refactor(nixery): expose launch script derivation

Simplifies reusing the launch script in other use-cases than the "official" Nixery image. Relates to nixery#166 Change-Id: Iaf1dff385ce270792253551081c1b2fca6400037 Reviewed-on: https://cl.tvl.fyi/c/depot/+/11046 Autosubmit: tazjin <[email protected]> Reviewed-by: flokli <[email protected]> Tested-by: BuildkiteCI
tazjin · Feb 28, 2024 · e9f7c1f · e9f7c1f
1 parent 65b4513
commit e9f7c1f
Showing 1 changed file with 51 additions and 53 deletions.
diff --git a/default.nix b/default.nix
@@ -72,60 +72,58 @@ depot.nix.readTree.drvTargets rec {
     };
   };
 
+  # Wrapper script for the wrapper script (meta!) which configures
+  # the container environment appropriately.
+  #
+  # Most importantly, sandboxing is disabled to avoid privilege
+  # issues in containers.
+  nixery-launch-script = writeShellScriptBin "nixery" ''
+    set -e
+    export PATH=${coreutils}/bin:$PATH
+    export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
+    mkdir -p /tmp
+
+    # Create the build user/group required by Nix
+    echo 'nixbld:x:30000:nixbld' >> /etc/group
+    echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
+    echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
+    echo 'root:x:0:' >> /etc/group
+
+    # Disable sandboxing to avoid running into privilege issues
+    mkdir -p /etc/nix
+    echo 'sandbox = false' >> /etc/nix/nix.conf
+
+    # In some cases users building their own image might want to
+    # customise something on the inside (e.g. set up an environment
+    # for keys or whatever).
+    #
+    # This can be achieved by setting a 'preLaunch' script.
+    ${preLaunch}
+
+    exec ${nixery}/bin/server
+  '';
+
   # Container image containing Nixery and Nix itself. This image can
   # be run on Kubernetes, published on AppEngine or whatever else is
   # desired.
-  nixery-image =
-    let
-      # Wrapper script for the wrapper script (meta!) which configures
-      # the container environment appropriately.
-      #
-      # Most importantly, sandboxing is disabled to avoid privilege
-      # issues in containers.
-      nixery-launch-script = writeShellScriptBin "nixery" ''
-        set -e
-        export PATH=${coreutils}/bin:$PATH
-        export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt
-        mkdir -p /tmp
-
-        # Create the build user/group required by Nix
-        echo 'nixbld:x:30000:nixbld' >> /etc/group
-        echo 'nixbld:x:30000:30000:nixbld:/tmp:/bin/bash' >> /etc/passwd
-        echo 'root:x:0:0:root:/root:/bin/bash' >> /etc/passwd
-        echo 'root:x:0:' >> /etc/group
-
-        # Disable sandboxing to avoid running into privilege issues
-        mkdir -p /etc/nix
-        echo 'sandbox = false' >> /etc/nix/nix.conf
-
-        # In some cases users building their own image might want to
-        # customise something on the inside (e.g. set up an environment
-        # for keys or whatever).
-        #
-        # This can be achieved by setting a 'preLaunch' script.
-        ${preLaunch}
-
-        exec ${nixery}/bin/server
-      '';
-    in
-    dockerTools.buildLayeredImage {
-      name = "nixery";
-      config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
-
-      inherit maxLayers;
-      contents = [
-        bashInteractive
-        cacert
-        coreutils
-        git
-        gnutar
-        gzip
-        iana-etc
-        nix
-        nixery-prepare-image
-        nixery-launch-script
-        openssh
-        zlib
-      ] ++ extraPackages;
-    };
+  nixery-image = dockerTools.buildLayeredImage {
+    name = "nixery";
+    config.Cmd = [ "${nixery-launch-script}/bin/nixery" ];
+
+    inherit maxLayers;
+    contents = [
+      bashInteractive
+      cacert
+      coreutils
+      git
+      gnutar
+      gzip
+      iana-etc
+      nix
+      nixery-prepare-image
+      nixery-launch-script
+      openssh
+      zlib
+    ] ++ extraPackages;
+  };
 }