feat: setup docker in docker

tsirysndr · Aug 19, 2024 · c084309 · c084309
1 parent 3c6a34b
commit c084309
Show file tree

Hide file tree

Showing 23 changed files with 147 additions and 33 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -31,6 +31,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 WORKDIR /home/${USER}
@@ -57,4 +63,8 @@ RUN if [ -n "$PACKAGES" ]; then \
   pkgx install ${PACKAGES};\
   fi
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
diff --git a/build/entry.sh b/build/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/build/main.tf b/build/main.tf
@@ -19,6 +19,7 @@ resource "docker_image" "pkgx" {
 resource "docker_container" "pkgx" {
   image = docker_image.pkgx.image_id
   name  = "pkgx-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "pkgx-workspace"

diff --git a/devbox/Dockerfile b/devbox/Dockerfile
@@ -27,6 +27,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 RUN curl --proto =https --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install linux --extra-conf "sandbox = false" --init none --no-confirm
@@ -58,4 +64,9 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://setup.atuin.sh | bash
 
 ENV BASH_ENV=/home/${USER}/.bashrc
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
+
diff --git a/devbox/entry.sh b/devbox/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/devbox/main.tf b/devbox/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     docker = {
-      source = "kreuzwerker/docker"
+      source  = "kreuzwerker/docker"
       version = "~> 3.0.2"
     }
   }
@@ -17,8 +17,9 @@ resource "docker_image" "devbox" {
 }
 
 resource "docker_container" "devbox" {
-  image = docker_image.devbox.image_id
-  name  = "devbox-workspace"
+  image      = docker_image.devbox.image_id
+  name       = "devbox-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "devbox-workspace"
@@ -27,8 +28,8 @@ resource "docker_container" "devbox" {
   }
 
   volumes {
-    volume_name = "devbox-nix"
+    volume_name    = "devbox-nix"
     container_path = "/nix"
-    read_only = false
+    read_only      = false
   }
 }
diff --git a/devenv/Dockerfile b/devenv/Dockerfile
@@ -31,6 +31,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 RUN sudo chown -R ${USER}:${USER} /nix/store /nix/var
@@ -63,4 +69,9 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://setup.atuin.sh | bash
 
 ENV BASH_ENV=/home/${USER}/.bashrc
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
+
diff --git a/devenv/entry.sh b/devenv/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/devenv/main.tf b/devenv/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     docker = {
-      source = "kreuzwerker/docker"
+      source  = "kreuzwerker/docker"
       version = "~> 3.0.2"
     }
   }
@@ -17,8 +17,9 @@ resource "docker_image" "devenv" {
 }
 
 resource "docker_container" "devenv" {
-  image = docker_image.devenv.image_id
-  name  = "devenv-workspace"
+  image      = docker_image.devenv.image_id
+  name       = "devenv-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "devenv-workspace"
@@ -27,8 +28,8 @@ resource "docker_container" "devenv" {
   }
 
   volumes {
-    volume_name = "devenv-nix"
+    volume_name    = "devenv-nix"
     container_path = "/nix"
-    read_only = false
+    read_only      = false
   }
 }
diff --git a/flox/Dockerfile b/flox/Dockerfile
@@ -31,6 +31,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 ENV PATH=${PATH}:/home/${USER}/.nix-profile/bin
@@ -58,4 +64,9 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://setup.atuin.sh | bash
 
 ENV BASH_ENV=/home/${USER}/.bashrc
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
+
diff --git a/flox/entry.sh b/flox/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/flox/main.tf b/flox/main.tf
@@ -19,6 +19,7 @@ resource "docker_image" "flox" {
 resource "docker_container" "flox" {
   image = docker_image.flox.image_id
   name  = "flox-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "flox-workspace"

diff --git a/homebrew/Dockerfile b/homebrew/Dockerfile
@@ -28,6 +28,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
   && chmod 0440 /etc/sudoers.d/${USER}
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 SHELL ["bash", "-c"]
@@ -54,4 +60,9 @@ RUN if [ -n "$PACKAGES" ]; then \
   brew install ${PACKAGES}; exit 0;\
   fi
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
+
diff --git a/homebrew/entry.sh b/homebrew/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/homebrew/main.tf b/homebrew/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     docker = {
-      source = "kreuzwerker/docker"
+      source  = "kreuzwerker/docker"
       version = "~> 3.0.2"
     }
   }
@@ -17,8 +17,9 @@ resource "docker_image" "brew" {
 }
 
 resource "docker_container" "brew" {
-  image = docker_image.brew.image_id
-  name  = "brew-workspace"
+  image      = docker_image.brew.image_id
+  name       = "brew-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "brew-workspace"

diff --git a/main.tf b/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     docker = {
-      source = "kreuzwerker/docker"
+      source  = "kreuzwerker/docker"
       version = "~> 3.0.2"
     }
   }
@@ -10,28 +10,29 @@ terraform {
 provider "docker" {}
 
 resource "docker_image" "default" {
-  name = var.image
-   count = var.context != null ? 0 : 1
+  name  = var.image
+  count = var.context != null ? 0 : 1
 }
 
 resource "docker_image" "base" {
-  name = var.workspace_name
+  name  = var.workspace_name
   count = var.context != null ? 1 : 0
 
   build {
     context = var.context
     build_args = {
-      USER = var.user
+      USER     = var.user
       PACKAGES = join(" ", var.packages)
     }
   }
 }
 
 resource "docker_container" "base" {
-  image = var.context != null ? docker_image.base[0].image_id : docker_image.default[0].image_id
-  name  = var.workspace_name
-  hostname = var.hostname
-
+  image      = var.context != null ? docker_image.base[0].image_id : docker_image.default[0].image_id
+  name       = var.workspace_name
+  hostname   = var.hostname
+  privileged = true
+
   dynamic "volumes" {
     for_each = var.volumes
     content {

diff --git a/nix/Dockerfile b/nix/Dockerfile
@@ -31,6 +31,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 RUN sudo chown -R ${USER}:${USER} /nix/store/.links /nix/var
@@ -51,4 +57,9 @@ RUN curl --proto '=https' --tlsv1.2 -sSf https://setup.atuin.sh | bash
 
 ENV BASH_ENV=/home/${USER}/.bashrc
 
-ENTRYPOINT [ "code", "-v", "tunnel" ]
+COPY entry.sh /usr/local/bin/entry.sh
+
+RUN sudo chmod a+x /usr/local/bin/entry.sh
+
+ENTRYPOINT [ "entry.sh" ]
+
diff --git a/nix/entry.sh b/nix/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/nix/main.tf b/nix/main.tf
@@ -1,7 +1,7 @@
 terraform {
   required_providers {
     docker = {
-      source = "kreuzwerker/docker"
+      source  = "kreuzwerker/docker"
       version = "~> 3.0.2"
     }
   }
@@ -17,8 +17,9 @@ resource "docker_image" "nix" {
 }
 
 resource "docker_container" "nix" {
-  image = docker_image.nix.image_id
-  name  = "nix-workspace"
+  image      = docker_image.nix.image_id
+  name       = "nix-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "nix-workspace"
@@ -27,8 +28,8 @@ resource "docker_container" "nix" {
   }
 
   volumes {
-    volume_name = "nix-store"
+    volume_name    = "nix-store"
     container_path = "/nix"
-    read_only = false
+    read_only      = false
   }
 }
diff --git a/pkgx/Dockerfile b/pkgx/Dockerfile
@@ -31,6 +31,12 @@ RUN addgroup --gid $GROUP_ID ${USER} \
 
 RUN mkdir -p /home/${USER} && chown -R ${USER}:${USER} /home/${USER}
 
+ENV DOCKER_TLS_CERTDIR=/certs
+RUN mkdir /certs /certs/client && chmod 1777 /certs /certs/client
+COPY --from=docker:27-dind /usr/local/bin/ /usr/local/bin/
+COPY --from=docker:27-dind /usr/local/libexec/ /usr/local/libexec/
+VOLUME /var/lib/docker
+
 USER ${USER}
 
 WORKDIR /home/${USER}

diff --git a/pkgx/entry.sh b/pkgx/entry.sh
@@ -0,0 +1,5 @@
+#!/usr/bin/bash
+
+sudo dockerd-entrypoint.sh >/dev/null 2>/dev/null &
+
+code -v tunnel
diff --git a/pkgx/main.tf b/pkgx/main.tf
@@ -19,6 +19,7 @@ resource "docker_image" "pkgx" {
 resource "docker_container" "pkgx" {
   image = docker_image.pkgx.image_id
   name  = "pkgx-workspace"
+  privileged = true
 
   volumes {
     volume_name    = "pkgx-workspace"