diff --git a/.forgejo/workflows/build-container.yaml b/.forgejo/workflows/build-container.yaml
index 7f09630..36134b8 100644
--- a/.forgejo/workflows/build-container.yaml
+++ b/.forgejo/workflows/build-container.yaml
@@ -139,18 +139,12 @@ jobs:
 CONTAINER="${{ matrix.container }}"
 NIX_FILE="containers/$CONTAINER/default.nix"
- # Try extracting version = "..." from the nix file
+ # Extract version = "..." from the nix file
 VERSION=$(grep -m1 '^\s*version\s*=\s*"' "$NIX_FILE" \
 | sed 's/.*"\(.*\)".*/\1/' || true)
- # Fall back to nix eval for nixpkgs packages
 if [ -z "$VERSION" ]; then
- VERSION=$(nix --extra-experimental-features "nix-command flakes" \
- eval --raw "nixpkgs#${CONTAINER}.version")
- fi
-
- if [ -z "$VERSION" ]; then
- echo "Error: Could not determine version for $CONTAINER"
+ echo "Error: No version declaration found in $NIX_FILE"
 exit 1
 fi
diff --git a/containers/nettest/Dockerfile b/containers/nettest/Dockerfile
deleted file mode 100644
index 4bb1284..0000000
--- a/containers/nettest/Dockerfile
+++ /dev/null
@@ -1,27 +0,0 @@
-# Network connectivity test container for blumeops CI/CD debugging
-#
-# This container tests connectivity to tailnet services from various environments:
-# - Docker on indri (during CI build)
-# - Minikube pods (manual testing)
-
-ARG CONTAINER_APP_VERSION=0.1.0
-
-FROM alpine:3.22
-
-ARG CONTAINER_APP_VERSION
-LABEL org.opencontainers.image.title="nettest"
-LABEL org.opencontainers.image.description="Network connectivity test container for CI/CD debugging"
-LABEL org.opencontainers.image.version="${CONTAINER_APP_VERSION}"
-LABEL org.opencontainers.image.source="https://forge.eblu.me/eblume/blumeops"
-LABEL org.opencontainers.image.vendor="blumeops"
-
-RUN apk add --no-cache \
- curl \
- ca-certificates \
- jq \
- bind-tools
-
-COPY test-connectivity.sh /test-connectivity.sh
-RUN chmod +x /test-connectivity.sh
-
-ENTRYPOINT ["/test-connectivity.sh"]
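Review bot: The new error path reports "No version declaration found in $NIX_FILE" for every empty result, but the pipeline (and its `|| true`) never distinguishes a missing file from a file without a match, so a mistyped matrix entry is reported as a missing declaration while grep's own error only shows up in stderr. Guard the file first, e.g. `[ -f "$NIX_FILE" ] || { echo "Error: $NIX_FILE not found"; exit 1; }`. The extracted value presumably feeds an image tag later in the step, outside this hunk; because it comes from a repository file through the greedy `sed 's/.*"\(.*\)".*/\1/'`, a trailing comment containing quotes on the `version =` line would end up in it, so a shape check such as `case "$VERSION" in *[!A-Za-z0-9._-]*) echo "Error: invalid version '$VERSION'"; exit 1;; esac` before use would catch that. The `run:` block this code belongs to begins before the hunk.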
diff --git a/containers/nettest/default.nix b/containers/nettest/default.nix
deleted file mode 100644
index 4520804..0000000
--- a/containers/nettest/default.nix
+++ /dev/null
@@ -1,39 +0,0 @@
-# Nix-built nettest container
-# Equivalent to the Dockerfile: curl, jq, bind (nslookup), ca-certs, bash
-# Built with dockerTools.buildLayeredImage for efficient layer caching
-{ pkgs ? import { } }:
-
-let
- testScript = ./test-connectivity.sh;
-
- tools = pkgs.buildEnv {
- name = "nettest-tools";
- paths = [
- pkgs.curl
- pkgs.jq
- pkgs.dnsutils # provides nslookup, dig
- pkgs.cacert
- pkgs.coreutils
- pkgs.hostname
- pkgs.bashInteractive
- ];
- };
-in
-pkgs.dockerTools.buildLayeredImage {
- name = "blumeops/nettest";
- tag = "latest";
-
- contents = [ tools ];
-
- extraCommands = ''
- cp ${testScript} test-connectivity.sh
- chmod +x test-connectivity.sh
- '';
-
- config = {
- Entrypoint = [ "/bin/bash" "/test-connectivity.sh" ];
- Env = [
- "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
- ];
- };
-}
diff --git a/containers/nettest/test-connectivity.sh b/containers/nettest/test-connectivity.sh
deleted file mode 100644
index e97f417..0000000
--- a/containers/nettest/test-connectivity.sh
+++ /dev/null
@@ -1,115 +0,0 @@
-#!/bin/ash
-# shellcheck shell=dash
-# Network connectivity test script for blumeops
-# Tests access to tailnet services from within the container
-
-set -e
-
-echo "========================================"
-echo "BlumeOps Network Connectivity Test"
-echo "========================================"
-echo ""
-echo "Timestamp: $(date -Iseconds)"
-echo "Hostname: $(hostname)"
-echo ""
-
-# Test targets
-FORGE_HOST="forge.ops.eblu.me"
-REGISTRY_HOST="registry.ops.eblu.me"
-
-test_dns() {
- local host="$1"
- echo "--- DNS: $host ---"
- if nslookup "$host" 2>/dev/null; then
- echo "DNS: OK"
- return 0
- else
- echo "DNS: FAILED"
- return 1
- fi
-}
-
-test_https() {
- local url="$1"
- local name="$2"
- echo ""
- echo "--- HTTPS: $name ---"
- echo "URL: $url"
-
- # Try to fetch with verbose output
- http_code=$(curl -s -o /dev/null -w "%{http_code}" --max-time 10 "$url" 2>&1) || true
-
- if [ "$http_code" = "200" ] || [ "$http_code" = "401" ] || [ "$http_code" = "302" ]; then
- echo "HTTP Status: $http_code"
- echo "Result: OK (service reachable)"
- return 0
- elif [ -n "$http_code" ] && [ "$http_code" != "000" ]; then
- echo "HTTP Status: $http_code"
- echo "Result: OK (service reachable, status $http_code)"
- return 0
- else
- echo "HTTP Status: $http_code"
- echo "Result: FAILED (could not connect)"
- return 1
- fi
-}
-
-test_registry_api() {
- local host="$1"
- echo ""
- echo "--- Registry API: $host ---"
-
- # Try to query the registry API
- response=$(curl -sf --max-time 10 "https://$host/v2/_catalog" 2>/dev/null) || true
-
- if [ -n "$response" ]; then
- echo "Response: $response"
- repo_count=$(echo "$response" | jq -r '.repositories | length' 2>/dev/null) || repo_count="unknown"
- echo "Repository count: $repo_count"
- echo "Result: OK"
- return 0
- else
- echo "Result: FAILED (no response from /v2/_catalog)"
- return 1
- fi
-}
-
-echo "========================================"
-echo "Testing DNS Resolution"
-echo 
"========================================"
-dns_ok=0
-test_dns "$FORGE_HOST" && dns_ok=$((dns_ok + 1)) || true
-echo ""
-test_dns "$REGISTRY_HOST" && dns_ok=$((dns_ok + 1)) || true
-
-echo ""
-echo "========================================"
-echo "Testing HTTPS Connectivity"
-echo "========================================"
-https_ok=0
-test_https "https://$FORGE_HOST" "Forgejo" && https_ok=$((https_ok + 1)) || true
-test_https "https://$REGISTRY_HOST/v2/" "Zot Registry" && https_ok=$((https_ok + 1)) || true
-
-echo ""
-echo "========================================"
-echo "Testing Registry API"
-echo "========================================"
-api_ok=0
-test_registry_api "$REGISTRY_HOST" && api_ok=1 || true
-
-echo ""
-echo "========================================"
-echo "Summary"
-echo "========================================"
-echo "DNS tests passed: $dns_ok/2"
-echo "HTTPS tests passed: $https_ok/2"
-echo "Registry API: $([ $api_ok -eq 1 ] && echo 'OK' || echo 'FAILED')"
-echo ""
-
-if [ "$dns_ok" -eq 2 ] && [ "$https_ok" -eq 2 ] && [ "$api_ok" -eq 1 ]; then
- echo "OVERALL: ALL TESTS PASSED"
- exit 0
-else
- echo "OVERALL: SOME TESTS FAILED"
- exit 1
-fi
diff --git a/docs/changelog.d/unify-container-workflows.infra.md b/docs/changelog.d/unify-container-workflows.infra.md
index 4c79798..2225297 100644
--- a/docs/changelog.d/unify-container-workflows.infra.md
+++ b/docs/changelog.d/unify-container-workflows.infra.md
@@ -1 +1 @@
-Unified Dockerfile and Nix container build workflows into a single workflow that auto-classifies containers by build type and routes to the correct runner (k8s for Dockerfile, nix-container-builder for Nix).
+Unified Dockerfile and Nix container build workflows into a single workflow that auto-classifies containers by build type and routes to the correct runner (k8s for Dockerfile, nix-container-builder for Nix). Removed nettest container (outgrown). Nix builds now require an explicit `version = "..."` declaration — no implicit nixpkgs fallback.
diff --git a/docs/how-to/deployment/build-container-image.md b/docs/how-to/deployment/build-container-image.md
index b3b9cbe..4b47b3f 100644
--- a/docs/how-to/deployment/build-container-image.md
+++ b/docs/how-to/deployment/build-container-image.md
@@ -117,7 +117,7 @@ Existing containers demonstrate several build approaches:
 | Multi-stage with Node + Go | [[#navidrome]] | Separate UI and backend build stages |
 | Multi-stage Elixir | [[#teslamate]] | Elixir release with Node assets |
 | Runtime tarball download | [[#kiwix-serve]] | Download pre-built binary with arch detection |
-| Nix `dockerTools` | [[#nettest-nix]] | `buildLayeredImage` with nixpkgs tools |
+| Nix `dockerTools` | [[#ntfy-nix]] | `buildLayeredImage` with nix-built app |
 ### transmission
@@ -139,9 +139,9 @@ Existing containers demonstrate several build approaches:
 `containers/kiwix-serve/Dockerfile` — Downloads a pre-built binary from upstream, with architecture detection for cross-platform support.
-### nettest (nix)
+### ntfy (nix)
-`containers/nettest/default.nix` — Uses `dockerTools.buildLayeredImage` with `buildEnv` to merge nixpkgs tools (curl, jq, dnsutils, bash). Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry.
+`containers/ntfy/default.nix` — Builds ntfy from source using `buildGoModule` and packages it with `dockerTools.buildLayeredImage`. Runs alongside the existing Dockerfile; the nix variant is tagged `:version-nix` in the registry.
 ## Related
diff --git a/docs/how-to/zot/add-container-version-sync-check.md b/docs/how-to/zot/add-container-version-sync-check.md
index 7c98492..ebf1056 100644
--- a/docs/how-to/zot/add-container-version-sync-check.md
+++ b/docs/how-to/zot/add-container-version-sync-check.md
@@ -30,7 +30,7 @@ A typer-based uv-script that iterates over `containers/*/` and validates five ru
 Scoping: by default only checks containers changed vs main. `--all-files` checks everything. If `service-versions.yaml` itself changed, all containers are checked.
-Blacklisted containers (utility images, not tracked services): `kubectl`, `nettest`.
+Blacklisted containers (utility images, not tracked services): `kubectl`.
 Container-to-service name mapping: `quartz` → `docs`, `kiwix-serve` → `kiwix`.
diff --git a/docs/how-to/zot/add-dagger-nix-build.md b/docs/how-to/zot/add-dagger-nix-build.md
index 40841a8..fa5f261 100644
--- a/docs/how-to/zot/add-dagger-nix-build.md
+++ b/docs/how-to/zot/add-dagger-nix-build.md
@@ -15,7 +15,7 @@ Add Dagger functions for building nix container images and extracting version in
 ## Context
-Discovered during analysis of [[adopt-commit-based-container-tags]]: nix containers (authentik, ntfy, nettest) derive their bundled app version from the nixpkgs pin, not from an explicit declaration. To validate that a VERSION file matches the actual nix-built version, we need a way to query the version from nix.
+Discovered during analysis of [[adopt-commit-based-container-tags]]: nix containers (authentik, ntfy) derive their bundled app version from the nixpkgs pin, not from an explicit declaration. To validate that a VERSION file matches the actual nix-built version, we need a way to query the version from nix.
 Currently, nix containers can only be built on ringtail (the `nix-container-builder` runner). There is no local build path for developers — the only option is to push and wait for CI. Adding a Dagger-based nix build gives both local evaluation and version extraction.
@@ -84,7 +84,7 @@ The `flake_lock` function already demonstrates running nix inside Dagger using `
 ## Verification
-- [ ] `dagger call build-nix --src=. --container-name=nettest` produces a valid docker-archive tarball
+- [ ] `dagger call build-nix --src=. --container-name=ntfy` produces a valid docker-archive tarball
 - [ ] `dagger call nix-version --src=. --package=ntfy-sh` returns the correct version string
 - [ ] `dagger call nix-version --src=. --package=authentik` returns the Authentik version
 - [ ] Tarball from `build-nix` can be loaded with `docker load` and run locally
diff --git a/docs/how-to/zot/pin-container-versions.md b/docs/how-to/zot/pin-container-versions.md
index 714523c..4d0a64c 100644
--- a/docs/how-to/zot/pin-container-versions.md
+++ b/docs/how-to/zot/pin-container-versions.md
@@ -29,7 +29,6 @@ Specific changes:
 - **devpi**: Pinned devpi-server==6.19.1 and devpi-web==5.0.1
 - **cv**: `CONTAINER_APP_VERSION=1.0.3` (matches latest Forgejo package release)
 - **quartz**: `CONTAINER_APP_VERSION=1.28.2` (pinned nginx:1.28.2-alpine base)
-- **nettest**: `CONTAINER_APP_VERSION=0.1.0` (internal, no upstream)
 - **All others**: Existing versions carried forward with new uniform ARG pattern
 ## Key Files
diff --git a/docs/reference/tools/dagger.md b/docs/reference/tools/dagger.md
index 5d8a46d..b07ed78 100644
--- a/docs/reference/tools/dagger.md
+++ b/docs/reference/tools/dagger.md
@@ -49,7 +49,7 @@ dagger call --interactive build --src=. --container-name=devpi
 dagger call publish --src=. --container-name=devpi --version=v1.1.0
 # Build a nix container (no local nix required)
-dagger call build-nix --src=. --container-name=nettest export --path=./nettest.tar.gz
+dagger call build-nix --src=. --container-name=ntfy export --path=./ntfy.tar.gz
 # Check a nixpkgs package version
 dagger call nix-version --package=authentik
diff --git a/mise-tasks/container-version-check b/mise-tasks/container-version-check
index 29be3ab..87eed64 100755
--- a/mise-tasks/container-version-check
+++ b/mise-tasks/container-version-check
@@ -37,7 +37,7 @@ CONTAINERS_DIR = REPO_ROOT / "containers"
 SERVICE_VERSIONS_FILE = REPO_ROOT / "service-versions.yaml"
 # Containers that are utility/test images, not tracked services
-BLACKLIST = {"kubectl", "nettest"}
+BLACKLIST = {"kubectl"}
 # Container dir name → service-versions.yaml name (when they differ)
 CONTAINER_TO_SERVICE = {