
spindle/{models,engine}: mount /etc/nix as volume; configure /etc/nix/nix.conf

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.sh>

anirudh.fi 944d0f1a 7c1e2364

+17 -1
+7 -1
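--- a/spindle/engine/engine.go
+++ b/spindle/engine/engine.go
@@ -497,10 +497,16 @@
 					Mode: 0o1777, // world-writeable sticky bit
 				},
 			},
+			{
+				Type:   mount.TypeVolume,
+				Source: "etc-nix-" + wid.String(),
+				Target: "/etc/nix",
+			},
 		},
 		ReadonlyRootfs: false,
 		CapDrop:        []string{"ALL"},
-		SecurityOpt:    []string{"seccomp=unconfined"},
+		CapAdd:         []string{"CAP_DAC_OVERRIDE"},
+		SecurityOpt:    []string{"no-new-privileges"},
 	}
 
 	return hostConfig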
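Review bot: `CapAdd: []string{"CAP_DAC_OVERRIDE"}` re-grants a broad capability on top of `CapDrop: []string{"ALL"}` with no comment saying what needs it; DAC_OVERRIDE bypasses file permission checks for every process in the container, not only the write to /etc/nix/nix.conf. If it is only there so the setup step can append to the freshly mounted `etc-nix-` volume, a narrower option is to make that path writable for the container user (volume ownership, or a chown at creation) and leave the capability dropped; at minimum add a why-comment such as `// CAP_DAC_OVERRIDE: lets the Nix setup step write /etc/nix on the volume — TODO narrow`. Replacing `seccomp=unconfined` with `no-new-privileges` is a real tightening, and presumably the runtime's default seccomp profile now applies, so any syscall the Nix builds relied on while unconfined is worth checking in a test run. The enclosing function starts outside the hunk, so whether the per-wid volume is removed after the pipeline finishes is not visible here.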
+1
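--- a/spindle/models/pipeline.go
+++ b/spindle/models/pipeline.go
@@ -55,6 +55,7 @@
 	swf.addNixProfileToPath()
 	setup := &setupSteps{}
 
+	setup.addStep(nixConfStep())
 	setup.addStep(cloneStep(*twf, *pl.TriggerMetadata.Repo, cfg.Server.Dev))
 	setup.addStep(checkoutStep(*twf, *pl.TriggerMetadata))
 	setup.addStep(dependencyStep(*twf))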
+9
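--- a/spindle/models/setup_steps.go
+++ b/spindle/models/setup_steps.go
@@ -8,6 +8,15 @@
 	"tangled.sh/tangled.sh/core/api/tangled"
 )
 
+func nixConfStep() Step {
+	setupCmd := `echo 'extra-experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+echo 'build-users-group = ' >> /etc/nix/nix.conf`
+	return Step{
+		Command: setupCmd,
+		Name:    "Configure Nix",
+	}
+}
+
 // checkoutStep checks out the specified ref in the cloned repository.
 func checkoutStep(twf tangled.Pipeline_Workflow, tr tangled.Pipeline_TriggerMetadata) Step {
 	if twf.Clone.Skip {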
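Review bot: `nixConfStep` is the only step constructor in the hunk without a doc comment, and the second setting it writes deserves one: an empty `build-users-group = ` switches off Nix's build-user separation, so derivations are built as the user running the daemon rather than a dedicated unprivileged account, which is a deliberate relaxation a reader should not have to reverse-engineer from the shell string. Suggested comment above the function: `// nixConfStep enables nix-command/flakes and clears build-users-group (builds run as the container user, without nixbld isolation). It appends, so it assumes /etc/nix is fresh for each run.` The two appends are also unconditional; if the mounted /etc/nix volume were ever reused the lines would accumulate, so writing the file with `>` or guarding with `grep -q` would make the step idempotent, though whether the volume is reused is not visible from this hunk.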