Monorepo for Tangled tangled.org

spindle/{models,engine}: mount /etc/nix as volume; configure /etc/nix/nix.conf

Signed-off-by: Anirudh Oppiliappan <anirudh@tangled.sh>

anirudh.fi 944d0f1a 7c1e2364

Changed files
+17 -1
+7 -1
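--- a/spindle/engine/engine.go
+++ b/spindle/engine/engine.go
@@ -497,10 +497,16 @@
 Mode: 0o1777, // world-writeable sticky bit
 },
 },
+{
+Type: mount.TypeVolume,
+Source: "etc-nix-" + wid.String(),
+Target: "/etc/nix",
+},
 },
 ReadonlyRootfs: false,
 CapDrop: []string{"ALL"},
-SecurityOpt: []string{"seccomp=unconfined"},
+CapAdd: []string{"CAP_DAC_OVERRIDE"},
+SecurityOpt: []string{"no-new-privileges"},
 }
 
 return hostConfig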
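Review bot: `CapAdd: []string{"CAP_DAC_OVERRIDE"}` in the returned host config lets every process in the workflow container bypass file permission checks for the whole run, which looks broader than the single write to /etc/nix/nix.conf that the commit title describes. If the capability is only there so the setup step can write into the new `etc-nix-` volume, consider making that volume writable by the step's user instead and keeping `CapDrop: ALL` without additions. If it has to stay, record the reason next to it, e.g. `// CAP_DAC_OVERRIDE: needed to write /etc/nix/nix.conf on the volume (TODO: confirm and narrow)`. The per-workflow named volume also has to be removed when the workflow ends; no cleanup is visible here, and the function begins above the hunk, so that may already be handled elsewhere.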
+1
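--- a/spindle/models/pipeline.go
+++ b/spindle/models/pipeline.go
@@ -55,6 +55,7 @@
 swf.addNixProfileToPath()
 setup := &setupSteps{}
 
+setup.addStep(nixConfStep())
 setup.addStep(cloneStep(*twf, *pl.TriggerMetadata.Repo, cfg.Server.Dev))
 setup.addStep(checkoutStep(*twf, *pl.TriggerMetadata))
 setup.addStep(dependencyStep(*twf))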
+9
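--- a/spindle/models/setup_steps.go
+++ b/spindle/models/setup_steps.go
@@ -8,6 +8,15 @@
 "tangled.sh/tangled.sh/core/api/tangled"
 )
 
+func nixConfStep() Step {
+setupCmd := `echo 'extra-experimental-features = nix-command flakes' >> /etc/nix/nix.conf
+echo 'build-users-group = ' >> /etc/nix/nix.conf`
+return Step{
+Command: setupCmd,
+Name: "Configure Nix",
+}
+}
+
 // checkoutStep checks out the specified ref in the cloned repository.
 func checkoutStep(twf tangled.Pipeline_Workflow, tr tangled.Pipeline_TriggerMetadata) Step {
 if twf.Clone.Skip {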
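Review bot: nixConfStep has no doc comment, although checkoutStep directly below it has one, and one of the two settings it writes changes the isolation model. An empty `build-users-group` makes Nix run builds as the calling user instead of dedicated build users, so the container becomes the only boundary around build code. I would add `// nixConfStep appends Nix settings to /etc/nix/nix.conf: it enables nix-command and flakes, and clears build-users-group so builds run as the step's own user inside the container.` The two echo commands are separated only by a newline, so a failed first append is presumably masked by the exit status of the second unless the step shell runs with `set -e`; joining them with `&&` would surface the failure. The whole function lies inside the hunk.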