From 3c9bc56e4e987c06758d05101d6f825454b5d581 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Fri, 12 May 2023 23:16:15 +0200 Subject: [PATCH 01/21] Build Docker images with Nix Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 43 ++++++++++++++++++++++++++++++++ default.nix | 6 +++++ mailbox/docker-image.nix | 23 +++++++++++++++++ nixpkgs.json | 5 ++++ nixpkgs.nix | 1 + relay/docker-image.nix | 24 ++++++++++++++++++ wormhole/docker-image.nix | 19 ++++++++++++++ 7 files changed, 121 insertions(+) create mode 100644 .github/workflows/docker-nix.yml create mode 100644 default.nix create mode 100644 mailbox/docker-image.nix create mode 100644 nixpkgs.json create mode 100644 nixpkgs.nix create mode 100644 relay/docker-image.nix create mode 100644 wormhole/docker-image.nix diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml new file mode 100644 index 0000000..0c3b0c5 --- /dev/null +++ b/.github/workflows/docker-nix.yml @@ -0,0 +1,43 @@ + +--- +name: Docker Nix Images + +on: + push: + branches: + - main + paths: + - '.github/workflows/docker-nix.yml' + - 'nixpkgs.json' + - '*.nix' + - '*/*.nix' + pull_request: + branches: + - main + paths: + - '.github/workflows/docker-nix.yml' + - 'nixpkgs.json' + - '*.nix' + - '*/*.nix' + +jobs: + build-nix: + name: Build Docker images with Nix + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v20 + with: + nix_path: nixpkgs=channel:nixos-22.11 + + - name: Build the Docker images with nix + run: | + nix-build | while read IMG; do + docker load --input ${IMG} + done + + - name: List images + run: docker images diff --git a/default.nix b/default.nix new file mode 100644 index 0000000..8a2f5ab --- /dev/null +++ b/default.nix 
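Review bot: The workflow pulls `actions/checkout@v3` and `cachix/install-nix-action@v20` by mutable tag, so a moved tag changes what runs in this job with no diff in the repository; pin each to a full commit SHA and keep the tag in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v3` (placeholder sha). The same applies to `pypa/gh-action-pip-audit@v1.0.0` added in patch 03. Separately, `nix_path: nixpkgs=channel:nixos-22.11` does not match the 21.11 release pinned in nixpkgs.json; since default.nix imports ./nixpkgs.nix, the channel presumably only affects `<nixpkgs>` lookups and does not pin the build, but the mismatch is misleading and deserves either a comment or removal.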
@@ -0,0 +1,6 @@ +{ pkgs ? import ./nixpkgs.nix { } }: +{ + mailbox = pkgs.callPackage ./mailbox/docker-image.nix { }; + relay = pkgs.callPackage ./relay/docker-image.nix { }; + wormhole = pkgs.callPackage ./wormhole/docker-image.nix { }; +} diff --git a/mailbox/docker-image.nix b/mailbox/docker-image.nix new file mode 100644 index 0000000..354228c --- /dev/null +++ b/mailbox/docker-image.nix @@ -0,0 +1,23 @@ +{ dockerTools, python3 }: +let + # Inject mailbox in the standard Python env + pyenv = python3.buildEnv.override { + extraLibs = [ python3.pkgs.magic-wormhole-mailbox-server ]; + ignoreCollisions = true; + }; +in +# Build the image with our custom CMD +dockerTools.buildLayeredImage { + name = "magic-wormhole-mailbox"; + config = { + WorkingDir = "/app"; + Volumes = { "/db" = { }; }; + Cmd = [ + "twist wormhole-mailbox" + "--usage-db=/db/usage-relay.sqlite" + "--blur-usage=3600" + "--channel-db=/db/relay.sqlite" + ]; + }; + contents = [ pyenv ]; +} diff --git a/nixpkgs.json b/nixpkgs.json new file mode 100644 index 0000000..87445ee --- /dev/null +++ b/nixpkgs.json @@ -0,0 +1,5 @@ +{ + "name": "source", + "url": "https://releases.nixos.org/nixos/21.11/nixos-21.11.337975.eabc3821918/nixexprs.tar.xz", + "sha256": "1fq3zz7qfavksdbqvicns7hg61q3hhbxs2ibm818gy629hwkvsvm" +} \ No newline at end of file diff --git a/nixpkgs.nix b/nixpkgs.nix new file mode 100644 index 0000000..a49c447 --- /dev/null +++ b/nixpkgs.nix @@ -0,0 +1 @@ +import (builtins.fetchTarball (builtins.fromJSON (builtins.readFile ./nixpkgs.json))) diff --git a/relay/docker-image.nix b/relay/docker-image.nix new file mode 100644 index 0000000..ba757dd --- /dev/null +++ b/relay/docker-image.nix 
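Review bot: nixpkgs.json pins the build to the NixOS 21.11 release tarball (nixos-21.11.337975.eabc3821918), a release that stopped receiving security updates in mid-2022, so every image built from this pin ships a Python, OpenSSL and base closure that no longer gets patches, regardless of what pip-audit later reports about the Python packages on top. Pinning by URL plus sha256 is the right mechanism; the defect is the choice of a no-longer-supported release and the absence of any process to refresh it. Consider moving the pin to a supported release (22.11 is what the workflow's nix_path already names) and, since JSON cannot carry comments, noting in the nixpkgs.nix comment or the README how and when the pin is updated.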
@@ -0,0 +1,24 @@ +{ dockerTools, python3 }: +let + # Inject mailbox in the standard Python env + pyenv = python3.buildEnv.override { + extraLibs = [ python3.pkgs.magic-wormhole-transit-relay ]; + ignoreCollisions = true; + }; +in +# Build the image with our custom CMD +dockerTools.buildLayeredImage { + name = "magic-wormhole-relay"; + config = { + WorkingDir = "/app"; + Volumes = { "/db" = { }; }; + Cmd = [ + "twist transitrelay" + "--usage-db=/db/usage-transitrelay.sqlite" + "--blur-usage=3600" + "--port=tcp:4001" + "--websocket=tcp:4002" + ]; + }; + contents = [ pyenv ]; +} diff --git a/wormhole/docker-image.nix b/wormhole/docker-image.nix new file mode 100644 index 0000000..e368f6c --- /dev/null +++ b/wormhole/docker-image.nix @@ -0,0 +1,19 @@ +{ dockerTools, python3 }: +let + # Inject mailbox in the standard Python env + pyenv = python3.buildEnv.override { + extraLibs = [ python3.pkgs.magic-wormhole ]; + ignoreCollisions = true; + }; +in +# Build the image with our custom CMD +dockerTools.buildLayeredImage { + name = "magic-wormhole"; + config = { + WorkingDir = "/app"; + EntryPoint = [ + "wormhole" + ]; + }; + contents = [ pyenv ]; +} From b68716c7593792cbd8ba7233a09f5c220eeb2704 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sat, 13 May 2023 15:27:00 +0200 Subject: [PATCH 02/21] Try better tag based on version Signed-off-by: Benoit Donneaux --- mailbox/docker-image.nix | 13 ++++++++++--- nixpkgs.nix | 1 + relay/docker-image.nix | 13 ++++++++++--- wormhole/docker-image.nix | 13 ++++++++++--- 4 files changed, 31 insertions(+), 9 deletions(-) diff --git a/mailbox/docker-image.nix b/mailbox/docker-image.nix index 354228c..7a8af0f 100644 --- a/mailbox/docker-image.nix +++ b/mailbox/docker-image.nix 
@@ -1,14 +1,21 @@ -{ dockerTools, python3 }: +{ dockerTools, python3, lib }: let + pname = "magic-wormhole-mailbox-server"; # Inject mailbox in the standard Python env pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.magic-wormhole-mailbox-server ]; + extraLibs = [ python3.pkgs.${pname} ]; ignoreCollisions = true; }; + ver = { + py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); + pkg = python3.pkgs.${pname}.version; + nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); + }; in # Build the image with our custom CMD dockerTools.buildLayeredImage { - name = "magic-wormhole-mailbox"; + name = pname; + tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; config = { WorkingDir = "/app"; Volumes = { "/db" = { }; }; diff --git a/nixpkgs.nix b/nixpkgs.nix index a49c447..a2ee68d 100644 --- a/nixpkgs.nix +++ b/nixpkgs.nix @@ -1 +1,2 @@ +# Import local nixpkg.json which pins all our Nix packages import (builtins.fetchTarball (builtins.fromJSON (builtins.readFile ./nixpkgs.json))) diff --git a/relay/docker-image.nix b/relay/docker-image.nix index ba757dd..9fd0ffc 100644 --- a/relay/docker-image.nix +++ b/relay/docker-image.nix 
@@ -1,14 +1,21 @@ -{ dockerTools, python3 }: +{ dockerTools, python3, lib }: let + pname = "magic-wormhole-transit-relay"; # Inject mailbox in the standard Python env pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.magic-wormhole-transit-relay ]; + extraLibs = [ python3.pkgs.${pname} ]; ignoreCollisions = true; }; + ver = { + py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); + pkg = python3.pkgs.${pname}.version; + nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); + }; in # Build the image with our custom CMD dockerTools.buildLayeredImage { - name = "magic-wormhole-relay"; + name = pname; + tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; config = { WorkingDir = "/app"; Volumes = { "/db" = { }; }; diff --git a/wormhole/docker-image.nix b/wormhole/docker-image.nix index e368f6c..cce8738 100644 --- a/wormhole/docker-image.nix +++ b/wormhole/docker-image.nix @@ -1,14 +1,21 @@ -{ dockerTools, python3 }: +{ dockerTools, python3, lib }: let + pname = "magic-wormhole"; # Inject mailbox in the standard Python env pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.magic-wormhole ]; + extraLibs = [ python3.pkgs.${pname} ]; ignoreCollisions = true; }; + ver = { + py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); + pkg = python3.pkgs.${pname}.version; + nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); + }; in # Build the image with our custom CMD dockerTools.buildLayeredImage { - name = "magic-wormhole"; + name = pname; + tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; config = { WorkingDir = "/app"; EntryPoint = [ From 2867d337a85fc57fb74c6d9083e750847277408e Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 01:25:09 +0200 Subject: [PATCH 03/21] Try to scan the vulnerabilities 
Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 14 ++++++++++++++ helpers/list-dependencies.py | 7 +++++++ 2 files changed, 21 insertions(+) create mode 100644 helpers/list-dependencies.py diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 0c3b0c5..638e951 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -41,3 +41,17 @@ jobs: - name: List images run: docker images + + - name: Extract requirements + run: | + docker run --rm -t --entrypoint python -v $(pwd)/helpers:/tmp/helpers \ + magic-wormhole:0.12.0-python39-nix2111 /tmp/helpers/list-dependencies.py \ + | grep -E "python3\.9" \ + | sed -r -e 's/python3.9-//' -e 's/-([0-9])/==\1/' \ + | sort \ + > requirements.txt + + - name: Scan images + uses: pypa/gh-action-pip-audit@v1.0.0 + with: + inputs: requirements.txt diff --git a/helpers/list-dependencies.py b/helpers/list-dependencies.py new file mode 100644 index 0000000..63b74a1 --- /dev/null +++ b/helpers/list-dependencies.py @@ -0,0 +1,7 @@ +#!/usr/bin/env python + +import os + +for dir in os.listdir("/nix/store"): + print(dir[33:]) + From b20aa90fa074b668ca4f487f771d596d095b19a6 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 01:30:31 +0200 Subject: [PATCH 04/21] Ignore dup dep from dev Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 638e951..e65b588 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -48,6 +48,7 @@ jobs: magic-wormhole:0.12.0-python39-nix2111 /tmp/helpers/list-dependencies.py \ | grep -E "python3\.9" \ | sed -r -e 's/python3.9-//' -e 's/-([0-9])/==\1/' \ + | grep -vE '\-dev$' \ | sort \ > requirements.txt From 47a8fe79628054e0b01f6151e53ae3674d1f3dac Mon Sep 17 00:00:00 2001 
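Review bot: The `Extract requirements` step is a pipeline ending in `> requirements.txt`, and a `run` block without `shell:` is executed by GitHub with `bash -e` but no `pipefail`, so if the `docker run` fails (image missing, tag mismatch, helper error) the trailing greps and sed still exit 0, an empty requirements.txt is written and the following pip-audit step passes green having audited nothing. Add `shell: bash` to the step (the explicit bash shell runs with `-eo pipefail`) or start the script with `set -euo pipefail`, and reject an empty result with `test -s requirements.txt` before the scan. Patch 10 rewrites this step without addressing it. The hard-coded `magic-wormhole:0.12.0-python39-nix2111` tag also means only the client image is scanned here; the matrix in patch 10 changes that.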
From: Benoit Donneaux Date: Sun, 14 May 2023 01:35:38 +0200 Subject: [PATCH 05/21] Fix grep expr Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index e65b588..1ff4156 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -48,7 +48,7 @@ jobs: magic-wormhole:0.12.0-python39-nix2111 /tmp/helpers/list-dependencies.py \ | grep -E "python3\.9" \ | sed -r -e 's/python3.9-//' -e 's/-([0-9])/==\1/' \ - | grep -vE '\-dev$' \ + | grep -vE '==[0-9]+(\.[0-9]+){0,2}-dev' \ | sort \ > requirements.txt From 5c44ae39bc9078c7a3047a0fd6325524ccc9ab75 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 10:05:46 +0200 Subject: [PATCH 06/21] Remove unwanted spaces Signed-off-by: Benoit Donneaux --- mailbox/docker-image.nix | 3 ++- relay/docker-image.nix | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/mailbox/docker-image.nix b/mailbox/docker-image.nix index 7a8af0f..4e27088 100644 --- a/mailbox/docker-image.nix +++ b/mailbox/docker-image.nix @@ -20,7 +20,8 @@ dockerTools.buildLayeredImage { WorkingDir = "/app"; Volumes = { "/db" = { }; }; Cmd = [ - "twist wormhole-mailbox" + "twist" + "wormhole-mailbox" "--usage-db=/db/usage-relay.sqlite" "--blur-usage=3600" "--channel-db=/db/relay.sqlite" diff --git a/relay/docker-image.nix b/relay/docker-image.nix index 9fd0ffc..18cd08f 100644 --- a/relay/docker-image.nix +++ b/relay/docker-image.nix @@ -20,7 +20,8 @@ dockerTools.buildLayeredImage { WorkingDir = "/app"; Volumes = { "/db" = { }; }; Cmd = [ - "twist transitrelay" + "twist" + "transitrelay" "--usage-db=/db/usage-transitrelay.sqlite" "--blur-usage=3600" "--port=tcp:4001" From fee2bae1c296abfd30de71187a97f4f3ea8a3a62 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 22:18:34 +0200 Subject: [PATCH 07/21] Use a lib and sub-packages 
Signed-off-by: Benoit Donneaux --- default.nix | 7 ++++--- mailbox/default.nix | 19 +++++++++++++++++++ mailbox/docker-image.nix | 31 ------------------------------- nix/lib/docker-image.nix | 20 ++++++++++++++++++++ relay/default.nix | 19 +++++++++++++++++++ relay/docker-image.nix | 32 -------------------------------- wormhole/default.nix | 14 ++++++++++++++ wormhole/docker-image.nix | 26 -------------------------- 8 files changed, 76 insertions(+), 92 deletions(-) create mode 100644 mailbox/default.nix delete mode 100644 mailbox/docker-image.nix create mode 100644 nix/lib/docker-image.nix create mode 100644 relay/default.nix delete mode 100644 relay/docker-image.nix create mode 100644 wormhole/default.nix delete mode 100644 wormhole/docker-image.nix diff --git a/default.nix b/default.nix index 8a2f5ab..2c58e6c 100644 --- a/default.nix +++ b/default.nix @@ -1,6 +1,7 @@ { pkgs ? import ./nixpkgs.nix { } }: { - mailbox = pkgs.callPackage ./mailbox/docker-image.nix { }; - relay = pkgs.callPackage ./relay/docker-image.nix { }; - wormhole = pkgs.callPackage ./wormhole/docker-image.nix { }; + # Build our Docker images + mailbox = pkgs.callPackage ./mailbox { }; + relay = pkgs.callPackage ./relay { }; + wormhole = pkgs.callPackage ./wormhole { }; } diff --git a/mailbox/default.nix b/mailbox/default.nix new file mode 100644 index 0000000..95f8437 --- /dev/null +++ b/mailbox/default.nix @@ -0,0 +1,19 @@ +{ pkgs ? import ../nixpkgs.nix { } }: +let + # Call our lib to build the image + output = pkgs.callPackage ../nix/lib/docker-image.nix { + pname = "magic-wormhole-mailbox-server"; + iname = "leastauthority/magic-wormhole-mailbox"; + config = { + WorkingDir = "/app"; + Volumes = { "/db" = { }; }; + Cmd = [ + "twist" + "wormhole-mailbox" + "--usage-db=/db/usage-relay.sqlite" + "--blur-usage=3600" + "--channel-db=/db/relay.sqlite" + ]; + }; + }; +in output diff --git a/mailbox/docker-image.nix b/mailbox/docker-image.nix deleted file mode 100644 index 4e27088..0000000 
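Review bot: The mailbox image's `config` sets WorkingDir, Volumes and Cmd but no `User`, so `twist wormhole-mailbox`, a network-facing service, runs as root inside the container; relay/default.nix in this same commit has the same gap. A numeric uid works without an /etc/passwd in the image, e.g. `User = "1000:1000";`, provided whatever is mounted on `/db` is writable by that uid (host-side permissions are outside this diff). Since both files hand their `config` to nix/lib/docker-image.nix unchanged, a `User` default in that library would cover all three images at once.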
--- a/mailbox/docker-image.nix +++ /dev/null @@ -1,31 +0,0 @@ -{ dockerTools, python3, lib }: -let - pname = "magic-wormhole-mailbox-server"; - # Inject mailbox in the standard Python env - pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.${pname} ]; - ignoreCollisions = true; - }; - ver = { - py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); - pkg = python3.pkgs.${pname}.version; - nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); - }; -in -# Build the image with our custom CMD -dockerTools.buildLayeredImage { - name = pname; - tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; - config = { - WorkingDir = "/app"; - Volumes = { "/db" = { }; }; - Cmd = [ - "twist" - "wormhole-mailbox" - "--usage-db=/db/usage-relay.sqlite" - "--blur-usage=3600" - "--channel-db=/db/relay.sqlite" - ]; - }; - contents = [ pyenv ]; -} diff --git a/nix/lib/docker-image.nix b/nix/lib/docker-image.nix new file mode 100644 index 0000000..64295df --- /dev/null +++ b/nix/lib/docker-image.nix @@ -0,0 +1,20 @@ +{ dockerTools, python3, lib, pname, iname ? pname, config ? {} }: +let + # Inject mailbox in the standard Python env + pyenv = python3.buildEnv.override { + extraLibs = [ python3.pkgs.${pname} ]; + ignoreCollisions = true; + }; + # Parse package, Python and NixOS versions to tag the image + pkgVersion = python3.pkgs.${pname}.version; + libVersion = lib.lists.flatten (lib.lists.sublist 1 1 (builtins.split "([^.]+)\.([^.]+)\.([^.]+)\.([^.]+)" lib.version)); + nixVersion = builtins.concatStringsSep "." (lib.lists.take 3 libVersion); + nixRev = lib.lists.last libVersion; +in +# Build the image with our custom CMD +dockerTools.buildLayeredImage { + name = iname; + tag = "${pkgVersion}-nixos-${nixVersion}"; + config = config; + contents = [ pyenv ]; +} diff --git a/relay/default.nix b/relay/default.nix new file mode 100644 index 0000000..e8d7cc1 --- /dev/null 
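Review bot: In `builtins.split "([^.]+)\.([^.]+)\.([^.]+)\.([^.]+)" lib.version` the `\.` sequences sit inside a Nix double-quoted string, where a backslash before an ordinary character just yields that character, so the regex the engine sees has plain `.` wildcards; it only works because `[^.]+` cannot cross a dot. Write `"\\."` (or an `''…''` indented string, which has no backslash escapes) so the intent survives the next edit. The header comment `# Inject mailbox in the standard Python env` was copied from the mailbox file into a generic library used by all three images; `# Put the requested Python package (pname) into a standard Python env` describes what the code does. `nixRev` is computed but unused here (patch 20 removes it), and `config = config;` can be `inherit config;`.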
+++ b/relay/default.nix @@ -0,0 +1,19 @@ +{ pkgs ? import ../nixpkgs.nix { } }: +let + output = pkgs.callPackage ../nix/lib/docker-image.nix { + pname = "magic-wormhole-transit-relay"; + iname = "leastauthority/magic-wormhole-relay"; + config = { + WorkingDir = "/app"; + Volumes = { "/db" = { }; }; + Cmd = [ + "twist" + "transitrelay" + "--usage-db=/db/usage-transitrelay.sqlite" + "--blur-usage=3600" + "--port=tcp:4001" + "--websocket=tcp:4002" + ]; + }; + }; +in output diff --git a/relay/docker-image.nix b/relay/docker-image.nix deleted file mode 100644 index 18cd08f..0000000 --- a/relay/docker-image.nix +++ /dev/null @@ -1,32 +0,0 @@ -{ dockerTools, python3, lib }: -let - pname = "magic-wormhole-transit-relay"; - # Inject mailbox in the standard Python env - pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.${pname} ]; - ignoreCollisions = true; - }; - ver = { - py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); - pkg = python3.pkgs.${pname}.version; - nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); - }; -in -# Build the image with our custom CMD -dockerTools.buildLayeredImage { - name = pname; - tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; - config = { - WorkingDir = "/app"; - Volumes = { "/db" = { }; }; - Cmd = [ - "twist" - "transitrelay" - "--usage-db=/db/usage-transitrelay.sqlite" - "--blur-usage=3600" - "--port=tcp:4001" - "--websocket=tcp:4002" - ]; - }; - contents = [ pyenv ]; -} diff --git a/wormhole/default.nix b/wormhole/default.nix new file mode 100644 index 0000000..efb3898 --- /dev/null +++ b/wormhole/default.nix @@ -0,0 +1,14 @@ +{ pkgs ? import ../nixpkgs.nix { } }: +let + # Call our lib to build the image + output = pkgs.callPackage ../nix/lib/docker-image.nix { + pname = "magic-wormhole"; + iname = "leastauthority/wormhole"; + config = { + WorkingDir = "/app"; + EntryPoint = [ + "wormhole" + ]; + }; + }; +in output 
diff --git a/wormhole/docker-image.nix b/wormhole/docker-image.nix deleted file mode 100644 index cce8738..0000000 --- a/wormhole/docker-image.nix +++ /dev/null @@ -1,26 +0,0 @@ -{ dockerTools, python3, lib }: -let - pname = "magic-wormhole"; - # Inject mailbox in the standard Python env - pyenv = python3.buildEnv.override { - extraLibs = [ python3.pkgs.${pname} ]; - ignoreCollisions = true; - }; - ver = { - py = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." python3.version ) ); - pkg = python3.pkgs.${pname}.version; - nix = lib.concatStringsSep "" ( lib.lists.sublist 0 2 ( lib.strings.splitString "." lib.version ) ); - }; -in -# Build the image with our custom CMD -dockerTools.buildLayeredImage { - name = pname; - tag = "${ver.pkg}-python${ver.py}-nix${ver.nix}"; - config = { - WorkingDir = "/app"; - EntryPoint = [ - "wormhole" - ]; - }; - contents = [ pyenv ]; -} From 25b219d8cbfa40cb3f685f59a847bbc03b154f77 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 22:19:39 +0200 Subject: [PATCH 08/21] Ignore nix build results Signed-off-by: Benoit Donneaux --- .gitignore | 1 + 1 file changed, 1 insertion(+) diff --git a/.gitignore b/.gitignore index a09c56d..03a4783 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ /.idea +result* From 4fc323bf1e0a7843ac259c6d29f5ff51a57bf37b Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 22:33:01 +0200 Subject: [PATCH 09/21] Fix image name Signed-off-by: Benoit Donneaux --- wormhole/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wormhole/default.nix b/wormhole/default.nix index efb3898..a6aff79 100644 --- a/wormhole/default.nix +++ b/wormhole/default.nix @@ -3,7 +3,7 @@ let # Call our lib to build the image output = pkgs.callPackage ../nix/lib/docker-image.nix { pname = "magic-wormhole"; - iname = "leastauthority/wormhole"; + iname = "leastauthority/magic-wormhole"; config = { WorkingDir = "/app"; EntryPoint = [ 
From ed8f9ef3a73e00c1ecec463cdac2293ab46d3f0b Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:29:03 +0200 Subject: [PATCH 10/21] Use matrix build and improve scan Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 37 +++++++++++++++++++------------- helpers/list-dependencies.py | 7 ------ helpers/requirements-from-nix.py | 20 +++++++++++++++++ 3 files changed, 42 insertions(+), 22 deletions(-) delete mode 100644 helpers/list-dependencies.py create mode 100644 helpers/requirements-from-nix.py diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 1ff4156..48e2858 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -1,4 +1,3 @@ - --- name: Docker Nix Images @@ -21,7 +20,17 @@ on: - '*/*.nix' jobs: - build-nix: + runs-on: ubuntu-latest + strategy: + matrix: + target: + - directory: mailbox + image: leastauthority/magic-wormhole-mailbox + - directory: relay + image: leastauthority/magic-wormhole-relay + - directory: wormhole + image: leastauthority/magic-wormhole + build: name: Build Docker images with Nix runs-on: ubuntu-latest steps: 
@@ -33,26 +42,24 @@ jobs: with: nix_path: nixpkgs=channel:nixos-22.11 - - name: Build the Docker images with nix + - name: Build image with Nix run: | - nix-build | while read IMG; do - docker load --input ${IMG} - done + docker load --input $(nix-build {{ matrix.target.directory }}) - - name: List images - run: docker images + - name: List image + run: docker images "{{ matrix.target.image }}" - - name: Extract requirements + - name: Extract Python requirements run: | - docker run --rm -t --entrypoint python -v $(pwd)/helpers:/tmp/helpers \ - magic-wormhole:0.12.0-python39-nix2111 /tmp/helpers/list-dependencies.py \ - | grep -E "python3\.9" \ - | sed -r -e 's/python3.9-//' -e 's/-([0-9])/==\1/' \ + docker run --rm -t \ + --entrypoint python \ + -v $(pwd)/helpers:/helpers \ + {{ matrix.target.image }} /helpers/requirements-from-nix.py \ | grep -vE '==[0-9]+(\.[0-9]+){0,2}-dev' \ - | sort \ > requirements.txt + # The grep above avoids dupplicated requirements from dev!? - - name: Scan images + - name: Scan Python requirements uses: pypa/gh-action-pip-audit@v1.0.0 with: inputs: requirements.txt diff --git a/helpers/list-dependencies.py b/helpers/list-dependencies.py deleted file mode 100644 index 63b74a1..0000000 --- a/helpers/list-dependencies.py +++ /dev/null @@ -1,7 +0,0 @@ -#!/usr/bin/env python - -import os - -for dir in os.listdir("/nix/store"): - print(dir[33:]) - diff --git a/helpers/requirements-from-nix.py b/helpers/requirements-from-nix.py new file mode 100644 index 0000000..813012e --- /dev/null +++ b/helpers/requirements-from-nix.py 
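Review bot: The trailing `# The grep above avoids dupplicated requirements from dev!?` records a guess rather than a reason, and it is the only documentation the filter has; replace it with what was actually observed, e.g. `# Drop the *-dev store paths: they are extra outputs of packages already listed above` (confirm against the store listing), and fix the `dupplicated` typo. The `docker run -t` flag allocates a pseudo-TTY for a non-interactive command whose stdout is parsed by the pipeline; it is presumably harmless here, but it is not needed and is usually omitted when capturing output.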
@@ -0,0 +1,20 @@ +#!/usr/bin/env python + +import os +import re + +# Pattern for Python modules +p = re.compile('python[0-9]+\.[0-9]+-(.+)-([0-9]+(\.[0-9]+){0,2})(-.+)?') + +# Iterate through Nix store +for dir in os.listdir("/nix/store"): + # Remove the fix hash part + pkg = dir[33:] + # Match Python modules + m = p.match(pkg) + # Print as requirement + if m: + name = m.group(1) + version = m.group(2) + suffix = m.group(4) or "" + print('{}={}{}'.format(name, version, suffix)) From 2cf882d4008c6bfb9c5ec6d1e4448a3178f44c0f Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:32:04 +0200 Subject: [PATCH 11/21] Fix workflow syntax Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 48e2858..6e566c9 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -1,5 +1,5 @@ --- -name: Docker Nix Images +name: Nix Build Images on: push: @@ -31,8 +31,7 @@ jobs: - directory: wormhole image: leastauthority/magic-wormhole build: - name: Build Docker images with Nix - runs-on: ubuntu-latest + name: Build images steps: - name: Checkout uses: actions/checkout@v3 From e9db7d5098468a98412b06bc8448ae1b73cd694c Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:33:39 +0200 Subject: [PATCH 12/21] Fix workflow again Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 6e566c9..6973168 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml 
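Review bot: `p.match(pkg)` is unanchored and the version group allows at most three components, so a store path such as `python3.9-foo-1.2.3.4` (constructed example) matches as `foo` / `1.2.3` and the audit is run against the wrong version; the same happens for pre- or post-release suffixes that are not introduced by a dash. Anchoring the pattern and allowing any number of components fixes both: `p = re.compile(r'python[0-9]+\.[0-9]+-(.+)-([0-9]+(\.[0-9]+)*)(-.+)?$')` (the raw string also removes the invalid `\.` escape in a plain string literal). `pkg = dir[33:]` hard-codes the 32-character hash prefix; `dir.split('-', 1)[1]` says the same thing without the magic number, and `dir` shadows a builtin. The names listed here are nixpkgs derivation names, which usually but not always equal the PyPI project name pip-audit queries; a comment stating that limitation would help whoever reads a clean report.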
@@ -20,18 +20,18 @@ on: - '*/*.nix' jobs: - runs-on: ubuntu-latest - strategy: - matrix: - target: - - directory: mailbox - image: leastauthority/magic-wormhole-mailbox - - directory: relay - image: leastauthority/magic-wormhole-relay - - directory: wormhole - image: leastauthority/magic-wormhole build: name: Build images + runs-on: ubuntu-latest + strategy: + matrix: + target: + - directory: mailbox + image: leastauthority/magic-wormhole-mailbox + - directory: relay + image: leastauthority/magic-wormhole-relay + - directory: wormhole + image: leastauthority/magic-wormhole steps: - name: Checkout uses: actions/checkout@v3 From a83724390d6e6f03d075fafd44d1359d789b15fc Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:38:06 +0200 Subject: [PATCH 13/21] Fix interpolation Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 6973168..9832f7a 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -43,17 +43,17 @@ jobs: - name: Build image with Nix run: | - docker load --input $(nix-build {{ matrix.target.directory }}) + docker load --input $(nix-build ${{ matrix.target.directory }}) - name: List image - run: docker images "{{ matrix.target.image }}" + run: docker images "${{ matrix.target.image }}" - name: Extract Python requirements run: | docker run --rm -t \ --entrypoint python \ -v $(pwd)/helpers:/helpers \ - {{ matrix.target.image }} /helpers/requirements-from-nix.py \ + ${{ matrix.target.image }} /helpers/requirements-from-nix.py \ | grep -vE '==[0-9]+(\.[0-9]+){0,2}-dev' \ > requirements.txt # The grep above avoids dupplicated requirements from dev!? From f7be978871d90c79330dd92a4fb72abe1f5d79e4 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:45:00 +0200 Subject: [PATCH 14/21] Move and fix the nix helper 
Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 4 +++- {helpers => nix/helpers}/requirements-from-nix.py | 2 +- 2 files changed, 4 insertions(+), 2 deletions(-) rename {helpers => nix/helpers}/requirements-from-nix.py (88%) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 9832f7a..1247ce3 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -10,6 +10,7 @@ on: - 'nixpkgs.json' - '*.nix' - '*/*.nix' + - 'nix/**' pull_request: branches: - main @@ -18,6 +19,7 @@ on: - 'nixpkgs.json' - '*.nix' - '*/*.nix' + - 'nix/**' jobs: build: @@ -52,7 +54,7 @@ jobs: run: | docker run --rm -t \ --entrypoint python \ - -v $(pwd)/helpers:/helpers \ + -v $(pwd)/nix/helpers:/helpers \ ${{ matrix.target.image }} /helpers/requirements-from-nix.py \ | grep -vE '==[0-9]+(\.[0-9]+){0,2}-dev' \ > requirements.txt diff --git a/helpers/requirements-from-nix.py b/nix/helpers/requirements-from-nix.py similarity index 88% rename from helpers/requirements-from-nix.py rename to nix/helpers/requirements-from-nix.py index 813012e..5c8e67f 100644 --- a/helpers/requirements-from-nix.py +++ b/nix/helpers/requirements-from-nix.py @@ -17,4 +17,4 @@ name = m.group(1) version = m.group(2) suffix = m.group(4) or "" - print('{}={}{}'.format(name, version, suffix)) + print('{}=={}{}'.format(name, version, suffix)) From 263f076fe5fe2e3354c4d2eb2abd02a1ae97970d Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Sun, 14 May 2023 23:56:05 +0200 Subject: [PATCH 15/21] Run local image Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 1247ce3..9c48114 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml 
@@ -47,15 +47,15 @@ jobs: run: | docker load --input $(nix-build ${{ matrix.target.directory }}) - - name: List image - run: docker images "${{ matrix.target.image }}" + - name: Get image tag + run: echo "tag=$(docker images "${{ matrix.target.image }}" --format "{{.Tag}}")" >> $GITHUB_ENV - name: Extract Python requirements run: | docker run --rm -t \ --entrypoint python \ -v $(pwd)/nix/helpers:/helpers \ - ${{ matrix.target.image }} /helpers/requirements-from-nix.py \ + ${{ matrix.target.image }}:${{ env.tag }} /helpers/requirements-from-nix.py \ | grep -vE '==[0-9]+(\.[0-9]+){0,2}-dev' \ > requirements.txt # The grep above avoids dupplicated requirements from dev!? From c498a36e14aaa8a834d9325ab000d787ee239ccd Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 00:00:44 +0200 Subject: [PATCH 16/21] Do not fail on scan result Signed-off-by: Benoit Donneaux --- .github/workflows/docker-nix.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index 9c48114..ceb13cc 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -64,3 +64,4 @@ jobs: uses: pypa/gh-action-pip-audit@v1.0.0 with: inputs: requirements.txt + continue-on-error: true # TODO: comment on PR and run weekly From c243e00d38901a0ff392f4b31f266fce84c8863c Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 00:07:10 +0200 Subject: [PATCH 17/21] Rename workflows and avoid useless build Signed-off-by: Benoit Donneaux --- .github/workflows/docker-image.yml | 16 ++++++++++++---- .github/workflows/docker-nix.yml | 2 +- 2 files changed, 13 insertions(+), 5 deletions(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 824b4a6..f84344d 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
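Review bot: `continue-on-error: true` on the pip-audit step turns the scan into an advisory that can never block a merge, and nothing else in the workflow publishes or inspects its result, so a known-vulnerable dependency in the image will pass CI unnoticed; the TODO acknowledges this without a tracked follow-up. If the intent is to avoid blocking on findings in the pinned nixpkgs that the project cannot fix locally, an explicit allow-list of the accepted findings keeps the step failing on anything new; otherwise keep the step fatal on pull requests and make the planned weekly run the advisory one. At minimum turn the comment into `# TODO(<owner>): … see <issue-ref>` (placeholders) so the advisory state is tracked.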
@@ -1,15 +1,23 @@ --- -name: Magic Wormhole Images +name: Debian Images on: push: - branches: [ "main" ] - tags: [ "*" ] + branches: + - main + paths: + - '.github/workflows/docker-image.yml' + - '*/Dockerfile' pull_request: - branches: [ "main" ] + branches: + - main + paths: + - '.github/workflows/docker-nix.yml' + - '*/Dockerfile' jobs: build: + name: Build images runs-on: ubuntu-latest strategy: matrix: diff --git a/.github/workflows/docker-nix.yml b/.github/workflows/docker-nix.yml index ceb13cc..bb6e367 100644 --- a/.github/workflows/docker-nix.yml +++ b/.github/workflows/docker-nix.yml @@ -1,5 +1,5 @@ --- -name: Nix Build Images +name: NixOS Images on: push: From 4def9cfbe65e668edd66b6d48cd92acb8c292b03 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 00:10:48 +0200 Subject: [PATCH 18/21] Cover relevant all files as today Signed-off-by: Benoit Donneaux --- .github/workflows/docker-image.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index f84344d..0de9de1 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml @@ -8,12 +8,16 @@ on: paths: - '.github/workflows/docker-image.yml' - '*/Dockerfile' + - '*/Pipfile*' + - 'mailbox/welcome.motd' pull_request: branches: - main paths: - '.github/workflows/docker-nix.yml' - '*/Dockerfile' + - '*/Pipfile*' + - 'mailbox/welcome.motd' jobs: build: From 3b1e15eb3db5a7a8e1514a711e59b7d46523eee8 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 00:35:20 +0200 Subject: [PATCH 19/21] Fix build filter Signed-off-by: Benoit Donneaux --- .github/workflows/docker-image.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml index 0de9de1..59351eb 100644 --- a/.github/workflows/docker-image.yml +++ b/.github/workflows/docker-image.yml 
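Review bot: The `push` trigger loses `tags: [ "*" ]` in this hunk, so pushing a release tag no longer builds the Debian images; the commit title says it avoids useless builds, but whether tag builds were among them is not visible here, and if images are published from tags elsewhere this silently stops that. If it is intended, a one-line comment under `on:` saying tag builds are handled by another workflow (or deliberately dropped) would save the next reader the archaeology.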
@@ -14,7 +14,7 @@ on: branches: - main paths: - - '.github/workflows/docker-nix.yml' + - '.github/workflows/docker-image.yml' - '*/Dockerfile' - '*/Pipfile*' - 'mailbox/welcome.motd' From 788675ebe7d1a8122e913f2e52f7190b2159ebcf Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 00:40:46 +0200 Subject: [PATCH 20/21] Update comment and drop unused nixRev Signed-off-by: Benoit Donneaux --- nix/lib/docker-image.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nix/lib/docker-image.nix b/nix/lib/docker-image.nix index 64295df..3a76018 100644 --- a/nix/lib/docker-image.nix +++ b/nix/lib/docker-image.nix @@ -5,11 +5,10 @@ let extraLibs = [ python3.pkgs.${pname} ]; ignoreCollisions = true; }; - # Parse package, Python and NixOS versions to tag the image + # Parse Python package and NixOS versions to tag the image pkgVersion = python3.pkgs.${pname}.version; libVersion = lib.lists.flatten (lib.lists.sublist 1 1 (builtins.split "([^.]+)\.([^.]+)\.([^.]+)\.([^.]+)" lib.version)); nixVersion = builtins.concatStringsSep "." (lib.lists.take 3 libVersion); - nixRev = lib.lists.last libVersion; in # Build the image with our custom CMD dockerTools.buildLayeredImage { From d0fe09a18d17253dd07f45aca5b67ba6dc722965 Mon Sep 17 00:00:00 2001 From: Benoit Donneaux Date: Mon, 15 May 2023 07:40:05 +0200 Subject: [PATCH 21/21] Use environment variable for store first Signed-off-by: Benoit Donneaux --- nix/helpers/requirements-from-nix.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nix/helpers/requirements-from-nix.py b/nix/helpers/requirements-from-nix.py index 5c8e67f..7ae942a 100644 --- a/nix/helpers/requirements-from-nix.py +++ b/nix/helpers/requirements-from-nix.py 
@@ -7,7 +7,7 @@ p = re.compile('python[0-9]+\.[0-9]+-(.+)-([0-9]+(\.[0-9]+){0,2})(-.+)?') # Iterate through Nix store -for dir in os.listdir("/nix/store"): +for dir in os.listdir(os.getenv("NIX_STORE_DIR","/nix/store")): # Remove the fix hash part pkg = dir[33:] # Match Python modules