diff --git a/docs/changelog.d/feature-nettest-nix-container.feature.md b/docs/changelog.d/feature-nettest-nix-container.feature.md index 6bf24fb..b529de2 100644 --- a/docs/changelog.d/feature-nettest-nix-container.feature.md +++ b/docs/changelog.d/feature-nettest-nix-container.feature.md @@ -1 +1 @@ -Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. Updated container-list and container-tag-and-release to support containers with both Dockerfile and default.nix. +Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. One git tag now triggers both Dockerfile and Nix workflows — each skips if its build file is absent. Rewrote container-tag-and-release as a typer CLI with --dry-run support. Added container policy.json and registries.conf to ringtail for skopeo. diff --git a/docs/how-to/deployment/build-container-image.md b/docs/how-to/deployment/build-container-image.md index 3086b23..18233eb 100644 --- a/docs/how-to/deployment/build-container-image.md +++ b/docs/how-to/deployment/build-container-image.md @@ -1,6 +1,6 @@ --- title: Build Container Image -modified: 2026-02-15 +modified: 2026-02-19 last-reviewed: 2026-02-15 tags: - how-to 
@@ -14,30 +14,35 @@ How to create a custom container image in BlumeOps, build it locally, and releas ## Prerequisites -- [Dagger CLI](https://docs.dagger.io/install) installed locally -- A Dockerfile for the service you want to build +- [Dagger CLI](https://docs.dagger.io/install) installed locally (for Dockerfile builds) +- A `Dockerfile` and/or `default.nix` for the service ## 1. Create the container directory -Add a `Dockerfile` (and any supporting files) under `containers//`: +Add build files under `containers//`: ``` containers// -├── Dockerfile +├── Dockerfile (built by Dagger on the k8s runner) +├── default.nix (built by nix-build on the ringtail runner) └── (optional scripts, configs) ``` -The directory name becomes the image name: `registry.ops.eblu.me/blumeops/`. +A container can have one or both build files. The directory name becomes the image name: `registry.ops.eblu.me/blumeops/`. ## 2. Build locally -Test your image with Dagger: +**Dockerfile** — test with Dagger: ```bash dagger call build --src=. --container-name= ``` -This builds `containers//Dockerfile` using the Dagger `docker_build()` function. Fix any build errors before proceeding. +**Nix** — test with nix-build (requires nix, e.g. on [[ringtail]]): + +```bash +nix-build containers//default.nix -o result +``` ## 3. Release 
@@ -47,7 +52,14 @@ Once the image builds cleanly, create a tagged release: mise run container-tag-and-release v1.0.0 ``` -This creates a git tag `-v1.0.0` and pushes it. The `build-container` Forgejo workflow triggers on the tag, builds the image via Dagger, and publishes it to the registry as `registry.ops.eblu.me/blumeops/:v1.0.0`. +Use `--dry-run` to preview without creating tags. + +This creates a single git tag `-v1.0.0` and pushes it. Both Forgejo workflows trigger on the tag — each checks for its build file and skips if not present: + +| Build file | Workflow | Runner | Registry tag | +|------------|----------|--------|--------------| +| `Dockerfile` | `build-container.yaml` | `k8s` (indri) | `:v1.0.0` | +| `default.nix` | `build-container-nix.yaml` | `nix-container-builder` ([[ringtail]]) | `:v1.0.0-nix` | Check available images and tags with: @@ -76,6 +88,7 @@ Existing containers demonstrate several build approaches: | Multi-stage with Node + Go | [[#navidrome]] | Separate UI and backend build stages | | Multi-stage Elixir | [[#teslamate]] | Elixir release with Node assets | | Runtime tarball download | [[#kiwix-serve]] | Download pre-built binary with arch detection | +| Nix `dockerTools` | [[#nettest-nix]] | `buildLayeredImage` with nixpkgs tools | ### transmission @@ -97,6 +110,10 @@ Existing containers demonstrate several build approaches: `containers/kiwix-serve/Dockerfile` — Downloads a pre-built binary from upstream, with architecture detection for cross-platform support. +### nettest (nix) + +`containers/nettest/default.nix` — Uses `dockerTools.buildLayeredImage` with `buildEnv` to merge nixpkgs tools (curl, jq, dnsutils, bash). Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry. + ## Related - [[deploy-k8s-service]] — Deploying the service that uses the image diff --git a/docs/reference/infrastructure/ringtail.md b/docs/reference/infrastructure/ringtail.md index 45bc757..f6e0cc3 100644 
--- a/docs/reference/infrastructure/ringtail.md +++ b/docs/reference/infrastructure/ringtail.md @@ -1,6 +1,6 @@ --- title: Ringtail -modified: 2026-02-18 +modified: 2026-02-19 tags: - infrastructure - host @@ -81,7 +81,7 @@ argocd cluster add default --name k3s-ringtail ### Forgejo Actions Runner -A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix build` and pushes them to Zot via `skopeo`. +A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd service via the NixOS `services.gitea-actions-runner` module. It builds containers using `nix-build` and pushes them to Zot via `skopeo`. | Property | Value | |----------|-------| @@ -89,6 +89,9 @@ A native Forgejo Actions runner (`ringtail-nix-builder`) runs as a systemd servi | **Execution** | Host (no containers) | | **Token** | `/etc/forgejo-runner/token.env` (provisioned by Ansible) | | **Service unit** | `gitea-runner-nix_container_builder.service` | +| **Host packages** | bash, coreutils, curl, gawk, git, gnused, jq, nodejs, wget, nix, skopeo | + +The runner resolves `` from the flake registry at build time. Container trust policy (`/etc/containers/policy.json`) and registry search order (`/etc/containers/registries.conf`) are configured minimally in `configuration.nix` for skopeo — no full `virtualisation.containers` module needed. ## Maintenance Notes diff --git a/docs/reference/services/forgejo.md b/docs/reference/services/forgejo.md index db84339..e7c0b10 100644 --- a/docs/reference/services/forgejo.md +++ b/docs/reference/services/forgejo.md @@ -1,6 +1,6 @@ --- title: Forgejo -modified: 2026-02-08 +modified: 2026-02-19 tags: - service - git 
@@ -31,15 +31,20 @@ Git forge and CI/CD platform. **Primary source of truth for blumeops** (mirrored ## CI/CD (Forgejo Actions) -**Runner:** Kubernetes pod with Docker-in-Docker sidecar -- Namespace: `forgejo-runner` -- Labels: `k8s` -- ArgoCD app: `forgejo-runner` +**Runners:** + +| Runner | Host | Labels | Purpose | +|--------|------|--------|---------| +| k8s DinD pod | [[indri]] (minikube) | `k8s` | Dockerfile builds via Dagger | +| ringtail-nix-builder | [[ringtail]] (native) | `nix-container-builder` | Nix builds via `nix-build` + `skopeo` | **Workflows:** `.forgejo/workflows/` -- `build-container.yaml` - Container image builds on tag +- `build-container.yaml` - Dockerfile builds on tag (runs on `k8s`) +- `build-container-nix.yaml` - Nix builds on tag (runs on `nix-container-builder`) - `build-blumeops.yaml` - Documentation builds and releases +Both container workflows trigger on the same tag pattern (`*-v[0-9]*`). Each checks for its build file (`Dockerfile` or `default.nix`) and skips if not present. See [[build-container-image]]. + ## Secrets (Forgejo Config) Server configuration secrets managed via 1Password → Ansible:
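Review bot: The changelog entry (`feature-nettest-nix-container.feature.md`, first hunk) omits the user-visible naming change that the new release table documents: Nix-built images land in the registry as `:v1.0.0-nix` rather than `:v1.0.0`. Anyone pulling by tag will be surprised by that suffix, so add a clause such as "Nix images are published with a `-nix` tag suffix" alongside the sentence about one tag triggering both workflows.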
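Review bot: In the `build-container-image.md` frontmatter hunk, `modified` advances to 2026-02-19 but `last-reviewed` stays at 2026-02-15 even though the body is substantially rewritten (new prerequisites, new build step, new release table, new example section). If a content rewrite counts as a review in this docs set, bump `last-reviewed` too; otherwise leave a note in the PR on why it is intentionally unchanged.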
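Review bot: In the `build-container-image.md` "Prerequisites" and "Build locally" hunk (`@@ -14,30 +14,35 @@`), the prerequisites now qualify the Dagger CLI as "(for Dockerfile builds)" but list nothing for the Nix path, while step 2 says the Nix build "requires nix, e.g. on [[ringtail]]". Add a matching bullet, e.g. `- Nix installed locally (for `default.nix` builds), or shell access to [[ringtail]]`. The same hunk also drops the sentence "Fix any build errors before proceeding." together with the `docker_build()` explanation; the advice applies to both build paths, so keep it after the two code blocks rather than removing it.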
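Review bot: In the `build-container-image.md` release hunk (`@@ -47,7 +52,14 @@`), the new line "Use `--dry-run` to preview without creating tags." sits between the `mise run container-tag-and-release v1.0.0` command and the paragraph explaining what that command does, which breaks the flow of the step. Move it after "This creates a single git tag ..." and show the flag on the command so readers do not have to guess where it goes. It would also help to state which Forgejo workflow step performs the "checks for its build file and skips if not present" logic, since a skipped job and a failed job look different in the Actions UI.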
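Review bot: In the `build-container-image.md` examples hunk (`@@ -97,6 +110,10 @@`), the new heading is `### nettest (nix)` but the table row added earlier in the same file links to `[[#nettest-nix]]`. The existing rows link to headings that match their text exactly (`[[#navidrome]]`, `[[#kiwix-serve]]`), so this link will not resolve the same way; either rename the heading to `### nettest-nix` or change the link to match the heading text.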
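Review bot: In the `ringtail.md` runner hunk (`@@ -89,6 +89,9 @@`), the sentence "The runner resolves `` from the flake registry at build time." has an empty inline code span, so the reader cannot tell which flake registry entry is meant; fill in the name being resolved. In the same paragraph, "Container trust policy (`/etc/containers/policy.json`) ... configured minimally" leaves the actual trust decision undocumented: say whether the minimal policy enforces signature verification for pulls or accepts any image, because that file is what skopeo uses to decide which images it will copy into Zot, and a reviewer of the host config needs to know which it is.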
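Review bot: In the `forgejo.md` CI/CD hunk (`@@ -31,15 +31,20 @@`), converting the runner bullets into a table drops two facts that were in the removed lines and appear nowhere else in the patch: `Namespace: forgejo-runner` and `ArgoCD app: forgejo-runner`. Keep them, either as an extra column for the k8s row or as a one-line note under the table, since they are what an operator needs to locate the DinD runner in the cluster.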