recipe-maintainers/cc-ci
0
0
Fork 0
Code Issues 1 Pull Requests 3 Actions Packages Projects Releases Wiki Activity
Files
e8e52cf4c6dba5dfd7c8a2b1438bc0a3cce303fe
cc-ci/nix/modules/swarm.nix
autonomic-bot 16d177e73a feat(2pc): PC1 conservative prune — drop autoPrune --all, add gated surgical docker-prune 
Removes virtualisation.docker.autoPrune (daily `docker system prune --all` evicted in-use base
images → cold re-pull → Hub rate-limit churn, JOURNAL-2). Adds modules/docker-prune.nix: daily
timer + oneshot that prunes only dangling+until=24h, gated on disk pressure (>=80%) AND no run-app
live AND no swarm service converging; never --all, never --volumes. Teardown unchanged (never
removes images). Registry pull-through cache dropped per operator scope correction.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-05-29 09:30:07 +01:00

48 lines
2.2 KiB
Nix
Raw Blame History

# Docker + single-node Swarm — the deploy target for recipes under test (M1).
# Traefik (modules/traefik.nix) and abra layer on top; recipes attach to the `proxy`
# overlay network, exactly as a real Co-op Cloud host expects.
{ pkgs, ... }:
{
virtualisation.docker = {
enable = true;
# Image pruning is handled by modules/docker-prune.nix (Phase 2pc / PC1), NOT by
# `virtualisation.docker.autoPrune`. The old autoPrune ran `docker system prune --all` daily;
# `--all` evicts every image not used by a *running* container — between runs that wiped the
# cached recipe base images and forced a cold re-pull → the Docker-Hub-rate-limit churn in
# JOURNAL-2. The replacement keeps Docker's local store warm (it IS our cache on this single
# host) and prunes only dangling+old layers, gated on genuine disk pressure and nothing in
# flight. NEVER --volumes either: Phase-2w keeps DATA-WARM undeployed canonical volumes, reaped
# only by the warm reconcilers. autoPrune left OFF (the default) on purpose.
};
environment.systemPackages = [ pkgs.docker ];
# Gateway forwards 80/443 to cc-ci over the public interface (enp5s0); the coop-cloud
# traefik stack (deployed via abra, see docs/install.md) publishes these ports.
networking.firewall.allowedTCPPorts = [ 80 443 ];
# Bring up a single-node swarm + the shared `proxy` overlay network. Idempotent:
# safe to re-run every boot/rebuild. advertise-addr 127.0.0.1 is fine for a lone node.
systemd.services.swarm-init = {
description = "Initialise single-node Docker Swarm + proxy overlay network";
after = [ "docker.service" ];
requires = [ "docker.service" ];
wantedBy = [ "multi-user.target" ];
path = [ pkgs.docker ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
};
script = ''
set -eu
state="$(docker info --format '{{.Swarm.LocalNodeState}}' 2>/dev/null || echo error)"
if [ "$state" != "active" ]; then
docker swarm init --advertise-addr 127.0.0.1
fi
if ! docker network inspect proxy >/dev/null 2>&1; then
docker network create --driver overlay --attachable proxy
fi
'';
};
}
Reference in New Issue View Git Blame Copy Permalink