
# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
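{ pkgs, ... }:
let
  # Upstream Heptapod image, pinned by content digest so the base layers cannot
  # change underneath this build. `sha256` is the Nix hash of the pulled
  # tarball and has to be refreshed together with `imageDigest`.
  origImageArgs = {
    imageName = "octobus/heptapod";
    imageDigest = "sha256:b748ef2de9daa87c1266853ee20b804c28c2e2bb5a60afab29f761312ebfee5b";
    sha256 = "sha256:1ljy2jx5cvqjj7z7ikhnayphw5bjsk0mqqgqpdf5a0gfcvnm1pkk";
    finalImageName = "octobus/heptapod";
    finalImageTag = "0.30.0";
  };
  origImage = pkgs.dockerTools.pullImage origImageArgs;
  name = origImageArgs.imageName;
  # Local tag is the upstream tag plus a suffix so it never collides with it.
  tag = "${origImageArgs.finalImageTag}-lukegb";
in pkgs.dockerTools.buildImage rec {
  inherit name tag;
  fromImage = origImage;
  fromImageName = origImageArgs.finalImageName;
  fromImageTag = origImageArgs.finalImageTag;
  # Scratch disk (MiB) for the VM in which `runAsRoot` is executed.
  diskSize = 9216;
  # Executed once at image build time, as root, in a VM with the base image
  # mounted. dockerTools supplies its own shell header for this script, so the
  # `#!` line below is only a comment (the original was missing the `$` of the
  # interpolation). Both heredocs are quoted (<<"EOF"), so nothing inside them
  # is expanded here: the $(...) substitutions run inside the container, every
  # time it starts.
  runAsRoot = ''
    #!${pkgs.runtimeShell}
    # Public key of the SSH CA whose certificates are accepted for git/hg
    # logins. It is the public half only, so keeping it in the image and in
    # the Nix store is fine.
    cat <<"EOF" >/sshd_ca.pub
    ${builtins.readFile ../../../ops/secrets/client-ca.pub}
    EOF
    # Entrypoint shim that runs before the upstream /assets/wrapper on every
    # container start; each step is guarded so restarts are idempotent.
    cat <<"EOF" >/assets/wrapper_wrapper
    #!/bin/bash
    # Create an "hg" account that shares uid AND gid with "git" (-o permits
    # the duplicate uid) and has a locked password. The original call had
    # -u/-g swapped (uid from id -g, gid from id -u), which only worked while
    # the two numbers happened to be equal. Presumably this is so hg@ SSH
    # logins see the same files as git@ - hg is effectively the git account.
    /usr/bin/id hg >/dev/null 2>&1 || /usr/sbin/useradd -o -u "$(id -u git)" -g "$(id -g git)" -d /var/opt/gitlab -p "*" hg
    # Let sshd accept the hg user as well as git.
    /usr/bin/grep -q "AllowUsers git hg" /assets/sshd_config || /bin/sed -i "s/AllowUsers git/AllowUsers git hg/" /assets/sshd_config
    # Append the certificate-auth directives only once; an unguarded append
    # would duplicate them on every restart of the same container.
    if ! /usr/bin/grep -q "^TrustedUserCAKeys /sshd_ca.pub" /assets/sshd_config; then
    /usr/bin/cat <<"EOC" >>/assets/sshd_config
    # Accept certificates signed by the CA installed at image build time.
    # NOTE(review): this is appended as a global directive; if the upstream
    # sshd_config already ends in a Match block it would land inside that
    # block instead - verify against the shipped /assets/sshd_config.
    TrustedUserCAKeys /sshd_ca.pub
    Match User git
    # NOTE(review): GitLab documents running this check as the git user;
    # root is more privilege than the lookup needs - confirm it is required.
    AuthorizedPrincipalsCommandUser root
    # gitlab-shell documents the arguments as <key-id> <principal...>
    # (normally %i sshUsers). Both are fixed to "lukegb" here, so any
    # CA-signed certificate carrying principal "lukegb" logs in as that
    # GitLab user whatever its key ID - acceptable for a single-user
    # instance, which this presumably is; confirm before reusing elsewhere.
    AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
    Match User hg
    AuthorizedPrincipalsCommandUser root
    AuthorizedPrincipalsCommand /opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check lukegb lukegb
    EOC
    fi
    # Hand over to the upstream entrypoint with the original arguments.
    exec /assets/wrapper "$@"
    EOF
    chmod ugo=rx /assets/wrapper_wrapper
  '';
  config.Cmd = ["/assets/wrapper_wrapper"];
} // {
  meta = { inherit name tag; };
}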