Fix container tests, unify RPM install path, and ensure Nix TLS truststore detection

Changes included: • GitHub Actions workflow: rename job from 'test-unit' to 'test-container' to match intent. • RPM packaging: replace %{_libdir}/package-manager with a fixed /usr/lib/package-manager to avoid lib/lib64 divergence on CentOS and ensure pkgmgr + Nix flake resolution works consistently across distros. • Docker entrypoint: add automatic CA-bundle detection and set NIX_SSL_CERT_FILE to fix TLS issues on CentOS ('unable to get local issuer certificate') when Nix fetches flake inputs. These updates stabilize container-based tests and unify the runtime environment for Fedora, CentOS, and other distributions. Reference: ChatGPT conversation: https://chatgpt.com/share/6937aa72-d33c-800f-a63f-c353e92de6b3
2025-12-09 05:50:08 +01:00
parent f9943fafae
commit da9d5cfa6b
3 changed files with 40 additions and 21 deletions
--- a/scripts/docker/entry.sh
+++ b/scripts/docker/entry.sh
@@ -1,23 +1,41 @@
 #!/usr/bin/env bash
 set -euo pipefail

+# ---------------------------------------------------------------------------
+# Ensure Nix has access to a valid CA bundle (TLS trust store)
+# ---------------------------------------------------------------------------
+if [[ -z "${NIX_SSL_CERT_FILE:-}" ]]; then
+  if [[ -f /etc/ssl/certs/ca-certificates.crt ]]; then
+    # Debian/Ubuntu-style path
+    export NIX_SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt
+    echo "[docker] Using CA bundle: ${NIX_SSL_CERT_FILE}"
+  elif [[ -f /etc/pki/tls/certs/ca-bundle.crt ]]; then
+    # Fedora/RHEL/CentOS-style path
+    export NIX_SSL_CERT_FILE=/etc/pki/tls/certs/ca-bundle.crt
+    echo "[docker] Using CA bundle: ${NIX_SSL_CERT_FILE}"
+  else
+    echo "[docker] WARNING: No CA bundle found for Nix (NIX_SSL_CERT_FILE not set)."
+    echo "[docker] HTTPS access for Nix flakes may fail."
+  fi
+fi
+
 SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

 echo "[docker] Starting package-manager container"

-# Distro-Info nur für Logging
+# Distro info for logging
 if [[ -f /etc/os-release ]]; then
  # shellcheck disable=SC1091
  . /etc/os-release
  echo "[docker] Detected distro: ${ID:-unknown} (like: ${ID_LIKE:-})"
 fi

-# Wir arbeiten immer aus /src (vom Host gemountet)
+# Always use /src (mounted from host) as working directory
 echo "[docker] Using /src as working directory"
 cd /src

 # ------------------------------------------------------------
-# DEV-Mode: aus dem aktuellen /src heraus Paket bauen/installieren
+# DEV mode: build/install package-manager from current /src
 # ------------------------------------------------------------
 if [[ "${PKGMGR_DEV:-0}" == "1" ]]; then
  echo "[docker] DEV mode enabled (PKGMGR_DEV=1)"
@@ -32,7 +50,7 @@ if [[ "${PKGMGR_DEV:-0}" == "1" ]]; then
 fi

 # ------------------------------------------------------------
-# Hand-off zu pkgmgr / beliebigem Kommando
+# Hand-off to pkgmgr / arbitrary command
 # ------------------------------------------------------------
 if [[ $# -eq 0 ]]; then
  echo "[docker] No arguments provided. Showing pkgmgr help..."