
commit 49151b1a096facf2ab476d40390f4c7dcd75d2f8
parent 97ae9b0969415f5f7d445d0c5ba9dc0b504403b9
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Thu,  1 Sep 2022 13:31:07 +0200

systems/modules: add an image mirroring job…

… and configure aomi to use it.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Msystems/hosts/aomi.nix | 58+++++++++++++++++++++++++++++++++++++++++-----------------
Asystems/modules/dev/containers-image-mirroring.nix | 80+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Msystems/modules/dev/default.nix | 1+
3 files changed, 122 insertions(+), 17 deletions(-)

diff --git a/systems/hosts/aomi.nix b/systems/hosts/aomi.nix @@ -82,6 +82,30 @@ in hardware = { laptop.enable = true; }; + dev = { + enable = true; + containers = { + enable = true; + docker.enable = true; + podman.enable = true; + image-mirroring = { + enable = true; + targets = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ]; + settings = { + "docker.io" = { + "images" = { + # sync latest and edge tags + "alpine" = [ "latest" "edge" ]; + }; + "images-by-tag-regex" = { + # sync all "3.x" images" + "alpine" = "^[3-0]\.[0-9]+$"; + }; + }; + }; + }; + }; + }; services = { avahi.enable = true; ssh.enable = true; @@ -92,10 +116,10 @@ in profiles = { externalbuilder.enable = true; home = true; - dev.enable = true; + # dev.enable = true; virtualization = { enable = true; nested = true; }; redhat.enable = true; - docker.enable = true; + # docker.enable = true; }; @@ -140,21 +164,21 @@ in }; }; - virtualisation.podman.enable = true; - virtualisation.containers = { - enable = true; - registries = { - search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; - }; - policy = { - default = [{ type = "insecureAcceptAnything"; }]; - transports = { - docker-daemon = { - "" = [{ type = "insecureAcceptAnything"; }]; - }; - }; - }; - }; + # virtualisation.podman.enable = true; + # virtualisation.containers = { + # enable = true; + # registries = { + # search = [ "registry.fedoraproject.org" "registry.access.redhat.com" "registry.centos.org" "docker.io" "quay.io" ]; + # }; + # policy = { + # default = [{ type = "insecureAcceptAnything"; }]; + # transports = { + # docker-daemon = { + # "" = [{ type = "insecureAcceptAnything"; }]; + # }; + # }; + # }; + # }; # Move this to a "builder" role users.extraUsers.builder = { diff --git a/systems/modules/dev/containers-image-mirroring.nix b/systems/modules/dev/containers-image-mirroring.nix 
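Review bot: The tag regex `"^[3-0]\.[0-9]+$"` in the new `images-by-tag-regex` entry of the first hunk will not do what the comment above it says: `[3-0]` is a reversed character range, which Go's regexp (what skopeo uses) rejects as an invalid character class, and inside a Nix double-quoted string `\.` is read as a plain `.`, so even with the range fixed the dot would match any character rather than a literal period. For "all 3.x tags" the line should be `"alpine" = "^3\\.[0-9]+$";`, and the comment has a stray quote: `# sync all "3.x" images`. Because skopeo only evaluates the regex when the timer fires, this will not surface at build time, only as a failed or empty weekly sync. The enclosing attribute set starts and ends outside the hunk.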
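Review bot: The second and third hunks comment out the replaced `profiles.dev`, `profiles.docker`, `virtualisation.podman` and `virtualisation.containers` settings instead of removing them; git already keeps the history, and a large dead block that still carries the `insecureAcceptAnything` policy is an easy thing for someone to uncomment later. If the intent is to keep a reference while the new `dev.containers` module is validated, a single line such as `# replaced by modules.dev.containers (see containers.nix)` says that more clearly; otherwise delete the lines. Note also that the explicit registry search list and signature policy previously set here are now delegated to the module; containers.nix is not in this commit, so confirm it defines a policy before the weekly mirroring job starts pulling images.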
@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+
+let
+ inherit (lib) mkEnableOption mkOption mkIf types;
+ cfg = config.modules.dev.containers.image-mirroring;
+ settingsFormat = pkgs.formats.yaml { };
+ settingsFile = settingsFormat.generate "sync.yaml" cfg.settings;
+in
+{
+ ##### interface
+ options = {
+ modules.dev.containers.image-mirroring = {
+ enable = mkEnableOption "Enable container image mirroring service";
+ targets = mkOption {
+ type = types.listOf types.str;
+ example = [ "quay.io/vdemeest" "ghcr.io/vdemeester" ];
+ description = lib.mdDoc ''
+ A list of targets to sync images to. It will use the same
+ sync configuration to push on all.
+ '';
+ };
+ settings = mkOption {
+ type = settingsFormat.type;
+ default = { };
+ example = {
+ "docker.io" = {
+ "vdemeester/foo" = [ "latest" "bar" ];
+ };
+ "quay.io" = {
+ "buildah/stable" = [ "latest" ];
+ };
+ };
+ description = lib.mdDoc ''
+ Configuration of the image to sync, using skopeo-sync.
+ See skopeo-sync(1) for the content.
+ '';
+ };
+ };
+ };
+ ##### implementation
+ config = mkIf cfg.enable {
+ systemd.services.container-image-mirroring = {
+ description = "Synchronize docker images to a set of targets";
+ requires = [ "network-online.target" ];
+
+ restartIfChanged = false;
+ unitConfig.X-StopOnRemoval = false;
+
+ serviceConfig = {
+ Type = "oneshot";
+ User = "vincent";
+ OnFailure = "status-email-root@%.service";
+ };
+
+ path = with pkgs; [ skopeo ];
+ # ./scripts/docker.mirroring.script.sh;
+ script = ''
+ BUILDTMPDIR=$(mktemp -d)
+ trap 'rm -rf -- "$BUILDTMPDIR"' EXIT
+
+
+ # Pull to dir first
+ skopeo sync --src yaml --dest dir \
+ ${settingsFile} \
+ $BUILDTMPDIR
+
+ # Push to targets
+ for target in ${lib.strings.concatStringsSep " " cfg.targets}; do
+ skopeo sync --src dir --dest docker \
+ $BUILDTMPDIR \
+ $target
+ done
+ '';
+
+ after = [ "network-online.target" ];
+ # Make it configurable ?
+ startAt = "weekly";
+ };
+ };
+}
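Review bot: `OnFailure = "status-email-root@%.service"` in serviceConfig uses `%.`, which is not a systemd specifier; the usual way to hand the failing unit's name to a template is `%n`, i.e. `OnFailure = "status-email-root@%n.service";`, and since the `status-email-root@.service` template is not defined in this commit, confirm it exists on the hosts that enable the module. The `settings` example nests image lists directly under the registry (`"docker.io" = { "vdemeester/foo" = [ ... ]; }`), whereas skopeo-sync's YAML and the aomi.nix usage in this same commit put them under an `images` or `images-by-tag-regex` key, so the example is not the format skopeo reads; `"docker.io" = { images = { "vdemeester/foo" = [ "latest" "bar" ]; }; };` matches the documented layout. The unit also hard-codes `User = "vincent"` and `startAt = "weekly"` (the `# Make it configurable ?` comment already flags the latter), which ties a reusable module to one account and one cadence; both fit naturally as options next to `targets`, as sketched below. Because the push step authenticates with whatever registry credentials that user has stored, an explicit user option also documents which credential store the job depends on.
```nix
      user = mkOption {
        type = types.str;
        default = "vincent";
        description = lib.mdDoc "User the mirroring job runs as; its stored registry credentials are used for the push.";
      };
      schedule = mkOption {
        type = types.str;
        default = "weekly";
        description = lib.mdDoc "systemd calendar expression controlling how often the sync runs.";
      };
      # … unchanged: settings option …
# … unchanged: systemd unit header, requires, restartIfChanged, unitConfig …
        User = cfg.user;
        OnFailure = "status-email-root@%n.service";
# … unchanged: path, script, after …
      startAt = cfg.schedule;
```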
diff --git a/systems/modules/dev/default.nix b/systems/modules/dev/default.nix @@ -2,5 +2,6 @@ imports = [ ./base.nix ./containers.nix + ./containers-image-mirroring.nix ]; }