries used for various
+  # bits of functionality.
   #
-  # Users should use the nixery-bin derivation below instead as it
-  # provides the paths of files needed at runtime.
-  nixery-server = buildGoModule rec {
-    name = "nixery-server";
+  # The server binary is wrapped to ensure that required environment
+  # variables are set at runtime.
+  nixery = buildGoModule rec {
+    name = "nixery";
     src = ./.;
     doCheck = true;
 
     # Needs to be updated after every modification of go.mod/go.sum
-    vendorSha256 = "1xnmyz2a5s5sck0fzhcz51nds4s80p0jw82dhkf4v2c4yzga83yk";
+    vendorHash = "sha256-io9NCeZmjCZPLmII3ajXIsBWbT40XiW8ncXOuUDabbo=";
 
-    buildFlagsArray = [
-      "-ldflags=-s -w -X main.version=${nixery-commit-hash}"
+    ldflags = [
+      "-s"
+      "-w"
+      "-X"
+      "main.version=${nixery-commit-hash}"
     ];
-  };
-in
-depot.nix.readTree.drvTargets rec {
-  # Implementation of the Nix image building logic
-  nixery-prepare-image = import ./prepare-image { inherit pkgs; };
 
-  # Use mdBook to build a static asset page which Nixery can then
-  # serve. This is primarily used for the public instance at
-  # nixery.dev.
-  nixery-book = callPackage ./docs { };
+    nativeBuildInputs = [ makeWrapper ];
+    postInstall = ''
+      wrapProgram $out/bin/server \
+        --set-default WEB_DIR "${nixery-web}" \
+        --prefix PATH : ${nixery-prepare-image}/bin
+    '';
+
+    # Nixery is mirrored to Github at tazjin/nixery; this is
+    # automatically updated from CI for canon builds.
+    passthru.meta.ci.extraSteps.github = depot.tools.releases.filteredGitPush {
+      filter = ":/tools/nixery";
+      remote = "git@github.com:tazjin/nixery.git";
+      ref = "refs/heads/master";
+    };
+  };
 
-  # Wrapper script running the Nixery server with the above two data
-  # dependencies configured.
+  # Wrapper script for the wrapper script (meta!) which configures
+  # the container environment appropriately.
   #
-  # In most cases, this will be the derivation a user wants if they
-  # are installing Nixery directly.
-  nixery-bin = writeShellScriptBin "nixery" ''
-    export WEB_DIR="${nixery-book}"
-    export PATH="${nixery-prepare-image}/bin:$PATH"
-    exec ${nixery-server}/bin/nixery
+  # Most importantly, sandboxing is disabled to avoid privilege
+  # issues in containers.
+  nixery-launch-script = writeShellScriptBin "nixery" ''
+    set -e
+    export PATH=${coreutils}/bin:$PATH
+    export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
+    mkdir -p /tmp
+
+    # Create the build user/group required by Nix
+    echo 'nixbld:x:30000:nixbld' >> /etc/group
+    echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
+    echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
+    echo 'root:x:0:' >> /etc/group
+
+    # Disable sandboxing to avoid running into privilege issues
+    mkdir -p /etc/nix
+    echo 'sandbox = false' >> /etc/nix/nix.conf
+
+    # In some cases users building their own image might want to
+    # customise something on the inside (e.g. set up an environment
+    # for keys or whatever).
+    #
+    # This can be achieved by setting a 'preLaunch' script.
+    ${preLaunch}
+
+    exec ${nixery}/bin/server
   '';
 
-  nixery-popcount = callPackage ./popcount { };
-
   # Container image containing Nixery and Nix itself. This image can
   # be run on Kubernetes, published on AppEngine or whatever else is
   # desired.
-  nixery-image =
-    let
-      # Wrapper script for the wrapper script (meta!) which configures
-      # the container environment appropriately.
-      #
-      # Most importantly, sandboxing is disabled to avoid privilege
-      # issues in containers.
-      nixery-launch-script = writeShellScriptBin "nixery" ''
-        set -e
-        export PATH=${coreutils}/bin:$PATH
-        export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
-        mkdir -p /tmp
-
-        # Create the build user/group required by Nix
-        echo 'nixbld:x:30000:nixbld' >> /etc/group
-        echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
-        echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
-        echo 'root:x:0:' >> /etc/group
-
-        # Disable sandboxing to avoid running into privilege issues
-        mkdir -p /etc/nix
-        echo 'sandbox = false' >> /etc/nix/nix.conf
-
-        # In some cases users building their own image might want to
-        # customise something on the inside (e.g. set up an environment
-        # for keys or whatever).
-        #
-        # This can be achieved by setting a 'preLaunch' script.
-        ${preLaunch}
-
-        exec ${nixery-bin}/bin/nixery
-      '';
-    in
-    dockerTools.buildLayeredImage {
-      name = "nixery";
-      config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
-
-      inherit maxLayers;
-      contents = [
-        bashInteractive
-        cacert
-        coreutils
-        git
-        gnutar
-        gzip
-        iana-etc
-        nix
-        nixery-prepare-image
-        nixery-launch-script
-        openssh
-        zlib
-      ] ++ extraPackages;
-    };
+  nixery-image = dockerTools.buildLayeredImage {
+    name = "nixery";
+    config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
+
+    inherit maxLayers;
+    contents = [
+      bashInteractive
+      cacert
+      coreutils
+      git
+      gnutar
+      gzip
+      iana-etc
+      nix
+      nixery-prepare-image
+      nixery-launch-script
+      openssh
+      zlib
+    ] ++ extraPackages;
+  };
 }
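Review bot: The comment above `nixery-launch-script` should say that the script is only safe as the entrypoint of `nixery-image`, because it is now a top-level attribute of the `drvTargets` set rather than a `let` binding and can be built and run on its own. It appends to `/etc/passwd`, `/etc/group` and `/etc/nix/nix.conf` with `>>` and writes `sandbox = false`, so running its `bin/nixery` as root outside the container would alter the host's accounts and turn off the Nix build sandbox there. A restart that keeps the container's writable layer would presumably append the same lines a second time. I would add `# Container entrypoint only: appends to /etc/passwd, /etc/group and /etc/nix/nix.conf; do not run on a host.` above the attribute. Next to the `preLaunch` comment, which mentions setting up keys, it is also worth noting that builds run unsandboxed in the same filesystem as whatever `preLaunch` creates.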