Update hermes
This commit is contained in:
parent
609b3384c0
commit
637619cb38
2 changed files with 36 additions and 1 deletions
@ -19,7 +19,7 @@ let
|
|||
postBuild = ''
|
||||
wrapProgram $out/bin/auth2api \
|
||||
--add-flags "--config=${cfg.stateDir}/config.yaml" \
|
||||
--run "umask 027"
|
||||
--run "umask 007"
|
||||
'';
|
||||
};
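Review bot: The new `--run "umask 007"` makes every file auth2api creates group-writable (0660/0770 for the usual create modes), where `umask 027` only allowed the group to read; the hunk gives no reason for widening that. If the intent is to let another service that shares auth2api's group (presumably the hermes container, given the rest of this commit) write to those files, state it on the line above, e.g. `# umask 007: files must be group-writable for the shared hermes group; others still get nothing`. If group read was all that was needed, 027 already provided it and should be restored. The `let` binding that holds this `postBuild` starts outside the hunk.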
|
||||
|
||||
@ -71,6 +71,35 @@ with lib; {
|
|||
};
|
||||
|
||||
config = mkIf cfg.enable {
|
||||
# Write the nix-store overlay script into the stateDir so it's available
|
||||
# at /data/nix-store-overlay inside the container. Run it once with:
|
||||
# docker exec hermes-agent sudo /data/nix-store-overlay
|
||||
# This mounts a writable overlay over the read-only /nix/store so the Nix
|
||||
# daemon can build new derivations without touching the host store.
|
||||
# Upper/work dirs live on /data (persistent volume) so builds survive restarts.
|
||||
system.activationScripts.hermes-nix-overlay-script = {
|
||||
text = ''
|
||||
install -m 0755 -o root -g root /dev/stdin \
|
||||
'${cfg.stateDir}/nix-store-overlay' << 'OVERLAY_EOF'
|
||||
#!/bin/sh
|
||||
set -e
|
||||
UPPER=/data/nix-store-upper
|
||||
WORK=/data/nix-store-work
|
||||
if ! touch /nix/store/.rw-test 2>/dev/null; then
|
||||
mkdir -p "$UPPER" "$WORK"
|
||||
mount -t overlay overlay \
|
||||
-o lowerdir=/nix/store,upperdir="$UPPER",workdir="$WORK" \
|
||||
/nix/store
|
||||
echo "nix-store overlay mounted (upper=$UPPER)"
|
||||
else
|
||||
rm -f /nix/store/.rw-test
|
||||
echo "nix-store already writable, skipping overlay"
|
||||
fi
|
||||
OVERLAY_EOF
|
||||
'';
|
||||
deps = [ "users" "groups" ];
|
||||
};
|
||||
|
||||
# Hermes needs auth2api running to have a backend to call.
|
||||
assertions = [
|
||||
{
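Review bot: The script installed at `${cfg.stateDir}/nix-store-overlay` is meant to be run as root inside the container (`docker exec hermes-agent sudo /data/nix-store-overlay`), yet it is placed in the persistent data directory that the container's unprivileged user presumably writes to; root ownership and mode 0755 on the file do not stop a user who can rename or replace entries in a writable directory, so the content later executed with CAP_SYS_ADMIN is not under root's control. Prefer shipping it from a root-only, read-only location — for instance build it with `pkgs.writeShellScript` (if `pkgs` is among this module's arguments) and bind-mount it read-only through the container's volume list — and note that the same reasoning applies to `$UPPER`, since whatever lands in `upperdir` appears in the container's `/nix/store`. Separately, `install` does not create `${cfg.stateDir}`, so on a first activation this fails if that directory is only created later (e.g. by tmpfiles); add an explicit guard or depend on whatever creates it. The `config = mkIf cfg.enable {` attribute set continues past the end of the hunk.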
|
||||
@ -130,6 +159,12 @@ with lib; {
|
|||
enable = true;
|
||||
backend = "docker";
|
||||
inherit (cfg.container) hostUsers extraVolumes;
|
||||
|
||||
# SYS_ADMIN is required for the overlay mount over /nix/store.
|
||||
# The nix-store-overlay script (written to stateDir by tmpfiles) mounts
|
||||
# a writable overlay so the Nix daemon can build inside the container
|
||||
# without touching the host store.
|
||||
extraOptions = [ "--cap-add=SYS_ADMIN" ];
|
||||
};
|
||||
};
|
||||
};
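Review bot: The comment `# The nix-store-overlay script (written to stateDir by tmpfiles) mounts` is inaccurate — elsewhere in this commit the script is written by `system.activationScripts.hermes-nix-overlay-script`, not by a tmpfiles rule; change it to `# The nix-store-overlay script (written to stateDir by the hermes-nix-overlay-script activation script) mounts`. It is also worth stating the cost next to `extraOptions = [ "--cap-add=SYS_ADMIN" ];`: SYS_ADMIN gates mount(2) but is effectively root-equivalent for a container, so anything that gains root inside hermes-agent is close to host root, e.g. `# NOTE: SYS_ADMIN is far broader than the single mount it is added for; treat root in this container as host-equivalent.` The enclosing container definition starts outside the hunk.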
|
||||