
more permission fixes

+240 -51
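--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,6 @@
 # SPDX-License-Identifier: MIT
 
 /result*
+/.zig-cache
+/zig-out
+/zig-pkg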
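--- a/build.zig
+++ b/build.zig
@@ -0,0 +1,45 @@
+// SPDX-FileCopyrightText: © 2023 Jeffrey C. Ollie
+// SPDX-License-Identifier: MIT
+
+const std = @import("std");
+
+pub fn build(b: *std.Build) !void {
+    const target = b.standardTargetOptions(.{});
+    const optimize = b.standardOptimizeOption(.{});
+
+    const uid = b.option(u32, "uid", "uid to run as") orelse return error.MissingOption;
+
+    const options = b.addOptions();
+    options.addOption(u32, "uid", uid);
+
+    const exe = b.addExecutable(.{
+        .name = "execas",
+        .root_module = b.createModule(.{
+            .root_source_file = b.path("src/main.zig"),
+            .target = target,
+            .optimize = optimize,
+        }),
+    });
+    exe.root_module.addOptions("options", options);
+
+    b.installArtifact(exe);
+    const run_step = b.step("run", "Run the app");
+
+    const run_cmd = b.addRunArtifact(exe);
+    run_step.dependOn(&run_cmd.step);
+
+    run_cmd.step.dependOn(b.getInstallStep());
+
+    if (b.args) |args| {
+        run_cmd.addArgs(args);
+    }
+
+    const exe_tests = b.addTest(.{
+        .root_module = exe.root_module,
+    });
+
+    const run_exe_tests = b.addRunArtifact(exe_tests);
+
+    const test_step = b.step("test", "Run tests");
+    test_step.dependOn(&run_exe_tests.step);
+}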
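Review bot: `orelse return error.MissingOption` on line 10 fails the build with a bare `error: MissingOption` that does not say which option is missing; print the name first, `std.log.err("-Duid=<uid> is required", .{}); return error.MissingOption;`. Since execas exists to switch from root to this uid, a uid of 0 produces a binary that silently keeps root, so rejecting it here is cheap: `if (uid == 0) return error.InvalidUid;`. The drop is also only complete if the group ids change too, so a `gid` option mirroring lines 10 and 13 (`options.addOption(u32, "gid", gid);`) is needed for src/main.zig to call setgid before setuid.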
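--- a/build.zig.zon
+++ b/build.zig.zon
@@ -0,0 +1,16 @@
+// SPDX-FileCopyrightText: © 2023 Jeffrey C. Ollie
+// SPDX-License-Identifier: MIT
+
+.{
+    .name = .execas,
+    .version = "0.0.1",
+    .fingerprint = 0xd3da9c6c90740108, // Changing this has security and trust implications.
+    .minimum_zig_version = "0.16.0-dev.2596+469bf6af0",
+    .dependencies = .{},
+    .paths = .{
+        "build.zig",
+        "build.zig.zon",
+        "src",
+        "LICENSES",
+    },
+}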
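--- a/flake.lock
+++ b/flake.lock
@@ -18,14 +18,16 @@
         "nixpkgs": [
           "nixpkgs"
         ],
-        "zig": "zig"
+        "zig": [
+          "zig"
+        ]
       },
       "locked": {
-        "lastModified": 1771090423,
-        "narHash": "sha256-LXgGCQwxq4FVFGz9y67u4mRJ2/IcR6DzGAeozibGzio=",
+        "lastModified": 1771097473,
+        "narHash": "sha256-rdwLgKpTuxXwoYZ+Bb4G3AGWllqsUa0hYebhy7rvRvU=",
         "ref": "refs/heads/main",
-        "rev": "16258dc104bead08b93ef424315f8404ba3cf34f",
-        "revCount": 17,
+        "rev": "66fddd025358abde9935f8d3398506bc854eeea1",
+        "revCount": 18,
         "type": "git",
         "url": "https://git.ocjtech.us/jeff/push-container.git"
       },
@@ -37,22 +39,22 @@
     "root": {
       "inputs": {
         "nixpkgs": "nixpkgs",
-        "push-container": "push-container"
+        "push-container": "push-container",
+        "zig": "zig"
       }
     },
     "zig": {
       "inputs": {
         "nixpkgs": [
-          "push-container",
           "nixpkgs"
         ]
       },
       "locked": {
-        "lastModified": 1771027958,
-        "narHash": "sha256-tpNoCFgtf+WNKUhiVuYF3ih7381ef/e8kRWrQmpLcSY=",
+        "lastModified": 1771099964,
+        "narHash": "sha256-xIg8XsZ5CqMrjmArTrcd1SEPm927gqqHAauLIs43bfk=",
         "ref": "refs/heads/main",
-        "rev": "844f43e0f29c47b2c6e690b4e6038774a032ed3e",
-        "revCount": 1619,
+        "rev": "4310fcb250a29bcb86ba95466754573ba033810e",
+        "revCount": 1620,
         "type": "git",
         "url": "https://git.ocjtech.us/jeff/zig-overlay.git"
       },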
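--- a/flake.nix
+++ b/flake.nix
@@ -12,6 +12,13 @@
       url = "git+https://git.ocjtech.us/jeff/push-container.git";
       inputs = {
         nixpkgs.follows = "nixpkgs";
+        zig.follows = "zig";
+      };
+    };
+    zig = {
+      url = "git+https://git.ocjtech.us/jeff/zig-overlay.git";
+      inputs = {
+        nixpkgs.follows = "nixpkgs";
       };
     };
   };
@@ -21,12 +28,43 @@
       self,
       nixpkgs,
       push-container,
+      zig,
     }:
     let
       makePackages =
         system:
         import nixpkgs {
           inherit system;
+          overlays = [
+            # (final: prev: {
+            #   util-linux = prev.util-linux.override {
+            #     pamSupport = false;
+            #   };
+            # })
+            # (final: prev: {
+            #   nix = prev.nix.overrideAttrs (old: {
+            #     postInstall = ''
+            #       chmod u+s $out/bin/nix
+            #     '';
+            #   });
+            # })
+            (final: prev: {
+              docker_29 = prev.docker_29.override {
+                clientOnly = true;
+              };
+            })
+            # (final: prev: {
+            #   git = prev.git.override {
+            #     perlSupport = false;
+            #     pythonSupport = false;
+            #     svnSupport = false;
+            #     sendEmailSupport = false;
+            #     withManual = false;
+            #     withSsh = true;
+            #     openssh = prev.openssh;
+            #   };
+            # })
+          ];
         };
       forAllSystems = (
         function:
@@ -42,9 +80,9 @@
           lib = pkgs.lib;
         in
         {
-          docker-client = pkgs.docker_28.override {
-            clientOnly = true;
-          };
+          # docker-client = pkgs.docker_29.override {
+          #   clientOnly = true;
+          # };
           git = pkgs.git.override {
             perlSupport = false;
             pythonSupport = false;
@@ -64,9 +102,11 @@
             pkgs.bind.dnsutils
             pkgs.coreutils-full
             pkgs.curl
+            pkgs.docker_29
             pkgs.forgejo-cli
             pkgs.gawk
             pkgs.gh
+            # pkgs.git
             pkgs.glibc
             pkgs.gnugrep
             pkgs.gnused
@@ -82,6 +122,7 @@
             pkgs.podman
             pkgs.reuse
             pkgs.regctl
+            pkgs.shadow.su
             pkgs.stdenv.cc.cc.lib
             pkgs.sudo
             pkgs.tailscale
@@ -89,7 +130,8 @@
             pkgs.xz
             pkgs.zstd
 
-            self.packages.${pkgs.stdenv.hostPlatform.system}.docker-client
+            # self.packages.${pkgs.stdenv.hostPlatform.system}.sudo
+            # self.packages.${pkgs.stdenv.hostPlatform.system}.docker-client
             self.packages.${pkgs.stdenv.hostPlatform.system}.git
             push-container.packages.${pkgs.stdenv.hostPlatform.system}.push-container
           ];
@@ -278,7 +320,7 @@
           '';
 
           sudoers = ''
-            root ALL=(ALL:ALL) SETENV:ALL
+            root ALL=(ALL:ALL) NOPASSWD:ALL SETENV:ALL
             %wheel ALL=(ALL:ALL) NOPASSWD:ALL SETENV:ALL
           '';
 
@@ -362,22 +404,35 @@
             }
             ''
               mkdir -p $out/etc
+
               mkdir -p $out/etc/ssl/certs
               ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
+
               cat $passwdContentsPath > $out/etc/passwd
               echo "" >> $out/etc/passwd
+
               cat $groupContentsPath > $out/etc/group
               echo "" >> $out/etc/group
+
               cat $shadowContentsPath > $out/etc/shadow
               echo "" >> $out/etc/shadow
+
               cat $sudoersPath > $out/etc/sudoers
+              echo "" >> $out/etc/sudoers
+
+              mkdir -p $out/etc/pam.d
+              cat $pamSuPath > $out/etc/pam.d/su
+              echo "" >> $out/etc/pam.d/su
+
+              mkdir -p $out/etc/nix
+              cat $nixConfContentsPath > $out/etc/nix/nix.conf
+              echo "" >> $out/etc/nix/nix.conf
+
               mkdir -p $out/usr
               ln -s /nix/var/nix/profiles/share $out/usr/
               mkdir -p $out/nix/var/nix/gcroots
               mkdir -p $out/tmp
               mkdir -p $out/var/tmp
-              mkdir -p $out/etc/nix
-              cat $nixConfContentsPath > $out/etc/nix/nix.conf
 
               mkdir -p $out/etc/containers
               mkdir -p $out/etc/containers/networks
@@ -417,7 +472,6 @@
 
               mkdir -p $out/bin $out/usr/bin
               ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
-              # ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
             '';
         in
         pkgs.dockerTools.buildLayeredImageWithNixDb {
@@ -446,39 +500,52 @@
             chmod u=rwxt,u=rwx,o=rwx tmp
             chmod u=rwxt,u=rwx,o=rwx var/tmp
             chown -R 1001:1001 github
-            chown -R 1001:1001 nix
+            # chown -R 1001:1001 nix
           '';
-          config = {
-            Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];
-            User = "1001:1001";
-            WorkingDir = "/github/home";
-            Env = [
-              "USER=github"
-              "PATH=${
-                lib.concatStringsSep ":" [
-                  "/github/home/.nix-profile/bin"
-                  "/nix/var/nix/profiles/default/bin"
-                  "/nix/var/nix/profiles/default/sbin"
-                ]
-              }"
-              "MANPATH=${
-                lib.concatStringsSep ":" [
-                  "/github/home/.nix-profile/share/man"
-                  "/nix/var/nix/profiles/default/share/man"
-                ]
-              }"
-              "LD_LIBRARY_PATH=${
-                pkgs.lib.makeLibraryPath [
-                  pkgs.glibc
-                  pkgs.stdenv.cc.cc.lib
-                ]
-              }"
-              "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-              "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-              "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
-              "NIX_PATH=/nix/var/nix/profiles/per-user/github/channels:/github/home/.nix-defexpr/channels"
-            ];
-          };
+          config =
+            let
+              execas = pkgs.callPackage ./package.nix {
+                uid = 1001;
+                zig = zig.packages.${pkgs.stdenv.hostPlatform.system}.master;
+              };
+              entrypoint = pkgs.writeShellScriptBin "setup" ''
+                ${lib.getExe pkgs.nix} daemon --trusted >/dev/null 2>&1 &
+
+                exec ${lib.getExe execas} "$@"
+              '';
+            in
+            {
+              Cmd = [ "${pkgs.bashInteractive}/bin/bash" ];
+              User = "0:0";
+              WorkingDir = "/github/home";
+              Entrypoint = [ "${lib.getExe entrypoint}" ];
+              Env = [
+                "USER=github"
+                "PATH=${
+                  lib.concatStringsSep ":" [
+                    "/github/home/.nix-profile/bin"
+                    "/nix/var/nix/profiles/default/bin"
+                    "/nix/var/nix/profiles/default/sbin"
+                  ]
+                }"
+                "MANPATH=${
+                  lib.concatStringsSep ":" [
+                    "/github/home/.nix-profile/share/man"
+                    "/nix/var/nix/profiles/default/share/man"
+                  ]
+                }"
+                "LD_LIBRARY_PATH=${
+                  pkgs.lib.makeLibraryPath [
+                    pkgs.glibc
+                    pkgs.stdenv.cc.cc.lib
+                  ]
+                }"
+                "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+                "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+                "NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+                "NIX_PATH=/nix/var/nix/profiles/per-user/github/channels:/github/home/.nix-defexpr/channels"
+              ];
+            };
         };
       }
     );
@@ -490,6 +557,7 @@
             pkgs.pinact
             pkgs.regctl
             pkgs.reuse
+            zig.packages.${pkgs.stdenv.hostPlatform.system}.master
             push-container.packages.${pkgs.stdenv.hostPlatform.system}.push-container
           ];
 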
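Review bot: The daemon started on line 512 is backgrounded with all output sent to /dev/null, so if it fails to start (the flag name is one thing to check — I recall the daemon's trust option being spelled `--force-trusted`, and an unrecognised flag would currently die silently) the only symptom is a later, unrelated-looking failure from nix commands run as uid 1001; keep stderr at least, `${lib.getExe pkgs.nix} daemon --trusted >/dev/null &`. If that flag means what its name suggests, every client connecting to the daemon is treated as a trusted user, which hands the unprivileged process most of the store-level control the new `User = "0:0"` plus execas arrangement is meant to take away; a comment next to it stating why that is acceptable here would help the next reader. Note also that the drop to 1001 now happens only inside the Entrypoint, so any runner that supplies its own entrypoint (GitHub Actions job containers do, as far as I know) would run steps as root — worth a comment beside `User = "0:0"`. `$pamSuPath` at line 424 is referenced but defined outside this hunk, so I could not confirm it exists.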
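--- a/package.nix
+++ b/package.nix
@@ -0,0 +1,24 @@
+# SPDX-FileCopyrightText: © 2026 Jeffrey C. Ollie
+# SPDX-License-Identifier: MIT
+
+{
+  lib,
+  stdenv,
+  zig,
+  uid,
+  ...
+}:
+stdenv.mkDerivation (finalAttrs: {
+  name = "execas";
+  src = lib.cleanSource ./.;
+  nativeBuildInputs = [
+    zig
+  ];
+  zigBuildFlags = [
+    "-Duid=${toString uid}"
+  ];
+  meta = {
+    mainProgram = "execas";
+    license = lib.licenses.mit;
+  };
+})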
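Review bot: `src = lib.cleanSource ./.` on line 13 copies the whole flake directory into the derivation, so every edit to flake.nix or flake.lock rebuilds execas, and as far as I know `cleanSource` does not filter `.zig-cache` or `zig-out` (the directories .gitignore now lists), so a local `zig build` run before `nix build` ends up in the store path. Limiting the source to what the Zig build reads avoids both: `src = lib.fileset.toSource { root = ./.; fileset = lib.fileset.unions [ ./build.zig ./build.zig.zon ./src ]; };`. `finalAttrs` on line 11 is unused and can be dropped, and the `uid` argument deserves a one-line comment saying it is baked into the binary at build time rather than read at runtime.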
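--- a/src/main.zig
+++ b/src/main.zig
@@ -0,0 +1,31 @@
+// SPDX-FileCopyrightText: © 2023 Jeffrey C. Ollie
+// SPDX-License-Identifier: MIT
+
+const std = @import("std");
+const options = @import("options");
+
+pub fn main(init: std.process.Init) !void {
+    const arena: std.mem.Allocator = init.arena.allocator();
+    const io = init.io;
+
+    const rc = std.os.linux.setuid(options.uid);
+    switch (std.os.linux.errno(rc)) {
+        .SUCCESS => {},
+        else => |err| return std.posix.unexpectedErrno(err),
+    }
+
+    var argv: std.ArrayList([]const u8) = .empty;
+
+    var it = try init.minimal.args.iterateAllocator(arena);
+    _ = it.next();
+
+    while (it.next()) |arg| {
+        try argv.append(arena, arg);
+    }
+
+    const err = std.process.replace(io, .{
+        .argv = argv.items,
+    });
+
+    std.debug.print("unable to execute: {t}\n", .{err});
+}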
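Review bot: The privilege drop on line 11 is incomplete: `setuid` changes only the user ids, so the exec'd program keeps gid 0 and whatever supplementary groups the root entrypoint had, and anything group-writable by root stays writable after the switch. Call `setgroups` and `setgid` before `setuid` — the order matters, since once the uid is unprivileged the group ids can no longer be changed — which needs a `gid` build option alongside `uid` in build.zig; the wrapper names below are as in std.os.linux and should be checked against the pinned 0.16 dev std. Separately, when `std.process.replace` fails the function prints the error and then returns normally, so the process exits 0 after failing to exec; `return err;` after the print keeps the status non-zero. The rewritten lines are below.
```zig
/// Map a raw linux syscall return to an error, as the setuid switch does.
fn check(rc: usize) !void {
    return switch (std.os.linux.errno(rc)) {
        .SUCCESS => {},
        else => |err| std.posix.unexpectedErrno(err),
    };
}

pub fn main(init: std.process.Init) !void {
    const arena: std.mem.Allocator = init.arena.allocator();
    const io = init.io;

    // Groups first: after setuid the process can no longer change them, and
    // setuid alone would leave gid 0 and root's supplementary groups in place.
    try check(std.os.linux.setgroups(0, &[_]std.os.linux.gid_t{}));
    try check(std.os.linux.setgid(options.gid));
    try check(std.os.linux.setuid(options.uid));

    // … unchanged: argv collection …

    const err = std.process.replace(io, .{
        .argv = argv.items,
    });

    std.debug.print("unable to execute: {t}\n", .{err});
    // replace() only returns on failure; propagate it so the exit status is non-zero.
    return err;
}
```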