add CI images to repo

.forgejo/default-policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}

.forgejo/tags.txt

@@ -0,0 +1 @@
+nix-with-node:nix

.forgejo/workflows/images.yaml

@@ -0,0 +1,19 @@
+on: [push]
+jobs:
+  check:
+    runs-on: nix-upstream-latest
+    permissions:
+      id-token: "write"
+      contents: "read"
+    steps:
+      - run: echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+      - run: nix-env -i nodejs skopeo # bootstrap
+      - uses: actions/checkout@v4
+      - run: mkdir -p /etc/containers && cp .forgejo/default-policy.json /etc/containers/policy.json
+      - run: |-
+          for line in $(cat .forgejo/tags.txt); do
+            IFS=: read -r pkg tag <<< $line
+            cp $(nix build .#$pkg --print-out-paths) /tmp/img.tar.gz
+            gunzip /tmp/img.tar.gz
+            skopeo copy --dest-creds="${{ secrets.FJ_USER }}:${{ secrets.FJ_PASS }}" docker-archive:///tmp/img.tar docker://git.10110110.xyz/ci/$tag:latest
+          done

.forgejo/workflows/main.yml

@@ -12,8 +12,7 @@ jobs:
         package_name: ["nvim"]
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
-      - name: check
+      - name: nix flake check
         run: nix flake check
       - name: Run `nix bundle`
         if: github.ref == 'refs/heads/main'

nixos/zen/configuration.nix

@@ -1,4 +1,9 @@
-{ host, config, pkgs, ... }:
+{
+  host,
+  config,
+  pkgs,
+  ...
+}:
 {
   imports = [
     ./hardware-configuration.nix
@@ -18,20 +23,32 @@
       allowedTCPPorts = [
         22
         10250
-        25565 #mc
-        25566 #mc
+        25565 # mc
+        25566 # mc
       ];
+      interfaces."podman+" = {
+        allowedTCPPorts = [ 33393 ];
+      };
     };
   };
-  virtualisation.docker = {
+  virtualisation.podman = {
     enable = true;
-    extraOptions = "--dns 1.1.1.1";
   };
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances.default = {
       enable = true;
       name = host.hostName;
+      settings = {
+        runner = {
+          capacity = 3;
+        };
+        cache = {
+          enable = true;
+          host = "host.containers.internal";
+          proxy_port = 33393;
+        };
+      };
       url = "https://git.10110110.xyz";
       tokenFile = config.sops.secrets.forgejo-runner.path;
       labels = [

pkgs/default.nix

@@ -7,5 +7,6 @@
     nativeBuildInputs = [ pkgs.jujutsu ];
     doCheck = false;
   };
+  nix-with-node = import ./nix-with-node { inherit pkgs; };
 }
 // import ./nvim { inherit inputs pkgs; }

pkgs/nix-with-node/default.nix

@@ -0,0 +1,38 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildLayeredImage {
+  name = "nix-with-node";
+  contents = with pkgs; [
+    ./root
+    bashInteractive
+    cacert
+    coreutils
+    git
+    gnutar
+    gzip
+    jq
+    nix
+    nodejs
+    openssh
+    shadow
+    xz
+  ];
+
+  config = {
+    Cmd = [ "/bin/bash" ];
+    WorkingDir = "/home/nixbld";
+    Env = [
+      "ENV=/etc/profile.d/nix.sh"
+      "NIX_BUILD_SHELL=/bin/bash"
+      "PATH=/usr/bin:/bin"
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "USER=root"
+    ];
+  };
+
+  fakeRootCommands = ''
+    ${pkgs.dockerTools.shadowSetup}
+    groupadd -r nixbld
+    useradd -r -g nixbld nixbld
+  '';
+  enableFakechroot = true;
+}

pkgs/nix-with-node/root/etc/nix/nix.conf

@@ -0,0 +1,3 @@
+accept-flake-config = true
+experimental-features = nix-command flakes
+max-jobs = auto