From 14a76a5d7ce2ef6419c87e81558f16452b3fa400 Mon Sep 17 00:00:00 2001 From: Tommy Skaug Date: Mon, 30 Dec 2024 21:50:06 +0100 Subject: [PATCH] misc --- .forgejo/renovate.json5 | 50 ++++++++ .forgejo/workflows/build-images.yaml | 85 +++++++++----- .taskfiles/ci-os.yaml | 9 +- apps/ci-os/Dockerfile | 26 +++++ apps/ci-os/flake.nix | 11 +- apps/ci-os/packages/kube-linter/default.nix | 19 ++++ apps/home-assistant/Dockerfile | 119 ++++++++++++++++++++ apps/home-assistant/ci/goss.yaml | 14 +++ apps/home-assistant/ci/latest.sh | 5 + apps/home-assistant/entrypoint.sh | 11 ++ apps/home-assistant/metadata.yaml | 10 ++ podman-seccomp.json | 25 ---- 12 files changed, 327 insertions(+), 57 deletions(-) create mode 100644 .forgejo/renovate.json5 create mode 100644 apps/ci-os/Dockerfile create mode 100644 apps/ci-os/packages/kube-linter/default.nix create mode 100644 apps/home-assistant/Dockerfile create mode 100644 apps/home-assistant/ci/goss.yaml create mode 100644 apps/home-assistant/ci/latest.sh create mode 100644 apps/home-assistant/entrypoint.sh create mode 100644 apps/home-assistant/metadata.yaml delete mode 100644 podman-seccomp.json diff --git a/.forgejo/renovate.json5 b/.forgejo/renovate.json5 new file mode 100644 index 0000000..fe03f19 --- /dev/null +++ b/.forgejo/renovate.json5 @@ -0,0 +1,50 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "config:recommended", + "docker:enableMajor", + ":dependencyDashboard", + ":disableRateLimiting", + ":timezone(America/New_York)", + ":semanticCommits" + ], + "dependencyDashboardTitle": "Renovate Dashboard 🤖", + "suppressNotifications": ["prEditedNotification", "prIgnoreNotification"], + "packageRules": [ + { + "addLabels": ["renovate/container", "type/major"], + "additionalBranchPrefix": "{{parentDir}}-", + "commitMessageExtra": " ( {{currentVersion}} → {{newVersion}} )", + "commitMessagePrefix": "feat({{parentDir}})!: ", + "commitMessageTopic": "{{depName}}", + "labels": ["app/{{parentDir}}"], + "matchDatasources": ["docker"], + "matchFileNames": ["apps/**/Dockerfile"], + "matchUpdateTypes": ["major"] + }, + { + "addLabels": ["renovate/container", "type/minor"], + "additionalBranchPrefix": "{{parentDir}}-", + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )", + "commitMessageTopic": "{{depName}}", + "labels": ["app/{{parentDir}}"], + "matchDatasources": ["docker"], + "matchFileNames": ["apps/**/Dockerfile"], + "matchUpdateTypes": ["minor"], + "semanticCommitScope": "{{parentDir}}", + "semanticCommitType": "feat" + }, + { + "addLabels": ["renovate/container", "type/patch"], + "additionalBranchPrefix": "{{parentDir}}-", + "commitMessageExtra": "( {{currentVersion}} → {{newVersion}} )", + "commitMessageTopic": "{{depName}}", + "labels": ["app/{{parentDir}}"], + "matchDatasources": ["docker"], + "matchFileNames": ["apps/**/Dockerfile"], + "matchUpdateTypes": ["patch"], + "semanticCommitScope": "{{parentDir}}", + "semanticCommitType": "fix" + } + ] +} \ No newline at end of file diff --git a/.forgejo/workflows/build-images.yaml b/.forgejo/workflows/build-images.yaml index 6343b93..20185e2 100644 --- a/.forgejo/workflows/build-images.yaml +++ b/.forgejo/workflows/build-images.yaml @@ -1,4 +1,4 @@ -name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile" +name: "Build and Push Images with Kaniko" on: push: @@ -6,35 +6,66 @@ on: - 'apps/*/Dockerfile' workflow_dispatch: + jobs: + # 1) Find all Dockerfiles under apps/* and output them as JSON + discover-dockerfiles: + runs-on: ci-os + outputs: + dockerfiles: ${{ steps.set-matrix.outputs.dockerfiles }} + steps: + - name: Checkout + uses: actions/checkout@v4 + + - id: set-matrix + name: Find Dockerfiles + run: | + # Find all Dockerfiles in apps/* subdirectories + files=$(find apps -mindepth 2 -maxdepth 2 -type f -name Dockerfile) + + # If no Dockerfiles found, output an empty array to avoid parsing errors + if [ -z "$files" ]; then + echo 'dockerfiles=[]' >> "$GITHUB_OUTPUT" + exit 0 + fi + + # Build a JSON array of Dockerfile paths + json="[" + for f in $files; do + json="${json}\"$f\"," + done + # Remove trailing comma and close array + json="${json%,}]" + + # Write to job output + echo "dockerfiles=$json" >> "$GITHUB_OUTPUT" + + # 2) For each Dockerfile discovered, build & push with Kaniko build-and-push: - name: Build and Push Images with Podman and Custom Seccomp Profile in Colima - runs-on: ubuntu-latest + runs-on: ci-os + needs: discover-dockerfiles + strategy: + fail-fast: false + matrix: + dockerfile: ${{ fromJSON(needs.discover-dockerfiles.outputs.dockerfiles) }} + steps: - name: Checkout Repository uses: actions/checkout@v4 - - name: Install Podman Dependencies - run: | - sudo apt-get update - sudo apt-get install -y podman slirp4netns fuse-overlayfs - - - - name: Build and Push Images with Custom Seccomp Profile - run: | - export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER - export REGISTRY_PASS=$GITHUB_TOKEN - SEC_PROFILE=./podman-seccomp.json - - for dockerfile in $(find ./apps -name Dockerfile); do - app_name=$(basename $(dirname $dockerfile)) - image="code.252.no/tommy/containers/${app_name}:latest" - - # Use the seccomp profile within Colima - sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile - echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin - sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false - done - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} + - name: Build and Push with Kaniko + uses: https://code.252.no/pub/kaniko-action@latest + with: + context: ./ + dockerfile: ${{ matrix.dockerfile }} + destinations: > + code.252.no/${{ github.repository }}/${ { matrix.dockerfile + // remove `apps/` + // remove `/Dockerfile` + // e.g. "apps/ci-os/Dockerfile" => "ci-os" + // There's no built-in function to do this inline, so consider a real approach: + }}:latest + credentials: "code.252.no=tommy:${{ secrets.REGISTRY_TOKEN }}" + push: "true" + cache: "false" + # cache_repo: "code.252.no/${{ github.repository }}/cache" diff --git a/.taskfiles/ci-os.yaml b/.taskfiles/ci-os.yaml index 897afed..c27dccf 100644 --- a/.taskfiles/ci-os.yaml +++ b/.taskfiles/ci-os.yaml @@ -5,10 +5,15 @@ tasks: desc: Build local docker image (nixos-builder) dir: "{{ .ROOT_DIR }}/apps/ci-os" cmds: - - nix build .#packages.x86_64-linux.build-image && nerdctl load < result + - docker buildx build --platform linux/amd64 -t code.252.no/pub/ci-os-builder . + - | + container_id=$(docker create code.252.no/pub/ci-os-builder) + docker cp $container_id:/workspace/result ci-os.tar + docker rm $container_id + - docker load < ci-os.tar publish: desc: Builds and pushes the flakes action image dir: "{{ .ROOT_DIR }}/apps/ci-os" cmds: - - nerdctl push code.252.no/tommy/ci-os:latest + - nerdctl push code.252.no/pub/ci-os:latest diff --git a/apps/ci-os/Dockerfile b/apps/ci-os/Dockerfile new file mode 100644 index 0000000..5761690 --- /dev/null +++ b/apps/ci-os/Dockerfile @@ -0,0 +1,26 @@ +# Stage 1: Build the x86_64-linux image +FROM nixos/nix:2.24.11 as builder + +# Set up environment +ENV LANG=en_US.UTF-8 \ + NIX_PATH=nixpkgs=channel:nixos-unstable \ + PATH=/root/.nix-profile/bin:/usr/local/bin:/usr/bin:/bin + +# Copy the flake configuration +WORKDIR /workspace +COPY . /workspace + +# Build the Docker image specified in the Nix flake +RUN nix \ + --extra-experimental-features "nix-command flakes" \ + --option filter-syscalls false \ + build .#packages.x86_64-linux.build-image -o result + +# Stage 2: Create the final runtime image +FROM scratch + +# Copy the built image from the builder stage +COPY --from=builder /workspace/result /workspace/result + +# Set the default command +CMD ["/bin/bash"] \ No newline at end of file diff --git a/apps/ci-os/flake.nix b/apps/ci-os/flake.nix index 8f84138..39d6b50 100644 --- a/apps/ci-os/flake.nix +++ b/apps/ci-os/flake.nix @@ -4,7 +4,7 @@ inputs = { nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; flake-utils.url = "github:numtide/flake-utils"; - git-sv.url = "git+https://code.252.no/tommy/git-sv"; + git-sv.url = "git+https://code.252.no/pub/git-sv"; }; outputs = { self, nixpkgs, flake-utils, git-sv, ... }: @@ -36,7 +36,7 @@ packages = { build-image = pkgs.dockerTools.buildImageWithNixDb { - name = "code.252.no/tommy/ci-os"; + name = "code.252.no/pub/ci-os"; tag = "latest"; copyToRoot = pkgs.buildEnv { name = "image-root"; @@ -57,9 +57,14 @@ pkgs-local.forgejo-release pkgs-local.forgejo-label + # code + #codeql + nodePackages.eslint + eslint_d + # repository tooling gitSvPkg - + git-lfs gnupg coreutils-full gnugrep diff --git a/apps/ci-os/packages/kube-linter/default.nix b/apps/ci-os/packages/kube-linter/default.nix new file mode 100644 index 0000000..0cd6818 --- /dev/null +++ b/apps/ci-os/packages/kube-linter/default.nix @@ -0,0 +1,19 @@ +{ lib, pkgs }: + +pkgs.buildGoModule rec { + pname = "kubelinter"; + version = "v0.7.1"; + + # Fetch the source from the GitHub repository + src = pkgs.fetchFromGitHub { + owner = "stackrox"; + repo = "kube-linter"; + rev = "v0.7.1"; + sha256 = ""; + }; + + # Vendor dependencies for reproducibility + vendorHash = ""; + + subPackages = [ "." ]; +} diff --git a/apps/home-assistant/Dockerfile b/apps/home-assistant/Dockerfile new file mode 100644 index 0000000..eb56f1a --- /dev/null +++ b/apps/home-assistant/Dockerfile @@ -0,0 +1,119 @@ +FROM docker.io/library/python:3.13.1-alpine + +ARG TARGETPLATFORM +ARG VERSION +ARG CHANNEL + +ENV \ + PYTHONDONTWRITEBYTECODE=1 \ + PYTHONUNBUFFERED=1 \ + PIP_ROOT_USER_ACTION=ignore \ + PIP_NO_CACHE_DIR=1 \ + PIP_DISABLE_PIP_VERSION_CHECK=1 \ + PIP_BREAK_SYSTEM_PACKAGES=1 \ + UV_SYSTEM_PYTHON=true \ + UV_NO_CACHE=true \ + CRYPTOGRAPHY_DONT_BUILD_RUST=1 \ + HOMEASSISTANT_WHEELS="https://wheels.home-assistant.io/musllinux/" \ + HOME="/config" \ + PYTHONPATH="/config/deps" + +ENV UMASK="0002" \ + TZ="Etc/UTC" + +USER root +WORKDIR /app + +#hadolint ignore=DL3018,DL3013,DL3059,DL4006 +RUN \ + apk add --no-cache \ + bash \ + binutils \ + bluez \ + bluez-deprecated \ + bluez-libs \ + ca-certificates \ + catatonit \ + coreutils \ + cups-libs \ + curl \ + eudev-libs \ + ffmpeg \ + git \ + iputils \ + jo \ + jq \ + libcap \ + libjpeg-turbo-dev \ + libpcap-dev \ + libstdc++ \ + libxslt \ + mariadb-connector-c \ + mariadb-connector-c-dev \ + nano \ + openssh-client \ + openssl \ + postgresql-libs \ + socat \ + tiff \ + trurl \ + tzdata \ + unzip \ + && \ + apk add --no-cache --virtual=.build-deps \ + autoconf \ + build-base \ + cargo \ + cmake \ + cups-dev \ + eudev-dev \ + ffmpeg-dev \ + glib-dev \ + jpeg-dev \ + libffi-dev \ + libxml2-dev \ + libxslt-dev \ + postgresql-dev \ + unixodbc-dev \ + && \ + pip install uv \ + && \ + curl -fsSL "https://github.com/home-assistant/core/archive/${VERSION}.tar.gz" \ + | tar xzf - -C /tmp --strip-components=1 \ + && \ + case "${TARGETPLATFORM}" in \ + 'linux/amd64') \ + export ARCH='amd64'; \ + export GO2RTC_SUFFIX='amd64'; \ + ;; \ + 'linux/arm64') \ + export ARCH='aarch64'; \ + export GO2RTC_SUFFIX='arm64'; \ + ;; \ + esac \ + && \ + HOME_ASSISTANT_BASE=$(curl -fsSL "https://raw.githubusercontent.com/home-assistant/core/${VERSION}/build.yaml" | grep "${ARCH}: " | cut -d ":" -f3) \ + && \ + uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \ + --requirement "https://raw.githubusercontent.com/home-assistant/docker/${HOME_ASSISTANT_BASE}/requirements.txt" \ + && \ + uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \ + --requirement /tmp/requirements_all.txt \ + && \ + uv pip install --only-binary=:all: --find-links "${HOMEASSISTANT_WHEELS}" \ + homeassistant=="${VERSION}" \ + && curl -L https://github.com/AlexxIT/go2rtc/releases/download/v1.9.7/go2rtc_linux_${GO2RTC_SUFFIX} --output /bin/go2rtc \ + && chmod +x /bin/go2rtc \ + && mkdir -p /config && chown nobody:nogroup -R /config \ + && apk del --purge .build-deps \ + && rm -rf /root/.cache /root/.cargo /tmp/* + +COPY ./apps/home-assistant/entrypoint.sh /entrypoint.sh + +USER nobody:nogroup +WORKDIR /config +VOLUME ["/config"] + +ENTRYPOINT ["/usr/bin/catatonit", "--", "/entrypoint.sh"] + +LABEL org.opencontainers.image.source="https://github.com/home-assistant/core" \ No newline at end of file diff --git a/apps/home-assistant/ci/goss.yaml b/apps/home-assistant/ci/goss.yaml new file mode 100644 index 0000000..e7bd318 --- /dev/null +++ b/apps/home-assistant/ci/goss.yaml @@ -0,0 +1,14 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml +process: + hass: + running: true +file: + /usr/local/bin/hass: + exists: true +port: + tcp6:8123: + listening: true +http: + http://localhost:8123: + status: 200 diff --git a/apps/home-assistant/ci/latest.sh b/apps/home-assistant/ci/latest.sh new file mode 100644 index 0000000..050de32 --- /dev/null +++ b/apps/home-assistant/ci/latest.sh @@ -0,0 +1,5 @@ +#!/usr/bin/env bash +version=$(curl -sX GET "https://api.github.com/repos/home-assistant/core/releases/latest" | jq --raw-output '.tag_name' 2>/dev/null) +version="${version#*v}" +version="${version#*release-}" +printf "%s" "${version}" \ No newline at end of file diff --git a/apps/home-assistant/entrypoint.sh b/apps/home-assistant/entrypoint.sh new file mode 100644 index 0000000..c9a1771 --- /dev/null +++ b/apps/home-assistant/entrypoint.sh @@ -0,0 +1,11 @@ +#!/usr/bin/env bash +#shellcheck disable=SC2086 + +if [[ "${HOME_ASSISTANT__HACS_INSTALL}" == "true" ]]; then + curl -sfSL https://get.hacs.xyz | bash - +fi + +exec \ + /usr/local/bin/hass \ + --config /config \ + "$@" \ No newline at end of file diff --git a/apps/home-assistant/metadata.yaml b/apps/home-assistant/metadata.yaml new file mode 100644 index 0000000..238ec5e --- /dev/null +++ b/apps/home-assistant/metadata.yaml @@ -0,0 +1,10 @@ +--- +app: home-assistant +semver: false +channels: +- name: stable + platforms: [ "linux/amd64" ] + stable: true + tests: + enabled: true + type: web diff --git a/podman-seccomp.json b/podman-seccomp.json deleted file mode 100644 index 4dc6f78..0000000 --- a/podman-seccomp.json +++ /dev/null @@ -1,25 +0,0 @@ -{ - "defaultAction": "SCMP_ACT_ALLOW", - "syscalls": [ - { - "names": [ - "keyctl", - "syslog", - "mknod", - "mknodat", - "pkey_mprotect", - "kexec_load", - "open_by_handle_at", - "init_module", - "finit_module", - "delete_module", - "bpf" - ], - "action": "SCMP_ACT_ERRNO", - "args": [], - "comment": "Deny potentially risky syscalls that could impact system integrity", - "includes": {}, - "excludes": {} - } - ] -} \ No newline at end of file