.github/workflows/build.yaml

@@ -1,24 +1,29 @@
-name: Build and push Docker container
+name: Build and push nixos-based docker container
 on: [push]
 
+env:
+  REGISTRY: git.strudelline.net
+  PACKAGE: cascade/docker-node-red
+  REGISTRY_AUTH_FILE: ./registry-auth.json
+
 jobs:
   build:
-    runs-on: metal-docker
+    runs-on: nix
     steps:
       - name: Check out repository code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
-      - run: |
+        with:
-          ls -la
+          fetch-depth: 1
-          if [ x"$GITHUB_REF_NAME" = xmain ];then
+      - run: |-
-            NODE_RED_VERSION=latest
+          set -x
-          else
-            NODE_RED_VERSION=$GITHUB_REF_NAME
-          fi
-          docker build --build-arg NODE_RED_VERSION="$NODE_RED_VERSION" --progress plain --iidfile iid.txt .
-          stringprefix() { [ ${#1} -le $2 ] && echo $1 && return 0 || stringprefix "${1%?}" $2 ; }
-          SHORTSHA="$(stringprefix "$GITHUB_SHA" 8)"
-          for TAG in "$SHORTSHA" "$GITHUB_REF_NAME";do
-            docker tag "`cat iid.txt`" "$DOCKER_REGISTRY/$GITHUB_REPOSITORY:$TAG"
-            docker push "$DOCKER_REGISTRY/$GITHUB_REPOSITORY:$TAG"
-          done
 
+          skopeo login --username ${{ secrets.DOCKER_USER }} --password ${{ secrets.DOCKER_PASSWORD }} "$REGISTRY"
+
+          MAINTAG="sha-$(echo "$GITHUB_SHA" | cut -c 1-8)"
+          nix run --show-trace .#upload-image "docker://$REGISTRY/$PACKAGE:$MAINTAG"
+          for TAG in \
+            "$GITHUB_REF_NAME" \
+            "$GITHUB_REF_NAME-$(date +%Y%m%d-%H%M%S)" \
+          ; do
+            skopeo copy "docker://$REGISTRY/$PACKAGE:$MAINTAG" "docker://$REGISTRY/$PACKAGE:$TAG"
+          done

.github/workflows/update.yaml

@@ -0,0 +1,24 @@
+name: Update flake lock
+on:
+  schedule:
+  - cron: '47 3 * * *'
+
+jobs:
+  build:
+    runs-on: nix
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.ADMIN_ACTIONS_TOKEN }}
+          fetch-depth: 0
+      - run: |-
+          git config --local --add user.email localadmin@strudelline.net
+          git config --local --add user.name 'Admin Actions'
+          git pull
+          nix flake update
+          if ! git commit -m "Flake updates for $(date)" -a;then
+            echo "no updates to commit"
+            exit 0
+          fi
+          git push

.gitignore

@@ -3,3 +3,4 @@
 
 *~
 \#*#
+result

Dockerfile

@@ -1,22 +0,0 @@
-ARG NODE_RED_VERSION=latest
-
-FROM nodered/node-red:${NODE_RED_VERSION}
-
-USER root
-
-# Tell Puppeteer to skip installing Chrome. We'll be using the installed package.
-ENV PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
-
-RUN set -x \
-    && apk update \
-    && apk upgrade \
-    && apk add --no-cache \
-    ttf-freefont \
-    chromium \
-    # Cleanup
-    && apk del --no-cache make gcc g++ binutils-gold gnupg libstdc++ \
-    && rm -rf /usr/include \
-    && rm -rf /var/cache/apk/* /root/.node-gyp /usr/share/man /tmp/* \
-    && echo
-
-USER 1000

docker.nix

@@ -0,0 +1,74 @@
+{ config, pkgs, lib, ...}:
+let
+name = "node-red";
+packages =
+  with pkgs;
+[
+  neovim
+  nodejs
+  nodePackages.npm
+  nodePackages.node-red
+  #ungoogled-chromium
+];
+passportOIDC = pkgs.fetchFromGitHub {
+  owner = "jaredhanson";
+  repo = "passport-openidconnect";
+  rev = "c69c2137c5b49534e93008aa0645a00aba1f7f0b";
+  sha256 = "sha256-jaeEoJNcAoczZhcuhb2Uw2LKXXARBKkPDYhIDUblWRk=";
+};
+entrypoint = pkgs.writeShellApplication {
+  name = "entrypoint";
+
+  runtimeInputs = packages;
+
+  text = ''
+    DATA="''${DATA-/data}"
+    cd "$DATA"
+    node-red -u "$DATA" -s "''${SETTINGS-/data/settings.js}"
+  '';
+};
+in pkgs.dockerTools.streamLayeredImage {
+      inherit name;
+      contents = pkgs.buildEnv {
+        name = "imgroot";
+        paths = (with pkgs; [
+          shadow
+          less
+          bashInteractive
+          coreutils
+          findutils
+          dockerTools.usrBinEnv
+          dockerTools.binSh
+          dockerTools.caCertificates
+          #dockerTools.fakeNss
+        ] ++ packages);
+      };
+      config.Cmd = [ "${entrypoint}/bin/entrypoint" ];
+      config.WorkingDir = "/data";
+      config.Env = with pkgs; [ "HOME=/data" ];
+
+      enableFakechroot = true;
+      fakeRootCommands = ''
+        #    ${pkgs.runtimeShell}
+        mkdir -p tmp
+        chmod 1777 tmp
+        ${pkgs.dockerTools.shadowSetup}
+        groupadd -r node-red
+        useradd -r -g node-red node-red
+        id node-red 2>&1 > node-red.id
+        mkdir -p /farts
+        mkdir -p /farts/copy
+        cp -a ${passportOIDC}/* /farts/copy/
+        ${pkgs.nodejs}/bin/npm i --prefix /farts ${passportOIDC}
+        mkdir -p /data
+        (cd /data;${pkgs.nodejs}/bin/npm i passport-openidconnect)
+        chown -R node-red:node-red data
+        chmod -R 750 data
+        date > build-date.txt
+      '';
+      extraCommands = ''
+        #mkdir -p /data
+        #cd /data;${pkgs.nodejs}/bin/npm i passport-openidconnect
+        #(cd /data;${pkgs.nodejs}/bin/npm i passport-openidconnect)
+      '';
+}

flake.lock

@@ -0,0 +1,61 @@
+{
+  "nodes": {
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1729070438,
+        "narHash": "sha256-KOTTUfPkugH52avUvXGxvWy8ibKKj4genodIYUED+Kc=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5785b6bb5eaae44e627d541023034e1601455827",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,37 @@
+{
+  description = "docker builder for cascade's node-red";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs?ref=nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }: flake-utils.lib.eachDefaultSystem (system:
+    let
+    lib = nixpkgs.lib;
+    pkgs = nixpkgs.legacyPackages.${system};
+    streamImage = pkgs.callPackage (import ./docker.nix) {};
+    in
+  {
+
+    packages.upload-image = pkgs.writeScriptBin "upload" ''
+      ${streamImage} | ${pkgs.skopeo}/bin/skopeo copy docker-archive:/dev/stdin "$@"
+    '';
+
+    packages.stream-image = pkgs.writeScriptBin "stream" ''
+      ${streamImage}
+    '';
+
+    packages.default = pkgs.writeScriptBin "help" ''
+      echo ${lib.escapeShellArg ''
+        nixos-based docker node-red image builder
+
+        usage:
+
+        nix run .#stream-image | docker load
+        nix run .#upload-image docker://registry.where/it/goes:its4tag
+        ''}
+
+    '';
+  });
+}