Oleks
0ebf925bf3
Replaces dockerTools.streamLayeredImage (no .copyTo) with nix2container buildImage so angie consumes the shared parity-lib mkNix2ContainerPublish (stage/publish/publish-index/push-staged/verify-digest) instead of inline skopeo/token/guard. Image content preserved (angie + conf-dir + runtime dirs, runs as root); .woodpecker.yaml thinned to nix run .#publish. Tags move from :latest-arm64 to :<ver>-arm64 + index :<ver>/:latest (no consumer pinned :latest-arm64). pipeline-doctor --strict 9/9.
angie-arm64
OCI image for Angie (an nginx fork) on aarch64.
Upstream runalsh/angie only publishes amd64 images, so we rebuild from the
pkgs.angie package in nixpkgs and push the result to the private Gitea
registry.
Output
| Tag | Pushed when |
|---|---|
git.oleks.space/oleks/angie:<version>-arm64 |
every successful CI run |
git.oleks.space/oleks/angie:latest-arm64 |
every successful CI run |
The version string comes from pkgs.angie.version in nixpkgs unstable; bump
the flake input to roll it forward.
Build / publish locally
CI and local runs share one entrypoint (emmett#44, archetype oci-image-skopeo):
# dry-run: build the arm64 image and print the refs it would push (no registry contact)
nix run .#publish-arm64
# actually push :<version>-arm64 and mirror to :latest-arm64
PUBLISH=1 nix run .#publish-arm64
The registry token is read from $REGISTRY_TOKEN, falling back to
pass infra/gitea/personal_access_token_packages_rw. The token is never
printed. .woodpecker.yaml runs the exact same app with PUBLISH=1, so CI
and local cannot drift.
Just the raw build (no push):
nix build .#default
./result | skopeo copy docker-archive:/dev/stdin oci-archive:angie.tar
Trigger CI
Push to main/master or push a v* tag in the corresponding Gitea repo
(oleks/angie-arm64 — match the directory name when seeding it).