Merge remote-tracking branch 'origin/master' into arion-hs

2019-09-27 12:28:57 +02:00 · 2019-09-27 12:28:57 +02:00 · 9d7eb01c73
commit 9d7eb01c73
parent 6d6361e7e8 81a51ae5ea
8 changed files with 31 additions and 6 deletions
--- a/2
+++ b/2
@ -187,7 +187,7 @@
      same "printed page" as the copyright notice for easier
      identification within third-party archives.

-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2019 Hercules Labs OÜ

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
--- a/README.asciidoc
+++ b/README.asciidoc
@ -51,7 +51,7 @@ Add this module to your NixOS configuration:

 ```nix
 { ... }: {
-  environment.systemPackages = [ (import (builtins.fetchTarball https://github.com/hercules-ci/arion/tarball/master) {}) ];
+  environment.systemPackages = [ (import (builtins.fetchTarball https://github.com/hercules-ci/arion/tarball/master) {}).arion ];
  virtualisation.docker.enable = true;
  users.extraUsers.myuser.extraGroups = ["docker"];
 }
--- a/bors.toml
+++ b/bors.toml
@ -0,0 +1,5 @@
+status = [
+  "ci/hercules/derivations",
+  "ci/hercules/evaluation",
+]
+delete_merged_branches = true
--- a/src/nix/modules/composition/docker-compose.nix
+++ b/src/nix/modules/composition/docker-compose.nix
@ -22,7 +22,7 @@ in
      readOnly = true;
    };
    build.dockerComposeYamlText = lib.mkOption {
-      type = lib.types.string;
+      type = lib.types.str;
      description = "The text of build.dockerComposeYaml.";
      readOnly = true;
    };
--- a/src/nix/modules/composition/host-environment.nix
+++ b/src/nix/modules/composition/host-environment.nix
@ -15,7 +15,7 @@
    };

    host.nixStorePrefix = lib.mkOption {
-      type = lib.types.string;
+      type = lib.types.str;
      default = "";
      example = "/mnt/foo";
      description = ''
--- a/src/nix/modules/service/docker-compose-service.nix
+++ b/src/nix/modules/service/docker-compose-service.nix
@ -90,6 +90,11 @@ in
      default = null;
      description = dockerComposeRef "command";
    };
+    service.container_name = mkOption {
+      type = nullOr types.str;
+      default = null;
+      description = dockerComposeRef "container_name";
+    };
    service.depends_on = mkOption {
      type = listOf str;
      default = [];
@ -169,6 +174,11 @@ in
      default = null;
      description = dockerComposeRef "network_mode";
    };
+    service.networks = mkOption {
+      type = nullOr (listOf types.str);
+      default = null;
+      description = dockerComposeRef "networks";
+    };
    service.stop_signal = mkOption {
      type = nullOr str;
      default = null;
@ -214,6 +224,8 @@ in
    inherit cap_drop;
  } // lib.optionalAttrs (config.service.command != null) {
    inherit (config.service) command;
+  } // lib.optionalAttrs (config.service.container_name != null) {
+    inherit (config.service) container_name;
  } // lib.optionalAttrs (config.service.depends_on != []) {
    inherit (config.service) depends_on;
  } // lib.optionalAttrs (config.service.devices != []) {
@ -238,6 +250,8 @@ in
    inherit (config.service) privileged;
  } // lib.optionalAttrs (config.service.network_mode != null) {
    inherit (config.service) network_mode;
+  } // lib.optionalAttrs (config.service.networks != null) {
+    inherit (config.service) networks;
  } // lib.optionalAttrs (config.service.restart != null) {
    inherit (config.service) restart;
  } // lib.optionalAttrs (config.service.stop_signal != null) {
--- a/src/nix/modules/service/host-store.nix
+++ b/src/nix/modules/service/host-store.nix
@ -17,6 +17,11 @@ in
      default = false;
      description = "Bind mounts the host store if enabled, avoiding copying.";
    };
+    service.hostStoreAsReadOnly = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount.";
+    };
    service.useHostNixDaemon = mkOption {
      type = types.bool;
      default = false;
@ -29,8 +34,8 @@ in
    service.build.context = "${../../../arion-image}";
    service.environment.NIX_REMOTE = lib.optionalString config.service.useHostNixDaemon "daemon";
    service.volumes = [
-      "${config.host.nixStorePrefix}/nix/store:/nix/store"
-      "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system"
+      "${config.host.nixStorePrefix}/nix/store:/nix/store${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
+      "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}"
      ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket";
    service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or []));
  };
--- a/src/nix/modules/service/nixos-init.nix
+++ b/src/nix/modules/service/nixos-init.nix
@ -26,6 +26,7 @@ in
    ];
    image.command = [ "${config.nixos.build.toplevel}/init" ];
    service.environment.container = "docker";
+    service.environment.PATH = "/usr/bin:/run/current-system/sw/bin/";
    service.volumes = [
      "/sys/fs/cgroup:/sys/fs/cgroup:ro"
    ];