# ABOUTME: Flake to build a custom Nix Docker image for Gitea Actions.
# ABOUTME: Includes coreutils (/bin/sleep), modern Nix with flakes, and CI tools.
{
  description = "Nix runner image for Gitea Actions";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    flake-utils.url = "github:numtide/flake-utils";
  };

  outputs = { self, nixpkgs, flake-utils }:
    flake-utils.lib.eachDefaultSystem (system:
      let
        pkgs = import nixpkgs { inherit system; };
        inherit (pkgs) lib;

        # Single CA bundle path, exported under both the generic and the
        # Nix-specific variable so curl/git and nix agree on the trust store.
        caBundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";

        # Daemon-less nix.conf handed to the runner via NIX_CONFIG (one
        # setting per list entry; joined with newlines below).
        # NOTE(review): `sandbox = false` turns off Nix build sandboxing inside
        # the container, and an empty `build-users-group` makes builds run as
        # the invoking user (root here, per USER=root). Presumably this is
        # because the runner cannot provide user namespaces — confirm, and
        # keep this image for trusted repositories only.
        # The first substituter is plain http; integrity of fetched paths then
        # rests entirely on the signature check against `trusted-public-keys`,
        # so the c3 entry must match the cache's current signing key.
        nixConfigLines = [
          "experimental-features = nix-command flakes"
          "sandbox = false"
          "build-users-group ="
          "substituters = http://c3.mule-stork.ts.net:8501 https://cache.nixos.org"
          "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= c3:sI3l1RN80xdehzXLA8u2P6352B0SyRPs2XiYy/YWYro="
        ];

        # Tools linked into /bin and /etc of the image root.
        runnerTools = with pkgs; [
          # Core utilities (provides /bin/sleep that act_runner needs)
          coreutils-full
          bash
          # Nix itself
          nix
          # For actions that need node
          nodejs_20
          # Common CI tools
          git
          curl
          jq
          skopeo
          # CA certificates for HTTPS
          cacert
        ];
      in
      {
        packages.default = pkgs.dockerTools.buildImage {
          name = "gitea.v.paler.net/alo/nix-runner";
          tag = "v4";

          copyToRoot = pkgs.buildEnv {
            name = "image-root";
            paths = runnerTools;
            pathsToLink = [ "/bin" "/etc" ];
          };

          # Create temp directories without runAsRoot (which needs KVM)
          extraCommands = ''
            mkdir -p -m 1777 tmp
            mkdir -p -m 1777 var/tmp
          '';

          config = {
            Env = [
              "NIX_PAGER=cat"
              "USER=root"
              "SSL_CERT_FILE=${caBundle}"
              "NIX_SSL_CERT_FILE=${caBundle}"
              "NIX_CONFIG=${lib.concatStringsSep "\n" nixConfigLines}"
            ];
          };
        };
      });
}