Erich Blume
fd0bebb0fc
All checks were successful
Build Container / detect (push) Successful in 3s
Build Container / build-dockerfile (alloy) (push) Successful in 12s
Build Container / build-dockerfile (ntfy) (push) Successful in 11s
Build Container / build-nix (alloy) (push) Successful in 20s
Build Container / build-nix (authentik) (push) Successful in 6m10s
Build Container / build-nix (authentik-redis) (push) Successful in 20s
Build Container / build-nix (ntfy) (push) Successful in 6s
## Summary - Replace upstream `docker.io/library/redis:7-alpine` (Redis 7.4.8) with a nix-built container using Redis 8.2.3 from nixpkgs - Introduce **attached service pattern**: `parent` field in service-versions.yaml, `<parent>-<component>` naming convention, and `assert pkgs.redis.version == version` in default.nix to prevent silent version drift on `flake.lock` updates - Document the pattern in [[review-services]] so future attached services slot in cleanly - Backfill `parent: grafana` on existing `grafana-sidecar` entry ## Version drift protection 1. `flake.lock` update bumps nixpkgs redis → `assert` in `default.nix` breaks `nix-build` 2. Developer updates `version` in `default.nix` → prek's `container-version-check` demands matching `service-versions.yaml` update 3. Both must agree before commit succeeds ## Test plan - [ ] Build container from branch on ringtail (`mise run container-build-and-release authentik-redis`) - [ ] Update kustomization `newTag` to branch-built image tag - [ ] Sync authentik ArgoCD app from branch (`argocd app set authentik --revision localize-redis && argocd app sync authentik`) - [ ] Verify Authentik login, session persistence, and task queue still work - [ ] After merge: C0 follow-up to update `newTag` to the main-built image tag 🤖 Generated with [Claude Code](https://claude.com/claude-code) Reviewed-on: #309
87 lines
1.9 KiB
Nix
87 lines
1.9 KiB
Nix
# Nix-built ntfy push notification server
|
|
# Builds v2.19.2 from forge mirror
|
|
# Built with dockerTools.buildLayeredImage for efficient layer caching
|
|
{ pkgs ? import <nixpkgs> { } }:
|
|
|
|
let
|
|
version = "2.19.2";
|
|
|
|
src = pkgs.fetchgit {
|
|
url = "https://forge.ops.eblu.me/mirrors/ntfy.git";
|
|
rev = "v${version}";
|
|
hash = "sha256-HISQnb6LkKGujZsWCzVD3dTuobhUXqrmTFuov7dU+lY=";
|
|
};
|
|
|
|
ui = pkgs.buildNpmPackage {
|
|
inherit src version;
|
|
pname = "ntfy-sh-ui";
|
|
npmDepsHash = "sha256-PmhWzktybM6Cg7yYRfbxWE83C+XkmHh4garHhsydwwE=";
|
|
|
|
prePatch = ''
|
|
cd web/
|
|
'';
|
|
|
|
installPhase = ''
|
|
runHook preInstall
|
|
mv build/index.html build/app.html
|
|
rm build/config.js
|
|
mkdir -p $out
|
|
mv build/ $out/site
|
|
runHook postInstall
|
|
'';
|
|
};
|
|
|
|
ntfy = pkgs.buildGoModule {
|
|
inherit src version;
|
|
pname = "ntfy-sh";
|
|
vendorHash = "sha256-mr2PbxT5QWf4HZGgUg+oUjauqmZ6bh6N3f0ytwPDppU=";
|
|
|
|
doCheck = false;
|
|
|
|
subPackages = [ "." ];
|
|
|
|
ldflags = [
|
|
"-s"
|
|
"-w"
|
|
"-X main.version=${version}"
|
|
];
|
|
|
|
postPatch = ''
|
|
sed -i 's# /bin/echo# echo#' Makefile
|
|
'';
|
|
|
|
# Copy pre-built web UI; skip docs (create placeholder for go:embed)
|
|
preBuild = ''
|
|
cp -r ${ui}/site/ server/
|
|
mkdir -p server/docs && touch server/docs/placeholder
|
|
'';
|
|
|
|
meta = with pkgs.lib; {
|
|
description = "Send push notifications to your phone or desktop via PUT/POST";
|
|
homepage = "https://ntfy.sh";
|
|
license = licenses.asl20;
|
|
mainProgram = "ntfy";
|
|
};
|
|
};
|
|
in
|
|
|
|
pkgs.dockerTools.buildLayeredImage {
|
|
name = "blumeops/ntfy";
|
|
contents = [
|
|
ntfy
|
|
pkgs.cacert
|
|
pkgs.tzdata
|
|
];
|
|
|
|
config = {
|
|
Entrypoint = [ "${ntfy}/bin/ntfy" ];
|
|
Env = [
|
|
"SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
|
|
"TZDIR=${pkgs.tzdata}/share/zoneinfo"
|
|
];
|
|
ExposedPorts = {
|
|
"80/tcp" = { };
|
|
};
|
|
User = "65534";
|
|
};
|
|
}
|