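# SPDX-FileCopyrightText: 2020 Luke Granger-Brown
#
# SPDX-License-Identifier: Apache-2.0
#
# Builds a Docker image that layers a small sshd/user customisation on top of
# the upstream Heptapod image: an `hg` account that shares the `git` account's
# uid/gid, plus certificate-based ssh authentication (TrustedUserCAKeys with a
# principals check through gitlab-shell) for both `git` and `hg`.
{ pkgs, ... }:
let
  # Upstream image, pinned by content digest (and by the fixed-output hash of
  # the pulled tarball) so the base layer is reproducible.
  origImageArgs = {
    imageName = "octobus/heptapod";
    imageDigest = "sha256:af6a7f47a15410c521a0d620377b98fa6f5715d6f091ea39d7e332146d20786c";
    sha256 = "sha256:1gdi9q02g2a5y2vmpxray4l8rq3yapqpdbg0fg7xxk9f99ysng7j";
    finalImageName = "octobus/heptapod";
    finalImageTag = "0.30.1";
  };
  origImage = pkgs.dockerTools.pullImage origImageArgs;
  name = origImageArgs.imageName;
  # Local tag is the upstream tag with a suffix so the two stay distinguishable.
  tag = "${origImageArgs.finalImageTag}-lukegb";
in
pkgs.dockerTools.buildImage rec {
  inherit name tag;
  fromImage = origImage;
  fromImageName = origImageArgs.finalImageName;
  fromImageTag = origImageArgs.finalImageTag;
  diskSize = 9216;

  # Executed as root inside the image at build time. The original shebang was
  # written as `#!{pkgs.runtimeShell}` (no `$`), which Nix does not interpolate;
  # it is corrected to a real interpolation here. Everything else in this string
  # reaches the build-time script verbatim (only `$`+`{` is special to Nix).
  runAsRoot = ''
    #!${pkgs.runtimeShell}
    # The ssh user CA public key the image trusts (referenced by TrustedUserCAKeys
    # below). Only the public half is embedded.
    cat <<"EOF" >/sshd_ca.pub
    ${builtins.readFile ../../../ops/secrets/client-ca.pub}
    EOF
    # Container entrypoint: it runs on every start, not at build time, so each
    # step is guarded to remain idempotent before handing off to the upstream
    # wrapper.
    #
    # - `hg` is created with the same uid and gid as `git` (`-o` permits the
    #   duplicate uid) and a locked password (`-p "*"`); on the filesystem the
    #   two accounts are therefore indistinguishable. The gid must come from
    #   `id -g` and the uid from `id -u`: the two were previously transposed,
    #   which only works by accident when git's uid and gid happen to be equal.
    # - `AllowUsers` is widened to admit `hg`. Since TrustedUserCAKeys is set
    #   globally, AllowUsers is what confines CA-signed logins to these two
    #   accounts.
    # - Both Match blocks map certificate principals through gitlab-shell; sshd
    #   runs that command as root (AuthorizedPrincipalsCommandUser), so the
    #   binary path must stay under the image's own control.
    cat <<"EOF" >/assets/wrapper_wrapper
    #!/bin/bash
    /usr/bin/id hg || /usr/sbin/useradd -g $(id -g git) -u $(id -u git) -o -d /var/opt/gitlab -p "*" hg
    /usr/bin/grep "AllowUsers git hg" /assets/sshd_config || /bin/sed -i "s/AllowUsers git/AllowUsers git hg/" /assets/sshd_config
    /usr/bin/cat <<"EOC" >>/assets/sshd_config
    TrustedUserCAKeys /sshd_ca.pub
    Match User git
    AuthorizedPrincipalsCommandUser root
    AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
    Match User hg
    AuthorizedPrincipalsCommandUser root
    AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
    EOC
    exec /assets/wrapper "$@"
    EOF
    # Readable and executable for everyone, writable by nobody.
    chmod ugo=rx /assets/wrapper_wrapper
  '';
  config.Cmd = [ "/assets/wrapper_wrapper" ];
} // {
  meta = { inherit name tag; };
}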