# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0
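{ pkgs, ... }:
# octobus/heptapod (GitLab + Mercurial) repackaged with a start-up wrapper that
# turns on SSH certificate authentication against our client CA for the
# `git` and `hg` SSH login users.
let
  # Upstream image pinned by digest; `sha256` is the fixed-output hash of the
  # pulled layers, so the build fails if the registry content ever changes.
  origImageArgs = {
    imageName = "octobus/heptapod";
    imageDigest = "sha256:af6a7f47a15410c521a0d620377b98fa6f5715d6f091ea39d7e332146d20786c";
    sha256 = "sha256:1gdi9q02g2a5y2vmpxray4l8rq3yapqpdbg0fg7xxk9f99ysng7j";
    finalImageName = "octobus/heptapod";
    finalImageTag = "0.30.1";
  };
  origImage = pkgs.dockerTools.pullImage origImageArgs;

  name = origImageArgs.imageName;
  tag = "${origImageArgs.finalImageTag}-lukegb";

  # Public half of the user CA that sshd will trust. It is baked into the
  # image as /sshd_ca.pub; no private material is embedded.
  clientCaPub = builtins.readFile ../../../ops/secrets/client-ca.pub;

  gitlabShellPrincipalsCheck =
    "/opt/gitlab/embedded/service/gitlab-shell/bin/gitlab-shell-authorized-principals-check";

  # Replacement entrypoint. Every container start begins from the pristine
  # image, so this re-applies the sshd changes on each start and then execs
  # upstream's /assets/wrapper with the original arguments.
  wrapperScript = ''
    #!/bin/bash
    # Fail closed: never start sshd with a half-applied configuration.
    set -e

    # `hg` shares git's uid AND gid (-o permits the duplicate uid) so that
    # repositories written through either login have identical ownership.
    # -u takes the uid and -g the gid -- do not swap them; it only appears to
    # work when git's uid and gid happen to coincide.
    /usr/bin/id hg >/dev/null 2>&1 \
      || /usr/sbin/useradd -u "$(id -u git)" -g "$(id -g git)" -o -d /var/opt/gitlab -p "*" hg

    # Let `hg` log in over SSH. AllowUsers is also what confines the CA below
    # to these two accounts: for a user without a Match block, sshd matches
    # certificate principals against the login name itself.
    /usr/bin/grep -q "AllowUsers git hg" /assets/sshd_config \
      || /bin/sed -i "s/AllowUsers git/AllowUsers git hg/" /assets/sshd_config

    # Trust certificates signed by our CA. Both arguments to the principals
    # check are the literal string "lukegb" rather than sshd's %i token
    # (certificate key id), so -- assuming the check maps key id to GitLab
    # account as in GitLab's documentation -- every CA-signed certificate that
    # carries the principal "lukegb" lands on that one account. Fine for a
    # single-user instance, but the CA cannot issue certificates for any other
    # account without editing this file.
    # NOTE(review): GitLab's own examples run the check as the `git` user;
    # root looks like more privilege than is needed here -- confirm and lower.
    /usr/bin/cat <<"EOC" >>/assets/sshd_config
    TrustedUserCAKeys /sshd_ca.pub
    Match User git,hg
    AuthorizedPrincipalsCommandUser root
    AuthorizedPrincipalsCommand ${gitlabShellPrincipalsCheck} lukegb lukegb
    EOC

    exec /assets/wrapper "$@"
  '';
in
pkgs.dockerTools.buildImage {
  inherit name tag;
  fromImage = origImage;
  fromImageName = origImageArgs.finalImageName;
  fromImageTag = origImageArgs.finalImageTag;
  diskSize = 9216;

  # buildImage wraps this text in its own `#!${pkgs.runtimeShell}` script, so
  # no shebang belongs here (a shebang on a later line is only a comment).
  runAsRoot = ''
    cat <<"EOF" >/sshd_ca.pub
    ${clientCaPub}
    EOF
    cat <<"EOF" >/assets/wrapper_wrapper
    ${wrapperScript}
    EOF
    # Read/execute only: the entrypoint must not be writable inside the image.
    chmod ugo=rx /assets/wrapper_wrapper
  '';

  config.Cmd = [ "/assets/wrapper_wrapper" ];
} // {
  meta = { inherit name tag; };
}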