C0: drop fix-ntfy-nix-version mikado card
Historical one-shot fix from the zot hardening chain — knowledge is self-evident in containers/ntfy/default.nix and container-version-check regex. Should have been removed at mikado finalization. Scrubbed the two wiki-link references in add-container-version-sync-check.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
parent 51a878cddb
commit 53a7374ac1
2 changed files with 2 additions and 44 deletions
@ -52,7 +52,7 @@ Filled in `current-version` for all hybrid services: navidrome (v0.60.3), minifl
### ntfy nix version skew (resolved)
### ntfy nix version skew (resolved)
The check discovered that ntfy's Dockerfile pins v2.17.0 but nixpkgs has ntfy-sh 2.15.0. This was resolved in [[fix-ntfy-nix-version]] by building a custom nix derivation from the forge mirror. The version check now extracts the version from local nix files via regex, falling back to Dagger for unmodified nixpkgs packages.
The check discovered that ntfy's Dockerfile pinned a newer version than nixpkgs `ntfy-sh` provided. Resolved by replacing the nixpkgs reference in `containers/ntfy/default.nix` with a custom derivation built from the forge mirror. The version check now extracts the version from local nix files via regex, falling back to Dagger for unmodified nixpkgs packages.
## Key Files
## Key Files
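Review bot: the rewritten paragraph at +52 drops the concrete version pair the old text recorded (Dockerfile v2.17.0 vs nixpkgs ntfy-sh 2.15.0), and because the fix-ntfy-nix-version card is deleted in this same commit those numbers now survive nowhere in the wiki; "pinned a newer version than nixpkgs provided" is not something a reader can check against `containers/ntfy/default.nix` without the commit history. The paragraph also names no file for the regex-based extraction it describes. Suggest keeping the versions, or at minimum naming the script, e.g. "The version check (`mise-tasks/container-version-check`) now extracts the version from local nix files via regex, ...", since the deleted card's Key Files table was the only place that path was written down; please confirm this file's own Key Files section (just below this hunk) already lists it.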
@ -68,12 +68,11 @@ The check discovered that ntfy's Dockerfile pins v2.17.0 but nixpkgs has ntfy-sh
- [x] Intentionally changing a Dockerfile ARG without updating `service-versions.yaml` fails the check
- [x] Intentionally changing a Dockerfile ARG without updating `service-versions.yaml` fails the check
- [x] `service-versions.yaml` has `current-version` populated for all hybrid services
- [x] `service-versions.yaml` has `current-version` populated for all hybrid services
- [x] Nix-only container versions (authentik) checked via Dagger
- [x] Nix-only container versions (authentik) checked via Dagger
- [x] ntfy nix version resolved via [[fix-ntfy-nix-version]]
- [x] ntfy nix version resolved via custom derivation in `containers/ntfy/default.nix`
## Related
## Related
- [[pin-container-versions]] — Prereq: containers need parseable version ARGs first
- [[pin-container-versions]] — Prereq: containers need parseable version ARGs first
- [[add-dagger-nix-build]] — Prereq: nix version extraction
- [[add-dagger-nix-build]] — Prereq: nix version extraction
- [[fix-ntfy-nix-version]] — Prereq: ntfy nix derivation version skew
- [[adopt-commit-based-container-tags]] — Parent: CI uses the same version extraction at build time
- [[adopt-commit-based-container-tags]] — Parent: CI uses the same version extraction at build time
- [[harden-zot-registry]] — Root goal
- [[harden-zot-registry]] — Root goal
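Review bot: the checklist item at +68 now credits the resolution to the custom derivation in `containers/ntfy/default.nix` but records no verification of the regex path that resolution relies on. The deleted card's Verification section had two checks that are not carried over anywhere in this file: `- [x] Version extractable from local default.nix via regex (2.17.0)` and `- [x] dagger call build-nix --src=. --container-name=ntfy produces a working image`. Suggest adding one line here for the local-regex extraction, so that a future edit to the derivation's `version = "..."` string that the regex no longer matches is caught by the checklist rather than only by a CI failure. Dropping the `[[fix-ntfy-nix-version]]` Related entry is consistent with the hunk count going from 12 to 11 lines.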
@ -1,41 +0,0 @@
---
title: Fix ntfy Nix Version
modified: 2026-02-20
tags:
- how-to
- containers
- nix
- zot
---
# Fix ntfy Nix Version
Override the nixpkgs ntfy-sh derivation to build v2.17.0 from the forge mirror, aligning the nix-built container with the Dockerfile version.
## Context
Discovered during [[add-container-version-sync-check]]: the ntfy container has both a Dockerfile and a `default.nix`. The Dockerfile builds v2.17.0 from `forge.ops.eblu.me/mirrors/ntfy.git`, but the nix derivation uses `pkgs.ntfy-sh` from nixpkgs which is pinned at 2.15.0. The version sync check currently excludes ntfy from nix version validation as a workaround.
## What Was Done
Replaced the nixpkgs `pkgs.ntfy-sh` reference in `containers/ntfy/default.nix` with a custom derivation that builds v2.17.0 from the forge mirror using `fetchgit`, `buildNpmPackage` (web UI), and `buildGoModule` (server). Docs are skipped (placeholder for `go:embed`, matching the Dockerfile approach).
The `container-version-check` script was updated to extract versions from local nix files via regex (`version = "X.Y.Z"`) before falling back to the Dagger `nix-version` function for unmodified nixpkgs packages. This avoids the issue where `nix eval nixpkgs#ntfy-sh.version` returns the upstream 2.15.0 instead of our overridden 2.17.0.
## Key Files
| File | Change |
|------|--------|
| `containers/ntfy/default.nix` | Custom derivation building v2.17.0 from forge |
| `mise-tasks/container-version-check` | Regex-based local nix version extraction |
## Verification
- [x] `dagger call build-nix --src=. --container-name=ntfy` produces a working image
- [x] Version extractable from local `default.nix` via regex (2.17.0)
- [x] `mise run container-version-check --all-files` passes with ntfy included
## Related
- [[add-container-version-sync-check]] — Parent: needs ntfy in NIX_PACKAGE_MAP
- [[harden-zot-registry]] — Root goal
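Review bot: deleting this card removes the one sentence that explains why the regex path exists at all, namely that `nix eval nixpkgs#ntfy-sh.version` returns the upstream 2.15.0 rather than the overridden 2.17.0, so the Dagger `nix-version` function cannot be trusted for packages that are overridden locally. The commit message calls this knowledge self-evident from `containers/ntfy/default.nix` and the check regex, but a `fetchgit`/`buildGoModule` derivation and a `version = "X.Y.Z"` regex show what is done, not why the local file is consulted before Dagger. Suggest moving that sentence into a comment in `mise-tasks/container-version-check` next to the regex (or into the surviving add-container-version-sync-check card) before this file goes, together with the note from "What Was Done" that docs are skipped with a placeholder for `go:embed` to match the Dockerfile, since that is a deliberate divergence from nixpkgs that the derivation alone does not explain.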