diff --git a/.forgejo/scripts/render-readme.py b/.forgejo/scripts/render-readme.py index c9a7e73..6275f2c 100644 --- a/.forgejo/scripts/render-readme.py +++ b/.forgejo/scripts/render-readme.py @@ -1,6 +1,7 @@ #!/usr/bin/env python3 import os import yaml +import subprocess import logging from jinja2 import Environment, PackageLoader, select_autoescape @@ -14,7 +15,6 @@ repo_name = os.getenv("REPO_NAME") or os.getenv("GITHUB_REPOSITORY", "default_re env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape()) - def load_metadata(file_path): try: with open(file_path, "r") as f: @@ -25,7 +25,6 @@ def load_metadata(file_path): logging.error(f"File {file_path} not found.") return None - def process_metadata(apps_dir): app_images = [] for subdir, _, files in os.walk(apps_dir): @@ -36,7 +35,14 @@ def process_metadata(apps_dir): if not meta: continue # Skip if metadata couldn't be loaded - # Iterate through the channels and build image metadata + dockerfile_path = os.path.join(subdir, "Dockerfile") + docker_labels = load_docker_labels(dockerfile_path) + + # Compliance check and badge setting + goss_file = os.path.join(subdir, "ci", "goss.yaml") + print(goss_file) + badge = run_compliance_check(goss_file) + for channel in meta.get("channels", []): name = ( meta["app"] 
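Review bot: `badge = run_compliance_check(goss_file)` passes one argument, but the function this same commit adds further down is declared `def run_compliance_check(goss_file, image_name):`, so every app whose metadata loads raises TypeError here and no README is rendered. The image name only exists once `name` is built inside the `for channel` loop, so either move the call into that loop as `badge = run_compliance_check(goss_file, name)` (presumably with the full registry reference, not just the short name — confirm what dgoss needs) or drop the parameter from the definition if nothing is actually run per image. The stray `print(goss_file)` should become `logging.debug("Compliance file: %s", goss_file)` or go, matching the rest of the script. process_metadata starts and ends outside this hunk.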
@@ -46,13 +52,71 @@ def process_metadata(apps_dir): image = { "name": name, "channel": channel["name"], - "html_url": f"https://code.252.no/{repo_owner}/pkgs/container/{name}", + "version": meta["version"], + "platforms": channel["platforms"], + "tests_enabled": channel["tests"]["enabled"], + "tests_type": channel["tests"]["type"], + "html_url": f"https://code.252.no/{repo_owner}/containers/{name}", "owner": repo_owner, + "maintainer": docker_labels.get("maintainer"), + "description": docker_labels.get("org.opencontainers.image.description"), + "source": docker_labels.get("org.opencontainers.image.source"), + "vendor": docker_labels.get("org.opencontainers.image.vendor"), + "authors": docker_labels.get("org.opencontainers.image.authors"), + "badge": badge, } app_images.append(image) - logging.info(f"Added image {name} from channel {channel['name']}") + logging.info(f"Added image {name} from channel {channel['name']} with badge {badge}") return app_images +def load_docker_labels(dockerfile_path): + labels = {} + try: + with open(dockerfile_path, "r") as f: + for line in f: + if line.startswith("LABEL"): + label_parts = line.split("=", 1) + if len(label_parts) == 2: + key, value = label_parts + key = key.replace("LABEL ", "").strip().replace("\"", "") + value = value.strip().replace("\"", "") + labels[key] = value + except FileNotFoundError: + logging.warning(f"Dockerfile {dockerfile_path} not found.") + return labels + +def run_compliance_check(goss_file, image_name): + """Run compliance test using dgoss and return appropriate badge path.""" + if not os.path.exists(goss_file): + logging.warning(f"Compliance file {goss_file} not found.") + return "assets/build-failing-red.svg" # Default to failing badge if no compliance file + + # Set up the environment variables needed for dgoss + env = os.environ.copy() + env["CONTAINER_RUNTIME"] = "docker" + env["GOSS_FILE"] = goss_file + env["GOSS_OPTS"] = "--retry-timeout 60s --sleep 2s --color --format documentation" + 
env["GOSS_SLEEP"] = "2" + env["GOSS_FILES_STRATEGY"] = "cp" + + print("Running dgoss with file:", goss_file, "on image:", image_name) + + # Run dgoss against the container image + result = subprocess.run( + ["dgoss", "run", image_name], + capture_output=True, + env=env, + shell=True # Necessary to handle dgoss's internal shell scripts + ) + output = result.stdout.decode() + print(output) # Decode and print output for logging + + if result.returncode == 0: + logging.info(f"Compliance check passed for {goss_file}") + return "assets/badges/build-passing-brightgreen.svg" + else: + logging.error(f"Compliance check failed for {goss_file}") + return "assets/build-failing-red.svg" if __name__ == "__main__": apps_dir = "./apps" @@ -64,4 +128,4 @@ if __name__ == "__main__": f.write(template.render(app_images=app_images)) logging.info("README.org successfully generated.") except Exception as e: - logging.error(f"Error rendering template: {e}") \ No newline at end of file + logging.error(f"Error rendering template: {e}") diff --git a/.forgejo/scripts/templates/README.org.j2 b/.forgejo/scripts/templates/README.org.j2 index bed3c07..b3dcb79 100644 --- a/.forgejo/scripts/templates/README.org.j2 +++ b/.forgejo/scripts/templates/README.org.j2 @@ -8,7 +8,7 @@ #+BEGIN_EXPORT html
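Review bot: `subprocess.run(["dgoss", "run", image_name], ..., shell=True)` never hands `run` or the image to dgoss: with `shell=True` only the first list element is the command string and the remaining elements become the shell's positional parameters, so the check executes a bare `dgoss`. Drop `shell=True` (the dgoss script's shebang is honoured without a shell, and an image name read from metadata.yaml is then never parsed by `sh`), and capture `result.stderr` as well, which is currently discarded so a failed run leaves no diagnostics in the log. The two failure branches return `"assets/build-failing-red.svg"` while the SVG this commit adds lives at `assets/badges/build-failing-red.svg`, so the failing badge link is broken although the passing one is right. Separately, forgejo-runner's `ci/goss.yaml` is emptied in this diff and the new kaniko and lix-builder ones are empty files; if dgoss reports success for a spec with no tests, every image gets the passing badge without anything having been verified, so treat an empty spec like a missing one (`os.path.getsize(goss_file) == 0`). The `print(...)` calls in this function should go through `logging` like the rest of the script.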

Container Collection

-

Containers for Kubernetes deployment_

+

Images for Kubernetes deployments

diff --git a/.forgejo/workflows/build-images.yaml b/.forgejo/workflows/build-images.yaml new file mode 100644 index 0000000..6343b93 --- /dev/null +++ b/.forgejo/workflows/build-images.yaml @@ -0,0 +1,40 @@ +name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile" + +on: + push: + paths: + - 'apps/*/Dockerfile' + workflow_dispatch: + +jobs: + build-and-push: + name: Build and Push Images with Podman and Custom Seccomp Profile in Colima + runs-on: ubuntu-latest + steps: + - name: Checkout Repository + uses: actions/checkout@v4 + + - name: Install Podman Dependencies + run: | + sudo apt-get update + sudo apt-get install -y podman slirp4netns fuse-overlayfs + + + - name: Build and Push Images with Custom Seccomp Profile + run: | + export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER + export REGISTRY_PASS=$GITHUB_TOKEN + SEC_PROFILE=./podman-seccomp.json + + for dockerfile in $(find ./apps -name Dockerfile); do + app_name=$(basename $(dirname $dockerfile)) + image="code.252.no/tommy/containers/${app_name}:latest" + + # Use the seccomp profile within Colima + sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile + echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin + sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false + done + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }} diff --git a/.forgejo/workflows/render-readme.yaml b/.forgejo/workflows/render-readme.yaml index ab6bb88..27ef64a 100644 --- a/.forgejo/workflows/render-readme.yaml +++ b/.forgejo/workflows/render-readme.yaml 
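Review bot: `--tls-verify=false` on both `podman build` and `podman push` disables certificate verification for every registry the job talks to, so the base-image pulls and the authenticated push of `code.252.no/tommy/containers/<app>` (using `GITHUB_TOKEN`) can be intercepted on the runner's network; if code.252.no uses a private CA, install that certificate on the runner (or use `--cert-dir`) and drop the flag. The build step also runs with `--security-opt seccomp=unconfined`, so the custom profile the workflow is named after never applies to the build; it is only passed to `podman push`, and as far as I know `podman push` has no `--security-opt` option, so that command is likely to fail — verify locally. The intended lines are presumably `sudo podman build --security-opt seccomp=$SEC_PROFILE -t "$image" -f "$dockerfile" .` and `sudo podman push "$image"`. `for dockerfile in $(find ./apps -name Dockerfile)` also word-splits paths; quoting `"$dockerfile"` and `"$image"` or iterating with `find ... -print0 | while IFS= read -r -d '' dockerfile` avoids that.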
@@ -25,7 +25,12 @@ jobs: shell: bash run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze - - name: Render README + - name: Install Goss + shell: bash + run: | + curl -fsSL https://goss.rocks/install | sh + + - name: Run Compliance Tests and Render README env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" shell: bash @@ -40,4 +45,4 @@ jobs: git config --global user.email "tommy+forgejo@252.no" git add ./README.org git commit -m "chore: render README.org" || echo "No changes to commit" - git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push" + #git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push" diff --git a/.taskfiles/docker.yaml b/.taskfiles/docker.yaml new file mode 100644 index 0000000..b1866b5 --- /dev/null +++ b/.taskfiles/docker.yaml @@ -0,0 +1,20 @@ +version: "3" + +tasks: + create-image: + desc: Build local docker image (nixos-builder) + cmds: + - nerdctl build --platform linux/amd64 -t nixos-builder --no-cache apps/lix-builder + + shell: + desc: Drop into a build shell + env: + app: "{{ .app }}" + cmds: + - nerdctl run -v "$(pwd)/apps/{{.app}}":/root/working-dir -w /root/working-dir --platform linux/amd64 -it nixos-builder -c "nix develop" + + cache: + desc: Start an attic server + dir: "attic" + cmds: + - nerdctl run -it --rm --name=attic -p 8080:8080 -v ./config:/var/empty/.config/attic -v ./data:/var/empty/.local/share/attic docker.io/heywoodlh/attic diff --git a/Taskfile.yaml b/Taskfile.yaml index f6c7671..d3d5328 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml 
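Review bot: `curl -fsSL https://goss.rocks/install | sh` executes whatever that URL serves on every run, unpinned and unverified, on the same runner that holds `GITHUB_TOKEN` for the following step. Pin the goss release and verify it instead — the install script honours `GOSS_VER` for the version, or download the release binary directly and compare it against the published sha256 before moving it into PATH. Whichever route is taken, make sure `dgoss` lands on PATH too, since render-readme.py invokes `dgoss`, not `goss`.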
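Review bot: commenting out the `git push` leaves the last step committing README.org in the runner's checkout and never publishing it, so the step's new name "Run Compliance Tests and Render README" is not matched by any visible result. If this is deliberate while the compliance check is being tried out, say so next to the line, e.g. `# push disabled until the compliance check is verified`; otherwise restore it.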
@@ -1,20 +1,14 @@ version: "3" vars: - LABELS_CONFIG_FILE: '{{.ROOT_DIR}}/.github/labels.yaml' + PROJECT_DIR: + sh: "git rev-parse --show-toplevel" + +includes: + docker: .taskfiles/docker.yaml tasks: default: - cmd: task -l silent: true - - append-app-labels: - desc: Append app labels to the labels config file cmds: - - for: {var: apps} - cmd: | - yq -i '. += [{"name": "app/{{.ITEM}}", "color": "0e8a16"}]' {{.LABELS_CONFIG_FILE}} - vars: - apps: - sh: for dir in {{.ROOT_DIR}}/apps/*/; do basename "${dir}"; done - silent: true + - task -l diff --git a/apps/forgejo-runner/Dockerfile b/apps/forgejo-runner/Dockerfile index 50f1965..be3c0cd 100644 --- a/apps/forgejo-runner/Dockerfile +++ b/apps/forgejo-runner/Dockerfile @@ -1,7 +1,14 @@ FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx - FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env +LABEL maintainer="tommy@252.no" +LABEL org.opencontainers.image.title="Forgejo Runner" +LABEL org.opencontainers.image.description="Forgejo Runner for Kubernetes with minimal privileges" +LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/forgejo-runner" +LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers" +LABEL org.opencontainers.image.vendor="https://code.252.no/tommy" +LABEL org.opencontainers.image.authors="tommy@252.no" + # # Transparently cross compile for the target platform # 
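Review bot: the new `LABEL` lines sit in the `build-env` stage (the line directly above them is `FROM ... golang:1.21-alpine3.19 as build-env`), and the second hunk of this file removes the label block from the final stage; labels reach a final image only from its own instructions or its `FROM` base, not from a stage that is merely `COPY --from`'d, so the published runner image will carry no OCI labels even though render-readme.py reads them from the Dockerfile text. Move the block into the final stage, after its `FROM`, and keep `org.opencontainers.image.licenses` and `org.opencontainers.image.documentation` from the removed block unless dropping them is intended. The final stage begins and ends outside this hunk.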
@@ -25,17 +32,6 @@ RUN apk add --no-cache git bash COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner -LABEL maintainer="contact@forgejo.org" \ - org.opencontainers.image.authors="Forgejo" \ - org.opencontainers.image.url="https://forgejo.org" \ - org.opencontainers.image.documentation="https://forgejo.org/docs/latest/admin/actions/#forgejo-runner" \ - org.opencontainers.image.source="https://code.forgejo.org/forgejo/runner" \ - org.opencontainers.image.version="${RELEASE_VERSION}" \ - org.opencontainers.image.vendor="Forgejo" \ - org.opencontainers.image.licenses="MIT" \ - org.opencontainers.image.title="Forgejo Runner" \ - org.opencontainers.image.description="A runner for Forgejo Actions." - ENV HOME=/data USER 1000:1000 diff --git a/apps/forgejo-runner/ci/goss.yaml b/apps/forgejo-runner/ci/goss.yaml index e1d81ad..e69de29 100644 --- a/apps/forgejo-runner/ci/goss.yaml +++ b/apps/forgejo-runner/ci/goss.yaml @@ -1,4 +0,0 @@ -# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml -file: - /usr/bin/git: - exists: true diff --git a/apps/forgejo-runner/metadata.yaml b/apps/forgejo-runner/metadata.yaml index f2a77a3..075187a 100644 --- a/apps/forgejo-runner/metadata.yaml +++ b/apps/forgejo-runner/metadata.yaml @@ -1,5 +1,5 @@ app: forgejo-runner -versioning: calver +version: 24.10.01 channels: - name: stable platforms: ["linux/amd64"] diff --git a/apps/kaniko/Dockerfile b/apps/kaniko/Dockerfile new file mode 100644 index 0000000..6edd186 --- /dev/null +++ b/apps/kaniko/Dockerfile 
@@ -0,0 +1,48 @@ +# Set the Alpine version for consistency +ARG ALPINE_VERSION=3.20.3 + +# First stage: Build Kaniko executor +FROM alpine:${ALPINE_VERSION} AS kaniko-build + +# Install necessary tools +RUN apk --update --no-cache add skopeo umoci + +# Set working directory +WORKDIR /workdir-kaniko + +# Specify Kaniko version +ARG KANIKO_VERSION=1.23.2 + +# Copy Kaniko executor using skopeo +RUN skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION} oci:kaniko:current + +# Unpack the Kaniko executor +RUN umoci unpack --image kaniko:current unpacked + +# Second stage: Create the final image +FROM alpine:${ALPINE_VERSION} + +# Add a non-root user with UID and GID 1001 +RUN addgroup -S kaniko -g 1001 && adduser -S kaniko -u 1001 -G kaniko + +# Create necessary directories and set ownership and permissions +RUN mkdir -p /opt/kaniko /kaniko && \ + chown -R kaniko:kaniko /opt/kaniko /kaniko && \ + chmod -R 775 /opt/kaniko /kaniko + +# Copy the Kaniko executor from the build stage +COPY --from=kaniko-build /workdir-kaniko/unpacked/rootfs/kaniko/executor /opt/kaniko/kaniko + +# Ensure the executor has the correct ownership and execute permissions +RUN chown -R kaniko:kaniko /opt/kaniko/kaniko && \ + chmod +x /opt/kaniko/kaniko + +# Set environment variables +ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kaniko +ENV DOCKER_CONFIG=/opt/kaniko/.docker/ + +# Switch to the non-root user +USER kaniko + +# Define the entrypoint +ENTRYPOINT ["/opt/kaniko/kaniko"] diff --git a/apps/kaniko/ci/goss.yaml b/apps/kaniko/ci/goss.yaml new file mode 100644 index 0000000..e69de29 diff --git a/apps/kaniko/ci/latest.sh b/apps/kaniko/ci/latest.sh new file mode 100644 index 0000000..c62d868 --- /dev/null +++ b/apps/kaniko/ci/latest.sh 
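Review bot: `skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION} oci:kaniko:current` fetches the executor by a mutable tag, and that binary later runs with the registry push credentials mounted at `DOCKER_CONFIG`; pin it by digest, `executor:v${KANIKO_VERSION}@sha256:<digest-of-v1.23.2>` (value to be looked up), so a retagged upstream image cannot change what ends up in this one. `chmod -R 775 /opt/kaniko /kaniko` makes the executor's own directory group-writable; `755` is enough for a single-user image and keeps the binary from being replaceable by anything running as the `kaniko` group. `apk --update` is redundant next to `--no-cache`.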
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+version=$(curl -sX GET "https://api.github.com/repos/actions/runner/releases/latest" | jq --raw-output '.tag_name')
+version="${version#*v}"
+version="${version#*release-}"
+printf "%s" "${version}"
\ No newline at end of file
diff --git a/apps/kaniko/metadata.yaml b/apps/kaniko/metadata.yaml
new file mode 100644
index 0000000..02d9ff1
--- /dev/null
+++ b/apps/kaniko/metadata.yaml
@@ -0,0 +1,9 @@
+app: kaniko
+version: 24.10.01
+channels:
+- name: stable
+ platforms: ["linux/amd64"]
+ stable: false
+ tests:
+ enabled: true
+ type: cli
diff --git a/apps/kaniko/readme.org b/apps/kaniko/readme.org
new file mode 100644
index 0000000..2f447bd
--- /dev/null
+++ b/apps/kaniko/readme.org
@@ -0,0 +1,8 @@
+
+
+#+begin_src sh
+nerdctl build \
+ --platform linux/amd64 \
+ -t code.252.no/tommy/kaniko:v24.10.01 \
+ --output=type=image,name=code.252.no/tommy/kaniko:v24.10.01,push=true .
+#+end_src
\ No newline at end of file
diff --git a/apps/lix-builder/Dockerfile b/apps/lix-builder/Dockerfile
new file mode 100644
index 0000000..692c7db
--- /dev/null
+++ b/apps/lix-builder/Dockerfile
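Review bot: kaniko's `latest.sh` queries `https://api.github.com/repos/actions/runner/releases/latest`, i.e. the GitHub Actions runner project, so the "latest" version it prints has nothing to do with kaniko (this looks copied from another app's ci directory). The executor is released from `GoogleContainerTools/kaniko` on GitHub, so the URL should point at that repository. `curl -sX GET` without `-f` also turns an HTTP error body into the string `null` from jq instead of a failing exit; use `curl -fsSL`.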
@@ -0,0 +1,18 @@
+FROM nixos/nix:2.18.9
+
+LABEL maintainer="tommy@252.no"
+LABEL org.opencontainers.image.title="Nix Builder"
+LABEL org.opencontainers.image.description="Builder for Lix Flake and Snowfall environments"
+LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/lix-builder"
+LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
+LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
+LABEL org.opencontainers.image.authors="tommy@252.no"
+
+WORKDIR /tmp/working-dir
+
+RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+RUN nix-channel --update
+
+RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere nixpkgs.slirp4netns nixpkgs.podman nixpkgs.podman-tui
+
+ENTRYPOINT ["fish"]
diff --git a/apps/lix-builder/ci/goss.yaml b/apps/lix-builder/ci/goss.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/apps/lix-builder/flake.lock b/apps/lix-builder/flake.lock
new file mode 100644
index 0000000..2860b5e
--- /dev/null
+++ b/apps/lix-builder/flake.lock
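Review bot: `RUN nix-channel --update` followed by `nix-env -iA nixpkgs....` installs whatever the unpinned nixpkgs channel resolves to at build time, so two builds of this Dockerfile differ and there is no record of what went into the image; pin a nixpkgs revision instead (the flake.lock added in this same commit already locks one and could be the single source of truth). `nixpkgs.linux` installs a kernel package into a container image where it cannot be used — presumably a different package was meant, worth a comment either way. The image is named `lix-builder` but is built `FROM nixos/nix:2.18.9`, while the ConfigMap Dockerfile in manifest.yaml uses `ghcr.io/lix-project/lix:2.91`; decide which definition is authoritative so the two do not drift.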
@@ -0,0 +1,61 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1726560853, + "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1730200266, + "narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/apps/lix-builder/flake.nix b/apps/lix-builder/flake.nix new file mode 100644 index 0000000..521a7da --- /dev/null +++ b/apps/lix-builder/flake.nix 
@@ -0,0 +1,88 @@ +{ + description = "docker base images"; + + inputs = { + nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"; + flake-utils.url = "github:numtide/flake-utils"; + }; + + outputs = { self, nixpkgs, flake-utils }: + let + system = "x86_64-linux"; + pkgs = import nixpkgs { inherit system; }; + in + { + packages = { + hello = pkgs.dockerTools.buildImage { + name = "hello-docker"; + config = { + Cmd = [ "${pkgs.hello}/bin/hello" ]; + }; + }; + flakes-action = pkgs.dockerTools.buildImageWithNixDb { + name = "code.252.no/tommy/flakes-action"; + tag = "latest"; + copyToRoot = pkgs.buildEnv { + name = "image-root"; + pathsToLink = ["/bin" "/etc"]; + ignoreCollisions = true; + paths = with pkgs; [ + coreutils-full + docker + bash + cacert + coreutils + curl + gawk + gitFull + git-lfs + gnused + gnutar + gzip + nixVersions.stable + nodejs + openssh + sudo + wget + xz + zstd + (pkgs.writeTextFile { + name = "nix.conf"; + destination = "/etc/nix/nix.conf"; + text = '' + accept-flake-config = true + experimental-features = nix-command flakes + ''; + }) + ]; + }; + + extraCommands = '' + # for /usr/bin/env + mkdir usr + ln -s ../bin usr/bin + + # make sure /tmp exists + mkdir -m 1777 tmp + + # need a HOME + mkdir -vp root + ''; + config = { + Cmd = ["/bin/bash"]; + Env = [ + "NIX_PATH=nixpkgs=${nixpkgs}" + "LANG=en_GB.UTF-8" + "ENV=/etc/profile.d/nix.sh" + "BASH_ENV=/etc/profile.d/nix.sh" + "NIX_BUILD_SHELL=/bin/bash" + "PAGER=cat" + "PATH=/usr/bin:/bin" + "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" + "USER=root" + ]; + }; + }; + }; + }; + } diff --git a/apps/lix-builder/manifest.yaml b/apps/lix-builder/manifest.yaml new file mode 100644 index 0000000..739d63a --- /dev/null +++ b/apps/lix-builder/manifest.yaml 
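Review bot: the nix.conf written into the `flakes-action` image sets `accept-flake-config = true`, which makes Nix apply any `nixConfig` a flake ships — extra substituters and `trusted-public-keys` included — without asking, so building an untrusted flake inside this image lets that flake choose where binaries come from. Leave the setting out (the default prompts, and a CI job that really wants it can pass `--accept-flake-config` per invocation) or document in a comment why the image trusts every flake it builds. The image also ships `sudo` although no non-root user is configured, and `coreutils-full` and `coreutils` are both listed; one of each is enough.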
@@ -0,0 +1,102 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: builds + labels: + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/enforce-version: latest + pod-security.kubernetes.io/warn: privileged + pod-security.kubernetes.io/warn-version: latest + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/audit-version: latest +--- +apiVersion: v1 +kind: Pod +metadata: + name: kaniko + namespace: builds +spec: + securityContext: + runAsUser: 1001 + runAsGroup: 1001 + fsGroup: 1001 + seccompProfile: + type: Unconfined + containers: + - name: kaniko + image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0 + resources: + limits: + cpu: 1000m + memory: 2Gi + command: ["/opt/kaniko/kaniko"] + args: + - --dockerfile=Dockerfile + #- --reproducible + - --context=/kaniko + - --custom-platform=linux/amd64 + - --destination=code.252.no/tommy/lix-builder:v24.10.01 + #- --dockerfile=Dockerfile + #- --reproducible + #- --kaniko-dir=/workspace/kaniko + #- --context=/workspace + #- --custom-platform=linux/amd64 + #- --destination=code.252.no/tommy/lix-builder:v24.10.01 + #- --cache=true + #- --compressed-caching=false + #- --use-new-run + #- --cleanup + volumeMounts: + # - name: workspace-dir + # mountPath: /workspace + - name: docker-config + mountPath: /opt/kaniko/.docker/config.json + subPath: config.json + - name: dockerfile + mountPath: /kaniko/Dockerfile + subPath: Dockerfile + securityContext: + runAsUser: 1001 + privileged: false + allowPrivilegeEscalation: false + runAsNonRoot: true + capabilities: + drop: + - ALL + add: + - CHOWN + - FOWNER + - DAC_OVERRIDE + - SYS_ADMIN + restartPolicy: Never + volumes: + # - name: workspace-dir + # emptyDir: {} + - name: docker-config + secret: + secretName: tommy-pushsecret-rw + items: + - key: .dockerconfigjson + path: config.json + - name: dockerfile + configMap: + name: dockerfile +--- +apiVersion: v1 +kind: ConfigMap 
+metadata: + name: dockerfile + namespace: builds +data: + Dockerfile: | + FROM ghcr.io/lix-project/lix:2.91 + + WORKDIR /tmp/working-dir + + RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \ + nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \ + nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \ + nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \ + nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere + + ENTRYPOINT ["fish"] diff --git a/apps/lix-builder/metadata.yaml b/apps/lix-builder/metadata.yaml new file mode 100644 index 0000000..8a6c0ae --- /dev/null +++ b/apps/lix-builder/metadata.yaml @@ -0,0 +1,9 @@ +app: lix-builder +version: v24.10.01 +channels: +- name: stable + platforms: ["linux/amd64"] + stable: false + tests: + enabled: true + type: cli diff --git a/apps/lix-builder/nix.conf b/apps/lix-builder/nix.conf new file mode 100644 index 0000000..003d8c4 --- /dev/null +++ b/apps/lix-builder/nix.conf @@ -0,0 +1,6 @@ +filter-syscalls = false +experimental-features = nix-command flakes +extra-platforms = x86_64-linux aarch64-linux +build-users-group = nixbld +trusted-users = root @admin @wheel vscode +system-features = kvm big-parallel diff --git a/assets/badges/build-failing-red.svg b/assets/badges/build-failing-red.svg new file mode 100644 index 0000000..cd4a8db --- /dev/null +++ b/assets/badges/build-failing-red.svg @@ -0,0 +1 @@ +build: failingbuildfailing \ No newline at end of file diff --git a/assets/badges/build-passing-brightgreen.svg b/assets/badges/build-passing-brightgreen.svg new file mode 100644 index 0000000..983bcec --- /dev/null +++ b/assets/badges/build-passing-brightgreen.svg @@ -0,0 +1 @@ +build: passingbuildpassing \ No newline at end of file diff --git a/podman-seccomp.json b/podman-seccomp.json new file mode 100644 index 0000000..4dc6f78 --- /dev/null +++ b/podman-seccomp.json 
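Review bot: the kaniko Pod adds `SYS_ADMIN` and sets `seccompProfile: type: Unconfined`, while the `builds` namespace is labelled `pod-security.kubernetes.io/enforce: privileged`; CAP_SYS_ADMIN covers mount and most namespace operations, so together with an unconfined seccomp filter it undoes what `runAsNonRoot`, `allowPrivilegeEscalation: false` and `drop: [ALL]` are meant to buy, and the namespace label means Pod Security Admission will never flag it. Kaniko is designed to build without extra capabilities or seccomp exceptions, so try `seccompProfile: type: RuntimeDefault` with the `drop: ALL` set alone first and add back only what a concrete error requires, recording that reason in a comment beside the `add:` list. The image reference is pinned by digest, which is good; the ConfigMap Dockerfile's `FROM ghcr.io/lix-project/lix:2.91` is not, and should be for the same reason. The commented-out alternative `args:` and volume blocks should be deleted rather than kept as dead configuration.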
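Review bot: `filter-syscalls = false` switches off Nix's own seccomp filter for build sandboxes, and `trusted-users = root @admin @wheel vscode` lets every member of those groups (plus a `vscode` user that appears in neither Dockerfile of this app) change any daemon setting, including substituters and sandboxing — a trusted user is effectively root on the daemon. Nothing in this diff references the file, so say where it is meant to be installed, e.g. a first line `# installed to /etc/nix/nix.conf by <which build>`, and keep `filter-syscalls` at its default unless a specific build is known to need it.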
@@ -0,0 +1,25 @@
+{
+"defaultAction": "SCMP_ACT_ALLOW",
+"syscalls": [
+{
+"names": [
+"keyctl",
+"syslog",
+"mknod",
+"mknodat",
+"pkey_mprotect",
+"kexec_load",
+"open_by_handle_at",
+"init_module",
+"finit_module",
+"delete_module",
+"bpf"
+],
+"action": "SCMP_ACT_ERRNO",
+"args": [],
+"comment": "Deny potentially risky syscalls that could impact system integrity",
+"includes": {},
+"excludes": {}
+}
+]
+}
\ No newline at end of file
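Review bot: the profile is allow-by-default (`"defaultAction": "SCMP_ACT_ALLOW"`) with an eleven-entry denylist, which is looser than the profile Podman applies when no `--security-opt seccomp=` is given at all — the stock profile is deny-by-default with an explicit allowlist and already refuses most of what is listed here (module loading, kexec, bpf, open_by_handle_at, keyctl) — so as wired into build-images.yaml this file relaxes the sandbox rather than tightening it. Start from the containers-common `seccomp.json` and remove entries from it, or, if a denylist is really intended, state in the `comment` field that it is weaker than the default and why that is acceptable. `"args": []` together with empty `includes`/`excludes` add nothing and can be dropped.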