containers/apps/lix-builder/manifest.yaml


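apiVersion: v1
kind: Namespace
metadata:
  name: builds
  labels:
    # Pod Security Admission for the build namespace.
    #
    # `enforce: privileged` is the loosest level and is genuinely required:
    # the kaniko pod in this file adds CAP_SYS_ADMIN and runs with an
    # unconfined seccomp profile, both of which the `baseline` level rejects.
    # It also means *anything* scheduled into `builds` may be fully
    # privileged, so keep this namespace reserved for build pods.
    #
    # Enforcement stays at privileged, but warn and audit are set to baseline
    # so every pod that exceeds baseline is still surfaced as a kubectl
    # warning and as an API-server audit annotation instead of being allowed
    # silently. Neither warn nor audit blocks a pod, so this does not affect
    # the kaniko build.
    pod-security.kubernetes.io/enforce: privileged
    # `latest` follows the API server's PSS version; pin to a specific vX.Y
    # if policy drift across cluster upgrades is a concern.
    pod-security.kubernetes.io/enforce-version: latest
    pod-security.kubernetes.io/warn: baseline
    pod-security.kubernetes.io/warn-version: latest
    pod-security.kubernetes.io/audit: baseline
    pod-security.kubernetes.io/audit-version: latest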
---
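apiVersion: v1
kind: Pod
metadata:
  name: kaniko
  namespace: builds
spec:
  # One-shot kaniko build of the lix-builder image (restartPolicy: Never).
  # Nothing in this manifest gives kaniko a reason to call the Kubernetes
  # API: it reads the Dockerfile from the ConfigMap mount and pushes to
  # --destination. Not mounting the service-account token therefore costs
  # nothing, and a compromised build (for example via the tag-only base image
  # in the Dockerfile) is left with the registry credential only, not an API
  # identity in a namespace where privileged pods are allowed.
  automountServiceAccountToken: false
  securityContext:
    runAsUser: 1001
    runAsGroup: 1001
    fsGroup: 1001
    # Unconfined means no seccomp filter is applied at all. Together with
    # CAP_SYS_ADMIN below this is what forces the `privileged` Pod Security
    # level on the namespace. NOTE(review): check whether kaniko still builds
    # under `type: RuntimeDefault` before relying on this setting.
    seccompProfile:
      type: Unconfined
  containers:
    - name: kaniko
      # Pinned by digest, so the build tool itself cannot change underneath
      # the mutable v24.10.01 tag.
      image: code.252.no/tommy/kaniko:v24.10.01@sha256:d51c3b5c468bb070108d9e27884072f8527f20c9e41e2133621c56f62f89afc0
      resources:
        # Only limits are given; Kubernetes then uses the same values as the
        # requests.
        limits:
          cpu: 1000m
          memory: 2Gi
      command: ["/opt/kaniko/kaniko"]
      args:
        - --dockerfile=Dockerfile
        # kaniko's --reproducible (strip timestamps so identical inputs give
        # an identical digest) is off here.
        #- --reproducible
        - --context=/kaniko
        - --custom-platform=linux/amd64
        - --destination=code.252.no/tommy/lix-builder:v24.10.01
        # Earlier variant that staged the build in an emptyDir workspace;
        # kept for reference together with the commented-out volume below.
        #- --dockerfile=Dockerfile
        #- --reproducible
        #- --kaniko-dir=/workspace/kaniko
        #- --context=/workspace
        #- --custom-platform=linux/amd64
        #- --destination=code.252.no/tommy/lix-builder:v24.10.01
        #- --cache=true
        #- --compressed-caching=false
        #- --use-new-run
        #- --cleanup
      volumeMounts:
        # - name: workspace-dir
        #   mountPath: /workspace
        # Registry credential for the push. The secret name suggests it is a
        # read-write token, which makes it the most valuable thing in this
        # pod; keep it scoped to the one repository kaniko pushes to. A
        # subPath mount is a one-time copy: a rotated Secret is not
        # propagated into an already running pod.
        - name: docker-config
          mountPath: /opt/kaniko/.docker/config.json
          subPath: config.json
        - name: dockerfile
          mountPath: /kaniko/Dockerfile
          subPath: Dockerfile
      securityContext:
        runAsUser: 1001
        privileged: false
        # Sets no_new_privs: setuid binaries and file capabilities cannot
        # raise privileges beyond what is granted below.
        allowPrivilegeEscalation: false
        runAsNonRoot: true
        capabilities:
          drop:
            - ALL
          add:
            - CHOWN
            - FOWNER
            - DAC_OVERRIDE
            # SYS_ADMIN is the broadest Linux capability (mount, namespaces,
            # many privileged ioctls); with it uid 1001 is much closer to
            # root than runAsNonRoot suggests. Presumably needed for kaniko
            # to unpack layers without running as root — TODO confirm against
            # the kaniko image and drop it if a narrower set works.
            - SYS_ADMIN
  restartPolicy: Never
  volumes:
    # - name: workspace-dir
    #   emptyDir: {}
    - name: docker-config
      secret:
        secretName: tommy-pushsecret-rw
        items:
          - key: .dockerconfigjson
            path: config.json
    - name: dockerfile
      configMap:
        name: dockerfile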
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dockerfile
  namespace: builds
data:
  # Build recipe mounted into the kaniko pod at /kaniko/Dockerfile and
  # consumed via --dockerfile=Dockerfile / --context=/kaniko.
  #
  # Supply-chain caveats a reviewer would want noted here:
  # - The base image is selected by tag only (lix:2.91). The kaniko image in
  #   the pod is digest-pinned, but this input is not, so what gets built
  #   can change without any change to this manifest. Pin it with
  #   `@sha256:...` once the intended digest is known.
  # - `nix-env -iA nixpkgs.*` presumably resolves against whichever nixpkgs
  #   channel the base image ships — TODO confirm — so the installed
  #   versions are not fixed by this file; together with --reproducible being
  #   off in the pod, rebuilds are not expected to be byte-identical.
  # - The image bundles secret-handling tooling (sops, age, ssh-to-age,
  #   gnupg) and an interactive fish entrypoint; treat it as a developer
  #   workbench image rather than a minimal runtime image.
  Dockerfile: |
    FROM ghcr.io/lix-project/lix:2.91
    WORKDIR /tmp/working-dir
    RUN nix-env -iA nixpkgs.go nixpkgs.vim nixpkgs.sops nixpkgs.nix-direnv \
        nixpkgs.attic-client nixpkgs.nh nixpkgs.deploy-rs nixpkgs.statix \
        nixpkgs.deadnix nixpkgs.alejandra nixpkgs.home-manager \
        nixpkgs.ssh-to-age nixpkgs.gnupg nixpkgs.age nixpkgs.linux \
        nixpkgs.go-task nixpkgs.curl nixpkgs.fish nixpkgs.nixos-anywhere
    ENTRYPOINT ["fish"]