Commit graph

7 commits

Author SHA1 Message Date
b335405c02 Public-flip audit: generalize internal hosts/paths + drop Sulkta-internal refs
URLs, mount paths, and LAN host bindings parameterized via env or relative paths
so the repo stands up from a clean clone anywhere. Drop cross-codebase refs
("mirrors clawdforge's pattern"), Sulkta-Coop client/merchant test fixtures,
and audit-changelog scaffolding from comments. README terser, technical content
preserved.
2026-05-27 11:25:47 -07:00
8b1774130b fix: bind /nix to /mnt/cache, NOT docker-managed volume
A docker-managed named volume lives at /var/lib/docker/volumes/,
which is INSIDE docker.img (a 200 GB loop file shared with all
images, container layers, and every other docker volume on the
host). The Plutarch + haskell-nix closure for Liqwid-Labs/agora
is tens of GB.

Running nix develop against agora ONCE was enough to fill docker.img
to 100% (196/200 GB used, 2 GB free). Every container on Lucy was
about to start failing writes. Recovery: kill nix process, docker
compose down, free 66 GB of BuildKit cache via `docker builder
prune -a`, switch /nix to /mnt/cache bind mount (88+ GB free on
that pool, completely separate from docker.img).

Bind mount caveat: bare bind to an empty host dir shadows the
image's /nix install (the previous bug we caught with the
named-volume fix). One-time seed required:
  mkdir -p /mnt/cache/appdata/crafting-table/nix
  chown 1000:1000 /mnt/cache/appdata/crafting-table/nix
  docker create --name ct-seed crafting-table:local
  docker cp ct-seed:/nix/. /mnt/cache/appdata/crafting-table/nix/
  docker rm ct-seed

After seed, the bind mount works because the host path has the
nix tree already populated. Subsequent docker compose up -d picks
up the populated /nix and `nix --version` works in-container.
2026-05-06 22:55:17 -07:00
169b38b4ba fix: switch /nix to docker-managed volume (was bind mount)
Bind-mount to an empty host dir was shadowing the image's
pre-installed /nix tree at runtime — `nix --version` returned
"sh: nix: not found" inside the live container even though the
binary was baked into the image at build time.

Docker auto-populates a fresh named volume from the image's
content on first mount. So the named-volume version preserves
the install AND persists across container recreations.

Volume name `crafting-table-nix`. Lives at the docker default
volume path on Lucy. Backups/migration-out: `docker run --rm
-v crafting-table-nix:/src -v /tmp:/dst alpine tar cf /dst/nix.tar /src`.
2026-05-06 17:08:37 -07:00
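The two /nix fixes above (169b38b4ba moving to a named volume, 8b1774130b moving to a /mnt/cache bind mount with a one-time seed) amount to a procedure with three checks worth automating: the host dir must not be empty when bound over /nix (or it shadows the image's install), it must not live inside docker's own data root (the docker.img pool the move is meant to escape), and it needs enough free space for a multi-GB closure. The script below is an added example, not code from the crafting-table repo; the image name, host path, volume name, UID/GID and the 40 GiB threshold are illustrative assumptions, and it reuses the `docker create` / `docker cp` seed and the `tar`-via-alpine trick from the commit messages.

```shell
#!/bin/sh
# Added example (not from the crafting-table repo): seed a /nix bind-mount
# directory from an image, or migrate it out of a named volume, with the
# checks the two fix commits learned the hard way. Paths, image/volume
# names, UID/GID and the free-space threshold are assumptions.
set -eu

# Return 0 when DIR is missing or empty: binding it over /nix would shadow
# the image's baked-in nix tree, so a seed is required first.
nix_dir_needs_seed() {
  dir=$1
  [ -d "$dir" ] || return 0
  [ -z "$(ls -A "$dir")" ]
}

# Return 0 when DIR sits under docker's data root (assumed /var/lib/docker
# unless DOCKER_ROOT is set), i.e. inside the same pool as docker.img.
nix_dir_in_docker_root() {
  dir=$1; root=${DOCKER_ROOT:-/var/lib/docker}
  case "$dir" in
    "$root"|"$root"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print free GiB on the filesystem that will hold DIR, walking up to the
# nearest existing parent so this works before the directory is created.
free_gib() {
  p=$1
  while [ ! -d "$p" ]; do p=$(dirname "$p"); done
  df -Pk "$p" | awk 'NR==2 { print int($4 / 1048576) }'
}

# Seed DIR from IMAGE's /nix, chown it to UID:GID, then prove the bind
# does not shadow the install before touching compose.
seed_nix_bind() {
  dir=$1; image=$2; uid=${3:-1000}; gid=${4:-1000}; min_gib=${MIN_GIB:-40}
  if nix_dir_in_docker_root "$dir"; then
    echo "refusing: $dir is inside docker's data root" >&2; return 1
  fi
  if [ "$(free_gib "$dir")" -lt "$min_gib" ]; then
    echo "refusing: less than ${min_gib} GiB free for $dir" >&2; return 1
  fi
  mkdir -p "$dir"
  if nix_dir_needs_seed "$dir"; then
    docker create --name ct-seed "$image" >/dev/null
    # 'src/.' copies the directory contents rather than nesting /nix/nix.
    docker cp ct-seed:/nix/. "$dir/"
    docker rm ct-seed >/dev/null
    chown -R "$uid:$gid" "$dir"
  fi
  docker run --rm -v "$dir:/nix" "$image" nix --version
}

# Move an existing named volume into DIR with the alpine+tar trick, so the
# store built under the named-volume layout is not downloaded again.
migrate_volume_to_bind() {
  volume=$1; dir=$2; uid=${3:-1000}; gid=${4:-1000}
  mkdir -p "$dir"
  docker run --rm -v "$volume:/src:ro" -v "$dir:/dst" alpine \
    sh -c 'cd /src && tar cf - . | tar xf - -C /dst'
  chown -R "$uid:$gid" "$dir"
}

# Usage with the (assumed) names from the commits:
#   seed_nix_bind /mnt/cache/appdata/crafting-table/nix crafting-table:local
#   migrate_volume_to_bind crafting-table-nix /mnt/cache/appdata/crafting-table/nix
```

Run the seed once per host before `docker compose up -d`; on later runs the non-empty check makes it a no-op apart from the final `nix --version` probe, which is the cheapest way to catch a regression back to an empty bind.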
b0490a8c02 add Nix toolchain + bump Go to 1.25.9
Two coupled changes:

1. Add a single-user Nix install at section 19.5 so the container can
   `nix develop` / `nix run` / `nix build` for the Cardano smart-
   contract toolchain stack (Plutarch, plutus-core, Liqwid Agora's
   `agora-scripts` exporter — all ship as IOG haskell-nix flakes
   with pinned GHC). Without Nix, building any of those is a manual-
   version-pinning fight.

   Single-user mode (no daemon), sandbox=false (containers can't nest
   sandboxes cleanly), flakes + nix-command experimental features
   enabled. /nix is owned by `crafter` and bind-mounted from
   /mnt/user/appdata/crafting-table/nix in compose so the multi-GB
   haskell-nix downloads survive container rebuilds.

2. Bump GO_VERSION 1.22.10 → 1.25.9. govulncheck@latest (v1.3.0) and
   staticcheck@latest (v0.7.0) both now require Go ≥ 1.25 — building
   with 1.22 hits "requires go >= 1.25.0" and the per-step retry loop
   exhausts. Go's auto-toolchain-switch tries to download 1.25.9 on
   the fly but staticcheck's parent build then runs in 1.22 and
   re-fails. Pinning to 1.25.9 (current Go release) sidesteps the
   wedge.

PATH bump: prepend /home/crafter/.nix-profile/bin so nix-installed
binaries (cabal, ghc inside dev shells, cardano-cli, etc) take
precedence over system tooling without per-recipe prefixing.

Build invocation unchanged — nothing required at the docker run /
docker compose layer beyond the new /nix bind mount in compose.yml.
2026-05-06 15:08:01 -07:00
70d6df2414 requirements: explicitly pin uvicorn standard extras (click etc) to survive build cache invalidation 2026-04-29 21:49:35 +00:00
2e16ec886d wave 1 wiring: Dockerfile API stage + compose API command + README quickstart
- Dockerfile: pip-install requirements.txt and copy crafting_table/ into
  /app, switch CMD from /bin/bash to uvicorn server (port 8810). pip lands
  in /usr/local/bin so the crafter user runs uvicorn without elevation.
- compose.yml: replace smoke.sh entrypoint with the API server command;
  bind 192.168.0.5:8810:8810 (LAN-only); switch named volumes to real
  Lucy appdata paths so /data + /workspace + /caches survive recreate.
  env_file marked optional so a fresh checkout boots without copying
  .env.example.
- README.md: tick steps 1-4 done, document API surface table, add
  curl-based quickstart (mint token → register project → kick off job →
  poll → stream log), and an architecture-notes section covering the
  recipe-immutability snapshot, process-group SIGTERM/SIGKILL escalation,
  WAL+single-writer trade-off, and the recipe-security stance.

Smoke remains runnable on demand:
  docker compose run --rm crafting-table /usr/local/bin/smoke.sh
2026-04-29 08:28:51 -07:00
4e668a79e1 v0.1 step 1: Dockerfile + per-language toolchain smoke
Monolith image with every toolchain in the spec:
- Python 3.12 + uv/ruff/mypy/pytest/pip-audit/semgrep
- Node 22 LTS + bun
- Go 1.22 + govulncheck/staticcheck
- Rust stable + cargo-audit/cargo-deny
- Ruby 3.x + bundler-audit
- PHP 8.x + composer/phpstan
- JDK 17 + 21 + Maven + Gradle
- .NET 8 SDK
- Swift 5.9.2
- Kotlin 1.9.25
- clang + cmake + valgrind + ASan/UBSan/TSan
- bash + shellcheck

smoke.sh proves each toolchain compiles + runs a hello-world.
compose.yml uses the existing 'sulkta' bridge network.

No API yet (steps 2-3); no MCP yet (step 7); no runner yet (step 4).
This is the foundation.

NOTE: docker build + smoke verification not yet run — sandbox doesn't
have docker. Needs `docker compose build && docker compose up` on Lucy
or any real Docker host before we trust the Dockerfile.

Spec: memory/spec-crafting-table.md
2026-04-29 07:29:53 -07:00