Merge branch 'master' into container-ubi

monocle.cabal

@@ -10,7 +10,6 @@ maintainer:          Monocle authors <fboucher@redhat.com>
 copyright:           2021,2022,2023 Monocle authors
 category:            Development
 build-type:          Simple
-extra-doc-files:     README.md
 tested-with:         GHC == 9.2.5
 extra-source-files:  schemas/monocle/config/**/*.dhall,
                      schemas/github/schema.docs.graphql,

nix/default.nix

@@ -7,9 +7,20 @@ let
   else
     throw "Refusing to build from a dirty Git tree!";
 
+  src = pkgs.lib.cleanSourceWith {
+    src = self; # The original, unfiltered source
+    filter = path: type:
+      type == "directory" || (pkgs.lib.hasSuffix ".cabal" path)
+      || (pkgs.lib.hasSuffix ".hs" path) || (pkgs.lib.hasSuffix ".dhall" path)
+      || (pkgs.lib.hasSuffix ".json" path) || (pkgs.lib.hasSuffix ".yaml" path)
+      || (pkgs.lib.hasSuffix "LICENSE" path)
+      || (pkgs.lib.hasSuffix ".graphql" path);
+
+  };
+
   # Add monocle and patch broken dependency to the haskell package set
   haskellExtend = hpFinal: hpPrev: {
-    monocle = hpPrev.callCabal2nix "monocle" self { };
+    monocle = hpPrev.callCabal2nix "monocle" src { };
 
     # upgrade to bloodhound 0.20 needs some work
     bloodhound = pkgs.haskell.lib.overrideCabal hpPrev.bloodhound {
@@ -451,35 +462,41 @@ in rec {
   monocle-exe = pkgs.haskell.lib.justStaticExecutables
     (hsPkgs.monocle.overrideAttrs (_: { MONOCLE_COMMIT = rev; }));
 
+  monocle-wrapper = pkgs.writeScriptBin "monocle" ''
+    #!/usr/bin/sh -e
+    # Use fakeroot to avoid `No user exists for uid` error
+    env LD_PRELOAD=${pkgs.fakeroot}/lib/libfakeroot.so ${monocle-exe}/bin/monocle $*
+  '';
+
   containerMonocle = let
     # Container user info
     user = "monocle";
     home = "var/lib/${user}";
 
     # Create a passwd entry so that openssh can find the .ssh config
-    createPasswd = "echo ${user}:x:0:0:monocle:/${home}:/bin/bash > etc/passwd";
-
-    # Make ca-bundles.crt available to HSOpenSSL as plain file
-    # https://hackage.haskell.org/package/HsOpenSSL-x509-system-0.1.0.4/docs/src/OpenSSL.X509.SystemStore.Unix.html#contextLoadSystemCerts
-    fixCABundle =
-      "mkdir -p etc/pki/tls/certs/ && cp etc/ssl/certs/ca-bundle.crt etc/pki/tls/certs/ca-bundle.crt";
+    createPasswd =
+      "mkdir etc; echo ${user}:x:0:0:monocle:/${home}:/bin/bash >> etc/passwd";
 
     # Ensure the home directory is r/w for any uid
     rwHome = "mkdir -p -m 1777 ${home}";
   in pkgs.dockerTools.buildLayeredImage {
     name = "quay.io/change-metrics/monocle-exe";
-    contents = [ pkgs.coreutils pkgs.cacert pkgs.bash pkgs.curl monocle-exe ];
-    extraCommands = "${createPasswd} && ${fixCABundle} && ${rwHome}";
+    contents = [ monocle-wrapper ];
+    extraCommands = "${createPasswd} && ${rwHome}";
     tag = "latest";
     created = "now";
     config = {
       USER = "1000";
-      Env = [
-        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
-        "HOME=/${home}"
-        # Use fakeroot to avoid `No user exists for uid` error
-        "LD_PRELOAD=${pkgs.fakeroot}/lib/libfakeroot.so"
-      ];
+      Env = [ "HOME=/${home}" ];
+    };
+    # To update, run: nix run github:TristanCacqueray/nixpkgs/skopeo-fix#nix-prefetch-docker -- -c nix-prefetch-docker --image-name registry.access.redhat.com/ubi8/ubi --image-tag 8.8-1067
+    fromImage = pkgs.dockerTools.pullImage {
+      imageName = "registry.access.redhat.com/ubi8/ubi";
+      imageDigest =
+        "sha256:269e9753043a4066af12649e921c6ad3201702fda5b2652f7a4aa010c2ed4c1a";
+      sha256 = "0wc566pph59mwn1dyw9h06lmfzc4x2p665lxffplpgqc10cr3w2c";
+      finalImageName = "registry.access.redhat.com/ubi8/ubi";
+      finalImageTag = "8.8-1067";
     };
   };