diff --git a/LICENSE b/LICENSE index d645695..e8d43bf 100644 --- a/LICENSE +++ b/LICENSE @@ -187,7 +187,7 @@ same "printed page" as the copyright notice for easier identification within third-party archives. - Copyright [yyyy] [name of copyright owner] + Copyright 2019 Hercules Labs OÜ Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. diff --git a/README.asciidoc b/README.asciidoc index 725f3c3..459b0b8 100644 --- a/README.asciidoc +++ b/README.asciidoc @@ -51,7 +51,7 @@ Add this module to your NixOS configuration: ```nix { ... }: { - environment.systemPackages = [ (import (builtins.fetchTarball https://github.com/hercules-ci/arion/tarball/master) {}) ]; + environment.systemPackages = [ (import (builtins.fetchTarball https://github.com/hercules-ci/arion/tarball/master) {}).arion ]; virtualisation.docker.enable = true; users.extraUsers.myuser.extraGroups = ["docker"]; } diff --git a/bors.toml b/bors.toml new file mode 100644 index 0000000..8d42320 --- /dev/null +++ b/bors.toml @@ -0,0 +1,5 @@ +status = [ + "ci/hercules/derivations", + "ci/hercules/evaluation", +] +delete_merged_branches = true diff --git a/src/nix/modules/composition/docker-compose.nix b/src/nix/modules/composition/docker-compose.nix index 6734041..c223f68 100644 --- a/src/nix/modules/composition/docker-compose.nix +++ b/src/nix/modules/composition/docker-compose.nix @@ -22,7 +22,7 @@ in readOnly = true; }; build.dockerComposeYamlText = lib.mkOption { - type = lib.types.string; + type = lib.types.str; description = "The text of build.dockerComposeYaml."; readOnly = true; }; diff --git a/src/nix/modules/composition/host-environment.nix b/src/nix/modules/composition/host-environment.nix index 3e36531..5989695 100644 --- a/src/nix/modules/composition/host-environment.nix +++ b/src/nix/modules/composition/host-environment.nix 
@@ -15,7 +15,7 @@ }; host.nixStorePrefix = lib.mkOption { - type = lib.types.string; + type = lib.types.str; default = ""; example = "/mnt/foo"; description = '' diff --git a/src/nix/modules/service/docker-compose-service.nix b/src/nix/modules/service/docker-compose-service.nix index 54dae9f..80a795d 100644 --- a/src/nix/modules/service/docker-compose-service.nix +++ b/src/nix/modules/service/docker-compose-service.nix @@ -90,6 +90,11 @@ in default = null; description = dockerComposeRef "command"; }; + service.container_name = mkOption { + type = nullOr types.str; + default = null; + description = dockerComposeRef "container_name"; + }; service.depends_on = mkOption { type = listOf str; default = []; @@ -169,6 +174,11 @@ in default = null; description = dockerComposeRef "network_mode"; }; + service.networks = mkOption { + type = nullOr (listOf types.str); + default = null; + description = dockerComposeRef "networks"; + }; service.stop_signal = mkOption { type = nullOr str; default = null; @@ -214,6 +224,8 @@ in inherit cap_drop; } // lib.optionalAttrs (config.service.command != null) { inherit (config.service) command; + } // lib.optionalAttrs (config.service.container_name != null) { + inherit (config.service) container_name; } // lib.optionalAttrs (config.service.depends_on != []) { inherit (config.service) depends_on; } // lib.optionalAttrs (config.service.devices != []) { @@ -238,6 +250,8 @@ in inherit (config.service) privileged; } // lib.optionalAttrs (config.service.network_mode != null) { inherit (config.service) network_mode; + } // lib.optionalAttrs (config.service.networks != null) { + inherit (config.service) networks; } // lib.optionalAttrs (config.service.restart != null) { inherit (config.service) restart; } // lib.optionalAttrs (config.service.stop_signal != null) { diff --git a/src/nix/modules/service/host-store.nix b/src/nix/modules/service/host-store.nix index 9ec06fc..63a77c1 100644 --- a/src/nix/modules/service/host-store.nix 
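Review bot: The new `service.container_name` option spells its type as `nullOr types.str`, while the options around it in this file use the bare names (`listOf str` for `depends_on`, `nullOr str` for `stop_signal`), so the hunk introduces a second way of writing the same type; `type = nullOr str;` matches the file. The description could also carry the one Compose constraint that bites users here: `container_name` must be unique on the Docker host, so two compositions that set the same name, or scaling the service, fail to start instead of getting a generated name — e.g. append `" Must be unique on the Docker host; the service cannot be scaled while it is set."` to the description if `dockerComposeRef` yields a string. The enclosing options attrset starts and ends outside the hunk.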
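Review bot: `service.networks` is typed `nullOr (listOf types.str)`, which admits only the list form of the Compose `networks` key; Compose also accepts a mapping form (per-network `aliases`, static addresses), so users who need that cannot express it through the module — either widen the type, something like `nullOr (either (listOf str) (attrsOf attrs))`, or state in the description that only the list form is supported. The option also coexists with `service.network_mode` in this file, and as far as I recall Compose refuses a service that sets both, so an evaluation-time check such as `assertions = [ { assertion = config.service.network_mode == null || config.service.networks == null; message = "service.networks and service.network_mode cannot be combined"; } ];` (if this module exposes an assertions option) would surface the conflict before `docker-compose up` does. As with `container_name`, `types.str` could be bare `str` to match the rest of the file. The enclosing options attrset starts and ends outside the hunk.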
+++ b/src/nix/modules/service/host-store.nix @@ -17,6 +17,11 @@ in default = false; description = "Bind mounts the host store if enabled, avoiding copying."; }; + service.hostStoreAsReadOnly = mkOption { + type = types.bool; + default = true; + description = "Adds a ':ro' (read-only) access mode to the host nix store bind mount."; + }; service.useHostNixDaemon = mkOption { type = types.bool; default = false; @@ -29,8 +34,8 @@ in service.build.context = "${../../../arion-image}"; service.environment.NIX_REMOTE = lib.optionalString config.service.useHostNixDaemon "daemon"; service.volumes = [ - "${config.host.nixStorePrefix}/nix/store:/nix/store" - "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system" + "${config.host.nixStorePrefix}/nix/store:/nix/store${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}" + "${config.host.nixStorePrefix}${pkgs.buildEnv { name = "container-system-env"; paths = [ pkgs.bashInteractive pkgs.coreutils ]; }}:/run/system${lib.optionalString config.service.hostStoreAsReadOnly ":ro"}" ] ++ lib.optional config.service.useHostNixDaemon "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket"; service.command = lib.mkDefault (map escape (config.image.rawConfig.Cmd or [])); }; diff --git a/src/nix/modules/service/nixos-init.nix b/src/nix/modules/service/nixos-init.nix index 7521a09..5e97451 100644 --- a/src/nix/modules/service/nixos-init.nix +++ b/src/nix/modules/service/nixos-init.nix @@ -26,6 +26,7 @@ in ]; image.command = [ "${config.nixos.build.toplevel}/init" ]; service.environment.container = "docker"; + service.environment.PATH = "/usr/bin:/run/current-system/sw/bin/"; service.volumes = [ "/sys/fs/cgroup:/sys/fs/cgroup:ro" ];
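Review bot: The `hostStoreAsReadOnly` description says it adds `:ro` to "the host nix store bind mount", but in the `service.volumes` hunk below the same flag is appended to both the `/nix/store` mount and the `/run/system` mount of the `container-system-env` buildEnv, so the description under-states what turning it off opens up. Something like `description = "Mount the host's /nix/store (and the /run/system environment built from it) read-only in the container. Disabling this allows processes in the container to modify host store paths; leave enabled unless the container genuinely needs to write to the host store.";` documents both the scope and the consequence. Since `:ro` is a property of the bind mount, it is also worth a sentence that a container run with `service.privileged = true` (an option the docker-compose-service module in this same change passes through) may still be able to remount it writable, so the default is a guard rather than a hard boundary. The enclosing options attrset starts outside the hunk.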
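Review bot: The `lib.optionalString config.service.hostStoreAsReadOnly ":ro"` expression is duplicated in both volume entries; binding it once in the `let` that this file's `in` closes, e.g. `ro = lib.optionalString config.service.hostStoreAsReadOnly ":ro";`, and writing `"${config.host.nixStorePrefix}/nix/store:/nix/store${ro}"` keeps the two mounts from drifting apart when the next flag is added. A comment next to the `useHostNixDaemon` mount is also warranted: with `NIX_REMOTE=daemon` and the daemon socket bind-mounted, the container can presumably still have the host daemon add paths to the host store, so the read-only mount does not by itself prevent store writes in that configuration — `# NOTE: with useHostNixDaemon the container can still add store paths via the host daemon` makes that visible to readers. The `config` block this hunk modifies starts and ends outside the hunk.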
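Review bot: `service.environment.PATH` is assigned unconditionally, so a user who sets their own `PATH` for a NixOS-backed service gets a module conflict rather than an override; `service.environment.PATH = lib.mkDefault "/usr/bin:/run/current-system/sw/bin/";` follows the `lib.mkDefault` already used for `service.command` in host-store.nix in this same change (assuming `lib` is in scope here as in the sibling modules). The value also puts `/usr/bin` ahead of the NixOS system profile, so anything the base image ships under `/usr/bin` shadows the NixOS-provided tool of the same name; if that is intentional a short comment saying why is in order, otherwise `"/run/current-system/sw/bin:/usr/bin"` (without the trailing slash) is the more predictable order. The enclosing attrset starts and ends outside the hunk.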