From 02f73c8ee2ef787e4936a91c064afaf40ceb7437 Mon Sep 17 00:00:00 2001 From: Dominik Polakovics Date: Sun, 3 Dec 2023 15:15:29 +0100 Subject: [PATCH] add sysbox --- hosts/fw.cloonar.com/configuration.nix | 5 ++ hosts/fw.cloonar.com/modules/gitea.nix | 2 - .../fw.cloonar.com/modules/home-assistant.nix | 6 -- .../git.cloonar.com/modules/drone/runner.nix | 3 +- .../git.cloonar.com/modules/drone/server.nix | 3 +- utils/overlays/packages.nix | 1 + utils/pkgs/sysbox.nix | 82 +++++++++++++++++++ 7 files changed, 90 insertions(+), 12 deletions(-) create mode 100644 utils/pkgs/sysbox.nix diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix index a44f1b5..a726a9a 100644 --- a/hosts/fw.cloonar.com/configuration.nix +++ b/hosts/fw.cloonar.com/configuration.nix @@ -39,6 +39,10 @@ ./hardware-configuration.nix ]; + nixpkgs.overlays = [ + (import ./utils/overlays/packages.nix) + ]; + nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; @@ -57,6 +61,7 @@ ethtool # manage NIC settings (offload, NIC feeatures, ...) tcpdump # view network traffic conntrack-tools # view network connection states + sysbox ]; nix.gc = { diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix index a76f295..4022eb1 100644 --- a/hosts/fw.cloonar.com/modules/gitea.nix +++ b/hosts/fw.cloonar.com/modules/gitea.nix @@ -69,8 +69,6 @@ in "/var/lib/gitea:/data" "/etc/gitea/app.ini:/data/custom/conf/app.ini:ro" "/var/lib/acme/git.cloonar.com:/ssl:ro" - "/etc/timezone:/etc/timezone:ro" - "/etc/localtime:/etc/localtime:ro" ]; environment = { USER_UID = builtins.toString config.users.users.gitea.uid; diff --git a/hosts/fw.cloonar.com/modules/home-assistant.nix b/hosts/fw.cloonar.com/modules/home-assistant.nix index 91e972e..d136d9c 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant.nix 
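Review bot: `(import ./utils/overlays/packages.nix)` is resolved relative to `hosts/fw.cloonar.com/configuration.nix`, so it points at `hosts/fw.cloonar.com/utils/overlays/packages.nix`, while the overlay this commit edits lives at `utils/overlays/packages.nix` at the repository root (see the diffstat). Unless a copy exists under the host directory, evaluation fails with a missing-path error before the `sysbox` entry further down is ever reached; the path has to climb two levels: `(import ../../utils/overlays/packages.nix)`. The enclosing attribute set starts and ends outside the hunk.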
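Review bot: The new `sysbox` entry is the only item in this `systemPackages` list without the trailing purpose comment its neighbours carry (`ethtool # manage NIC settings …`, `tcpdump # view network traffic`, `conntrack-tools # view network connection states`); `sysbox # OCI runtime for stronger container isolation, built from utils/pkgs/sysbox.nix` keeps the list readable. As far as the diff shows, the package is only put on PATH — nothing registers `sysbox-runc` as a Docker runtime or starts its helper daemons, so containers on this host would presumably keep using the default runtime until that wiring exists; worth confirming against the rest of the host configuration. The list's opening and closing lie outside the hunk.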
@@ -29,11 +29,5 @@ proxy_set_header Connection $connection_upgrade; ''; }; - - # networking.firewall = { - # allowedUDPPorts = [ - # 5683 # shelly coiot - # ]; - # }; } diff --git a/hosts/git.cloonar.com/modules/drone/runner.nix b/hosts/git.cloonar.com/modules/drone/runner.nix index 0b2c4a0..d72488c 100644 --- a/hosts/git.cloonar.com/modules/drone/runner.nix +++ b/hosts/git.cloonar.com/modules/drone/runner.nix @@ -26,8 +26,7 @@ Restart = "always"; ExecStartPre= '' -${pkgs.docker}/bin/docker stop %n \ - -${pkgs.docker}/bin/docker rm %n \ - ${pkgs.docker}/bin/docker pull drone/drone:2.20.0 + ${pkgs.docker}/bin/docker rm %n ''; ExecStart= '' ${pkgs.docker}/bin/docker run --rm --name %n \ diff --git a/hosts/git.cloonar.com/modules/drone/server.nix b/hosts/git.cloonar.com/modules/drone/server.nix index d13f349..47865ce 100644 --- a/hosts/git.cloonar.com/modules/drone/server.nix +++ b/hosts/git.cloonar.com/modules/drone/server.nix @@ -26,8 +26,7 @@ Restart = "always"; ExecStartPre= '' -${pkgs.docker}/bin/docker stop %n \ - -${pkgs.docker}/bin/docker rm %n \ - ${pkgs.docker}/bin/docker pull drone/drone:2.20.0 + ${pkgs.docker}/bin/docker rm %n ''; ExecStart= '' ${pkgs.docker}/bin/docker run --rm --name %n \ diff --git a/utils/overlays/packages.nix b/utils/overlays/packages.nix index 7d9bdb6..04baf2b 100644 --- a/utils/overlays/packages.nix +++ b/utils/overlays/packages.nix @@ -1,5 +1,6 @@ self: super: { bento = (super.callPackage ../pkgs/bento { }); ykfde = (super.callPackage ../pkgs/ykfde { }); + sysbox = (super.callPackage ../pkgs/sysbox { }); wow-addon-manager = (super.callPackage ../pkgs/wow-addon-manager { }); } diff --git a/utils/pkgs/sysbox.nix b/utils/pkgs/sysbox.nix new file mode 100644 index 0000000..4bae266 --- /dev/null +++ b/utils/pkgs/sysbox.nix 
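Review bot: With `docker pull drone/drone:2.20.0` gone from `ExecStartPre`, the `docker run` in `ExecStart` only ever uses whatever image is already in the local cache, so a bumped tag or a first boot on a fresh host is no longer guaranteed to start; the same change is made in `hosts/git.cloonar.com/modules/drone/server.nix`. The line counts (`-26,8 +26,7`) also suggest the preceding `-…/docker stop %n \` line is unchanged context, in which case its trailing backslash makes systemd join the new `…/docker rm %n` onto the `stop` command line, so `rm` never runs as a command of its own (the `--rm` on `docker run` makes it largely redundant anyway). A list avoids the continuation problem entirely: `ExecStartPre = [ "-${pkgs.docker}/bin/docker stop %n" "-${pkgs.docker}/bin/docker rm %n" ];`, with the `-` prefix so a missing container does not block the start. The enclosing `serviceConfig` starts and ends outside the hunk.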
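Review bot: `super.callPackage ../pkgs/sysbox { }` names a directory, but the file this commit creates is `utils/pkgs/sysbox.nix`; importing `../pkgs/sysbox` would look for `../pkgs/sysbox/default.nix` and fail with a missing-path error, unlike the `bento`/`ykfde` neighbours, which presumably are directories. Either move the file to `utils/pkgs/sysbox/default.nix` to match them, or spell the path out: `sysbox = (super.callPackage ../pkgs/sysbox.nix { });`.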
@@ -0,0 +1,82 @@
+{ lib
+, stdenv
+, buildGoModule
+, fetchurl
+, makeWrapper
+, git
+, bash
+, coreutils
+, gitea
+, gzip
+, openssh
+, pam
+, sqliteSupport ? true
+, pamSupport ? true
+, runCommand
+, brotli
+, xorg
+, nixosTests
+}:
+
+buildGoModule rec {
+ pname = "sysbox";
+ version = "0.6.2";
+
+ # not fetching directly from the git repo, because that lacks several vendor files for the web UI
+ src = fetchurl {
+ url = "https://github.com/nestybox/sysbox/archive/refs/tags/v${version}.tar.gz";
+ hash = "sha256-cH/AHsFXOdvfSfj9AZUd3l/RlYE06o1ByZu0vvGQuXw=";
+ };
+
+ vendorHash = null;
+
+ # subPackages = [ "." ];
+
+ nativeBuildInputs = [ makeWrapper ];
+
+ # buildInputs = lib.optional pamSupport pam;
+
+ # tags = lib.optional pamSupport "pam"
+ # ++ lib.optionals sqliteSupport [ "sqlite" "sqlite_unlock_notify" ];
+
+ # ldflags = [
+ # "-s"
+ # "-w"
+ # "-X main.Version=${version}"
+ # "-X 'main.Tags=${lib.concatStringsSep " " tags}'"
+ # ];
+
+ outputs = [ "out" ];
+
+ postInstall = ''
+ mkdir -p $out
+ # cp -R ./options/locale $out/locale
+
+ wrapProgram $out/bin/gitea \
+ --prefix PATH : ${lib.makeBinPath [ ]}
+ '';
+
+ # passthru = {
+ # data-compressed = runCommand "gitea-data-compressed" {
+ # nativeBuildInputs = [ brotli xorg.lndir ];
+ # } ''
+ # mkdir $out
+ # lndir ${gitea.data}/ $out/
+ #
+ # # Create static gzip and brotli files
+ # find -L $out -type f -regextype posix-extended -iregex '.*\.(css|html|js|svg|ttf|txt)' \
+ # -exec gzip --best --keep --force {} ';' \
+ # -exec brotli --best --keep --no-copy-stat {} ';'
+ # '';
+ #
+ # tests = nixosTests.gitea;
+ # };
+
+ meta = with lib; {
+ description = "Improves container isolation";
+ homepage = "https://github.com/nestybox/sysbox";
+ license = licenses.apache;
+ broken = stdenv.isDarwin;
+ mainProgram = "sysbox-runc";
+ };
+}
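Review bot: `postInstall` runs `wrapProgram $out/bin/gitea`, but nothing in this derivation produces a `gitea` binary — the file was evidently started from nixpkgs' gitea expression (the `gitea`/`pam`/`sqliteSupport` inputs, the "web UI" comment on `src`, and the commented `gitea-data-compressed` passthru are all gitea leftovers) — so the build aborts in `wrapProgram` even if compilation succeeds, and the empty `--prefix PATH : ${lib.makeBinPath [ ]}` adds nothing. Second, `src` is the GitHub tag archive with `vendorHash = null`; the sysbox repository pulls its components (sysbox-runc, sysbox-fs, sysbox-mgr) in as git submodules, which that archive does not contain, so as far as I can tell this tarball cannot yield the `sysbox-runc` named in `meta.mainProgram` — `fetchFromGitHub` with `fetchSubmodules = true` and a recomputed hash is the usual shape, and which sub-packages get built should be stated where `subPackages` is commented out. Third, `lib.licenses` spells Apache-2.0 as `asl20`, so `license = licenses.apache;` is likely an attribute-missing error at evaluation time, and the unused inputs (`git` through `nixosTests`) plus the commented gitea blocks and the `wrapProgram` lines should be deleted before this is merged. The rewritten `src` and `license` are below; `fetchFromGitHub` has to be added to the argument list and `fetchurl` can then go.

```nix
# … unchanged: function arguments, with fetchFromGitHub added and the gitea-derived inputs dropped …
buildGoModule rec {
  pname = "sysbox";
  version = "0.6.2";

  # Sysbox is assembled from git submodules (sysbox-runc, sysbox-fs, sysbox-mgr, ...);
  # the GitHub tag archive omits them, so fetch the tree with submodules instead.
  src = fetchFromGitHub {
    owner = "nestybox";
    repo = "sysbox";
    rev = "v${version}";
    fetchSubmodules = true;
    hash = "<placeholder: recompute after switching src>";
  };

  # … unchanged: vendorHash, nativeBuildInputs, outputs …

  # NOTE(review): list the sub-packages that make up the runtime here once confirmed
  # against the upstream build; nothing in this file currently produces sysbox-runc.

  # … unchanged: meta, except the license attribute …
    license = licenses.asl20;
}
```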