misc

.forgejo/renovate.json5

@@ -0,0 +1,50 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    "docker:enableMajor",
+    ":dependencyDashboard",
+    ":disableRateLimiting",
+    ":timezone(America/New_York)",
+    ":semanticCommits"
+  ],
+  "dependencyDashboardTitle": "Renovate Dashboard 🤖",
+  "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"],
+  "packageRules": [
+    {
+      "addLabels": ["renovate/container", "type/major"],
+      "additionalBranchPrefix": "{{parentDir}}-",
+      "commitMessageExtra": " ( {{currentVersion}} → {{newVersion}} )",
+      "commitMessagePrefix": "feat({{parentDir}})!: ",
+      "commitMessageTopic": "{{depName}}",
+      "labels": ["app/{{parentDir}}"],
+      "matchDatasources": ["docker"],
+      "matchFileNames": ["apps/**/Dockerfile"],
+      "matchUpdateTypes": ["major"]
+    },
+    {
+      "addLabels": ["renovate/container", "type/minor"],
+      "additionalBranchPrefix": "{{parentDir}}-",
+      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )",
+      "commitMessageTopic": "{{depName}}",
+      "labels": ["app/{{parentDir}}"],
+      "matchDatasources": ["docker"],
+      "matchFileNames": ["apps/**/Dockerfile"],
+      "matchUpdateTypes": ["minor"],
+      "semanticCommitScope": "{{parentDir}}",
+      "semanticCommitType": "feat"
+    },
+    {
+      "addLabels": ["renovate/container", "type/patch"],
+      "additionalBranchPrefix": "{{parentDir}}-",
+      "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )",
+      "commitMessageTopic": "{{depName}}",
+      "labels": ["app/{{parentDir}}"],
+      "matchDatasources": ["docker"],
+      "matchFileNames": ["apps/**/Dockerfile"],
+      "matchUpdateTypes": ["patch"],
+      "semanticCommitScope": "{{parentDir}}",
+      "semanticCommitType": "fix"
+    }
+  ]
+}

.forgejo/workflows/build-images.yaml

@@ -1,4 +1,4 @@
-name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile"
+name: "Build and Push Images with Kaniko"
 
 on:
   push:
@@ -6,35 +6,66 @@ on:
     - 'apps/*/Dockerfile'
   workflow_dispatch:
 
+
 jobs:
+  # 1) Find all Dockerfiles under apps/* and output them as JSON
+  discover-dockerfiles:
+    runs-on: ci-os
+    outputs:
+      dockerfiles: ${{ steps.set-matrix.outputs.dockerfiles }}
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - id: set-matrix
+      name: Find Dockerfiles
+      run: |
+        # Find all Dockerfiles in apps/* subdirectories
+        files=$(find apps -mindepth 2 -maxdepth 2 -type f -name Dockerfile)
+
+        # If no Dockerfiles found, output an empty array to avoid parsing errors
+        if [ -z "$files" ]; then
+          echo 'dockerfiles=[]' >> "$GITHUB_OUTPUT"
+          exit 0
+        fi
+
+        # Build a JSON array of Dockerfile paths
+        json="["
+        for f in $files; do
+          json="${json}\"$f\","
+        done
+        # Remove trailing comma and close array
+        json="${json%,}]"
+
+        # Write to job output
+        echo "dockerfiles=$json" >> "$GITHUB_OUTPUT"
+
+  # 2) For each Dockerfile discovered, build & push with Kaniko
   build-and-push:
-    name: Build and Push Images with Podman and Custom Seccomp Profile in Colima
-    runs-on: ubuntu-latest
+    runs-on: ci-os
+    needs: discover-dockerfiles
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile: ${{ fromJSON(needs.discover-dockerfiles.outputs.dockerfiles) }}
+
     steps:
     - name: Checkout Repository
       uses: actions/checkout@v4
 
-    - name: Install Podman Dependencies
-      run: |
-        sudo apt-get update
-        sudo apt-get install -y podman slirp4netns fuse-overlayfs
-
-
-    - name: Build and Push Images with Custom Seccomp Profile
-      run: |
-        export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER
-        export REGISTRY_PASS=$GITHUB_TOKEN
-        SEC_PROFILE=./podman-seccomp.json
-
-        for dockerfile in $(find ./apps -name Dockerfile); do
-          app_name=$(basename $(dirname $dockerfile))
-          image="code.252.no/tommy/containers/${app_name}:latest"
-
-          # Use the seccomp profile within Colima
-          sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile
-          echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin
-          sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false
-        done
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
+    - name: Build and Push with Kaniko
+      uses: https://code.252.no/pub/kaniko-action@latest
+      with:
+        context: ./
+        dockerfile: ${{ matrix.dockerfile }}
+        destinations: >
+          code.252.no/${{ github.repository }}/${ { matrix.dockerfile
+            // remove `apps/`
+            // remove `/Dockerfile`
+            // e.g. "apps/ci-os/Dockerfile" => "ci-os"
+            // There's no built-in function to do this inline, so consider a real approach:
+          }}:latest
+        credentials: "code.252.no=tommy:${{ secrets.REGISTRY_TOKEN }}"
+        push: "true"
+        cache: "false"
+        # cache_repo: "code.252.no/${{ github.repository }}/cache"

.taskfiles/ci-os.yaml

@@ -5,10 +5,15 @@ tasks:
     desc: Build local docker image (nixos-builder)
     dir: "{{ .ROOT_DIR }}/apps/ci-os"
     cmds:
-    - nix build .#packages.x86_64-linux.build-image && nerdctl load < result
+    - docker buildx build --platform linux/amd64 -t code.252.no/pub/ci-os-builder .
+    - |
+      container_id=$(docker create code.252.no/pub/ci-os-builder)
+      docker cp $container_id:/workspace/result ci-os.tar
+      docker rm $container_id
+    - docker load < ci-os.tar
 
   publish:
     desc: Builds and pushes the flakes action image
     dir: "{{ .ROOT_DIR }}/apps/ci-os"
     cmds:
-    - nerdctl push code.252.no/tommy/ci-os:latest
+    - nerdctl push code.252.no/pub/ci-os:latest

apps/ci-os/Dockerfile

@@ -0,0 +1,26 @@
+# Stage 1: Build the x86_64-linux image
+FROM nixos/nix:2.24.11 as builder
+
+# Set up environment
+ENV LANG=en_US.UTF-8 \
+    NIX_PATH=nixpkgs=channel:nixos-unstable \
+    PATH=/root/.nix-profile/bin:/usr/local/bin:/usr/bin:/bin
+
+# Copy the flake configuration
+WORKDIR /workspace
+COPY . /workspace
+
+# Build the Docker image specified in the Nix flake
+RUN nix \
+    --extra-experimental-features "nix-command flakes" \
+    --option filter-syscalls false \
+    build .#packages.x86_64-linux.build-image -o result
+
+# Stage 2: Create the final runtime image
+FROM scratch
+
+# Copy the built image from the builder stage
+COPY --from=builder /workspace/result /workspace/result
+
+# Set the default command
+CMD ["/bin/bash"]

apps/ci-os/flake.nix

@@ -4,7 +4,7 @@
   inputs = {
     nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
     flake-utils.url = "github:numtide/flake-utils";
-    git-sv.url = "git+https://code.252.no/tommy/git-sv";
+    git-sv.url = "git+https://code.252.no/pub/git-sv";
   };
 
   outputs = { self, nixpkgs, flake-utils, git-sv, ... }:
@@ -36,7 +36,7 @@
 
         packages = {
           build-image = pkgs.dockerTools.buildImageWithNixDb {
-            name = "code.252.no/tommy/ci-os";
+            name = "code.252.no/pub/ci-os";
             tag = "latest";
             copyToRoot = pkgs.buildEnv {
               name = "image-root";
@@ -57,9 +57,14 @@
                 pkgs-local.forgejo-release
                 pkgs-local.forgejo-label
 
+                # code
+                #codeql
+                nodePackages.eslint
+                eslint_d
+
                 # repository tooling
                 gitSvPkg
-
+                git-lfs
                 gnupg
                 coreutils-full
                 gnugrep

apps/ci-os/packages/kube-linter/default.nix

@@ -0,0 +1,19 @@
+{ lib, pkgs }:
+
+pkgs.buildGoModule rec {
+  pname = "kubelinter";
+  version = "v0.7.1";
+
+  # Fetch the source from the GitHub repository
+  src = pkgs.fetchFromGitHub {
+    owner = "stackrox";
+    repo = "kube-linter";
+    rev = "v0.7.1";
+    sha256 = "<replace-with-correct-sha256>";
+  };
+
+  # Vendor dependencies for reproducibility
+  vendorHash = "<replace-with-vendor-hash>";
+
+  subPackages = [ "." ];
+}

apps/home-assistant/Dockerfile

@@ -0,0 +1,119 @@
+FROM docker.io/library/python:3.13.1-alpine
+
+ARG TARGETPLATFORM
+ARG VERSION
+ARG CHANNEL
+
+ENV \
+    PYTHONDONTWRITEBYTECODE=1 \
+    PYTHONUNBUFFERED=1 \
+    PIP_ROOT_USER_ACTION=ignore \
+    PIP_NO_CACHE_DIR=1 \
+    PIP_DISABLE_PIP_VERSION_CHECK=1 \
+    PIP_BREAK_SYSTEM_PACKAGES=1 \
+    UV_SYSTEM_PYTHON=true \
+    UV_NO_CACHE=true \
+    CRYPTOGRAPHY_DONT_BUILD_RUST=1 \
+    HOMEASSISTANT_WHEELS="https://wheels.home-assistant.io/musllinux/" \
+    HOME="/config" \
+    PYTHONPATH="/config/deps"
+
+ENV UMASK="0002" \
+    TZ="Etc/UTC"
+
+USER root
+WORKDIR /app
+
+#hadolint ignore=DL3018,DL3013,DL3059,DL4006
+RUN \
+    apk add --no-cache \
+        bash \
+        binutils \
+        bluez \
+        bluez-deprecated \
+        bluez-libs \
+        ca-certificates \
+        catatonit \
+        coreutils \
+        cups-libs \
+        curl \
+        eudev-libs \
+        ffmpeg \
+        git \
+        iputils \
+        jo \
+        jq \
+        libcap \
+        libjpeg-turbo-dev \
+        libpcap-dev \
+        libstdc++ \
+        libxslt \
+        mariadb-connector-c \
+        mariadb-connector-c-dev \
+        nano \
+        openssh-client \
+        openssl \
+        postgresql-libs \
+        socat \
+        tiff \
+        trurl \
+        tzdata \
+        unzip \
+    && \
+    apk add --no-cache --virtual=.build-deps \
+        autoconf \
+        build-base \
+        cargo \
+        cmake \
+        cups-dev \
+        eudev-dev \
+        ffmpeg-dev \
+        glib-dev \
+        jpeg-dev \
+        libffi-dev \
+        libxml2-dev \
+        libxslt-dev \
+        postgresql-dev \
+        unixodbc-dev \
+    && \
+    pip install uv \
+    && \
+    curl -fsSL "https://github.com/home-assistant/core/archive/${VERSION}.tar.gz" \
+        | tar xzf - -C /tmp --strip-components=1 \
+    && \
+    case "${TARGETPLATFORM}" in \
+        'linux/amd64') \
+            export ARCH='amd64'; \
+            export GO2RTC_SUFFIX='amd64'; \
+        ;; \
+        'linux/arm64') \
+            export ARCH='aarch64'; \
+            export GO2RTC_SUFFIX='arm64'; \
+        ;; \
+    esac \
+    && \
+    HOME_ASSISTANT_BASE=$(curl -fsSL "https://raw.githubusercontent.com/home-assistant/core/${VERSION}/build.yaml" | grep "${ARCH}: " | cut -d ":" -f3) \
+    && \
+    uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \
+        --requirement "https://raw.githubusercontent.com/home-assistant/docker/${HOME_ASSISTANT_BASE}/requirements.txt" \
+    && \
+    uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \
+        --requirement /tmp/requirements_all.txt \
+    && \
+    uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \
+        homeassistant=="${VERSION}" \
+    && curl -L https://github.com/AlexxIT/go2rtc/releases/download/v1.9.7/go2rtc_linux_${GO2RTC_SUFFIX} --output /bin/go2rtc \
+    && chmod +x /bin/go2rtc \
+    && mkdir -p /config && chown nobody:nogroup -R /config \
+    && apk del --purge .build-deps \
+    && rm -rf /root/.cache /root/.cargo /tmp/*
+
+COPY ./apps/home-assistant/entrypoint.sh /entrypoint.sh
+
+USER nobody:nogroup
+WORKDIR /config
+VOLUME ["/config"]
+
+ENTRYPOINT ["/usr/bin/catatonit", "--", "/entrypoint.sh"]
+
+LABEL org.opencontainers.image.source="https://github.com/home-assistant/core"

apps/home-assistant/ci/goss.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml
+process:
+  hass:
+    running: true
+file:
+  /usr/local/bin/hass:
+    exists: true
+port:
+  tcp6:8123:
+    listening: true
+http:
+  http://localhost:8123:
+    status: 200

apps/home-assistant/ci/latest.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+version=$(curl -sX GET "https://api.github.com/repos/home-assistant/core/releases/latest" | jq --raw-output '.tag_name' 2>/dev/null)
+version="${version#*v}"
+version="${version#*release-}"
+printf "%s" "${version}"

apps/home-assistant/entrypoint.sh

@@ -0,0 +1,11 @@
+#!/usr/bin/env bash
+#shellcheck disable=SC2086
+
+if [[ "${HOME_ASSISTANT__HACS_INSTALL}" == "true" ]]; then
+    curl -sfSL https://get.hacs.xyz | bash -
+fi
+
+exec \
+    /usr/local/bin/hass \
+        --config /config \
+        "$@"

apps/home-assistant/metadata.yaml

@@ -0,0 +1,10 @@
+---
+app: home-assistant
+semver: false
+channels:
+- name: stable
+  platforms: [ "linux/amd64" ]
+  stable: true
+  tests:
+    enabled: true
+    type: web

podman-seccomp.json

@@ -1,25 +0,0 @@
-{
-  "defaultAction": "SCMP_ACT_ALLOW",
-  "syscalls": [
-    {
-      "names": [
-        "keyctl",
-        "syslog",
-        "mknod",
-        "mknodat",
-        "pkey_mprotect",
-        "kexec_load",
-        "open_by_handle_at",
-        "init_module",
-        "finit_module",
-        "delete_module",
-        "bpf"
-      ],
-      "action": "SCMP_ACT_ERRNO",
-      "args": [],
-      "comment": "Deny potentially risky syscalls that could impact system integrity",
-      "includes": {},
-      "excludes": {}
-    }
-  ]
-}