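# Generic fetcher for Docker image configs and layers. It builds a
# fixed-output derivation that runs one of the hocker fetchers
# ("hocker-config" or "hocker-layer") against a registry and stores the
# result at $out, verified against the caller-supplied sha256.
{
  stdenv,
  lib,
  haskellPackages,
  writeText,
  gawk,
}:
let
  awk = "${gawk}/bin/awk";
  # NOTE(review): credentials.nix is not visible here. Confirm it evaluates
  # to a string naming an out-of-store location rather than a Nix path
  # value: a path exported through `inherit dockerCredentialsFile` below
  # would be copied into the world-readable Nix store.
  dockerCredentialsFile = import ./credentials.nix { inherit lib; };
in
{
  fetcher,
  name,
  registry ? "https://registry-1.docker.io/v2/",
  repository ? "library",
  imageName,
  sha256,
  tag ? "",
  layerDigest ? "",
}:

# There must be no slashes in the repository or container names since
# we use these to make the output derivation name for the nix store
# path
assert !(lib.hasInfix "/" repository);
assert !(lib.hasInfix "/" imageName);

# Only allow hocker-config and hocker-layer as fetchers for now. This
# allow-list is also what makes it safe to splice `fetcher` into the
# builder script as a command name.
assert (
  builtins.elem fetcher [
    "hocker-config"
    "hocker-layer"
  ]
);

# If layerDigest is non-empty then it must not have a 'sha256:' prefix!
# (The empty string trivially has no such prefix.)
assert !(lib.hasPrefix "sha256:" layerDigest);

let
  # Caller-supplied strings are shell-quoted before being spliced into the
  # builder script, so quotes, spaces or `$(...)` in them stay data and are
  # never interpreted by bash.
  layerDigestFlag = lib.optionalString (
    layerDigest != ""
  ) "--layer ${lib.escapeShellArg layerDigest}";
  imageRef = lib.escapeShellArg "${repository}/${imageName}";
  tagArg = lib.escapeShellArg tag;
in
stdenv.mkDerivation {
  inherit name;
  builder = writeText "${fetcher}-builder.sh" ''
    echo "${fetcher} exporting to $out"

    declare -A creds

    # Print the value stored under key "$1" in $CREDSFILE: everything after
    # the first '=' on the first line that mentions the key. Splitting on
    # the first '=' only keeps secrets that themselves contain '=' (base64
    # padding, for instance) intact instead of truncating them.
    readCredential() {
      ${awk} -v key="$1" '
        index($0, key) {
          eq = index($0, "=")
          print (eq ? substr($0, eq + 1) : "")
          exit
        }
      ' <<< "$CREDSFILE"
    }

    # This is a hack for Hydra since we have no way of adding values
    # to the NIX_PATH for Hydra jobsets!!
    staticCredentialsFile="/etc/nix-docker-credentials.txt"
    if [ ! -f "$dockerCredentialsFile" ] && [ -f "$staticCredentialsFile" ]; then
      echo "credentials file not set, falling back on static credentials file at: $staticCredentialsFile"
      dockerCredentialsFile=$staticCredentialsFile
    fi

    if [ -f "$dockerCredentialsFile" ]; then
      # Only the path is logged; the secret values are never echoed.
      echo "using credentials from $dockerCredentialsFile"

      CREDSFILE=$(cat "$dockerCredentialsFile")
      creds[token]=$(readCredential DOCKER_TOKEN)

      # Prefer DOCKER_TOKEN over the username and password
      # authentication method
      if [ -z "''${creds[token]}" ]; then
        creds[user]=$(readCredential DOCKER_USER)
        creds[pass]=$(readCredential DOCKER_PASS)
      fi
    fi

    # These variables will be filled in first by the impureEnvVars, if
    # those variables are empty then they will default to the
    # credentials that may have been read in from the 'DOCKER_CREDENTIALS'
    DOCKER_USER="''${DOCKER_USER:-''${creds[user]}}"
    DOCKER_PASS="''${DOCKER_PASS:-''${creds[pass]}}"
    DOCKER_TOKEN="''${DOCKER_TOKEN:-''${creds[token]}}"

    # NOTE(review): the secrets reach the fetcher as command-line arguments,
    # which other local users can read from the process list while the
    # fetch runs. If hocker offers a way to take credentials from the
    # environment or a file, prefer that -- TODO confirm against hocker.
    ${fetcher} --out="$out" \
      ''${registry:+--registry "$registry"} \
      ''${DOCKER_USER:+--username "$DOCKER_USER"} \
      ''${DOCKER_PASS:+--password "$DOCKER_PASS"} \
      ''${DOCKER_TOKEN:+--token "$DOCKER_TOKEN"} \
      ${layerDigestFlag} \
      ${imageRef} \
      ${tagArg}
  '';

  buildInputs = [ haskellPackages.hocker ];

  # Fixed-output derivation: whatever the registry serves must hash to the
  # caller-supplied sha256, so the fetched content is integrity-pinned
  # regardless of which tag or registry was named.
  outputHashAlgo = "sha256";
  outputHashMode = "flat";
  outputHash = sha256;

  preferLocalBuild = true;

  # Credentials may be handed to the builder through these environment
  # variables; the builder script gives them priority over the values read
  # from the credentials file.
  impureEnvVars = [
    "DOCKER_USER"
    "DOCKER_PASS"
    "DOCKER_TOKEN"
  ];

  # Exported to the builder as the $registry and $dockerCredentialsFile
  # environment variables it reads.
  inherit registry dockerCredentialsFile;
}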