add option to build+run stuff with Nix

* add flake.nix
* update .gitignore
* add .envrc to allow direnv autoloading
* describe how to use this in the README.md
This commit is contained in:
leo 2023-03-09 16:48:11 +01:00
parent 8edea6262f
commit 3baa6fc079
Signed by: wanderer
SSH Key Fingerprint: SHA256:Dp8+iwKHSlrMEHzE3bJnPng70I7LEsa3IJXRH/U+idQ
7 changed files with 365 additions and 8 deletions

3
.envrc Normal file

@ -0,0 +1,3 @@
use flake
# vim: ff=unix ft=sh

4
.gitignore vendored

@ -1 +1,5 @@
certs-test certs-test
# nix symlink.
result
# ignore direnv folder.
.direnv/

@ -10,11 +10,17 @@ therefore the program should fail with the following:
> 2023/03/08 18:31:00 connecting to https://\<endpoint\> > 2023/03/08 18:31:00 connecting to https://\<endpoint\>
> panic: Get "https://\<endpoint\>": tls: failed to verify certificate: x509: certificate signed by unknown authority > panic: Get "https://\<endpoint\>": tls: failed to verify certificate: x509: certificate signed by unknown authority
### build and run ### build and run using Go
to manually build and run the app, run:
```sh
go build -v . && ./certs-test -endpoint=<yoursite.tld>
```
### build and run using podman
to build a container in which the app will be able to connect to a TLS to build a container in which the app will be able to connect to a TLS
connected endpoint, run: connected endpoint, run:
``` ```sh
podman build -tcerts-test:success -f Dockerfile . podman build -tcerts-test:success -f Dockerfile .
``` ```
alternatively, run `make` or `make certsuccess` alternatively, run `make` or `make certsuccess`
@ -22,16 +28,11 @@ alternatively, run `make` or `make certsuccess`
to build a container that will yield a CA cert validation failure (because of to build a container that will yield a CA cert validation failure (because of
the missing **ca-cert** bundle), run: the missing **ca-cert** bundle), run:
``` ```sh
podman build -tcerts-test:fail -f Dockerfile . podman build -tcerts-test:fail -f Dockerfile .
``` ```
alternatively, run `make certfail` alternatively, run `make certfail`
to manually build and run the app, run:
```
go build -v . && ./certs-test -endpoint=<yoursite.tld>
```
to run the container, do to run the container, do
``` ```
podman run localhost/certs-test:success podman run localhost/certs-test:success
@ -43,5 +44,29 @@ podman run localhost/certs-test:fail
``` ```
based on which one you'd like to run. based on which one you'd like to run.
### build and run using Nix
build the flake's `success` and `failure` containers:
```sh
# build "success" first.
nix build .#success
podman load <result
# run the container loaded in the previous step.
podman run --rm localhost/certs-test:nix-success
# build the "failure".
nix build .#failure
# load the newly built container and run it.
podman load <result && \
podman run --rm localhost/certs-test:nix-fail
# inspect the containers.
podman inspect localhost/certs-test:nix-{success,fail}
```
build and run the app directly:
```sh
nix build .#certs-test && ./result/bin/certs-test
```
### LICENSE ### LICENSE
CC0 CC0

16
default.nix Normal file

@ -0,0 +1,16 @@
(
import
(
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{
src = ./.;
}
)
.defaultNix

60
flake.lock Normal file

@ -0,0 +1,60 @@
{
"nodes": {
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"nix-filter": {
"locked": {
"lastModified": 1678109515,
"narHash": "sha256-C2X+qC80K2C1TOYZT8nabgo05Dw2HST/pSn6s+n6BO8=",
"owner": "numtide",
"repo": "nix-filter",
"rev": "aa9ff6ce4a7f19af6415fb3721eaa513ea6c763c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "nix-filter",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1678268259,
"narHash": "sha256-q+ZWNJfXKgIKwsZBir0yXrmIV/4tOv5BflxDAfGISps=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "90ef5c3c337d8d9f0c97e7641ece70a41f6c16a2",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"flake-compat": "flake-compat",
"nix-filter": "nix-filter",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

233
flake.nix Normal file

@ -0,0 +1,233 @@
{
description = "test that the ca-certs bundle works in scratch containers";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-compat = {
url = "github:edolstra/flake-compat";
flake = false;
};
nix-filter = {
url = "github:numtide/nix-filter";
};
};
outputs = {
self,
nixpkgs,
nix-filter,
...
}: let
projname = "certs-test";
# to work with older version of flakes
lastModifiedDate =
self.lastModifiedDate or self.lastModified or "19700101";
# Generate a user-friendly version number.
version = "v0.0.0";
supportedSystems = ["x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin"];
forAllSystems = nixpkgs.lib.genAttrs supportedSystems;
pkgs = forAllSystems (system: nixpkgs.legacyPackages.${system});
# Nixpkgs instantiated for supported system types.
nixpkgsFor = forAllSystems (system:
import nixpkgs {
inherit system;
overlays = [
# no overlay imports atm
# (import ./overlay.nix)
];
});
in {
formatter = forAllSystems (
system:
nixpkgsFor.${system}.alejandra
);
packages = forAllSystems (system: let
baseurl = "https://git.dotya.ml/wanderer/certs-test/";
pkgs = nixpkgsFor.${system};
inherit (pkgs) lib overlays;
in rec {
certs-test = with pkgs;
buildGo120Module rec {
pname = "certs-test";
buildInputs = [
go_1_20
gcc
];
nativeBuildInputs = [pkgconfig];
overrideModAttrs = _: {
# GOPROXY = "direct";
GOFLAGS = "-buildmode=pie -trimpath -mod=readonly -modcacherw";
CGO_ENABLED = "0";
};
inherit version;
doCheck = false;
# use go.mod for managing go deps, instead of vendor-only dir
proxyVendor = true;
tags = []; # go "-tags" to build with
ldflags = [
"-s"
"-w"
"-X main.version=${version}"
];
# dont't forget to update vendorSha256 whenever go.mod or go.sum change
# vendorSha256 = "sha256-Ns3ohAzZliK75fM6ryWubhfLBCVwU7CsZbuuzZrGaRY=";
vendorSha256 = null;
# In 'nix develop', we don't need a copy of the source tree
# in the Nix store.
src = nix-filter.lib.filter {
# when in doubt, check out
# https://github.com/numtide/nix-filter#design-notes
# tl;dr: it'd be best to include folders, however there are
# currently issues with that approach.
root = lib.cleanSource ./.;
exclude = [
./README.md
./certs-test
./flake.nix
./flake.lock
./default.nix
./shell.nix
./README.md
./.envrc
./.gitattributes
./.gitignore
# nix result symlink
./result
# the entire .git folder
./.git
];
};
meta = {
description = "certs-test";
homepage = baseurl;
license = lib.licenses.gpl3;
maintainers = ["wanderer"];
platforms = lib.platforms.linux ++ lib.platforms.darwin;
};
};
scratch-with-cacerts = with pkgs;
pkgs.dockerTools.pullImage {
imageName = "ghcr.io/mariouhrik/scratch-with-cacerts";
imageDigest = "sha256:4c95be74f178c9230587a557a1429f4bd10c4fdf24ddcc70a090d42f462ece55";
sha256 = "sha256-1yLq1KcAl6xxFhRCPcWrCXzDs0Ik6+VAcfi/1MVDq38=";
os = "linux";
arch = "${system}";
};
success = with pkgs;
pkgs.dockerTools.buildLayeredImage {
name = "certs-test";
tag = "nix-success";
fromImage = scratch-with-cacerts;
contents = [
certs-test
];
config = {
Cmd = ["/bin/certs-test"];
};
};
failure = with pkgs;
dockerTools.buildLayeredImage {
name = "certs-test";
tag = "nix-fail";
contents = [
certs-test
];
config = {
Cmd = ["/bin/certs-test"];
};
};
default = certs-test;
});
apps = forAllSystems (system: rec {
certs-test = {
type = "app";
program = "${self.packages.${system}.${projname}}/bin/certs-test";
};
success = {
type = "app";
program = "${self.packages.${system}.${projname}}/bin/success";
};
failure = {
type = "app";
program = "${self.packages.${system}.${projname}}/bin/failure";
};
default = certs-test;
});
devShells = forAllSystems (
system: let
pkgs = import nixpkgs {
inherit system;
overlays = [
# (import ./overlay.nix)
];
};
upcache = pkgs.writeShellScriptBin "upcache" ''
## refs:
## https://fzakaria.com/2020/08/11/caching-your-nix-shell.html
## https://nixos.wiki/wiki/Caching_nix_shell_build_inputs
nix-store --query --references $(nix-instantiate shell.nix) | \
xargs nix-store --realise | \
xargs nix-store --query --requisites | \
cachix push ${projname}
nix build --json \
| jq -r '.[].outputs | to_entries[].value' \
| cachix push ${projname}
'';
add-license = pkgs.writeShellScriptBin "add-license" ''
go run github.com/google/addlicense@v1.0.0 -v \
-c "wanderer <a_mirre at utb dot cz>" \
-l "CC0" -s .
'';
in {
default = with pkgs;
mkShellNoCC {
name = "${projname}-" + version;
GOFLAGS = "-buildmode=pie -trimpath -mod=readonly -modcacherw";
GOLDFLAGS = "-s -w -X main.version=${version}";
# CGO_CFLAGS = "-g0 -Ofast -mtune=native -flto";
# CGO_LDFLAGS = "-Wl,-O1,-sort-common,-as-needed,-z,relro,-z,now,-flto -pthread";
CGO_ENABLED = "0";
shellHook = ''
echo " -- in ${projname} dev shell..."
'';
packages = [
pre-commit
statix
# built-in
upcache
addlicense
# deps
go_1_20
go-tools
gopls
gofumpt
];
};
}
);
};
}

16
shell.nix Normal file

@ -0,0 +1,16 @@
(
import
(
let
lock = builtins.fromJSON (builtins.readFile ./flake.lock);
in
fetchTarball {
url = "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
sha256 = lock.nodes.flake-compat.locked.narHash;
}
)
{
src = ./.;
}
)
.shellNix