commit e982acf02cd4667b53f5ec15292905051ba5e917
Author: Julian Mutter
Date: Thu Jun 4 13:55:10 2026 +0200
First commit
diff --git a/.gitea/workflows/build.yaml b/.gitea/workflows/build.yaml
new file mode 100644
index 0000000..fc7ffac
--- /dev/null
+++ b/.gitea/workflows/build.yaml
@@ -0,0 +1,41 @@
+name: Build and Publish Runner Image
+on:
+ push:
+ branches:
+ - main
+ schedule:
+ # Run at 03:00 every Sunday to keep the base image fresh
+ - cron: '0 3 * * 0'
+
+env:
+ # Adjust this if your Gitea domain is different
+ REGISTRY: gitlab.julian-mutter.de
+ # This automatically evaluates to your user/repo name (e.g., julian/nix-ci-runner)
+ IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+ build-and-push:
+ # We use the standard ubuntu-latest to build our custom runner
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Gitea Actions automatically provides a token that can push to its own registry
+ - name: Log in to the Container registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Set up Docker Buildx
+ uses: docker/setup-buildx-action@v3
+
+ - name: Build and push Docker image
+ uses: docker/build-push-action@v5
+ with:
+ context: .
+ push: true
+ # Tags it as 'latest'. If you push to main, it updates 'latest'.
+ tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..836f697
--- /dev/null
+++ b/Dockerfile
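Review bot: Every action in the steps is referenced by a mutable tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/setup-buildx-action@v3`, `docker/build-push-action@v5`), and this job holds registry credentials and produces the image every downstream pipeline runs in, so a tag moved upstream changes what executes here without any change in this repository. Pin each `uses:` to a full-length commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<FULL_COMMIT_SHA>  # v4`, and bump them through tracked updates. The `tags:` line at the end of the hunk publishes only the floating `:latest`, so consumers cannot pin to a known build or roll back; adding an immutable tag alongside it, `tags: |` followed by `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest` and `${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}`, costs nothing at build time. The `REGISTRY` value is a host named `gitlab.…` while the comment above it talks about a Gitea domain; if that is intentional, the comment should say so.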
@@ -0,0 +1,25 @@
+# Start with the official Cachix Devenv image (which has Nix and Devenv pre-installed)
+FROM ghcr.io/cachix/devenv/devenv:latest
+
+# Switch to root to install system-level packages
+USER root
+
+# Install the critical dependencies for Gitea Actions
+# - nodejs: Required to run standard actions (like actions/checkout)
+# - sudo: Required by many actions to escalate privileges
+# - bash & jq: Standard utilities often expected in CI scripts
+RUN apt-get update && \
+ apt-get install -y nodejs sudo bash jq && \
+ apt-get clean && \
+ rm -rf /var/lib/apt/lists/*
+
+# Allow passwordless sudo for any user in the container.
+# CI runners often execute as 'runner' or 'root'. This guarantees neither gets stuck.
+RUN echo "ALL ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+# Guarantee the image ships without the Nix sandboxing artifact.
+# This prevents the "purity" crash on the very first Nix run.
+RUN rm -rf /homeless-shelter
+
+# Set the default shell to bash
+CMD ["/bin/bash"]
diff --git a/Readme.md b/Readme.md
new file mode 100644
index 0000000..39f9027
--- /dev/null
+++ b/Readme.md
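Review bot: `USER root` is never switched back, so every container started from this image — and therefore every step of every downstream job — runs as root, which makes the `NOPASSWD:ALL` rule appended to `/etc/sudoers` redundant for the default user and means any job that checks out and builds code it does not control executes that code as root inside the container. If a non-root default user is intended, add a `USER` instruction after the `RUN` steps; either way, the comment above the sudo rule should state that this image is meant for pipelines whose inputs are already trusted. Appending to `/etc/sudoers` with `>>` also skips syntax validation; the conventional form is a drop-in, `RUN echo "ALL ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/ci-runner && chmod 0440 /etc/sudoers.d/ci-runner && visudo -cf /etc/sudoers.d/ci-runner` (assuming the base's sudoers includes `/etc/sudoers.d`, as Debian-family packages do and the `apt-get` calls suggest). `FROM ghcr.io/cachix/devenv/devenv:latest` combined with the weekly rebuild means two builds of the same commit can differ with no record of why; pinning the base by digest, `FROM ghcr.io/cachix/devenv/devenv:latest@sha256:<BASE_DIGEST>`, with the digest bumped by a tracked change keeps the refresh while making each published image reproducible.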
@@ -0,0 +1,54 @@
+# Nix CI Runner for Gitea Actions
+
+A purpose-built Docker image for running Nix and Devenv pipelines inside Gitea Actions seamlessly.
+
+## 💡 Why does this exist?
+Running standard Nix commands inside unprivileged Docker containers (which Gitea Actions uses by default) often results in friction.
+* Standard Ubuntu images require installing Nix on every run (which takes time) and lack default caching setups.
+* Standard Nix images lack `nodejs`, causing basic CI tools like `actions/checkout` to crash.
+* Nix inside standard Docker creates a `/homeless-shelter` artifact due to disabled namespaces, causing "purity" crashes on subsequent runs.
+
+This project solves all of the above by baking everything into a single, clean base image.
+
+## ✨ Features
+* **Base:** Official `cachix/devenv:latest` (Nix and Devenv pre-installed, flakes enabled).
+* **Actions Compatible:** Pre-loaded with `nodejs`, `bash`, and `jq` so standard GitHub/Gitea Actions execute flawlessly.
+* **Privilege Escalation:** Configured with passwordless `sudo` for smooth CI execution.
+* **Pre-cleaned:** The `/homeless-shelter` artifact is purged during the build, guaranteeing a pure Nix environment out-of-the-box.
+
+## 🚀 Usage in your CI/CD
+
+To use this image in your other Nix-based Gitea repositories, simply define it under the `container` key in your workflow file.
+
+You no longer need to use `install-nix-action` or install system dependencies manually.
+
+```yaml
+name: Build and Deploy
+on: [push]
+
+jobs:
+ deploy:
+ runs-on: ubuntu-latest
+
+ # 1. Point the runner to use this custom image
+ container:
+ image: gitlab.julian-mutter.de/julian/nix-ci-runner:latest
+ # Provide credentials if your registry is private
+ credentials:
+ username: ${{ github.actor }}
+ password: ${{ secrets.GITHUB_TOKEN }}
+
+ steps:
+ # Node.js is pre-installed, so standard actions work instantly
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Optional: Add caching (nix-community/cache-nix-action) here
+
+ # 2. Run your Nix commands natively
+ - name: Build Flake
+ run: nix build .#default
+```
+
+## 🔄 Maintenance
+This repository contains a scheduled Gitea Action that runs **every Sunday**. It automatically pulls the latest `devenv` base image, reinstalls the dependencies, and pushes a fresh `latest` tag to the registry. Your pipelines will always have up-to-date Nix packages without manual intervention.