From 73d753a7253e7a6274d3c10acb74945207725623 Mon Sep 17 00:00:00 2001 From: Iulian Meghea Date: Tue, 10 Feb 2026 08:00:37 +0000 Subject: [PATCH 1/2] fix: correct sudo setuid path and sudoers file handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fix two build failures: 1. chmod 4755 glob ./nix/store/*-sudo-*/bin/sudo matched nothing because symlinkJoin creates FHS symlinks (./bin/sudo), not a nix store tree. Changed to chmod 4755 ./bin/sudo — fakeroot records the permission and tar --hard-dereference preserves it. 2. writeTextDir etc/sudoers was silently ignored because symlinkJoin kept the sudo package's own etc/sudoers (first writer wins). Moved sudoers creation into fakeRootCommands where we rm the symlink and write our own file with @includedir /etc/sudoers.d. --- images/nix/flake.nix | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/images/nix/flake.nix b/images/nix/flake.nix index 34a85db..b2b0520 100644 --- a/images/nix/flake.nix +++ b/images/nix/flake.nix @@ -39,11 +39,6 @@ auth sufficient pam_rootok.so password requisite pam_unix.so nullok yescrypt session required pam_unix.so '') - # Base sudoers file — required for sudo to run and load drop-ins - (writeTextDir "etc/sudoers" '' -root ALL=(ALL:ALL) ALL -@includedir /etc/sudoers.d - '') ]; # Nix configuration with flakes enabled 
@@ -211,10 +206,13 @@ eval "$(direnv hook bash)" # nixpkgs deliberately strips it from the Nix store; fakeroot # records the permission and tar --hard-dereference preserves # it in the Docker layer. - chmod 4755 ./nix/store/*-sudo-*/bin/sudo + chmod 4755 ./bin/sudo - # Ensure sudoers files have correct ownership and permissions - # (sudo refuses to run if these are group/world writable) + # Replace the sudo package's default /etc/sudoers with our own. + # symlinkJoin keeps the sudo package's version (which may not + # include @includedir), so we overwrite it here. + rm -f ./etc/sudoers + printf '%s\n' 'root ALL=(ALL:ALL) ALL' '@includedir /etc/sudoers.d' > ./etc/sudoers chmod 0440 ./etc/sudoers chown 0:0 ./etc/sudoers chmod 0440 ./etc/sudoers.d/nopasswd From ab823bdf0f21474fa89429ae38cbeb51310af285 Mon Sep 17 00:00:00 2001 From: Iulian Meghea Date: Tue, 10 Feb 2026 08:00:42 +0000 Subject: [PATCH 2/2] ci: add PR build checks to catch failures before merge Add a CI workflow that triggers on pull requests and runs build-only checks (no push) for all three images: base (docker build), nix (nix build), and devops (docker build). This ensures build failures are caught during code review rather than after merge. --- .github/workflows/ci.yml | 60 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) create mode 100644 .github/workflows/ci.yml diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 0000000..bad35c0 --- /dev/null +++ b/.github/workflows/ci.yml 
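Review bot: The sudoers file written by the new `printf` line is never syntax-checked, so a typo there (or in the `etc/sudoers.d/nopasswd` drop-in it now pulls in via `@includedir`) produces an image in which sudo refuses to run instead of a failed build; after `chown 0:0 ./etc/sudoers` add `visudo -c -f ./etc/sudoers` (and the same for `./etc/sudoers.d/nopasswd`), which presumably needs the sudo package's bin on PATH inside fakeRootCommands — confirm. Overwriting the packaged `/etc/sudoers` also discards whatever `Defaults` lines it carried (not visible in this hunk), so any defaults the image relied on, such as env_reset or secure_path, now have to be written explicitly into the `printf` line. The enclosing fakeRootCommands block begins and ends outside the hunk.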
@@ -0,0 +1,60 @@
+name: CI
+
+on:
+ pull_request:
+ branches:
+ - main
+ - master
+
+jobs:
+ check-base:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Build base image
+ run: docker build ./images/base
+
+ check-nix:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Install Nix
+ uses: cachix/install-nix-action@v31
+ with:
+ extra_nix_config: |
+ experimental-features = nix-command flakes
+
+ - name: Cache Nix store
+ uses: actions/cache@v4
+ with:
+ path: |
+ /nix/store
+ ~/.cache/nix
+ key: nix-${{ runner.os }}-${{ hashFiles('images/nix/flake.lock') }}
+ restore-keys: |
+ nix-${{ runner.os }}-
+
+ - name: Generate flake.lock if missing
+ run: |
+ if [ ! -f images/nix/flake.lock ]; then
+ nix flake lock ./images/nix
+ fi
+
+ - name: Build nix image
+ run: nix build ./images/nix#dockerImage
+
+ check-devops:
+ if: github.event_name == 'pull_request'
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v6
+
+ - name: Build devops image
+ run: docker build ./images/devops --build-arg BASE_IMAGE=ubuntu:noble
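Review bot: The workflow declares no `permissions:` block, so each job's GITHUB_TOKEN receives the repository's default scope although these jobs only build and never push; add `permissions:` with `contents: read` at the top level, directly under `name: CI`, so a PR build runs with a read-only token. The three actions are referenced by mutable tags (`actions/checkout@v6`, `cachix/install-nix-action@v31`, `actions/cache@v4`); pinning each `uses:` to a full commit SHA with the tag kept in a trailing comment stops a moved or compromised tag from silently changing what runs on every pull request. The `if: github.event_name == 'pull_request'` guard on each job is redundant with the `on: pull_request` trigger and can be dropped unless further triggers are planned.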