chore: adding backlog of additions
This commit is contained in:
parent
28ff5da7ed
commit
d5380d1ea2
24 changed files with 534 additions and 38 deletions
|
@ -1,6 +1,7 @@
|
||||||
#!/usr/bin/env python3
|
#!/usr/bin/env python3
|
||||||
import os
|
import os
|
||||||
import yaml
|
import yaml
|
||||||
|
import subprocess
|
||||||
import logging
|
import logging
|
||||||
|
|
||||||
from jinja2 import Environment, PackageLoader, select_autoescape
|
from jinja2 import Environment, PackageLoader, select_autoescape
|
||||||
|
@ -14,7 +15,6 @@ repo_name = os.getenv("REPO_NAME") or os.getenv("GITHUB_REPOSITORY", "default_re
|
||||||
|
|
||||||
env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape())
|
env = Environment(loader=PackageLoader("render-readme"), autoescape=select_autoescape())
|
||||||
|
|
||||||
|
|
||||||
def load_metadata(file_path):
|
def load_metadata(file_path):
|
||||||
try:
|
try:
|
||||||
with open(file_path, "r") as f:
|
with open(file_path, "r") as f:
|
||||||
|
@ -25,7 +25,6 @@ def load_metadata(file_path):
|
||||||
logging.error(f"File {file_path} not found.")
|
logging.error(f"File {file_path} not found.")
|
||||||
return None
|
return None
|
||||||
|
|
||||||
|
|
||||||
def process_metadata(apps_dir):
|
def process_metadata(apps_dir):
|
||||||
app_images = []
|
app_images = []
|
||||||
for subdir, _, files in os.walk(apps_dir):
|
for subdir, _, files in os.walk(apps_dir):
|
||||||
|
@ -36,7 +35,14 @@ def process_metadata(apps_dir):
|
||||||
if not meta:
|
if not meta:
|
||||||
continue # Skip if metadata couldn't be loaded
|
continue # Skip if metadata couldn't be loaded
|
||||||
|
|
||||||
# Iterate through the channels and build image metadata
|
dockerfile_path = os.path.join(subdir, "Dockerfile")
|
||||||
|
docker_labels = load_docker_labels(dockerfile_path)
|
||||||
|
|
||||||
|
# Compliance check and badge setting
|
||||||
|
goss_file = os.path.join(subdir, "ci", "goss.yaml")
|
||||||
|
print(goss_file)
|
||||||
|
badge = run_compliance_check(goss_file)
|
||||||
|
|
||||||
for channel in meta.get("channels", []):
|
for channel in meta.get("channels", []):
|
||||||
name = (
|
name = (
|
||||||
meta["app"]
|
meta["app"]
|
||||||
|
@ -46,13 +52,71 @@ def process_metadata(apps_dir):
|
||||||
image = {
|
image = {
|
||||||
"name": name,
|
"name": name,
|
||||||
"channel": channel["name"],
|
"channel": channel["name"],
|
||||||
"html_url": f"https://code.252.no/{repo_owner}/pkgs/container/{name}",
|
"version": meta["version"],
|
||||||
|
"platforms": channel["platforms"],
|
||||||
|
"tests_enabled": channel["tests"]["enabled"],
|
||||||
|
"tests_type": channel["tests"]["type"],
|
||||||
|
"html_url": f"https://code.252.no/{repo_owner}/containers/{name}",
|
||||||
"owner": repo_owner,
|
"owner": repo_owner,
|
||||||
|
"maintainer": docker_labels.get("maintainer"),
|
||||||
|
"description": docker_labels.get("org.opencontainers.image.description"),
|
||||||
|
"source": docker_labels.get("org.opencontainers.image.source"),
|
||||||
|
"vendor": docker_labels.get("org.opencontainers.image.vendor"),
|
||||||
|
"authors": docker_labels.get("org.opencontainers.image.authors"),
|
||||||
|
"badge": badge,
|
||||||
}
|
}
|
||||||
app_images.append(image)
|
app_images.append(image)
|
||||||
logging.info(f"Added image {name} from channel {channel['name']}")
|
logging.info(f"Added image {name} from channel {channel['name']} with badge {badge}")
|
||||||
return app_images
|
return app_images
|
||||||
|
|
||||||
|
def load_docker_labels(dockerfile_path):
|
||||||
|
labels = {}
|
||||||
|
try:
|
||||||
|
with open(dockerfile_path, "r") as f:
|
||||||
|
for line in f:
|
||||||
|
if line.startswith("LABEL"):
|
||||||
|
label_parts = line.split("=", 1)
|
||||||
|
if len(label_parts) == 2:
|
||||||
|
key, value = label_parts
|
||||||
|
key = key.replace("LABEL ", "").strip().replace("\"", "")
|
||||||
|
value = value.strip().replace("\"", "")
|
||||||
|
labels[key] = value
|
||||||
|
except FileNotFoundError:
|
||||||
|
logging.warning(f"Dockerfile {dockerfile_path} not found.")
|
||||||
|
return labels
|
||||||
|
|
||||||
|
def run_compliance_check(goss_file, image_name):
|
||||||
|
"""Run compliance test using dgoss and return appropriate badge path."""
|
||||||
|
if not os.path.exists(goss_file):
|
||||||
|
logging.warning(f"Compliance file {goss_file} not found.")
|
||||||
|
return "assets/build-failing-red.svg" # Default to failing badge if no compliance file
|
||||||
|
|
||||||
|
# Set up the environment variables needed for dgoss
|
||||||
|
env = os.environ.copy()
|
||||||
|
env["CONTAINER_RUNTIME"] = "docker"
|
||||||
|
env["GOSS_FILE"] = goss_file
|
||||||
|
env["GOSS_OPTS"] = "--retry-timeout 60s --sleep 2s --color --format documentation"
|
||||||
|
env["GOSS_SLEEP"] = "2"
|
||||||
|
env["GOSS_FILES_STRATEGY"] = "cp"
|
||||||
|
|
||||||
|
print("Running dgoss with file:", goss_file, "on image:", image_name)
|
||||||
|
|
||||||
|
# Run dgoss against the container image
|
||||||
|
result = subprocess.run(
|
||||||
|
["dgoss", "run", image_name],
|
||||||
|
capture_output=True,
|
||||||
|
env=env,
|
||||||
|
shell=True # Necessary to handle dgoss's internal shell scripts
|
||||||
|
)
|
||||||
|
output = result.stdout.decode()
|
||||||
|
print(output) # Decode and print output for logging
|
||||||
|
|
||||||
|
if result.returncode == 0:
|
||||||
|
logging.info(f"Compliance check passed for {goss_file}")
|
||||||
|
return "assets/badges/build-passing-brightgreen.svg"
|
||||||
|
else:
|
||||||
|
logging.error(f"Compliance check failed for {goss_file}")
|
||||||
|
return "assets/build-failing-red.svg"
|
||||||
|
|
||||||
if __name__ == "__main__":
|
if __name__ == "__main__":
|
||||||
apps_dir = "./apps"
|
apps_dir = "./apps"
|
||||||
|
|
|
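Review bot: `run_compliance_check` is declared as `(goss_file, image_name)` but `process_metadata` calls `run_compliance_check(goss_file)` (the line after `print(goss_file)`), so every app raises `TypeError` before any badge is produced; the call needs the image reference, e.g. `badge = run_compliance_check(goss_file, name)` placed inside the channel loop where `name` is known. Inside `run_compliance_check`, `subprocess.run(["dgoss", "run", image_name], ..., shell=True)` is also wrong: with `shell=True` a list is not joined into one command — only `"dgoss"` is handed to `/bin/sh` and the remaining elements become the shell's positional parameters, so dgoss never sees the image; drop `shell=True` (the comment claiming it is necessary is mistaken), which as a side effect keeps `image_name`, a value read from repository metadata, out of any shell. The failing badge is returned as `"assets/build-failing-red.svg"` in two places while the passing badge and the SVGs added by this commit live under `assets/badges/`, so both should read `return "assets/badges/build-failing-red.svg"`. The `print(...)` calls look like leftover debugging and could become `logging.debug(...)`; `process_metadata` starts before the last hunk.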
@ -8,7 +8,7 @@
|
||||||
#+BEGIN_EXPORT html
|
#+BEGIN_EXPORT html
|
||||||
<div align="center">
|
<div align="center">
|
||||||
<h1>Container Collection</h1>
|
<h1>Container Collection</h1>
|
||||||
<h3>Containers for Kubernetes deployment_</h3>
|
<h4>Images for Kubernetes deployments</h4>
|
||||||
<img src="https://code.252.no/tommy/containers/raw/branch/main/assets/macchiato-palette.png" width="600" align="center"/>
|
<img src="https://code.252.no/tommy/containers/raw/branch/main/assets/macchiato-palette.png" width="600" align="center"/>
|
||||||
<p></p>
|
<p></p>
|
||||||
<a href="https://nixos.wiki/wiki/Flakes" target="_blank">
|
<a href="https://nixos.wiki/wiki/Flakes" target="_blank">
|
||||||
|
|
40
.forgejo/workflows/build-images.yaml
Normal file
40
.forgejo/workflows/build-images.yaml
Normal file
|
@ -0,0 +1,40 @@
|
||||||
|
name: "Build and Push Images with Podman in Colima Using Custom Seccomp Profile"
|
||||||
|
|
||||||
|
on:
|
||||||
|
push:
|
||||||
|
paths:
|
||||||
|
- 'apps/*/Dockerfile'
|
||||||
|
workflow_dispatch:
|
||||||
|
|
||||||
|
jobs:
|
||||||
|
build-and-push:
|
||||||
|
name: Build and Push Images with Podman and Custom Seccomp Profile in Colima
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout Repository
|
||||||
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: Install Podman Dependencies
|
||||||
|
run: |
|
||||||
|
sudo apt-get update
|
||||||
|
sudo apt-get install -y podman slirp4netns fuse-overlayfs
|
||||||
|
|
||||||
|
|
||||||
|
- name: Build and Push Images with Custom Seccomp Profile
|
||||||
|
run: |
|
||||||
|
export REGISTRY_USER=$GITHUB_REPOSITORY_OWNER
|
||||||
|
export REGISTRY_PASS=$GITHUB_TOKEN
|
||||||
|
SEC_PROFILE=./podman-seccomp.json
|
||||||
|
|
||||||
|
for dockerfile in $(find ./apps -name Dockerfile); do
|
||||||
|
app_name=$(basename $(dirname $dockerfile))
|
||||||
|
image="code.252.no/tommy/containers/${app_name}:latest"
|
||||||
|
|
||||||
|
# Use the seccomp profile within Colima
|
||||||
|
sudo podman build --security-opt seccomp=unconfined --tls-verify=false -t $image -f $dockerfile
|
||||||
|
echo $REGISTRY_PASS | sudo podman login code.252.no -u $REGISTRY_USER --password-stdin
|
||||||
|
sudo podman push --security-opt seccomp=$SEC_PROFILE $image --tls-verify=false
|
||||||
|
done
|
||||||
|
env:
|
||||||
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
GITHUB_REPOSITORY_OWNER: ${{ github.repository_owner }}
|
|
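Review bot: `podman build --security-opt seccomp=unconfined --tls-verify=false` never applies the custom profile to the build (the only place it would confine anything) and disables TLS verification for every pull from and push to `code.252.no`, so a network position between the runner and the registry can substitute base images or capture the registry token; the profile is instead handed to `podman push`, which as far as I can tell does not accept `--security-opt`, so that line is likely to fail outright. `echo $REGISTRY_PASS | ...` inside the loop, the `$(find ...)` word-splitting loop and the unquoted `$image`/`$dockerfile` should be tightened as well, with `set -euo pipefail` so a failed build does not fall through to a push of a stale `:latest`. The build is given no context directory, so the context is the repository root for every app; the rewrite below uses the app's own directory — adjust if root was intended. `slirp4netns` and `fuse-overlayfs` are installed (the rootless prerequisites) yet every podman call goes through `sudo`, so rootless podman is an easy further reduction, and `actions/checkout@v4` is a mutable tag that a workflow holding a registry-write token should pin to a commit SHA.

```yaml
      - name: Build and Push Images with Custom Seccomp Profile
        run: |
          set -euo pipefail
          SEC_PROFILE=./podman-seccomp.json
          # Log in once; the token is fed via stdin and never appears on a command line.
          printf '%s' "$REGISTRY_PASS" | sudo podman login code.252.no -u "$REGISTRY_USER" --password-stdin
          find ./apps -name Dockerfile -print0 | while IFS= read -r -d '' dockerfile; do
            app_dir=$(dirname "$dockerfile")
            image="code.252.no/tommy/containers/$(basename "$app_dir"):latest"
            # The profile confines the build's RUN steps; TLS verification stays on.
            sudo podman build --security-opt seccomp="$SEC_PROFILE" -t "$image" -f "$dockerfile" "$app_dir"
            sudo podman push "$image"
          done
        env:
          REGISTRY_USER: ${{ github.repository_owner }}
          REGISTRY_PASS: ${{ secrets.GITHUB_TOKEN }}
```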
@ -25,7 +25,12 @@ jobs:
|
||||||
shell: bash
|
shell: bash
|
||||||
run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze
|
run: pip install -r ./.forgejo/scripts/requirements.txt && pip freeze
|
||||||
|
|
||||||
- name: Render README
|
- name: Install Goss
|
||||||
|
shell: bash
|
||||||
|
run: |
|
||||||
|
curl -fsSL https://goss.rocks/install | sh
|
||||||
|
|
||||||
|
- name: Run Compliance Tests and Render README
|
||||||
env:
|
env:
|
||||||
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
|
||||||
shell: bash
|
shell: bash
|
||||||
|
@ -40,4 +45,4 @@ jobs:
|
||||||
git config --global user.email "tommy+forgejo@252.no"
|
git config --global user.email "tommy+forgejo@252.no"
|
||||||
git add ./README.org
|
git add ./README.org
|
||||||
git commit -m "chore: render README.org" || echo "No changes to commit"
|
git commit -m "chore: render README.org" || echo "No changes to commit"
|
||||||
git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push"
|
#git push https://x-access-token:${{ secrets.GITHUB_TOKEN }}@code.252.no/tommy/containers.git || echo "No changes to push"
|
||||||
|
|
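Review bot: `curl -fsSL https://goss.rocks/install | sh` executes whatever that URL serves at run time, unpinned and unverified, in the job that immediately afterwards holds `GITHUB_TOKEN`, so that script and the binary it downloads become part of the trust base of everything rendered into the README. Fetch a pinned release artifact and check it instead, e.g. `curl -fsSLo goss "https://github.com/goss-org/goss/releases/download/${GOSS_VERSION}/goss-linux-amd64"` followed by `echo "<published sha256>  goss" | sha256sum -c -` (and the same for `dgoss`), then install the verified binary. The `git push` line that embedded the token in the remote URL is now commented out; if it comes back, supply the credential through `git config` or a credential helper rather than the URL so the token never appears in a command line or in `git remote -v` output.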
20
.taskfiles/docker.yaml
Normal file
20
.taskfiles/docker.yaml
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
version: "3"
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
create-image:
|
||||||
|
desc: Build local docker image (nixos-builder)
|
||||||
|
cmds:
|
||||||
|
- nerdctl build --platform linux/amd64 -t nixos-builder --no-cache apps/lix-builder
|
||||||
|
|
||||||
|
shell:
|
||||||
|
desc: Drop into a build shell
|
||||||
|
env:
|
||||||
|
app: "{{ .app }}"
|
||||||
|
cmds:
|
||||||
|
- nerdctl run -v "$(pwd)/apps/{{.app}}":/root/working-dir -w /root/working-dir --platform linux/amd64 -it nixos-builder -c "nix develop"
|
||||||
|
|
||||||
|
cache:
|
||||||
|
desc: Start an attic server
|
||||||
|
dir: "attic"
|
||||||
|
cmds:
|
||||||
|
- nerdctl run -it --rm --name=attic -p 8080:8080 -v ./config:/var/empty/.config/attic -v ./data:/var/empty/.local/share/attic docker.io/heywoodlh/attic
|
|
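Review bot: `docker.io/heywoodlh/attic` is pulled with no tag or digest, so the binary-cache server that other builds will trust for Nix store paths is whatever that third-party repository serves at run time; pin it `@sha256:…` (or at least a version tag), since a compromised cache image can serve arbitrary store paths to every client that trusts its signing key. `-p 8080:8080` binds the cache on all host interfaces; `-p 127.0.0.1:8080:8080` keeps it local unless remote access is intended. In the `shell` task, `{{.app}}` is interpolated unvalidated into a bind-mount path (`"$(pwd)/apps/{{.app}}"`), so a value containing `..` mounts a directory outside `apps/` into the container — tolerable for a local developer task, but a `preconditions:` check that `apps/{{.app}}` exists would catch typos and traversal alike.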
@ -1,20 +1,14 @@
|
||||||
version: "3"
|
version: "3"
|
||||||
|
|
||||||
vars:
|
vars:
|
||||||
LABELS_CONFIG_FILE: '{{.ROOT_DIR}}/.github/labels.yaml'
|
PROJECT_DIR:
|
||||||
|
sh: "git rev-parse --show-toplevel"
|
||||||
|
|
||||||
|
includes:
|
||||||
|
docker: .taskfiles/docker.yaml
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
default:
|
default:
|
||||||
cmd: task -l
|
|
||||||
silent: true
|
silent: true
|
||||||
|
|
||||||
append-app-labels:
|
|
||||||
desc: Append app labels to the labels config file
|
|
||||||
cmds:
|
cmds:
|
||||||
- for: {var: apps}
|
- task -l
|
||||||
cmd: |
|
|
||||||
yq -i '. += [{"name": "app/{{.ITEM}}", "color": "0e8a16"}]' {{.LABELS_CONFIG_FILE}}
|
|
||||||
vars:
|
|
||||||
apps:
|
|
||||||
sh: for dir in {{.ROOT_DIR}}/apps/*/; do basename "${dir}"; done
|
|
||||||
silent: true
|
|
||||||
|
|
|
@ -1,7 +1,14 @@
|
||||||
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
|
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/tonistiigi/xx AS xx
|
||||||
|
|
||||||
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
|
FROM --platform=$BUILDPLATFORM code.forgejo.org/oci/golang:1.21-alpine3.19 as build-env
|
||||||
|
|
||||||
|
LABEL maintainer="tommy@252.no"
|
||||||
|
LABEL org.opencontainers.image.title="Forgejo Runner"
|
||||||
|
LABEL org.opencontainers.image.description="Forgejo Runner for Kubernetes with minimal privileges"
|
||||||
|
LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/forgejo-runner"
|
||||||
|
LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
|
||||||
|
LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
|
||||||
|
LABEL org.opencontainers.image.authors="tommy@252.no"
|
||||||
|
|
||||||
#
|
#
|
||||||
# Transparently cross compile for the target platform
|
# Transparently cross compile for the target platform
|
||||||
#
|
#
|
||||||
|
@ -25,17 +32,6 @@ RUN apk add --no-cache git bash
|
||||||
|
|
||||||
COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
|
COPY --from=build-env /srv/forgejo-runner /bin/forgejo-runner
|
||||||
|
|
||||||
LABEL maintainer="contact@forgejo.org" \
|
|
||||||
org.opencontainers.image.authors="Forgejo" \
|
|
||||||
org.opencontainers.image.url="https://forgejo.org" \
|
|
||||||
org.opencontainers.image.documentation="https://forgejo.org/docs/latest/admin/actions/#forgejo-runner" \
|
|
||||||
org.opencontainers.image.source="https://code.forgejo.org/forgejo/runner" \
|
|
||||||
org.opencontainers.image.version="${RELEASE_VERSION}" \
|
|
||||||
org.opencontainers.image.vendor="Forgejo" \
|
|
||||||
org.opencontainers.image.licenses="MIT" \
|
|
||||||
org.opencontainers.image.title="Forgejo Runner" \
|
|
||||||
org.opencontainers.image.description="A runner for Forgejo Actions."
|
|
||||||
|
|
||||||
ENV HOME=/data
|
ENV HOME=/data
|
||||||
|
|
||||||
USER 1000:1000
|
USER 1000:1000
|
||||||
|
|
|
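Review bot: The new `LABEL` lines are placed in the `build-env` stage (directly after `FROM ... as build-env`), and labels set on an intermediate stage are not carried into the final image; combined with the removal of the upstream `LABEL` block from the final stage, the published image ends up with no OCI metadata at all, even though `render-readme.py` will still find the labels by scanning the Dockerfile text. Move the `LABEL` lines to the final stage (next to `ENV HOME=/data`), and consider keeping `org.opencontainers.image.version="${RELEASE_VERSION}"` and `org.opencontainers.image.licenses="MIT"`, since version and license labels are what scanners and SBOM tooling read. The final stage's `FROM` line and the `RELEASE_VERSION` ARG are outside the hunks shown.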
@ -1,4 +0,0 @@
|
||||||
# yaml-language-server: $schema=https://raw.githubusercontent.com/goss-org/goss/master/docs/schema.yaml
|
|
||||||
file:
|
|
||||||
/usr/bin/git:
|
|
||||||
exists: true
|
|
|
@ -1,5 +1,5 @@
|
||||||
app: forgejo-runner
|
app: forgejo-runner
|
||||||
versioning: calver
|
version: 24.10.01
|
||||||
channels:
|
channels:
|
||||||
- name: stable
|
- name: stable
|
||||||
platforms: ["linux/amd64"]
|
platforms: ["linux/amd64"]
|
||||||
|
|
48
apps/kaniko/Dockerfile
Normal file
48
apps/kaniko/Dockerfile
Normal file
|
@ -0,0 +1,48 @@
|
||||||
|
# Set the Alpine version for consistency
|
||||||
|
ARG ALPINE_VERSION=3.20.3
|
||||||
|
|
||||||
|
# First stage: Build Kaniko executor
|
||||||
|
FROM alpine:${ALPINE_VERSION} AS kaniko-build
|
||||||
|
|
||||||
|
# Install necessary tools
|
||||||
|
RUN apk --update --no-cache add skopeo umoci
|
||||||
|
|
||||||
|
# Set working directory
|
||||||
|
WORKDIR /workdir-kaniko
|
||||||
|
|
||||||
|
# Specify Kaniko version
|
||||||
|
ARG KANIKO_VERSION=1.23.2
|
||||||
|
|
||||||
|
# Copy Kaniko executor using skopeo
|
||||||
|
RUN skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION} oci:kaniko:current
|
||||||
|
|
||||||
|
# Unpack the Kaniko executor
|
||||||
|
RUN umoci unpack --image kaniko:current unpacked
|
||||||
|
|
||||||
|
# Second stage: Create the final image
|
||||||
|
FROM alpine:${ALPINE_VERSION}
|
||||||
|
|
||||||
|
# Add a non-root user with UID and GID 1001
|
||||||
|
RUN addgroup -S kaniko -g 1001 && adduser -S kaniko -u 1001 -G kaniko
|
||||||
|
|
||||||
|
# Create necessary directories and set ownership and permissions
|
||||||
|
RUN mkdir -p /opt/kaniko /kaniko && \
|
||||||
|
chown -R kaniko:kaniko /opt/kaniko /kaniko && \
|
||||||
|
chmod -R 775 /opt/kaniko /kaniko
|
||||||
|
|
||||||
|
# Copy the Kaniko executor from the build stage
|
||||||
|
COPY --from=kaniko-build /workdir-kaniko/unpacked/rootfs/kaniko/executor /opt/kaniko/kaniko
|
||||||
|
|
||||||
|
# Ensure the executor has the correct ownership and execute permissions
|
||||||
|
RUN chown -R kaniko:kaniko /opt/kaniko/kaniko && \
|
||||||
|
chmod +x /opt/kaniko/kaniko
|
||||||
|
|
||||||
|
# Set environment variables
|
||||||
|
ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kaniko
|
||||||
|
ENV DOCKER_CONFIG=/opt/kaniko/.docker/
|
||||||
|
|
||||||
|
# Switch to the non-root user
|
||||||
|
USER kaniko
|
||||||
|
|
||||||
|
# Define the entrypoint
|
||||||
|
ENTRYPOINT ["/opt/kaniko/kaniko"]
|
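Review bot: The executor is fetched with `skopeo copy docker://gcr.io/kaniko-project/executor:v${KANIKO_VERSION}` by mutable tag and then copied into the image; since this binary will later run with `SYS_ADMIN` in the cluster, pin it by digest (`executor:v${KANIKO_VERSION}@sha256:…`) and ideally verify its signature or provenance before unpacking, so a re-pushed tag cannot change what ships. `alpine:${ALPINE_VERSION}` in both stages is likewise tag-only. `chmod -R 775 /opt/kaniko /kaniko` makes the directory holding the executor group-writable; `755` is enough for a binary that is only executed, and ownership by `kaniko` already lets that user write where it needs. `ENV DOCKER_CONFIG=/opt/kaniko/.docker/` is the path the pod manifest mounts the registry credential into, so keep the two in sync if either moves.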
0
apps/kaniko/ci/goss.yaml
Normal file
0
apps/kaniko/ci/goss.yaml
Normal file
5
apps/kaniko/ci/latest.sh
Normal file
5
apps/kaniko/ci/latest.sh
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/usr/bin/env bash
|
||||||
|
version=$(curl -sX GET "https://api.github.com/repos/actions/runner/releases/latest" | jq --raw-output '.tag_name')
|
||||||
|
version="${version#*v}"
|
||||||
|
version="${version#*release-}"
|
||||||
|
printf "%s" "${version}"
|
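Review bot: This script queries `https://api.github.com/repos/actions/runner/releases/latest` for the kaniko app — that is the GitHub Actions runner project, not kaniko, so it looks copied from another app's `ci/latest.sh` — and any automated version bump driven by it would take a version number from an unrelated project; it should point at the kaniko repository (presumably the one behind `gcr.io/kaniko-project/executor`), and the `release-` prefix strip on the following line may not apply there. `curl -sX GET` without `-f` turns an HTTP error page into an empty `tag_name`, so add `-f` and fail when `version` is empty instead of printing nothing.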
9
apps/kaniko/metadata.yaml
Normal file
9
apps/kaniko/metadata.yaml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
app: kaniko
|
||||||
|
version: 24.10.01
|
||||||
|
channels:
|
||||||
|
- name: stable
|
||||||
|
platforms: ["linux/amd64"]
|
||||||
|
stable: false
|
||||||
|
tests:
|
||||||
|
enabled: true
|
||||||
|
type: cli
|
8
apps/kaniko/readme.org
Normal file
8
apps/kaniko/readme.org
Normal file
|
@ -0,0 +1,8 @@
|
||||||
|
|
||||||
|
|
||||||
|
#+begin_src sh
|
||||||
|
nerdctl build \
|
||||||
|
--platform linux/amd64 \
|
||||||
|
-t code.252.no/tommy/kaniko:v24.10.01 \
|
||||||
|
--output=type=image,name=code.252.no/tommy/kaniko:v24.10.01,push=true .
|
||||||
|
#+end_src
|
18
apps/lix-builder/Dockerfile
Normal file
18
apps/lix-builder/Dockerfile
Normal file
|
@ -0,0 +1,18 @@
|
||||||
|
FROM nixos/nix:2.18.9
|
||||||
|
|
||||||
|
LABEL maintainer="tommy@252.no"
|
||||||
|
LABEL org.opencontainers.image.title="Nix Builder"
|
||||||
|
LABEL org.opencontainers.image.description="Builder for Lix Flake and Snowfall environments"
|
||||||
|
LABEL org.opencontainers.image.url="https://code.252.no/tommy/containers/lix-builder"
|
||||||
|
LABEL org.opencontainers.image.source="https://code.252.no/tommy/containers"
|
||||||
|
LABEL org.opencontainers.image.vendor="https://code.252.no/tommy"
|
||||||
|
LABEL org.opencontainers.image.authors="tommy@252.no"
|
||||||
|
|
||||||
|
WORKDIR /tmp/working-dir
|
||||||
|
|
||||||
|
RUN echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
|
||||||
|
RUN nix-channel --update
|
||||||
|
|
||||||
|
RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere nixpkgs.slirp4netns nixpkgs.podman nixpkgs.podman-tui
|
||||||
|
|
||||||
|
ENTRYPOINT ["fish"]
|
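Review bot: `RUN nix-channel --update` followed by `nix-env -iA nixpkgs.…` installs whatever the `nixpkgs` channel resolves to at build time, so the image contents — including `podman`, `sops`, `age` and `gnupg`, the tools that will handle secrets in this builder — are neither reproducible nor pinned, while the sibling `flake.lock` in the same directory already records a nixpkgs revision. Prefer installing from that pinned revision (for example a pinned nixpkgs tarball in `NIX_PATH`, or a `nix profile install` against the locked flake input) so a rebuild yields the same closure and a channel compromise cannot change the builder silently. `nixpkgs.linux` installs a kernel package into the profile, which seems unintended for a container; confirm it is needed. The image runs as root with `ENTRYPOINT ["fish"]`; since `.taskfiles/docker.yaml` bind-mounts host directories into it, a dedicated non-root user would limit what a malicious build can do to the mounted tree.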
0
apps/lix-builder/ci/goss.yaml
Normal file
0
apps/lix-builder/ci/goss.yaml
Normal file
61
apps/lix-builder/flake.lock
generated
Normal file
61
apps/lix-builder/flake.lock
generated
Normal file
|
@ -0,0 +1,61 @@
|
||||||
|
{
|
||||||
|
"nodes": {
|
||||||
|
"flake-utils": {
|
||||||
|
"inputs": {
|
||||||
|
"systems": "systems"
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1726560853,
|
||||||
|
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "numtide",
|
||||||
|
"repo": "flake-utils",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1730200266,
|
||||||
|
"narHash": "sha256-l253w0XMT8nWHGXuXqyiIC/bMvh1VRszGXgdpQlfhvU=",
|
||||||
|
"owner": "nixos",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"rev": "807e9154dcb16384b1b765ebe9cd2bba2ac287fd",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nixos",
|
||||||
|
"ref": "nixos-unstable",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-utils": "flake-utils",
|
||||||
|
"nixpkgs": "nixpkgs"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"systems": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1681028828,
|
||||||
|
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "nix-systems",
|
||||||
|
"repo": "default",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": "root",
|
||||||
|
"version": 7
|
||||||
|
}
|
88
apps/lix-builder/flake.nix
Normal file
88
apps/lix-builder/flake.nix
Normal file
|
@ -0,0 +1,88 @@
|
||||||
|
{
|
||||||
|
description = "docker base images";
|
||||||
|
|
||||||
|
inputs = {
|
||||||
|
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
|
||||||
|
flake-utils.url = "github:numtide/flake-utils";
|
||||||
|
};
|
||||||
|
|
||||||
|
outputs = { self, nixpkgs, flake-utils }:
|
||||||
|
let
|
||||||
|
system = "x86_64-linux";
|
||||||
|
pkgs = import nixpkgs { inherit system; };
|
||||||
|
in
|
||||||
|
{
|
||||||
|
packages = {
|
||||||
|
hello = pkgs.dockerTools.buildImage {
|
||||||
|
name = "hello-docker";
|
||||||
|
config = {
|
||||||
|
Cmd = [ "${pkgs.hello}/bin/hello" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
flakes-action = pkgs.dockerTools.buildImageWithNixDb {
|
||||||
|
name = "code.252.no/tommy/flakes-action";
|
||||||
|
tag = "latest";
|
||||||
|
copyToRoot = pkgs.buildEnv {
|
||||||
|
name = "image-root";
|
||||||
|
pathsToLink = ["/bin" "/etc"];
|
||||||
|
ignoreCollisions = true;
|
||||||
|
paths = with pkgs; [
|
||||||
|
coreutils-full
|
||||||
|
docker
|
||||||
|
bash
|
||||||
|
cacert
|
||||||
|
coreutils
|
||||||
|
curl
|
||||||
|
gawk
|
||||||
|
gitFull
|
||||||
|
git-lfs
|
||||||
|
gnused
|
||||||
|
gnutar
|
||||||
|
gzip
|
||||||
|
nixVersions.stable
|
||||||
|
nodejs
|
||||||
|
openssh
|
||||||
|
sudo
|
||||||
|
wget
|
||||||
|
xz
|
||||||
|
zstd
|
||||||
|
(pkgs.writeTextFile {
|
||||||
|
name = "nix.conf";
|
||||||
|
destination = "/etc/nix/nix.conf";
|
||||||
|
text = ''
|
||||||
|
accept-flake-config = true
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
'';
|
||||||
|
})
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
extraCommands = ''
|
||||||
|
# for /usr/bin/env
|
||||||
|
mkdir usr
|
||||||
|
ln -s ../bin usr/bin
|
||||||
|
|
||||||
|
# make sure /tmp exists
|
||||||
|
mkdir -m 1777 tmp
|
||||||
|
|
||||||
|
# need a HOME
|
||||||
|
mkdir -vp root
|
||||||
|
'';
|
||||||
|
config = {
|
||||||
|
Cmd = ["/bin/bash"];
|
||||||
|
Env = [
|
||||||
|
"NIX_PATH=nixpkgs=${nixpkgs}"
|
||||||
|
"LANG=en_GB.UTF-8"
|
||||||
|
"ENV=/etc/profile.d/nix.sh"
|
||||||
|
"BASH_ENV=/etc/profile.d/nix.sh"
|
||||||
|
"NIX_BUILD_SHELL=/bin/bash"
|
||||||
|
"PAGER=cat"
|
||||||
|
"PATH=/usr/bin:/bin"
|
||||||
|
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
|
||||||
|
"USER=root"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
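Review bot: The `nix.conf` baked into `flakes-action` sets `accept-flake-config = true`, which makes Nix silently accept any `nixConfig` a flake declares — including extra substituters and their public keys — so building an untrusted flake inside this image can add a binary cache that serves arbitrary store paths, with no prompt. Drop that line, or replace it with explicit `trusted-substituters` / `trusted-public-keys` entries that you control. The image also ships `sudo` and `docker` and runs with `USER=root`; if it serves as a CI runner image, check that the host's docker socket is not mounted into it, since that hands the job root on the host.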
102
apps/lix-builder/manifest.yaml
Normal file
102
apps/lix-builder/manifest.yaml
Normal file
|
@ -0,0 +1,102 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: builds
|
||||||
|
labels:
|
||||||
|
pod-security.kubernetes.io/enforce: privileged
|
||||||
|
pod-security.kubernetes.io/enforce-version: latest
|
||||||
|
pod-security.kubernetes.io/warn: privileged
|
||||||
|
pod-security.kubernetes.io/warn-version: latest
|
||||||
|
pod-security.kubernetes.io/audit: privileged
|
||||||
|
pod-security.kubernetes.io/audit-version: latest
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Pod
|
||||||
|
metadata:
|
||||||
|
name: kaniko
|
||||||
|
namespace: builds
|
||||||
|
spec:
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1001
|
||||||
|
runAsGroup: 1001
|
||||||
|
fsGroup: 1001
|
||||||
|
seccompProfile:
|
||||||
|
type: Unconfined
|
||||||
|
containers:
|
||||||
|
- name: kaniko
|
||||||
|
image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 1000m
|
||||||
|
memory: 2Gi
|
||||||
|
command: ["/opt/kaniko/kaniko"]
|
||||||
|
args:
|
||||||
|
- --dockerfile=Dockerfile
|
||||||
|
#- --reproducible
|
||||||
|
- --context=/kaniko
|
||||||
|
- --custom-platform=linux/amd64
|
||||||
|
- --destination=code.252.no/tommy/lix-builder:v24.10.01
|
||||||
|
#- --dockerfile=Dockerfile
|
||||||
|
#- --reproducible
|
||||||
|
#- --kaniko-dir=/workspace/kaniko
|
||||||
|
#- --context=/workspace
|
||||||
|
#- --custom-platform=linux/amd64
|
||||||
|
#- --destination=code.252.no/tommy/lix-builder:v24.10.01
|
||||||
|
#- --cache=true
|
||||||
|
#- --compressed-caching=false
|
||||||
|
#- --use-new-run
|
||||||
|
#- --cleanup
|
||||||
|
volumeMounts:
|
||||||
|
# - name: workspace-dir
|
||||||
|
# mountPath: /workspace
|
||||||
|
- name: docker-config
|
||||||
|
mountPath: /opt/kaniko/.docker/config.json
|
||||||
|
subPath: config.json
|
||||||
|
- name: dockerfile
|
||||||
|
mountPath: /kaniko/Dockerfile
|
||||||
|
subPath: Dockerfile
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 1001
|
||||||
|
privileged: false
|
||||||
|
allowPrivilegeEscalation: false
|
||||||
|
runAsNonRoot: true
|
||||||
|
capabilities:
|
||||||
|
drop:
|
||||||
|
- ALL
|
||||||
|
add:
|
||||||
|
- CHOWN
|
||||||
|
- FOWNER
|
||||||
|
- DAC_OVERRIDE
|
||||||
|
- SYS_ADMIN
|
||||||
|
restartPolicy: Never
|
||||||
|
volumes:
|
||||||
|
# - name: workspace-dir
|
||||||
|
# emptyDir: {}
|
||||||
|
- name: docker-config
|
||||||
|
secret:
|
||||||
|
secretName: tommy-pushsecret-rw
|
||||||
|
items:
|
||||||
|
- key: .dockerconfigjson
|
||||||
|
path: config.json
|
||||||
|
- name: dockerfile
|
||||||
|
configMap:
|
||||||
|
name: dockerfile
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: dockerfile
|
||||||
|
namespace: builds
|
||||||
|
data:
|
||||||
|
Dockerfile: |
|
||||||
|
FROM ghcr.io/lix-project/lix:2.91
|
||||||
|
|
||||||
|
WORKDIR /tmp/working-dir
|
||||||
|
|
||||||
|
RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \
|
||||||
|
nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \
|
||||||
|
nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \
|
||||||
|
nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \
|
||||||
|
nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere
|
||||||
|
|
||||||
|
ENTRYPOINT ["fish"]
|
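Review bot: The kaniko pod disables seccomp (`seccompProfile: type: Unconfined`), adds `SYS_ADMIN` and `DAC_OVERRIDE`, and lives in a namespace whose Pod Security level is `privileged`, which together remove most of the isolation between the build and the node: `SYS_ADMIN` covers mount and many namespace operations, so a malicious `RUN` step in a Dockerfile built here has a far larger kernel surface than under `RuntimeDefault`. Start with `seccompProfile: { type: RuntimeDefault }` and only the capabilities a failing build actually proves it needs; if `SYS_ADMIN` turns out to be unavoidable, this pod is the one thing that justifies the namespace's `privileged` level, so keep nothing else in `builds` and add `automountServiceAccountToken: false`, since the pod needs the registry secret and not the API server. The container runs as UID 1001 with `runAsNonRoot: true` while kaniko is generally documented as needing root; if that combination fails, resist fixing it by adding more capabilities. The Dockerfile embedded in the ConfigMap runs `nix-env -iA nixpkgs.…` unpinned on top of `ghcr.io/lix-project/lix:2.91`, the same reproducibility concern as `apps/lix-builder/Dockerfile`.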
9
apps/lix-builder/metadata.yaml
Normal file
9
apps/lix-builder/metadata.yaml
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
app: lix-builder
|
||||||
|
version: v24.10.01
|
||||||
|
channels:
|
||||||
|
- name: stable
|
||||||
|
platforms: ["linux/amd64"]
|
||||||
|
stable: false
|
||||||
|
tests:
|
||||||
|
enabled: true
|
||||||
|
type: cli
|
6
apps/lix-builder/nix.conf
Normal file
6
apps/lix-builder/nix.conf
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
filter-syscalls = false
|
||||||
|
experimental-features = nix-command flakes
|
||||||
|
extra-platforms = x86_64-linux aarch64-linux
|
||||||
|
build-users-group = nixbld
|
||||||
|
trusted-users = root @admin @wheel vscode
|
||||||
|
system-features = kvm big-parallel
|
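Review bot: `filter-syscalls = false` disables the seccomp filter the Nix sandbox uses to stop builds from creating setuid/setgid files and extended attributes, so any build run through this daemon can place a setuid binary in the store; unless it is required for a specific emulation setup (the `extra-platforms = x86_64-linux aarch64-linux` line hints at one), leave it at the default. `trusted-users = root @admin @wheel vscode` grants every member of `wheel`/`admin` plus the `vscode` account daemon-trusted status, which lets them add substituters and public keys and turn the sandbox off — effectively root over the store — so keep that list to the accounts that actually need it. A short `#` comment on each of these two lines stating why it is set would let the next reader decide whether it can be removed.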
1
assets/badges/build-failing-red.svg
Normal file
1
assets/badges/build-failing-red.svg
Normal file
|
@ -0,0 +1 @@
|
||||||
|
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="80" height="20" role="img" aria-label="build: failing"><title>build: failing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="80" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="43" height="20" fill="#e05d44"/><rect width="80" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="575" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="330">failing</text><text x="575" y="140" transform="scale(.1)" fill="#fff" textLength="330">failing</text></g></svg>
|
1
assets/badges/build-passing-brightgreen.svg
Normal file
1
assets/badges/build-passing-brightgreen.svg
Normal file
|
@ -0,0 +1 @@
|
||||||
|
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="88" height="20" role="img" aria-label="build: passing"><title>build: passing</title><linearGradient id="s" x2="0" y2="100%"><stop offset="0" stop-color="#bbb" stop-opacity=".1"/><stop offset="1" stop-opacity=".1"/></linearGradient><clipPath id="r"><rect width="88" height="20" rx="3" fill="#fff"/></clipPath><g clip-path="url(#r)"><rect width="37" height="20" fill="#555"/><rect x="37" width="51" height="20" fill="#4c1"/><rect width="88" height="20" fill="url(#s)"/></g><g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" text-rendering="geometricPrecision" font-size="110"><text aria-hidden="true" x="195" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="270">build</text><text x="195" y="140" transform="scale(.1)" fill="#fff" textLength="270">build</text><text aria-hidden="true" x="615" y="150" fill="#010101" fill-opacity=".3" transform="scale(.1)" textLength="410">passing</text><text x="615" y="140" transform="scale(.1)" fill="#fff" textLength="410">passing</text></g></svg>
|
25
podman-seccomp.json
Normal file
25
podman-seccomp.json
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
{
|
||||||
|
"defaultAction": "SCMP_ACT_ALLOW",
|
||||||
|
"syscalls": [
|
||||||
|
{
|
||||||
|
"names": [
|
||||||
|
"keyctl",
|
||||||
|
"syslog",
|
||||||
|
"mknod",
|
||||||
|
"mknodat",
|
||||||
|
"pkey_mprotect",
|
||||||
|
"kexec_load",
|
||||||
|
"open_by_handle_at",
|
||||||
|
"init_module",
|
||||||
|
"finit_module",
|
||||||
|
"delete_module",
|
||||||
|
"bpf"
|
||||||
|
],
|
||||||
|
"action": "SCMP_ACT_ERRNO",
|
||||||
|
"args": [],
|
||||||
|
"comment": "Deny potentially risky syscalls that could impact system integrity",
|
||||||
|
"includes": {},
|
||||||
|
"excludes": {}
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
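Review bot: This profile is a deny-list — `"defaultAction": "SCMP_ACT_ALLOW"` with eleven syscalls returning `SCMP_ACT_ERRNO` — which is weaker than the allow-list default profile podman ships, where those same syscalls (`keyctl`, `mknod`, `kexec_load`, `open_by_handle_at`, the `*_module` family, `bpf`) are already blocked along with many others; passing it via `--security-opt seccomp=` therefore loosens the sandbox relative to not passing the option at all. If a custom profile is really wanted, start from the default profile and remove only what the builds need, and add `"architectures"`/`"archMap"` so the filter is applied consistently on `aarch64` as well. `pkey_mprotect` is denied here but, as far as I can tell, is allowed by the default profile and used by some allocators and JITs; confirm nothing in the builds relies on it. Strict JSON has no comment syntax, so the existing `"comment"` field is the right place to record these decisions.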