C0: drop fix-ntfy-nix-version mikado card
Historical one-shot fix from the zot hardening chain — knowledge is self-evident in containers/ntfy/default.nix and container-version-check regex. Should have been removed at mikado finalization. Scrubbed the two wiki-link references in add-container-version-sync-check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 51a878cddb
commit 53a7374ac1
2 changed files with 2 additions and 44 deletions
@ -52,7 +52,7 @@ Filled in `current-version` for all hybrid services: navidrome (v0.60.3), minifl
### ntfy nix version skew (resolved)
The check discovered that ntfy's Dockerfile pins v2.17.0 but nixpkgs has ntfy-sh 2.15.0. This was resolved in [[fix-ntfy-nix-version]] by building a custom nix derivation from the forge mirror. The version check now extracts the version from local nix files via regex, falling back to Dagger for unmodified nixpkgs packages.
The check discovered that ntfy's Dockerfile pinned a newer version than nixpkgs `ntfy-sh` provided. Resolved by replacing the nixpkgs reference in `containers/ntfy/default.nix` with a custom derivation built from the forge mirror. The version check now extracts the version from local nix files via regex, falling back to Dagger for unmodified nixpkgs packages.
## Key Files
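Review bot: The rewritten paragraph under "ntfy nix version skew (resolved)" drops the two concrete versions the old sentence carried (Dockerfile v2.17.0, nixpkgs ntfy-sh 2.15.0) and still refers only to "the forge mirror" without naming it. With the how-to card removed in the same commit, this paragraph becomes the remaining prose record of the skew, so consider keeping the versions as they stood at the time of the fix and naming the mirror the card gave (`forge.ops.eblu.me/mirrors/ntfy.git`), so a reader can tell which source the custom derivation is built from without opening `containers/ntfy/default.nix`.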
@ -68,12 +68,11 @@ The check discovered that ntfy's Dockerfile pins v2.17.0 but nixpkgs has ntfy-sh
- [x] Intentionally changing a Dockerfile ARG without updating `service-versions.yaml` fails the check
- [x] `service-versions.yaml` has `current-version` populated for all hybrid services
- [x] Nix-only container versions (authentik) checked via Dagger
- [x] ntfy nix version resolved via [[fix-ntfy-nix-version]]
- [x] ntfy nix version resolved via custom derivation in `containers/ntfy/default.nix`
## Related
- [[pin-container-versions]] — Prereq: containers need parseable version ARGs first
- [[add-dagger-nix-build]] — Prereq: nix version extraction
- [[fix-ntfy-nix-version]] — Prereq: ntfy nix derivation version skew
- [[adopt-commit-based-container-tags]] — Parent: CI uses the same version extraction at build time
- [[harden-zot-registry]] — Root goal
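Review bot: The commit message counts two scrubbed wiki-link references, but this hunk alone removes two `[[fix-ntfy-nix-version]]` links (the checklist item and the Prereq entry under Related), and the preceding hunk removes a third from the skew paragraph. Please correct the count in the message, and confirm that no other card still links to `[[fix-ntfy-nix-version]]`; the deleted card named `[[harden-zot-registry]]` as its root goal, so that page is the first place to look for a now-dangling link.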
@ -1,41 +0,0 @@
---
title: Fix ntfy Nix Version
modified: 2026-02-20
tags:
- how-to
- containers
- nix
- zot
---
# Fix ntfy Nix Version
Override the nixpkgs ntfy-sh derivation to build v2.17.0 from the forge mirror, aligning the nix-built container with the Dockerfile version.
## Context
Discovered during [[add-container-version-sync-check]]: the ntfy container has both a Dockerfile and a `default.nix`. The Dockerfile builds v2.17.0 from `forge.ops.eblu.me/mirrors/ntfy.git`, but the nix derivation uses `pkgs.ntfy-sh` from nixpkgs which is pinned at 2.15.0. The version sync check currently excludes ntfy from nix version validation as a workaround.
## What Was Done
Replaced the nixpkgs `pkgs.ntfy-sh` reference in `containers/ntfy/default.nix` with a custom derivation that builds v2.17.0 from the forge mirror using `fetchgit`, `buildNpmPackage` (web UI), and `buildGoModule` (server). Docs are skipped (placeholder for `go:embed`, matching the Dockerfile approach).
The `container-version-check` script was updated to extract versions from local nix files via regex (`version = "X.Y.Z"`) before falling back to the Dagger `nix-version` function for unmodified nixpkgs packages. This avoids the issue where `nix eval nixpkgs#ntfy-sh.version` returns the upstream 2.15.0 instead of our overridden 2.17.0.
## Key Files
| File | Change |
|------|--------|
| `containers/ntfy/default.nix` | Custom derivation building v2.17.0 from forge |
| `mise-tasks/container-version-check` | Regex-based local nix version extraction |
## Verification
- [x] `dagger call build-nix --src=. --container-name=ntfy` produces a working image
- [x] Version extractable from local `default.nix` via regex (2.17.0)
- [x] `mise run container-version-check --all-files` passes with ntfy included
## Related
- [[add-container-version-sync-check]] — Parent: needs ntfy in NIX_PACKAGE_MAP
- [[harden-zot-registry]] — Root goal
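Review bot: The "What Was Done" section of the deleted card holds the only stated reason for the check's lookup order: the local regex on `version = "X.Y.Z"` runs first because `nix eval nixpkgs#ntfy-sh.version` returns the upstream 2.15.0 rather than the overridden 2.17.0. Before dropping the card, confirm that this rationale exists as a comment in `mise-tasks/container-version-check` and that the skipped-docs placeholder for `go:embed` is explained in `containers/ntfy/default.nix`; if either is missing, move the sentence there. Since the regex reads only the declared `version` string, a short comment in `default.nix` saying that the string must be bumped together with the `fetchgit` source it describes would keep the check meaningful.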