add CI images to repo

.forgejo/default-policy.json

@@ -0,0 +1,14 @@
+{
+    "default": [
+        {
+            "type": "insecureAcceptAnything"
+        }
+    ],
+    "transports":
+        {
+            "docker-daemon":
+                {
+                    "": [{"type":"insecureAcceptAnything"}]
+                }
+        }
+}

.forgejo/tags.txt

@@ -0,0 +1 @@
+nix-with-node:nix

.forgejo/workflows/images.yaml

@@ -0,0 +1,21 @@
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: "0 0 * * 0"
+  workflow_dispatch:
+jobs:
+  check:
+    runs-on: nix-upstream-latest
+    steps:
+      - run: echo "experimental-features = nix-command flakes" >> /etc/nix/nix.conf
+      - run: nix-env -i nodejs skopeo # bootstrap
+      - uses: actions/checkout@v4
+      - run: mkdir -p /etc/containers && cp .forgejo/default-policy.json /etc/containers/policy.json
+      - run: |-
+          for line in $(cat .forgejo/tags.txt); do
+            IFS=: read -r pkg tag <<< $line
+            cp $(nix build .#$pkg --print-out-paths) /tmp/img.tar.gz
+            gunzip /tmp/img.tar.gz
+            skopeo copy --dest-creds="${{ secrets.FJ_USER }}:${{ secrets.FJ_PASS }}" docker-archive:///tmp/img.tar docker://git.10110110.xyz/ci/$tag:latest
+          done

.forgejo/workflows/nvim-bundle.yml

@@ -2,23 +2,22 @@ name: build
 
 on:
   push:
-    branches:
+    branches: [main]
-      - main
 jobs:
-  build:
+  nvim-bundle:
     runs-on: nix-latest
     strategy:
       matrix:
         package_name: ["nvim"]
     steps:
       - uses: actions/checkout@v4
-      - uses: DeterminateSystems/nix-installer-action@main
+      - name: nix flake check
-      - name: check
         run: nix flake check
       - name: Run `nix bundle`
         if: github.ref == 'refs/heads/main'
         id: build
         run: |
+          groups nixbld1
           nix bundle \
               -o ${{ matrix.package_name }}.AppImage \
               --bundler github:ralismark/nix-appimage \

nixos/zen/configuration.nix

@@ -1,4 +1,9 @@
-{ host, config, pkgs, ... }:
+{
+  host,
+  config,
+  pkgs,
+  ...
+}:
 {
   imports = [
     ./hardware-configuration.nix
@@ -21,17 +26,32 @@
         25565 # mc
         25566 # mc
       ];
+      interfaces."podman+" = {
+        allowedTCPPorts = [ 33393 ];
       };
     };
-  virtualisation.docker = {
+  };
+  virtualisation.podman = {
     enable = true;
-    extraOptions = "--dns 1.1.1.1";
   };
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances.default = {
       enable = true;
       name = host.hostName;
+      settings = {
+        runner = {
+          capacity = 3;
+        };
+        cache = {
+          enable = true;
+          host = "host.containers.internal";
+          port = 33393;
+        };
+        container = {
+          force_pull = true;
+        };
+      };
       url = "https://git.10110110.xyz";
       tokenFile = config.sops.secrets.forgejo-runner.path;
       labels = [

pkgs/default.nix

@@ -7,5 +7,6 @@
     nativeBuildInputs = [ pkgs.jujutsu ];
     doCheck = false;
   };
+  nix-with-node = import ./nix-with-node { inherit pkgs; };
 }
 // import ./nvim { inherit inputs pkgs; }

pkgs/nix-with-node/default.nix

@@ -0,0 +1,39 @@
+{ pkgs, ... }:
+pkgs.dockerTools.buildLayeredImage {
+  name = "nix-with-node";
+  contents = with pkgs; [
+    ./root
+    bashInteractive
+    cacert
+    coreutils
+    git
+    gnutar
+    gzip
+    jq
+    nix
+    nodejs
+    openssh
+    shadow
+    xz
+    pkgs.dockerTools.fakeNss
+  ];
+
+  config = {
+    Cmd = [ "/bin/bash" ];
+    WorkingDir = "/home/nixbld1";
+    Env = [
+      "ENV=/etc/profile.d/nix.sh"
+      "NIX_BUILD_SHELL=/bin/bash"
+      "PATH=/usr/bin:/bin"
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "USER=root"
+    ];
+  };
+
+  fakeRootCommands = ''
+    ${pkgs.dockerTools.shadowSetup}
+    groupadd -r nixbld
+    useradd -r -g nixbld nixbld1
+  '';
+  enableFakechroot = true;
+}

pkgs/nix-with-node/root/etc/nix/nix.conf

@@ -0,0 +1,3 @@
+accept-flake-config = true
+experimental-features = nix-command flakes
+max-jobs = auto