
Commit 7b35194

committed
Fix image building workflow
1 parent b74a4ab commit 7b35194

2 files changed

+113
-87
lines changed


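--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -11,32 +11,55 @@ env:
 
 jobs:
 build:
-runs-on: ubuntu-latest
+strategy:
+matrix:
+image: [controller, proxy, builder]
+include:
+- runner: ubuntu-latest
+arch: amd64
+- runner: ubuntu-24.04-arm
+arch: arm64
+runs-on: ${{ matrix.runner }}
 permissions:
 id-token: write
 contents: read
 packages: write
-strategy:
-matrix:
-image: [controller, proxy, builder]
 steps:
-- name: Checkout repository
-uses: actions/checkout@v4
-
+- uses: actions/checkout@v4
 - uses: DeterminateSystems/determinate-nix-action@v3
 - uses: DeterminateSystems/flakehub-cache-action@main
 
-- name: Log in to Container Registry
-uses: docker/login-action@v3
+- uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
 username: ${{ github.actor }}
 password: ${{ secrets.GITHUB_TOKEN }}
 
-- name: Build ${{ matrix.image }} image
-run: nix build .#${{ matrix.image }}-image
-
-- name: Load and push ${{ matrix.image }} image
+- name: Build and push ${{ matrix.image }} (${{ matrix.arch }})
 run: |
+nix build .#${{ matrix.image }}-image
 docker load < result
-docker push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:latest
+docker push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:${{ matrix.arch }}
+
+manifest:
+needs: build
+runs-on: ubuntu-latest
+if: github.event_name == 'push'
+permissions:
+packages: write
+strategy:
+matrix:
+image: [controller, proxy, builder]
+steps:
+- uses: docker/login-action@v3
+with:
+registry: ${{ env.REGISTRY }}
+username: ${{ github.actor }}
+password: ${{ secrets.GITHUB_TOKEN }}
+
+- name: Create multi-arch manifest
+run: |
+docker manifest create ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:latest \
+--amend ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:amd64 \
+--amend ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:arm64
+docker manifest push ${{ env.REGISTRY }}/${{ github.repository }}/${{ matrix.image }}:latest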
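Review bot: The `docker push` in the build job's "Build and push" step runs on every event the workflow fires for, while only the new `manifest` job is gated on `github.event_name == 'push'`, so the mutable `:amd64`/`:arch64`-style per-arch tags can be overwritten by a non-push run (if the workflow has such a trigger; the `on:` block is outside this hunk) without `:latest` being refreshed, and two concurrent runs can race between the per-arch push and `docker manifest create`. Either add the same `if: github.event_name == 'push'` to the build job's push step, or tag the per-arch images with `${{ github.sha }}` and have the manifest step reference those immutable tags (or the digests `docker push` prints) instead of `:amd64`/`:arm64`. The actions in this hunk are referenced by mutable refs (`@v3`, `@v4`, and `@main` for flakehub-cache-action); pinning each to a commit SHA with a version comment would close the most common workflow supply-chain gap here.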

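--- a/flake.nix
+++ b/flake.nix
@@ -17,101 +17,104 @@
 let
 pkgs = nixpkgs.legacyPackages.${system};
 version = "0.1.0";
-in
-{
-packages = {
-controller = pkgs.buildGoModule {
-pname = "controller";
-inherit version;
-src = ./.;
-vendorHash = "sha256-Ua6i6574AG84UsyAIj/KL5yc0+4BVVy1eR+N98qpUkQ=";
-subPackages = [ "cmd/controller" ];
-ldflags = [
-"-s"
-"-w"
-"-X main.version=${version}"
-];
-};
 
-proxy = pkgs.buildGoModule {
-pname = "proxy";
+# Build a Go binary for a given pkgs set
+buildGoApp =
+goPkgs: name:
+goPkgs.buildGoModule {
+pname = name;
 inherit version;
 src = ./.;
 vendorHash = "sha256-Ua6i6574AG84UsyAIj/KL5yc0+4BVVy1eR+N98qpUkQ=";
-subPackages = [ "cmd/proxy" ];
+subPackages = [ "cmd/${name}" ];
+CGO_ENABLED = 0;
 ldflags = [
 "-s"
 "-w"
 "-X main.version=${version}"
 ];
 };
 
-controller-image = pkgs.dockerTools.buildImage {
-name = "ghcr.io/omarjatoi/nix-remote-build-controller/controller";
+# Build a container image for a given app
+buildImage =
+imgPkgs: name: app:
+imgPkgs.dockerTools.buildImage {
+name = "ghcr.io/omarjatoi/nix-remote-build-controller/${name}";
 tag = "latest";
-contents = [ self.packages.${system}.controller ];
+contents = [ app ];
 config = {
-Entrypoint = [ "${self.packages.${system}.controller}/bin/controller" ];
+Entrypoint = [ "${app}/bin/${name}" ];
 };
 };
+in
+{
+packages = {
+# Native binaries for local development
+controller = buildGoApp pkgs "controller";
+proxy = buildGoApp pkgs "proxy";
 
-proxy-image = pkgs.dockerTools.buildImage {
-name = "ghcr.io/omarjatoi/nix-remote-build-controller/proxy";
-tag = "latest";
-contents = [ self.packages.${system}.proxy ];
-config = {
-Entrypoint = [ "${self.packages.${system}.proxy}/bin/proxy" ];
-};
-};
+# Container images (uses current system's pkgs - works on Linux runners)
+controller-image = buildImage pkgs "controller" self.packages.${system}.controller;
+proxy-image = buildImage pkgs "proxy" self.packages.${system}.proxy;
+
+# Entrypoint script for builder container - runs setup at container start
+builder-entrypoint = pkgs.writeShellScriptBin "entrypoint" ''
+set -e
+
+# Create necessary directories
+mkdir -p /etc/ssh /var/empty /home/nixbld/.ssh
+
+# Create nixbld user if it doesn't exist
+if ! id nixbld &>/dev/null; then
+echo "nixbld:x:1000:1000:Nix Build User:/home/nixbld:/bin/sh" >> /etc/passwd
+echo "nixbld:x:1000:" >> /etc/group
+fi
+
+# Generate host key if needed
+if [ ! -f /etc/ssh/ssh_host_ed25519_key ]; then
+${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
+fi
+
+# Set up SSH config
+cat > /etc/ssh/sshd_config <<SSHD_CONFIG
+HostKey /etc/ssh/ssh_host_ed25519_key
+AuthorizedKeysFile /home/nixbld/.ssh/authorized_keys
+PasswordAuthentication no
+AllowUsers nixbld
+SSHD_CONFIG
+
+# Fix permissions
+chown -R nixbld:nixbld /home/nixbld
+chmod 700 /home/nixbld/.ssh
+
+# Start nix-daemon in the background
+${pkgs.nix}/bin/nix-daemon &
+sleep 1
+
+# Start SSHD
+exec ${pkgs.openssh}/bin/sshd -D -e
+'';
 
 builder-image = pkgs.dockerTools.buildImage {
 name = "ghcr.io/omarjatoi/nix-remote-build-controller/builder";
 tag = "latest";
-fromImage = pkgs.dockerTools.pullImage {
-imageName = "nixos/nix";
-imageDigest = "sha256:0e6ade350a4d86d76dd4046a654ccbbb58d14fe93b6e3deef42c1d0fd9db3849";
-sha256 = "sha256-zdGBgjbw+Z8iP5hu5oCkehO6L/VFlWmUiGsB4Y2z6i0=";
+copyToRoot = pkgs.buildEnv {
+name = "builder-root";
+paths = [
+pkgs.nix
+pkgs.openssh
+pkgs.coreutils
+pkgs.bashInteractive
+self.packages.${system}.builder-entrypoint
+];
+pathsToLink = [ "/bin" "/etc" "/share" ];
 };
-contents = [
-pkgs.openssh
-pkgs.shadow
-];
-runAsRoot = ''
-#!${pkgs.runtimeShell}
-mkdir -p /etc/ssh /var/empty
-${pkgs.shadow}/bin/useradd -m -s /bin/sh nixbld
-mkdir -p /home/nixbld/.ssh
-chown nixbld:nixbld /home/nixbld/.ssh
-chmod 700 /home/nixbld/.ssh
-${pkgs.openssh}/bin/ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -N ""
-
-cat > /etc/ssh/sshd_config <<SSHD_CONFIG
-HostKey /etc/ssh/ssh_host_ed25519_key
-AuthorizedKeysFile /home/nixbld/.ssh/authorized_keys
-PasswordAuthentication no
-AllowUsers nixbld
-SSHD_CONFIG
-
-# Create entrypoint script
-cat > /bin/entrypoint.sh <<EOF
-#!${pkgs.runtimeShell}
-# Start nix-daemon in the background
-${pkgs.nix}/bin/nix-daemon &
-
-# Wait for daemon to be ready
-sleep 1
-
-# Start SSHD
-exec ${pkgs.openssh}/bin/sshd -D -e
-EOF
-chmod +x /bin/entrypoint.sh
-
-# Ensure nix binaries are in path
-ln -sf ${pkgs.nix}/bin/nix* /bin/
-'';
 config = {
-Cmd = [ "/bin/entrypoint.sh" ];
-Env = [ "PATH=/bin:/usr/bin" ];
+Entrypoint = [ "${self.packages.${system}.builder-entrypoint}/bin/entrypoint" ];
+Env = [
+"PATH=/bin"
+"NIX_SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+];
 ExposedPorts = {
 "22/tcp" = { };
 };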
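Review bot: The `builder-entrypoint` script only appends a `nixbld` line to `/etc/passwd`, but the image no longer inherits an account database from the dropped `nixos/nix` base and none of the `copyToRoot` paths appear to ship one, so there is no `sshd` privilege-separation user; OpenSSH aborts at startup with "Privilege separation user sshd does not exist" when that account cannot be resolved, and a missing `root` entry will likely trouble `nix-daemon` as well. Add the two accounts next to the `nixbld` line, e.g. `echo "root:x:0:0:root:/root:/bin/sh" >> /etc/passwd` and `echo "sshd:x:74:74:SSH privsep:/var/empty:/bin/false" >> /etc/passwd` (constructed uids; pick ones that do not collide). Because `/etc/ssh` lives on the container's writable layer, the `ssh-keygen` guard generates a fresh host key for every new container, so the controller cannot pin the builder's host key unless `/etc/ssh` is mounted from persistent storage; the comment above the guard should say so, e.g. `# Host key is regenerated per container unless /etc/ssh is persisted; the controller must verify it out-of-band`. Finally, the old `fromImage` base supplied a populated Nix store database and `copyToRoot` does not, so the backgrounded `nix-daemon` may start against an empty store; check whether the pinned nixpkgs' `dockerTools.buildImage` offers `includeNixDB` (or seed the DB in the image) before relying on it. The surrounding `outputs` function starts and ends outside this hunk.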
