Move CA bundle detection from the Docker entrypoint to CentOS dependencies and persist it system-wide.
This ensures Nix, Git, curl, and Python HTTPS access works in virgin environments by configuring `/etc/profile.d` and `/etc/nix/nix.conf`.
Removes runtime-only CA exports from the container entrypoint and makes the setup reproducible and distro-correct.
https://chatgpt.com/share/693c5ddf-3260-800f-ac94-38c635dba307
* Switch virgin root/user workflows to use *make install* + *make setup/setup-venv*
* Add Git *safe.directory /src* to avoid flake evaluation failures on mounted repos
* Enable Nix flake run in workflows and prepare */nix* for non-root execution
* Refactor Arch packaging to build in an isolated */tmp* directory via *aur_builder*
* Rename installer scripts (*run-** → *dependencies.sh* / *package.sh*) and adjust Docker entry + env var to *REINSTALL_PKGMGR*
https://chatgpt.com/share/693c29d9-9b28-800f-a549-5661c783d968
- NixFlakeInstaller:
- Skip when running inside a Nix dev shell (IN_NIX_SHELL).
- Add PKGMGR_DISABLE_NIX_FLAKE_INSTALLER kill-switch for CI/debugging.
- Ensure run() respects supports() and handles preview/allow_failure cleanly.
- DebianControlInstaller:
- Introduce _privileged_prefix() to handle sudo vs. root vs. no elevation.
- Avoid hard-coded sudo usage and degrade gracefully when neither sudo nor
root is available.
- Improve messaging around build-dep and .deb installation.
- RpmSpecInstaller:
- Prepare rpmbuild tree and source tarball in ~/rpmbuild/SOURCES based on
Name/Version from the spec file.
- Reuse a helper to resolve the rpmbuild topdir.
- Install built RPMs via dnf/yum when available, falling back to rpm -Uvh
to avoid file conflicts during upgrades.
- PythonInstaller:
- Skip pip-based installation inside Nix dev shells (IN_NIX_SHELL).
- Add PKGMGR_DISABLE_PYTHON_INSTALLER kill-switch.
- Make pip command resolution explicit and overridable via PKGMGR_PIP.
- Type-hint supports() and run() with RepoContext/InstallContext.
- Docker entrypoint:
- Add robust CA bundle detection for Nix, Git, Python requests and curl.
- Export NIX_SSL_CERT_FILE, SSL_CERT_FILE, REQUESTS_CA_BUNDLE and
GIT_SSL_CAINFO from a single detected CA path.
- Improve logging and section comments in the entrypoint script."
https://chatgpt.com/share/69387df8-bda0-800f-a053-aa9e2999dc84
Changes included:
• GitHub Actions workflow: rename job from 'test-unit' to 'test-container' to match intent.
• RPM packaging: replace %{_libdir}/package-manager with a fixed /usr/lib/package-manager
to avoid lib/lib64 divergence on CentOS and ensure pkgmgr + Nix flake resolution works
consistently across distros.
• Docker entrypoint: add automatic CA-bundle detection and set NIX_SSL_CERT_FILE to fix
TLS issues on CentOS ('unable to get local issuer certificate') when Nix fetches flake
inputs.
These updates stabilize container-based tests and unify the runtime environment
for Fedora, CentOS, and other distributions.
Reference:
ChatGPT conversation: https://chatgpt.com/share/6937aa72-d33c-800f-a63f-c353e92de6b3
