Erich Blume
0e2c10176d
## Summary - Enable OIDC + API key authentication on zot with anonymous pull preserved - Enforce tag immutability for version tags - Adopt commit-SHA-based container image tagging Details in the [[harden-zot-registry]] Mikado chain (`mise run docs-mikado harden-zot-registry`). ## Test plan - [ ] Anonymous pull still works - [ ] Unauthenticated push fails (401) - [ ] CI container builds pass with new auth and tagging - [ ] `mise run services-check` passes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: https://forge.ops.eblu.me/eblume/blumeops/pulls/231
87 lines
1.9 KiB
Nix
87 lines
1.9 KiB
Nix
# Nix-built ntfy push notification server
|
|
# Builds v2.17.0 from forge mirror (nixpkgs has 2.15.0)
|
|
# Built with dockerTools.buildLayeredImage for efficient layer caching
|
|
{ pkgs ? import <nixpkgs> { } }:
|
|
|
|
let
|
|
version = "2.17.0";
|
|
|
|
src = pkgs.fetchgit {
|
|
url = "https://forge.ops.eblu.me/eblume/ntfy.git";
|
|
rev = "v${version}";
|
|
hash = "sha256-/dxILAkye1HwYcybnx1WrMRK2jXZMrxal2ZKm6y2bWc=";
|
|
};
|
|
|
|
ui = pkgs.buildNpmPackage {
|
|
inherit src version;
|
|
pname = "ntfy-sh-ui";
|
|
npmDepsHash = "sha256-d73rymqCKalsjAwHSJshEovmUHJStfGt8wcZYN49sHY=";
|
|
|
|
prePatch = ''
|
|
cd web/
|
|
'';
|
|
|
|
installPhase = ''
|
|
runHook preInstall
|
|
mv build/index.html build/app.html
|
|
rm build/config.js
|
|
mkdir -p $out
|
|
mv build/ $out/site
|
|
runHook postInstall
|
|
'';
|
|
};
|
|
|
|
ntfy = pkgs.buildGoModule {
|
|
inherit src version;
|
|
pname = "ntfy-sh";
|
|
vendorHash = "sha256-/mQ+UwBYz78mPVVwYgsSYatE00ce2AKXJdx+nl6oT8E=";
|
|
|
|
doCheck = false;
|
|
|
|
ldflags = [
|
|
"-s"
|
|
"-w"
|
|
"-X main.version=${version}"
|
|
];
|
|
|
|
postPatch = ''
|
|
sed -i 's# /bin/echo# echo#' Makefile
|
|
'';
|
|
|
|
# Copy pre-built web UI; skip docs (create placeholder for go:embed)
|
|
preBuild = ''
|
|
cp -r ${ui}/site/ server/
|
|
mkdir -p server/docs && touch server/docs/placeholder
|
|
'';
|
|
|
|
meta = with pkgs.lib; {
|
|
description = "Send push notifications to your phone or desktop via PUT/POST";
|
|
homepage = "https://ntfy.sh";
|
|
license = licenses.asl20;
|
|
mainProgram = "ntfy";
|
|
};
|
|
};
|
|
in
|
|
|
|
pkgs.dockerTools.buildLayeredImage {
|
|
name = "blumeops/ntfy";
|
|
tag = "latest";
|
|
|
|
contents = [
|
|
ntfy
|
|
pkgs.cacert
|
|
pkgs.tzdata
|
|
];
|
|
|
|
config = {
|
|
Entrypoint = [ "${ntfy}/bin/ntfy" ];
|
|
Env = [
|
|
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
|
|
"TZDIR=${pkgs.tzdata}/share/zoneinfo"
|
|
];
|
|
ExposedPorts = {
|
|
"80/tcp" = { };
|
|
};
|
|
User = "65534";
|
|
};
|
|
}
|