From ff503e09781340f9569b5c08c6e898f7dca149a8 Mon Sep 17 00:00:00 2001
From: emily
Date: Tue, 16 Jan 2024 12:58:23 +0100
Subject: [PATCH] build should work now

---
 flake.lock | 12 +++++-----
 flake.nix | 69 ++++++++++++++++++++++++++++++++++++------------------
 2 files changed, 52 insertions(+), 29 deletions(-)

diff --git a/flake.lock b/flake.lock
index 03fe2ca..f2680c1 100644
--- a/flake.lock
+++ b/flake.lock
@@ -5,11 +5,11 @@
 "systems": "systems"
 },
 "locked": {
- "lastModified": 1701680307,
- "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+ "lastModified": 1705309234,
+ "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
 "owner": "numtide",
 "repo": "flake-utils",
- "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+ "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
 "type": "github"
 },
 "original": {
@@ -20,11 +20,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1704722960,
- "narHash": "sha256-mKGJ3sPsT6//s+Knglai5YflJUF2DGj7Ai6Ynopz0kI=",
+ "lastModified": 1705133751,
+ "narHash": "sha256-rCIsyE80jgiOU78gCWN3A0wE0tR2GI5nH6MlS+HaaSQ=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "317484b1ead87b9c1b8ac5261a8d2dd748a0492d",
+ "rev": "9b19f5e77dd906cb52dade0b7bd280339d2a1f3d",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index a5155b2..afd29fa 100644
--- a/flake.nix
+++ b/flake.nix
@@ -30,7 +30,7 @@
 };
 packages.default = packages.kyouma-www;
 nixosModules.default =
- { config, options, pkgs, ... }: with lib;
+ { config, options, pkgs, lib, ... }: with lib;
 let
 cfg = config.services.vyosBld;
 bldFlags = (attrsets.mapAttrsToList (flag: opt: "--" + flag + " " + opt) cfg.buildFlags);
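Review bot: Now that `lib` is an explicit argument of the module function, the `with lib;` kept on the same line is redundant and leaves names in the `let` block (e.g. `attrsets.mapAttrsToList`) without a visible origin; prefer `{ config, options, pkgs, lib, ... }:` with `lib.attrsets.mapAttrsToList (...)` and no `with`. The same applies to the second `with lib;` on the `config = with lib; mkIf cfg.enable {` line of the following hunk, which shadows nothing new. The body of `nixosModules.default` continues past this hunk.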
@@ -70,8 +70,31 @@
 { build-by = 'mail@server.tld' }";
 };
 };
- config = with lib; mkIf cfg.enable rec {
- bldScript = writeShellScrip "build-vyos" ''
+ config = with lib; mkIf cfg.enable {
+ users = {
+ users.vyos-bld = {
+ isSystemUser = true;
+ group = "vyos-bld";
+ };
+ groups.vyos-bld = {};
+ };
+ virtualisation.docker = {
+ daemon.settings = {
+ ipv6 = true;
+ fixed-cidr-v6 = "fd00::/80";
+ };
+ autoPrune = {
+ enable = true;
+ flags = [ "--all" "--filter until=24h" ];
+ };
+ rootless = {
+ enable = true;
+ setSocketVariable = true;
+ };
+ };
+ networking.firewall.extraCommands = ''ip6tables -t nat -A POSTROUTING -s fd00::/80 ! -o docker0 -j MASQUERADE'';
+
+ cfg.bldScript = pkgs.writeShellScrip "build-vyos" ''
 cleanup() {
 rmdir "$root"
 }
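Review bot: `cfg.bldScript = pkgs.writeShellScrip "build-vyos" ''…''` cannot evaluate: inside the attrset passed to `mkIf` the path `cfg.bldScript` defines a literal attribute `config.cfg.bldScript` (it does not write through the `let`-bound alias to `services.vyosBld`), which the module system rejects as an undeclared option, and `pkgs.writeShellScrip` is a typo for `pkgs.writeShellScript` carried over from the removed line. Bind the script outside the attrset instead — `config = let bldScript = pkgs.writeShellScript "build-vyos" ''…''; in mkIf cfg.enable { … }` — and reference `bldScript` from `ExecStart` in the next hunk. `virtualisation.docker.daemon.settings` and `autoPrune` configure the system-wide daemon, while `rootless.setSocketVariable` only points interactive shells of users at the rootless socket; if the rootless daemon is meant to run the `--privileged` build, the IPv6 settings belong under `virtualisation.docker.rootless.daemon.settings` and the service in the next hunk needs `DOCKER_HOST` set explicitly — worth confirming which daemon the `vyos-bld` service actually reaches. The `ip6tables … -A POSTROUTING … -j MASQUERADE` line in `extraCommands` is re-run on every firewall reload with no matching `extraStopCommands`, so duplicate nat rules accumulate; guard it with `ip6tables -t nat -C … || ip6tables -t nat -A …` or add the `-D` counterpart to `extraStopCommands`. The `config` attrset continues into the next hunk.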
@@ -79,39 +102,39 @@ trap cleanup EXIT iso_name="vyos-${cfg.buildFlags.version}-${cfg.buildFlags.architecture}.iso" bld_dir="$root/vyos-build" + docker_cmd="${pkgs.docker}/bin/docker run --rm -it --privileged -v $bld_dir:/vyos -w /vyos vyos/vyos-build:current" git clone -b current --single-branch https://github.com/vyos/vyos-build $root - docker run --rm -it --privileged -v $bld_dir:/vyos -w /vyos vyos/vyos-build:current /usr/bin/sudo ./build-vyos-image ${flavor} ${builtins.concatStringsSep " " bldFlags} - docker run --rm -it --privileged -v $bld_dir:/vyos -w /vyos vyos/vyos-build:current sudo chown -R ${config.users.users.vyos-bld.uid}:${config.users.groups.vyos-bld.uid} + $docker_cmd sudo ./build-vyos-image ${flavor} ${builtins.concatStringsSep " " bldFlags} + $docker_cmd sudo chown -R ${config.users.users.vyos-bld.uid}:${config.users.groups.vyos-bld.gid} /vyos cp $bld_dir/build/$iso_name ${cfg.output} - mapfile -t old_isos < <(ls ${cfg.output} | head -n -${cfg.keep}) + mapfile -t old_isos < <(ls ${cfg.output} | head -n -${builtins.toString cfg.keep}) for i in $\{old_isos[@]}; do rm -r ${cfg.output}/$\{old_iso[$i]} done ''; + systemd = { + services.docker.after = [ "firewall.service" ]; + services.vyosBld = { + serviceConfig = { + User = "vyos-bld"; + Group = "vyos-bld"; + ExecStart = cfg.bldScript; - virtualisation.docker.rootless = { - enable = true; - setSocketVariable = true; - }; - - systemd.services.vyosBld = { - wantedBy = [ "multi-user.target" ]; - serviceConfig = { - ExecStart = "${pkgs.nix-shell} ${bldScript} -p docker git" - Type = "onshot"; + PrivateTmp = true; + ProtectHome = true; + }; }; - }; - systemd.timer.vyosBld-time = { - wantedBy = [ "timers.target" ]; - timerConfig = { - Unit = "vyosBld.service"; - OnCalendar = cfg.buildFreq; + timers.vyosBld = { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = cfg.buildFreq; + }; }; }; }; - }; + } ; }); }
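Review bot: The new `docker_cmd` line passes `-it` to `docker run`, but the script is now started from a systemd unit (`ExecStart = cfg.bldScript`) with no controlling terminal, where `-t` makes docker abort with "the input device is not a TTY"; drop both flags: `docker_cmd="${pkgs.docker}/bin/docker run --rm --privileged -v $bld_dir:/vyos -w /vyos vyos/vyos-build:current"`. The rewritten chown line interpolates `config.users.users.vyos-bld.uid` and `config.users.groups.vyos-bld.gid`, which stay `null` unless the user and group declared in the previous hunk are given explicit values, so evaluation fails on string coercion; either assign a fixed `uid`/`gid` or run `chown -R vyos-bld:vyos-bld "$bld_dir"` on the host after the container exits. The untouched cleanup loop directly under the edited `mapfile` line reads `old_iso[$i]` — an unset array, and `$i` is the filename rather than an index — so each iteration expands to `rm -r ${cfg.output}/` and deletes the entire output directory; `for i in "''${old_isos[@]}"; do rm -r "${cfg.output}/$i"; done` is what the `head -n -keep` logic intends. The service also lost `Type = "oneshot"` along with the misspelled `onshot`; a timer-driven run-to-completion job should set it (correctly spelled) rather than fall back to `simple`. This hunk runs to the end of the module.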