nixfiles-emily/pkgs/build-worker-oci/default.nix

# I hate this so much aaa
{
  callPackage,
  dockerTools,
  openssh,
  bash,
  gnused,
  util-linux,
}:

dockerTools.buildLayeredImage {
  name = "build-worker-oci";
  tag = "latest";

  fromImage = callPackage ./source.nix {};

  maxLayers = 110;

  passthru.updateScript = ./update.sh;

  enableFakechroot = true;

  contents = [ openssh util-linux bash gnused ];

  config.Cmd = [ "/entrypoint.sh" ];

  fakeRootCommands = ''
    mkdir -p /root
    cat <<EOF > /root/nix.conf
    build-users-group = nixbld
    experimental-features = nix-command flakes
    sandbox = true
    substituters = https://cache.kyouma.net https://cache.nixos.org
    trusted-public-keys = cache.kyouma.net:Frjwu4q1rnwE/MnSTmX9yx86GNA/z3p/oElGvucLiZg= cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=
    max-substitution-jobs = 20
    max-silent-time = 14400
    min-free = 17179869184
    max-free = 34359738368
    system-features = benchmark big-parallel kvm nixos-test uid-range gccarch-x86-64 gccarch-x86-64-v2 gccarch-x86-64-v3
    EOF

    mkdir -p /root/.ssh
    cat <<EOF > /root/.ssh/authorized_keys
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA/+iN407+HsfHbbC3tfdA8Yf4TZ08qXQMb4tb/SDAs+ emily@card
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE/vCXM3IaxJP9v2Y+xcQrQD2IcffgdzqtWhpMjj9Xl5 hydra@seras
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICT0dGyLUjxFnvqUmex+5xUGQ7D4yGHKo267JgApcq0k root@ryuuko
    ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIDTwCSWYODyvTJxwB6Rahuy0j6s/YYwtQta8bjzG/We root@ryuuko-arch
    EOF

    cat <<EOF > /root/.ssh/environment
    PATH=/root/.nix-profile/bin:/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin
    EOF

    cat <<EOF > /root/sshd_config
    AcceptEnv GIT_PROTOCOL
    AuthenticationMethods publickey
    AuthorizedPrincipalsFile none
    Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com
    GatewayPorts no
    HostKeyAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
    KbdInteractiveAuthentication no
    KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org
    LogLevel INFO
    Macs umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
    PasswordAuthentication no
    PermitRootLogin prohibit-password
    PermitUserEnvironment yes
    PrintMotd no
    PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ssh-ed25519,sk-ssh-ed25519-cert-v01@openssh.com,sk-ssh-ed25519@openssh.com
    StreamLocalBindUnlink yes
    StrictModes yes
    UseDns no
    UsePAM no
    X11Forwarding no
    Banner none
    AddressFamily any
    Port 2222

    Subsystem sftp ${openssh}/libexec/sftp-server
    AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys.d/%u
    HostKey /mnt/data/ssh/ssh_host_ed25519_key
    EOF
    
    mkdir -p /etc/keys
    mkdir -p /var/empty
    mkdir -p /var/log

    cp ${./entrypoint.sh} /entrypoint.sh
    chmod +x /entrypoint.sh
  '';
}