extract n2c args for nix support to function

Author: dermetfan

nix/cloud/library.nix

@@ -4,4 +4,81 @@
 }: {
   ociNamer = oci: builtins.unsafeDiscardStringContext "${oci.imageName}:${oci.imageTag}";
   pp = v: builtins.trace (builtins.toJSON v) v;
+
+  # Adds arguments that enable nix support inside the container.
+  addN2cNixArgs =
+    # This must include all dependencies used in the image to allow nix builds
+    # in the container (Nix won't know about paths otherwise and fail on trying
+    # to write read-only data).
+    closureRootPaths:
+    # The arguments to nix2container's buildImage or buildLayer function to enrich.
+    args: let
+      inherit (inputs.nixpkgs) lib cacert symlinkJoin closureInfo runCommandNoCC;
+
+      closure = closureInfo {
+        rootPaths = {inherit cacert;} // closureRootPaths;
+      };
+
+      global = runCommandNoCC "global" {} ''
+        mkdir -p $out $out/etc
+        cp ${closure}/registration $out
+
+        echo 'root:x:0:' > $out/etc/group
+        echo 'nixbld:x:30000:nixbld1' > $out/etc/group
+
+        echo 'root:!:0:0::/local:/bin/bash' > $out/etc/passwd
+        echo 'nixbld1:!:30001:30000:Nix build user 1:/var/empty:/bin/nologin' >> $out/etc/passwd
+      '';
+
+      nixConf = runCommandNoCC "nix.conf" {} ''
+        mkdir -p $out/etc/nix
+        cat > $out/etc/nix/nix.conf <<'EOF'
+        # If /dev/kvm does not actually exist in the container
+        # we would rather build without KVM than fail.
+        extra-system-features = kvm
+
+        experimental-features = nix-command flakes
+        EOF
+      '';
+
+      tmp = runCommandNoCC "tmp" {} ''
+        mkdir -p $out/tmp
+      '';
+    in
+      args
+      // {
+        config =
+          args.config
+          or {}
+          // {
+            Env = lib.mapAttrsToList (n: v: "${n}=${v}") {
+              SSL_CERT_FILE = "/etc/ssl/certs/ca-bundle.crt";
+            };
+          };
+        contents =
+          args.contents
+          or []
+          ++ [
+            (symlinkJoin {
+              name = "deps";
+              paths = with inputs.nixpkgs; [
+                cacert
+                gitMinimal
+              ];
+            })
+            global
+            nixConf
+            tmp
+          ];
+        perms =
+          args.perms
+          or []
+          ++ [
+            {
+              path = tmp;
+              regex = ".*";
+              mode = "1777";
+            }
+          ];
+      };
 }

nix/cloud/oci-images.nix

@@ -2,83 +2,31 @@
   inputs,
   cell,
 }: let
-  inherit (inputs.cicero.packages) cicero-entrypoint cicero webhook-trigger cicero-evaluator-nix;
-  inherit (inputs.nixpkgs) lib cacert symlinkJoin closureInfo runCommandNoCC;
-  inherit (inputs.n2c.packages.nix2container) buildImage buildLayer;
+  inherit (inputs.cicero.packages) webhook-trigger;
+  inherit (inputs.nixpkgs) symlinkJoin;
+  inherit (inputs.n2c.packages.nix2container) buildImage;
 in {
   # jq < result '.layers | map({size: .size, paths: .paths | map(.path)}) | sort_by(.size) | .[11].paths[]' -r | xargs du -sch
-  cicero = let
-    # This must include all dependencies used in the image to allow nix builds
-    # in the container (Nix won't know about paths otherwise and fail on trying
-    # to write read-only data).
-    closure = closureInfo {
-      rootPaths = {
-        inherit (cell.entrypoints) cicero;
-        inherit cacert;
-      };
-    };
-
-    global = runCommandNoCC "global" {} ''
-      mkdir -p $out $out/etc
-      cp ${closure}/registration $out
-
-      echo 'root:x:0:' > $out/etc/group
-      echo 'nixbld:x:30000:nixbld1' > $out/etc/group
-
-      echo 'root:!:0:0::/local:/bin/bash' > $out/etc/passwd
-      echo 'nixbld1:!:30001:30000:Nix build user 1:/var/empty:/bin/nologin' >> $out/etc/passwd
-    '';
-
-    nixConf = runCommandNoCC "nix.conf" {} ''
-      mkdir -p $out/etc/nix
-      cat > $out/etc/nix/nix.conf <<'EOF'
-      # If /dev/kvm does not actually exist in the container
-      # we would rather build without KVM than fail.
-      extra-system-features = kvm
-
-      experimental-features = nix-command flakes
-      EOF
-    '';
-
-    tmp = runCommandNoCC "tmp" {} ''
-      mkdir -p $out/tmp
-    '';
-  in
-    buildImage {
+  cicero = buildImage (
+    cell.library.addN2cNixArgs {
+      inherit (cell.entrypoints) cicero;
+    } {
       name = "registry.ci.iog.io/cicero";
       tag = "main"; # keep in sync with branch name of flake input
       config.Cmd = ["${cell.entrypoints.cicero}/bin/entrypoint"];
-      config.Env = lib.mapAttrsToList (n: v: "${n}=${v}") {
-        SSL_CERT_FILE = "${cacert}/etc/ssl/certs/ca-bundle.crt";
-      };
       maxLayers = 60;
       contents = [
         (symlinkJoin {
           name = "root";
           paths = with inputs.nixpkgs; [
             # for transformers
             jq
-            # `bash` would also be ok for transformers
-            # but we may as well get the interactive version
-            # for manual debugging
-            bashInteractive
-
-            coreutils
-            strace
+            bash
           ];
         })
-        global
-        nixConf
-        tmp
-      ];
-      perms = [
-        {
-          path = tmp;
-          regex = ".*";
-          mode = "0777";
-        }
       ];
-    };
+    }
+  );
 
   webhook-trigger = buildImage {
     name = "registry.ci.iog.io/webhook-trigger";