# Copyright 2022 The TVL Contributors
# SPDX-License-Identifier: Apache-2.0

# This function header aims to provide compatibility between builds of
# Nixery taking place inside/outside of the TVL depot.
#
# In the future, Nixery will transition to using //nix/buildGo for its
# build system and this will need some major adaptations to support
# that.
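{ depot ? { nix.readTree.drvTargets = x: x; }
, pkgs ? import <nixpkgs> { }
, preLaunch ? ""
, extraPackages ? [ ]
, maxLayers ? 20
, commitHash ? null
, ...
}@args:

with pkgs;

let
  inherit (pkgs) buildGoModule;

  # Version string baked into the server binary via the `-X` ldflag
  # below. Callers may pass an explicit `commitHash`; when none is
  # given we fall back to the fixed string "depot" instead of
  # extracting a revision from git, because there is no way to plumb
  # revision numbers through yet.
  #
  # The value is spliced into a single `-ldflags` element that Go
  # splits on whitespace, so a hash containing whitespace would be
  # misparsed as extra linker flags; reject it at evaluation time.
  nixery-commit-hash =
    assert commitHash == null
      || builtins.match "[^ \t\n]+" commitHash != null;
    if commitHash != null then commitHash else "depot";

in
depot.nix.readTree.drvTargets rec {
  # Implementation of the Nix image building logic
  nixery-prepare-image = import ./prepare-image { inherit pkgs; };

  # Use mdBook to build a static asset page which Nixery can then
  # serve. This is primarily used for the public instance at
  # nixery.dev.
  nixery-book = callPackage ./docs { };

  nixery-popcount = callPackage ./popcount { };

  # Build Nixery's Go code, resulting in the binaries used for various
  # bits of functionality.
  #
  # The server binary is wrapped to ensure that required environment
  # variables are set at runtime.
  nixery = buildGoModule rec {
    name = "nixery";
    src = ./.;

    # Run the Go test suite as part of the build.
    doCheck = true;

    # Fixed-output hash of the vendored Go module tree; it pins the
    # exact dependency set that goes into the binary.
    # Needs to be updated after every modification of go.mod/go.sum
    vendorSha256 = "1xnmyz2a5s5sck0fzhcz51nds4s80p0jw82dhkf4v2c4yzga83yk";

    # -s -w strip symbol and DWARF tables; -X embeds the version
    # string computed above into main.version.
    buildFlagsArray = [
      "-ldflags=-s -w -X main.version=${nixery-commit-hash}"
    ];

    nativeBuildInputs = [ makeWrapper ];

    # WEB_DIR points the server at the built documentation; the PATH
    # prefix makes the server resolve the prepare-image tooling to
    # this pinned build rather than whatever happens to be on the
    # runtime PATH.
    postInstall = ''
      wrapProgram $out/bin/server \
        --set WEB_DIR "${nixery-book}" \
        --prefix PATH : ${nixery-prepare-image}/bin
    '';
  };

  # Container image containing Nixery and Nix itself. This image can
  # be run on Kubernetes, published on AppEngine or whatever else is
  # desired.
  nixery-image =
    let
      # Wrapper script for the wrapper script (meta!) which configures
      # the container environment appropriately.
      #
      # Most importantly, sandboxing is disabled to avoid privilege
      # issues in containers. Deployers should note the consequence:
      # every package build that Nixery triggers from an image request
      # then runs without the Nix build sandbox, inside this container
      # (which sets no `config.User`, so it runs as root by default).
      # The container runtime's own isolation is the only boundary
      # around those builds and should be configured accordingly.
      nixery-launch-script = writeShellScriptBin "nixery" ''
        set -e
        export PATH=${coreutils}/bin:$PATH
        # The bundle comes from the `cacert` package in `contents`.
        export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
        mkdir -p /tmp

        # Create the build user/group required by Nix.
        #
        # NOTE: these appends assume a fresh container filesystem;
        # re-running the script in the same writable layer appends
        # duplicate entries.
        echo 'nixbld:x:30000:nixbld' >> /etc/group
        echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
        echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
        echo 'root:x:0:' >> /etc/group

        # Disable sandboxing to avoid running into privilege issues
        mkdir -p /etc/nix
        echo 'sandbox = false' >> /etc/nix/nix.conf

        # In some cases users building their own image might want to
        # customise something on the inside (e.g. set up an environment
        # for keys or whatever).
        #
        # This can be achieved by setting a 'preLaunch' script. It is
        # spliced verbatim into this script at image build time, so
        # it is trusted build input, not something taken from the
        # running container's environment.
        ${preLaunch}

        exec ${nixery}/bin/server
      '';
    in
    dockerTools.buildLayeredImage {
      name = "nixery";
      config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];

      inherit maxLayers;
      contents = [
        bashInteractive
        cacert
        coreutils
        git
        gnutar
        gzip
        iana-etc
        nix
        nixery-prepare-image
        nixery-launch-script
        openssh
        zlib
      ] ++ extraPackages;
    };
}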