

more permission fixes

+20 -30
+20 -30
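--- a/flake.nix
+++ b/flake.nix
@@ -57,7 +57,7 @@
 let
 bundleNixpkgs = true;
 channelName = "nixpkgs";
-channelURL = "https://nixos.org/channels/nixos-unstable";
+channelURL = "https://channels.nixos.org/channels/nixos-unstable";
 defaultPkgs = [
 pkgs.attic-client
 pkgs.bashInteractive
@@ -93,8 +93,6 @@
 self.packages.${pkgs.stdenv.hostPlatform.system}.git
 push-container.packages.${pkgs.stdenv.hostPlatform.system}.push-container
 ];
-
-flake-registry = null;
 
 users = {
 root = {
@@ -201,8 +199,12 @@
 groupContents = (lib.concatStringsSep "\n" (lib.attrValues (lib.mapAttrs groupToGroup groups)));
 
 defaultNixConf = {
-sandbox = "false";
+sandbox = "true";
 build-users-group = "nixbld";
+trusted-user = [
+"root"
+"github"
+];
 trusted-public-keys = [
 "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
 ];
@@ -376,11 +378,6 @@
 mkdir -p $out/var/tmp
 mkdir -p $out/etc/nix
 cat $nixConfContentsPath > $out/etc/nix/nix.conf
-mkdir -p $out/root
-mkdir -p $out/nix/var/nix/profiles/per-user/root
-mkdir -p $out/github
-mkdir -p $out/github/home
-mkdir -p $out/nix/var/nix/profiles/per-user/github
 
 mkdir -p $out/etc/containers
 mkdir -p $out/etc/containers/networks
@@ -391,39 +388,37 @@
 cat $containerRegistriesPath > $out/etc/containers/registry.conf
 cat $containerPolicyPath > $out/etc/containers/policy.json
 
+mkdir -p $out/nix/var/nix/profiles
 ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
 ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
+
+mkdir -p $out/root
+mkdir -p $out/nix/var/nix/profiles/per-user/root
 ln -s /nix/var/nix/profiles/default $out/root/.nix-profile
-ln -s /nix/var/nix/profiles/default $out/github/home/.nix-profile
 ln -s ${channel} $out/nix/var/nix/profiles/per-user/root/channels-1-link
 ln -s $out/nix/var/nix/profiles/per-user/root/channels-1-link $out/nix/var/nix/profiles/per-user/root/channels
-
 mkdir -p $out/root/.nix-defexpr
 ln -s $out/nix/var/nix/profiles/per-user/root/channels $out/root/.nix-defexpr/channels
 echo "${channelURL} ${channelName}" > $out/root/.nix-channels
+mkdir -p $out/root/.config/git
+cat $gitConfigPath > $out/root/.config/git/config
 
+mkdir -p $out/github
+mkdir -p $out/github/home
+mkdir -p $out/nix/var/nix/profiles/per-user/github
+ln -s /nix/var/nix/profiles/default $out/github/home/.nix-profile
+ln -s ${channel} $out/nix/var/nix/profiles/per-user/github/channels-1-link
+ln -s $out/nix/var/nix/profiles/per-user/github/channels-1-link $out/nix/var/nix/profiles/per-user/github/channels
 mkdir -p $out/github/home/.nix-defexpr
 ln -s $out/nix/var/nix/profiles/per-user/github/channels $out/github/home/.nix-defexpr/channels
 echo "${channelURL} ${channelName}" > $out/github/home/.nix-channels
-
-mkdir -p $out/root/.config/git
-cat $gitConfigPath > $out/root/.config/git/config
 mkdir -p $out/github/home/.config/git
 cat $gitConfigPath > $out/github/home/.config/git/config
 
 mkdir -p $out/bin $out/usr/bin
 ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
 ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
-''
-+ (lib.optionalString (flake-registry != null) ''
-nixCacheDir="/root/.cache/nix"
-mkdir -p $out$nixCacheDir
-globalFlakeRegistryPath="$nixCacheDir/flake-registry.json"
-ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath
-mkdir -p $out/nix/var/nix/gcroots/auto
-rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath))
-ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName
-'');
+'';
 in
 pkgs.dockerTools.buildLayeredImageWithNixDb {
 name = "nixos-runner";
@@ -452,12 +447,7 @@
 chmod u=rwxt,u=rwx,o=rwx tmp
 chmod u=rwxt,u=rwx,o=rwx var/tmp
 chown -R 1001:1001 nix
-chown 1001:1001 github
-chown 1001:1001 github/home
-chown 1001:1001 github/home/.nix-defexpr
-chown 1001:1001 github/home/.config
-chown 1001:1001 github/home/.config/git
-chown 1001:1001 github/home/.config/git/config
+chown -R 1001:1001 github
 '';
 config = {
 Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];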
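Review bot: The key added to `defaultNixConf` is spelled `trusted-user`, but the Nix setting is `trusted-users`; as written Nix should warn about an unknown setting and ignore it, so neither `root` nor `github` gains trust and whatever this list was meant to fix stays unfixed. Before correcting the spelling, consider that a trusted user may override any daemon setting from the command line — `sandbox`, `substituters`, `trusted-public-keys`, `require-sigs` — so listing `github`, the account that runs workflow code, would let a job undo the `sandbox = "true"` hardening made in the same hunk and pull unsigned paths into the store (this matters whenever builds go through the daemon, which `build-users-group = "nixbld"` suggests they do). `root` is trusted by default, so if the intent is only to make that explicit, `trusted-users = [ "root" ];` is sufficient; if `github` genuinely needs trust, a comment on the line explaining why would save the next reader from removing it. Separately, the new channel URL in the first hunk, `https://channels.nixos.org/channels/nixos-unstable`, appears to carry an extra `/channels/` path segment compared with the `https://channels.nixos.org/nixos-unstable` form the channel is normally served from — worth verifying that it resolves before the image is rebuilt.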