089bd03264
Lift the nix2container reproducible=false layer-chain helper (duplicated verbatim across ii-agent, ii-researcher, temporal-based-ci, mempalace image, ComfyUI) into parity.lib.foldImageLayers so the rationale lives in one place. Add nixfmt-rfc-style formatter and a foldImageLayers contract probe to the smoke check. Bump fleet-pins input to current HEAD.
38 lines
1.5 KiB
Nix
# Pkgs-independent nix2container layer helpers, shared across the parity image
# repos (ii-agent, ii-researcher, temporal-based-ci, mempalace image,
# ComfyUI, …) so the reproducible=false rationale lives in exactly one place.
{
  # foldImageLayers buildLayer layers
  #
  #   buildLayer : nix2container's buildLayer function. Pass whichever attr the
  #                consumer's nix2container input exposes —
  #                `n2c.nix2container.buildLayer` or `n2c.buildLayer`.
  #   layers     : list of buildLayer component attrsets (deps / copyToRoot /
  #                perms / …) in base→top order.
  #
  # Each layer is built referencing all prior layers, with reproducible = false.
  # That is a DELIBERATE choice: it materialises each layer tar into the store so
  # the image streams verbatim from any host (remote-builder + binary-cache safe)
  # and avoids the cross-host "Digest did not match" that non-reproducible layer
  # deps (fenix rust, libllvm, …) otherwise trigger via nix2container's lazy tar
  # regeneration. Parity is asserted at the published digest, not byte-identical
  # tars — mkNix2ContainerPublish enforces that contract downstream.
  foldImageLayers =
    buildLayer: layers:
    let
      mergeToLayer =
        priorLayers: component:
        priorLayers
        ++ [
          (buildLayer (
            component
            // {
              layers = priorLayers;
              reproducible = false;
            }
          ))
        ];
    in
    builtins.foldl' mergeToLayer [ ] layers;
}
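The fold contract described in the comments above, as an added pure-evaluation probe (not the project's own smoke check). `stubBuildLayer` and the sample components are hypothetical and constructed here, and the helper is copied inline so the file evaluates on its own.

```nix
# Added example. Evaluate with: nix-instantiate --eval --strict <this file>
# A failed assert aborts evaluation; success yields the final string.
let
  # Inline copy of foldImageLayers from the file above.
  foldImageLayers =
    buildLayer: layers:
    let
      mergeToLayer =
        priorLayers: component:
        priorLayers
        ++ [ (buildLayer (component // { layers = priorLayers; reproducible = false; })) ];
    in
    builtins.foldl' mergeToLayer [ ] layers;

  # Hypothetical stand-in for nix2container's buildLayer: returns the exact
  # argument set it was called with, so the probe can inspect it.
  stubBuildLayer = args: args;

  # Constructed components in base -> top order. The second one tries to opt
  # back into reproducible = true and to smuggle in its own `layers` list.
  components = [
    { name = "base"; deps = [ "glibc" ]; }
    { name = "runtime"; deps = [ "python" ]; reproducible = true; layers = [ "bogus" ]; }
    { name = "app"; copyToRoot = [ "app" ]; }
  ];

  built = foldImageLayers stubBuildLayer components;

  names = map (l: l.name) built;
  # For each built layer, the names of the prior layers it was built against.
  priorNames = map (l: map (p: p.name) l.layers) built;
in
# One built layer per component, order preserved.
assert names == [ "base" "runtime" "app" ];
# Every layer references all layers below it, and nothing else.
assert priorNames == [ [ ] [ "base" ] [ "base" "runtime" ] ];
# The right-hand side of `//` wins: callers cannot override either attribute.
assert builtins.all (l: l.reproducible == false) built;
# Other component attributes pass through untouched.
assert (builtins.elemAt built 2).copyToRoot == [ "app" ];
# Empty input folds to an empty layer list.
assert foldImageLayers stubBuildLayer [ ] == [ ];
"foldImageLayers contract holds"
```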