# angie-arm64

OCI image for [Angie](https://angie.software/) (an nginx fork) on aarch64.
Upstream `runalsh/angie` only publishes amd64 images, so we rebuild from the
`pkgs.angie` package in nixpkgs and push the result to the private Gitea
registry.

## Output

| Tag | Pushed when |
| --- | --- |
| `git.oleks.space/oleks/angie:<version>-arm64` | every successful CI run |
| `git.oleks.space/oleks/angie:latest-arm64` | every successful CI run |

The version string comes from `pkgs.angie.version` in nixpkgs unstable; bump
the flake input to roll it forward.

## Build / publish locally

CI and local runs share one entrypoint (emmett#44, archetype oci-image-skopeo):

```bash
# dry-run: build the arm64 image and print the refs it would push (no registry contact)
nix run .#publish-arm64

# actually push :<version>-arm64 and mirror to :latest-arm64
PUBLISH=1 nix run .#publish-arm64
```

The registry token is read from `$REGISTRY_TOKEN`, falling back to
`pass infra/gitea/personal_access_token_packages_rw`. The token is never
printed. `.woodpecker.yaml` runs the exact same app with `PUBLISH=1`, so CI
and local cannot drift.

Just the raw build (no push):

```bash
nix build .#default
./result | skopeo copy docker-archive:/dev/stdin oci-archive:angie.tar
```

## Trigger CI

Push to `main`/`master` or push a `v*` tag in the corresponding Gitea repo
(`oleks/angie-arm64` — match the directory name when seeding it).