[
  {
    "path": ".github/dependabot.yml",
    "content": "version: 2\nupdates:\n  - package-ecosystem: \"github-actions\"\n    directory: \"/\"\n    schedule:\n      interval: \"weekly\"\n"
  },
  {
    "path": ".github/workflows/nix.yml",
    "content": "name: Nix\non:\n  push:\n    branches:\n      - main\n  pull_request:\n  workflow_dispatch:\n  schedule:\n    # Run once per day\n    - cron: '0 0 * * *'\n\njobs:\n  build:\n    strategy:\n      # Keep building the other channels if one fails\n      fail-fast: false\n      matrix:\n        channel:\n          - nixos-unstable\n          - nixos-25.05\n          - nixos-25.11\n        system:\n          - aarch64-linux\n          - x86_64-linux\n    runs-on: ubuntu-latest\n\n    permissions:\n      contents: read\n      packages: write\n\n    steps:\n      - uses: actions/checkout@v6\n      - name: Set up QEMU\n        uses: docker/setup-qemu-action@v3\n        with:\n          platforms: arm64\n      - uses: DeterminateSystems/nix-installer-action@main\n        with:\n          extra-conf: |\n            extra-platforms = aarch64-linux\n      - uses: DeterminateSystems/magic-nix-cache-action@main\n\n      - name: Push to Docker Hub\n        run: nix-shell --run ./ci.sh\n        env:\n          CI_PROJECT_PATH: 'nixpkgs'\n          CI_REGISTRY: 'docker.io'\n          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'\n          NIXPKGS_CHANNEL: '${{ matrix.channel }}'\n          NIX_SYSTEM_NAME: '${{ matrix.system }}'\n\n      - name: Push to GitHub Pages\n        run: nix-shell --run ./ci.sh\n        env:\n          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'\n          CI_REGISTRY: 'ghcr.io'\n          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'\n          NIXPKGS_CHANNEL: '${{ matrix.channel }}'\n          NIX_SYSTEM_NAME: '${{ matrix.system }}'\n\n  push-manifest:\n    needs: [build]\n    strategy:\n      fail-fast: false\n      matrix:\n        channel:\n          - nixos-unstable\n          - nixos-25.05\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v6\n      - uses: DeterminateSystems/nix-installer-action@main\n        with:\n          extra-conf: |\n            extra-platforms = 
aarch64-linux\n      - uses: DeterminateSystems/magic-nix-cache-action@main\n\n      - run: nix-shell --run ./ci-manifests.sh\n        env:\n          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'\n          NIXPKGS_CHANNEL: '${{ matrix.channel }}'\n          NIX_SYSTEM_NAME: '${{ matrix.system }}'\n"
  },
  {
    "path": ".gitignore",
    "content": "# Nix\nresult\nresult-*\n"
  },
  {
    "path": ".gitlab-ci.yml",
    "content": "stages:\n  - build\n\nbuild:\n  stage: build\n  image: nixpkgs/nix:nixos-25.05\n  script: nix-shell --run ./ci.sh\n  parallel:\n    matrix:\n      - NIXPKGS_CHANNEL: nixos-unstable\n        IMAGE_TAG: latest\n      - NIXPKGS_CHANNEL:\n          - nixos-25.05\n          - nixos-25.11\n"
  },
  {
    "path": "LICENSE",
    "content": "MIT License\n\nCopyright (c) 2019 zimbatm and contributors\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to deal\nin the Software without restriction, including without limitation the rights\nto use, copy, modify, merge, publish, distribute, sublicense, and/or sell\ncopies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\nThe above copyright notice and this permission notice shall be included in all\ncopies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,\nOUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE\nSOFTWARE.\n"
  },
  {
    "path": "README.md",
    "content": "# docker-nixpkgs: docker images from nixpkgs\n\nThis project is a collection of docker images automatically produced with Nix\nand the latest nixpkgs package set. All the images are refreshed daily with\nthe latest versions of nixpkgs.\n\nIt's also a good demonstration on how to build and publish Docker images with\nNix.\n\nAlways keep your docker images fresh!\n\n## Why use Nix to build docker images?\n\nNix has a number of advantages over Dockerfile when producing docker images:\n\n* builds are more likely to be repeatable and binary reproducible\n* Nix will only rebuild the minimum set of changes with no manual intervention\n* Nix produces optimised layers with no manual intervention\n* nixpkgs provides automatic security updates\n\n## Example usage\n\nHere is an example of using one of the docker images. Usage will change from\nimage to image.\n\n```\n# run the curl image which has curl as an entry-point\n$ docker run -ti --rm nixpkgs/curl curl http://ifconfig.co\n180.52.248.114\n```\n\n## Channels\n\nEach image is built with the following nixpkgs channels and map to the\nfollowing image tag.\n\nThe version of the packages included in each image depends on what version the\nnixpkgs channel describes.\n\n| Channel        | Image Tag   | Description                                       |\n| ---            | ---         | ---                                               |\n| nixos-25.05    | nixos-25.05 | only minor versions that include security updates |\n| nixos-25.11    | nixos-25.11 | only minor versions that include security updates |\n| nixos-unstable | latest      | latest and greatest, major versions might change  |\n\n## List of images\n\nHere is the current list of images that are provided. Missing one? 
Send an\n[image request](#image-request).\n\nAll images are automatically built and published to Docker Hub, and served\non our custom domain, courtesy of [Scarf](https://scarf.sh).\n\n`> ./readme-image-matrix`\n\n<!-- BEGIN mdsh -->\n| Image / Tag | Pull |\n| ---         | ---  |\n| [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` |\n| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |\n| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |\n| [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |\n| [nixpkgs/cachix-flakes](https://hub.docker.com/r/nixpkgs/cachix-flakes)| `docker pull docker.nix-community.org/nixpkgs/cachix-flakes` |\n| [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |\n| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |\n| [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |\n| [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |\n| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |\n| [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |\n| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |\n| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |\n| [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull 
docker.nix-community.org/nixpkgs/maddy` |\n| [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |\n| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |\n| [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |\n| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |\n| [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |\n| [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |\n| [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |\n<!-- END mdsh -->\n## Adding new images\n\nTo add a new image to the project, create a new folder under\n`./images/<image-name>` with a default.nix that returns the docker image.\n\nThen run `nix-build -A <image-name>` to test that it builds, and\nthen use\n`docker load -i /nix/store/...<image-name>.tar.gz` to load and test the image.\n\n## User Feedback\n\n### Issues\n\nIf you have any problems with or questions about this project, please contact\nus through a [GitHub issue](https://github.com/nix-community/docker-nixpkgs/issues/new)\n\n### Image request\n\n[Submit a request](https://github.com/nix-community/docker-nixpkgs/issues/new)\nwith an accompanying use-case for an image that you would like to see.\n\n### Contributing\n\nYou are invited to contribute new features, fixes or updates, large or small;\nwe are always thrilled to receive pull requests, and do our best to process\nthem as fast as we can.\n\n## Related projects\n\n* The [docker-library](https://github.com/docker-library/official-images#readme)\n  is an image set maintained by the Docker 
Inc. team and contains\n  officially-supported images.\n\n* [Nixery](https://nixery.dev/) is a pretty cool service that builds docker\n  images from nixpkgs attributes on the fly.\n\n## License\n\nCopyright (c) 2021 @zimbatm and contributors.\n\nLicensed under the MIT License.\n"
  },
  {
    "path": "ci-manifests.sh",
    "content": "#!/usr/bin/env bash\n#\n# CI specific build script.\n#\nset -euo pipefail\n\nchannel=${NIXPKGS_CHANNEL:-nixos-unstable}\nregistry=${CI_REGISTRY:-docker.io}\nregistry_auth=${CI_REGISTRY_AUTH:-}\nimage_prefix=${CI_PROJECT_PATH:-nixpkgs}\n\nif [[ $channel == nixos-unstable ]]; then\n  image_tag=latest\nelse\n  image_tag=$channel\nfi\n\nexport NIX_PATH=channel:$channel\n\nbanner() {\n  echo \"========================================================\"\n  echo \"  $*\"\n  echo \"========================================================\"\n}\n\ncd \"$(dirname \"$0\")\"\n\nif [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then\n  banner \"Skipping push on non-main branch\"\n  exit\nfi\n\nif [[ -n \"${registry_auth}\" ]]; then\n  banner \"docker login\"\n  ./docker-login \"$registry_auth\" \"$registry\"\nfi\n\nbanner \"generate manifests\"\n./generate-manifests \"$registry\" \"$image_prefix\" \"$image_tag\"\n"
  },
  {
    "path": "ci.sh",
    "content": "#!/usr/bin/env bash\n#\n# CI specific build script.\n#\nset -euo pipefail\n\nchannel=${NIXPKGS_CHANNEL:-nixos-unstable}\nregistry=${CI_REGISTRY:-docker.io}\nregistry_auth=${CI_REGISTRY_AUTH:-}\nimage_prefix=${CI_PROJECT_PATH:-nixpkgs}\nsystem_name=${NIX_SYSTEM_NAME:-x86_64-linux}\n\nif [[ $channel == nixos-unstable ]]; then\n  image_tag=latest\nelse\n  image_tag=$channel\nfi\n\nexport NIX_PATH=channel:$channel\n\nbanner() {\n  echo \"========================================================\"\n  echo \"  $*\"\n  echo \"========================================================\"\n}\n\ncd \"$(dirname \"$0\")\"\n\nbanner \"Building images\"\n# Build all the docker images\nnix-build \\\n  --no-out-link \\\n  --option sandbox true \\\n  --argstr system \"$system_name\"\n\nif [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then\n  banner \"Skipping push on non-main branch\"\n  exit\nfi\n\nif [[ -n \"${registry_auth}\" ]]; then\n  banner \"docker login\"\n  ./docker-login \"$registry_auth\" \"$registry\"\nfi\n\nbanner \"docker push\"\n./push-all \"$registry\" \"$image_prefix\" \"$image_tag\"\n\nif [[ -n \"${registry_auth}\" && $registry = *docker.io ]]; then\n  banner \"docker metadata update\"\n  ./dockerhub-metadata \"$registry_auth\" \"$image_prefix\"\nfi\n"
  },
  {
    "path": "default.nix",
    "content": "{\n  system ? builtins.currentSystem\n}: let\n  _parts = builtins.split \"-\" system;\n  arch = builtins.elemAt _parts 0;\n  os = builtins.elemAt _parts 2;\n  system' =\n    if os == \"darwin\"\n    then \"${arch}-linux\"\n    else system;\n  pkgs =\n    import ./pkgs.nix system';\nin\npkgs.docker-nixpkgs\n"
  },
  {
    "path": "docker-login",
    "content": "#!/usr/bin/env bash\n#\n# A simplified docker login approach that doesn't depends on the docker binary\n#\n# Usage: ./docker-login <username> <password> [registry]\nset -euo pipefail\n\nauth=$1\nregistry=${2:-docker.io}\n\n# Encode some funky docker heuristic\nif [[ $registry = *docker.io ]]; then\n  # use the v2 registry so that skopeo can do noop layer copies\n  registry=https://index.docker.io/v2/\nfi\n\nmkdir -p ~/.docker\n\ncat <<DOCKER_CONF > ~/.docker/config.json\n{\n  \"auths\": {\n    \"$registry\": {\n      \"auth\": \"$(echo -n \"$auth\" | base64)\"\n    }\n  }\n}\nDOCKER_CONF\n"
  },
  {
    "path": "dockerhub-metadata",
    "content": "#!/usr/bin/env bash\n#\n# Update docker hub image descriptions. The API is not documented and might\n# break in the future.\n#\n# Usage: ./dockerhub-metadata <user> <password> [org]\nset -euo pipefail\n\nuser=$1\norg=${2:-nixpkgs}\nsystem_name=${NIX_SYSTEM_NAME:-x86_64-linux}\n\nnix_eval() {\n  nix-instantiate --strict --eval --argstr system \"$system_name\" --json \"$@\"\n}\n\nreleases_json=$(nix_eval)\n\nto_json() {\n  local desc=$1 full_desc=$2\n  jq -n \\\n    --arg desc \"$desc\" \\\n    --arg full_desc \"$full_desc\" \\\n    '.description=$desc | .full_description=$full_desc'\n}\n\necho \"=== Updating Docker Hub project descriptions\"\n\nfor attr in $(echo \"$releases_json\" | jq -r \"keys[]\") ; do\n  echo \"--- $attr\"\n  desc=$(nix_eval -A \"$attr.meta.description\" | jq -r .)\n\n  if [[ -f \"$attr/README.md\" ]]; then\n    full_desc=$(< \"$attr/README.md\")\n  else\n    full_desc=$(< \"README.md\")\n  fi\n\n  data=$(to_json \"$desc\" \"$full_desc\")\n  echo \"data: $data\"\n  url=https://cloud.docker.com/v2/repositories/$org/$attr/\n\n  curl -XPATCH -H \"Content-Type: application/json\" --user \"$user\" --data \"$data\" \"$url\"\ndone\n\necho OK\n"
  },
  {
    "path": "generate-manifests",
    "content": "#!/usr/bin/env bash\n#\n# Usage: ./push-all <registry> <image-prefix> <image-tag>\nset -euo pipefail\n\nregistry=${1:-docker.io}\nimage_prefix=${2:-nixpkgs}\nimage_tag=${3:-latest}\nsystem_name=${NIX_SYSTEM_NAME:-x86_64-linux}\n\nreleases_json=$(nix-instantiate --strict --argstr system \"$system_name\" --eval --json)\n\necho \"=== Generating manifests for $registry\"\n\nfor attr in $(echo \"$releases_json\" | jq -r \"keys[]\") ; do\n  repository=$registry/$image_prefix/$attr\n  target_image=${repository}:${image_tag}\n  echo \"--- attr=$attr target=$target_image\"\n  podman manifest create \"$target_image\"\n  podman manifest add \"$target_image\" \"docker://$repository:${image_tag}-x86_64-linux\"\n  podman manifest add \"$target_image\" \"docker://$repository:${image_tag}-aarch64-linux\"\n  podman manifest push --all \"$target_image\" \"docker://$target_image\"\ndone\n\necho OK\n"
  },
  {
    "path": "images/attic/default.nix",
    "content": "{ docker-nixpkgs\n, attic-client\n}:\n(docker-nixpkgs.nix.override {\n  extraContents = [ attic-client ];\n}).overrideAttrs (prev: {\n  meta = (prev.meta or { }) // {\n    description = \"Nix and Attic client image\";\n  };\n})\n"
  },
  {
    "path": "images/bash/default.nix",
    "content": "{ buildCLIImage\n, bash\n}:\nbuildCLIImage {\n  drv = bash;\n}\n"
  },
  {
    "path": "images/busybox/default.nix",
    "content": "{ buildCLIImage\n, busybox\n}:\nbuildCLIImage {\n  drv = busybox;\n}\n"
  },
  {
    "path": "images/cachix/default.nix",
    "content": "{ docker-nixpkgs\n, cachix\n}:\n(docker-nixpkgs.nix.override {\n  extraContents = [ cachix ];\n}).overrideAttrs (prev: {\n  meta = (prev.meta or { }) // {\n    description = \"Nix and Cachix image\";\n  };\n})\n"
  },
  {
    "path": "images/cachix-flakes/default.nix",
    "content": "{ docker-nixpkgs\n, cachix\n}:\n(docker-nixpkgs.nix-flakes.override {\n  extraContents = [ cachix ];\n}).overrideAttrs (prev: {\n  meta = (prev.meta or { }) // {\n    description = \"Nix and Cachix image\";\n  };\n})\n"
  },
  {
    "path": "images/caddy/default.nix",
    "content": "{ buildCLIImage\n, caddy\n}:\nbuildCLIImage {\n  drv = caddy;\n}\n"
  },
  {
    "path": "images/curl/default.nix",
    "content": "{ buildCLIImage\n, curl\n}:\nbuildCLIImage {\n  drv = curl;\n}\n"
  },
  {
    "path": "images/devcontainer/README.md",
    "content": "# Nix VSCode DevContainer\n\nWIP\n\nRelated to https://github.com/zimbatm/vscode-devcontainer-nix\n\n"
  },
  {
    "path": "images/devcontainer/default.nix",
    "content": "# A fat and modifiable Nix image\n{ dockerTools\n, bashInteractive\n, cacert\n, closureInfo\n, coreutils\n, curl\n, direnv\n, gcc-unwrapped\n, gitReallyMinimal\n, glibc\n, gnugrep\n, gnused\n, gnutar\n, gzip\n, iana-etc\n, iproute2\n, less\n, lib\n, nix\n, openssh\n, procps\n, shadow\n, xz\n, mkUserEnvironment\n}:\nlet\n  channel = builtins.getEnv (\"NIXPKGS_CHANNEL\");\n\n  # generate a user profile for the image\n  profile = mkUserEnvironment {\n    derivations = [\n      # core utils\n      coreutils\n      procps\n      gnugrep\n      gnused\n      less\n\n      # add /bin/sh\n      bashInteractive\n      nix\n\n      # runtime dependencies of nix\n      # HACK: don't include the \"hashed\" output. It has overlapping files with\n      #       the \"unbundled\" output, and that breaks the build.\n      (cacert // {\n        outputs = builtins.filter (x: x != \"hashed\") cacert.outputs;\n      })\n      gitReallyMinimal\n      gnutar\n      gzip\n      xz\n\n      # for haskell binaries\n      iana-etc\n\n      # for user management\n      shadow\n\n      # for the vscode extension\n\n      # HACK: don't include the \"libgcc\" output. 
It has overlapping files with\n      #       the \"lib\" output, and that breaks the build.\n      (gcc-unwrapped // {\n        outputs = builtins.filter (x: x != \"libgcc\") gcc-unwrapped.outputs;\n      })\n      iproute2\n    ];\n  };\n\n  image = dockerTools.buildImage {\n    name = \"devcontainer\";\n\n    contents = [ ];\n\n    extraCommands = ''\n      # create the Nix DB\n      export NIX_REMOTE=local?root=$PWD\n      export USER=nobody\n      ${nix}/bin/nix-store --load-db < ${closureInfo { rootPaths = [ profile ]; }}/registration\n\n      # set the user profile\n      ${profile}/bin/nix-env --profile nix/var/nix/profiles/default --set ${profile}\n\n      # minimal\n      mkdir -p bin usr/bin\n      ln -s /nix/var/nix/profiles/default/bin/sh bin/sh\n      ln -s /nix/var/nix/profiles/default/bin/env usr/bin/env\n\n      # might as well...\n      ln -s /nix/var/nix/profiles/default/bin/bash bin/bash\n\n      # setup shadow, bashrc\n      mkdir home\n      cp -r ${./root/etc} etc\n      chmod +w etc etc/group etc/passwd etc/shadow\n\n      # setup iana-etc for haskell binaries\n      ln -s /nix/var/nix/profiles/default/etc/protocols etc/protocols\n      ln -s /nix/var/nix/profiles/default/etc/services etc/services\n\n      # make sure /tmp exists\n      mkdir -m 0777 tmp\n\n      # allow ubuntu ELF binaries to run. 
VSCode copies its own.\n      mkdir -p lib64\n      ln -s ${glibc}/lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2\n\n      # VSCode assumes that /sbin/ip exists\n      mkdir sbin\n      ln -s /nix/var/nix/profiles/default/bin/ip sbin/ip\n    '';\n\n    config = {\n      Cmd = [ \"/nix/var/nix/profiles/default/bin/bash\" ];\n      Env = [\n        \"ENV=/nix/var/nix/profiles/default/etc/profile.d/nix.sh\"\n        \"GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt\"\n        \"LD_LIBRARY_PATH=/nix/var/nix/profiles/default/lib\"\n        \"PAGER=less\"\n        \"PATH=/nix/var/nix/profiles/default/bin\"\n        \"SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt\"\n        (\n          if channel != \"\" then\n            \"NIX_PATH=nixpkgs=channel:${channel}\"\n          else\n            \"NIX_PATH=nixpkgs=${../nix/fake_nixpkgs}\"\n        )\n      ];\n      Labels = {\n        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33\n        \"org.label-schema.vcs-ref\" = \"main\";\n        \"org.label-schema.vcs-url\" = \"https://github.com/nix-community/docker-nixpkgs\";\n      };\n    };\n  };\nin\nimage // {\n  meta = image.meta // {\n    description = \"Nix devcontainer for VSCode\";\n  };\n}\n"
  },
  {
    "path": "images/devcontainer/root/etc/bashrc",
    "content": "# interactive session\nif [[ $- == *i* ]]; then\n\nPS1='\\[\\033[0;32;40m\\][nix]$\\[\\033[0m\\] '\n\nfi\n"
  },
  {
    "path": "images/devcontainer/root/etc/group",
    "content": "root:x:0:\nwheel:x:1:\ntty:x:3:\nusers:x:100:\nnixbld:x:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld30\nnogroup:x:65534:\n"
  },
  {
    "path": "images/devcontainer/root/etc/nsswitch.conf",
    "content": "passwd:    files mymachines systemd\ngroup:     files mymachines systemd\nshadow:    files\n\nhosts:     files mymachines dns myhostname\nnetworks:  files\n\nethers:    files\nservices:  files\nprotocols: files\nrpc:       files\n"
  },
  {
    "path": "images/devcontainer/root/etc/pam.d/other",
    "content": "account sufficient pam_unix.so\nauth sufficient pam_rootok.so\npassword requisite pam_unix.so nullok sha512\nsession required pam_unix.so\n"
  },
  {
    "path": "images/devcontainer/root/etc/passwd",
    "content": "root:x:0:0:root:/root:/nix/var/nix/profiles/default/bin/bash\nnixbld1:x:30001:30000:Nix build user 1:/var/empty:/sbin/nologin\nnixbld2:x:30002:30000:Nix build user 2:/var/empty:/sbin/nologin\nnixbld3:x:30003:30000:Nix build user 3:/var/empty:/sbin/nologin\nnixbld4:x:30004:30000:Nix build user 4:/var/empty:/sbin/nologin\nnixbld5:x:30005:30000:Nix build user 5:/var/empty:/sbin/nologin\nnixbld6:x:30006:30000:Nix build user 6:/var/empty:/sbin/nologin\nnixbld7:x:30007:30000:Nix build user 7:/var/empty:/sbin/nologin\nnixbld8:x:30008:30000:Nix build user 8:/var/empty:/sbin/nologin\nnixbld9:x:30009:30000:Nix build user 9:/var/empty:/sbin/nologin\nnixbld10:x:30010:30000:Nix build user 10:/var/empty:/sbin/nologin\nnixbld11:x:30011:30000:Nix build user 11:/var/empty:/sbin/nologin\nnixbld12:x:30012:30000:Nix build user 12:/var/empty:/sbin/nologin\nnixbld13:x:30013:30000:Nix build user 13:/var/empty:/sbin/nologin\nnixbld14:x:30014:30000:Nix build user 14:/var/empty:/sbin/nologin\nnixbld15:x:30015:30000:Nix build user 15:/var/empty:/sbin/nologin\nnixbld16:x:30016:30000:Nix build user 16:/var/empty:/sbin/nologin\nnixbld17:x:30017:30000:Nix build user 17:/var/empty:/sbin/nologin\nnixbld18:x:30018:30000:Nix build user 18:/var/empty:/sbin/nologin\nnixbld19:x:30019:30000:Nix build user 19:/var/empty:/sbin/nologin\nnixbld20:x:30020:30000:Nix build user 20:/var/empty:/sbin/nologin\nnixbld21:x:30021:30000:Nix build user 21:/var/empty:/sbin/nologin\nnixbld22:x:30022:30000:Nix build user 22:/var/empty:/sbin/nologin\nnixbld23:x:30023:30000:Nix build user 23:/var/empty:/sbin/nologin\nnixbld24:x:30024:30000:Nix build user 24:/var/empty:/sbin/nologin\nnixbld25:x:30025:30000:Nix build user 25:/var/empty:/sbin/nologin\nnixbld26:x:30026:30000:Nix build user 26:/var/empty:/sbin/nologin\nnixbld27:x:30027:30000:Nix build user 27:/var/empty:/sbin/nologin\nnixbld28:x:30028:30000:Nix build user 28:/var/empty:/sbin/nologin\nnixbld29:x:30029:30000:Nix build user 
29:/var/empty:/sbin/nologin\nnixbld30:x:30030:30000:Nix build user 30:/var/empty:/sbin/nologin\nnobody:x:65534:65534:nobody:/:/sbin/nologin\n"
  },
  {
    "path": "images/devcontainer/root/etc/shadow",
    "content": "root:!::0:::::\nnixbld1:!:18237:0:99999:7:::\nnixbld2:!:18237:0:99999:7:::\nnixbld3:!:18237:0:99999:7:::\nnixbld4:!:18237:0:99999:7:::\nnixbld5:!:18237:0:99999:7:::\nnixbld6:!:18237:0:99999:7:::\nnixbld7:!:18237:0:99999:7:::\nnixbld8:!:18237:0:99999:7:::\nnixbld9:!:18237:0:99999:7:::\nnixbld10:!:18237:0:99999:7:::\nnixbld11:!:18237:0:99999:7:::\nnixbld12:!:18237:0:99999:7:::\nnixbld13:!:18237:0:99999:7:::\nnixbld14:!:18237:0:99999:7:::\nnixbld15:!:18237:0:99999:7:::\nnixbld16:!:18237:0:99999:7:::\nnixbld17:!:18237:0:99999:7:::\nnixbld18:!:18237:0:99999:7:::\nnixbld19:!:18237:0:99999:7:::\nnixbld20:!:18237:0:99999:7:::\nnixbld21:!:18237:0:99999:7:::\nnixbld22:!:18237:0:99999:7:::\nnixbld23:!:18237:0:99999:7:::\nnixbld24:!:18237:0:99999:7:::\nnixbld25:!:18237:0:99999:7:::\nnixbld26:!:18237:0:99999:7:::\nnixbld27:!:18237:0:99999:7:::\nnixbld28:!:18237:0:99999:7:::\nnixbld29:!:18237:0:99999:7:::\nnixbld30:!:18237:0:99999:7:::\nnobody:!::0:::::\n"
  },
  {
    "path": "images/devenv/default.nix",
    "content": "{ docker-nixpkgs\n, devenv ? null\n}:\n(docker-nixpkgs.nix.override {\n  # only available since 24.05\n  extraContents = [ devenv ];\n}).overrideAttrs (prev: {\n  meta = (prev.meta or { }) // {\n    description = \"Nix and devenv image\";\n  };\n})\n"
  },
  {
    "path": "images/docker-compose/default.nix",
    "content": "{ buildCLIImage\n, docker-compose ? null\n, python3Packages\n}:\nbuildCLIImage {\n  drv =\n    if docker-compose == null\n    then python3Packages.docker_compose\n    else docker-compose # nixos 19.03+\n  ;\n}\n"
  },
  {
    "path": "images/hugo/default.nix",
    "content": "{ buildCLIImage\n, hugo\n, gitReallyMinimal\n}:\nbuildCLIImage {\n  drv = hugo;\n  extraContents = [ gitReallyMinimal ];\n}\n"
  },
  {
    "path": "images/kubectl/default.nix",
    "content": "{ buildCLIImage\n, kubectl\n}:\nbuildCLIImage {\n  drv = kubectl;\n}\n"
  },
  {
    "path": "images/kubernetes-helm/default.nix",
    "content": "{ buildCLIImage\n, kubernetes-helm\n}:\nbuildCLIImage {\n  drv = kubernetes-helm;\n  binName = \"helm\";\n}\n"
  },
  {
    "path": "images/maddy/default.nix",
    "content": "{ buildCLIImage\n, maddy\n}:\nbuildCLIImage {\n  drv = maddy;\n}\n"
  },
  {
    "path": "images/nginx/default.nix",
    "content": "{ buildCLIImage\n, nginx\n}:\nbuildCLIImage {\n  drv = nginx;\n}\n"
  },
  {
    "path": "images/nix/default.nix",
    "content": "{ dockerTools\n, bashInteractive\n, cacert\n, coreutils\n, curl\n, gitReallyMinimal\n, gnutar\n, gzip\n, iana-etc\n, nix\n, openssh\n, xz\n, extraContents ? [ ]\n, extraEnv ? [ ]\n}:\nlet\n  image = dockerTools.buildImageWithNixDb {\n    inherit (nix) name;\n\n    contents = [\n      ./root\n      coreutils\n      # add /bin/sh\n      bashInteractive\n      nix\n\n      # runtime dependencies of nix\n      cacert\n      gitReallyMinimal\n      gnutar\n      gzip\n      openssh\n      xz\n\n      # for haskell binaries\n      iana-etc\n    ] ++ extraContents;\n\n    extraCommands = ''\n      # for /usr/bin/env\n      mkdir usr\n      ln -s ../bin usr/bin\n\n      # make sure /tmp exists\n      mkdir -m 1777 tmp\n\n      # need a HOME\n      mkdir -vp root\n    '';\n\n    config = {\n      Cmd = [ \"/bin/bash\" ];\n      Env = [\n        \"ENV=/etc/profile.d/nix.sh\"\n        \"BASH_ENV=/etc/profile.d/nix.sh\"\n        \"NIX_BUILD_SHELL=/bin/bash\"\n        \"NIX_PATH=nixpkgs=${./fake_nixpkgs}\"\n        \"PAGER=cat\"\n        \"PATH=/usr/bin:/bin\"\n        \"SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt\"\n        \"USER=root\"\n      ] ++ extraEnv;\n    };\n  };\nin\nimage // { meta = nix.meta // image.meta; }\n"
  },
  {
    "path": "images/nix/fake_nixpkgs/default.nix",
    "content": "_:\nthrow ''\n  This container doesn't include nixpkgs.\n\n  The best way to work around that is to pin your dependencies. See\n    https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html\n\n  Or if you must, override the NIX_PATH environment variable with eg:\n    \"NIX_PATH=nixpkgs=channel:nixos-unstable\"\n''\n"
  },
  {
    "path": "images/nix/root/etc/group",
    "content": "root:x:0:\nwheel:x:1:\nkmem:x:2:\ntty:x:3:\nmessagebus:x:4:\ndisk:x:6:\naudio:x:17:\nfloppy:x:18:\nuucp:x:19:\nlp:x:20:\ncdrom:x:24:\ntape:x:25:\nvideo:x:26:\ndialout:x:27:\nutmp:x:29:\nadm:x:55:\nkeys:x:96:\nusers:x:100:\ninput:x:174:\nnixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9\nnogroup:x:65534:\n"
  },
  {
    "path": "images/nix/root/etc/nsswitch.conf",
    "content": "passwd:    files mymachines systemd\ngroup:     files mymachines systemd\nshadow:    files\n\nhosts:     files mymachines dns myhostname\nnetworks:  files\n\nethers:    files\nservices:  files\nprotocols: files\nrpc:       files\n"
  },
  {
    "path": "images/nix/root/etc/passwd",
    "content": "root:x:0:0:System administrator:/root:/bin/bash\nnixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin\nnixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin\nnixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin\nnixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin\nnixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin\nnixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin\nnixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin\nnixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin\nnixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin\nnixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin\nnixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin\nnixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin\nnixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin\nnixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin\nnixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin\nnixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin\nnixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin\nnixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin\nnixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin\nnixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin\nnixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin\nnixbld22:x:30022:30000:Nix build user 
22:/var/empty:/run/current-system/sw/bin/nologin\nnixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin\nnixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin\nnixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin\nnixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin\nnixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin\nnixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin\nnixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin\nnixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin\nnixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin\nnixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin\nnobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin\n"
  },
  {
    "path": "images/nix-flakes/default.nix",
    "content": "{ docker-nixpkgs\n, nixVersions\n, writeTextFile\n, extraContents ? [ ]\n}:\ndocker-nixpkgs.nix.override {\n  nix = nixVersions.stable;\n  extraContents = [\n    (writeTextFile {\n      name = \"nix.conf\";\n      destination = \"/etc/nix/nix.conf\";\n      text = ''\n        accept-flake-config = true\n        experimental-features = nix-command flakes\n        max-jobs = auto\n      '';\n    })\n  ] ++ extraContents;\n\n  extraEnv = [\n    \"PATH=/root/.nix-profile/bin:/usr/bin:/bin\" # Not sure how to just prepend\n  ];\n}\n"
  },
  {
    "path": "images/nix-unstable/default.nix",
    "content": "{ docker-nixpkgs\n, pkgs\n}:\ndocker-nixpkgs.nix.override {\n  nix = pkgs.nixVersions.latest;\n}\n"
  },
  {
    "path": "images/nix-unstable-static/README.md",
    "content": "# nix-unstable-static\n\nThis is a special variant of the nix image that contains no `/nix/store`.\nInstead, nix and all the supporting binaries are statically built and copied\ninto /bin.\n\nThe main use-case is to be able to run nix in the container, but share the\n`/nix/store` with the host.\n\n## Using the container with the host store\n\nThis folder ships with a complementary script that you can use to run the\nimage as the current user and the host /nix/store.\n\nUsage: `docker-nix-user.sh [<command> ...<args>]`\n\n"
  },
  {
    "path": "images/nix-unstable-static/default.nix",
    "content": "{ dockerTools\n, lib\n, fetchurl\n, findutils\n, pkgsStatic\n, python3\n, removeReferencesTo\n, runCommand\n}:\nlet\n  inherit (pkgsStatic)\n    bashInteractive\n    busybox\n    cacert\n    openssl\n    ;\n\n  bash = bashInteractive;\n\n  # Get nix from Hydra because the nixpkgs one is not fully static\n  nixStaticBin = fetchurl {\n    url = \"https://hydra.nixos.org/build/305222051/download/1/nix\";\n    hash = \"sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=\";\n  };\n\n  nixSymlinks = [\n    \"nix-build\"\n    \"nix-channel\"\n    \"nix-collect-garbage\"\n    \"nix-copy-closure\"\n    \"nix-daemon\"\n    \"nix-env\"\n    \"nix-hash\"\n    \"nix-instantiate\"\n    \"nix-prefetch-url\"\n    \"nix-shell\"\n    \"nix-store\"\n  ];\n\n  dirs = [\n    \"bin\"\n    \"etc/ssl/certs\"\n    \"root\"\n    \"tmp\"\n    \"usr\"\n  ];\n\n  extraCommands = ''\n    rm_ref() {\n      ${removeReferencesTo}/bin/remove-references-to \"$@\"\n    }\n\n    # Create a FHS-like file structure\n    cp -r ${../nix/root}/* .\n    chmod +w etc\n    mkdir -p ${toString dirs}\n\n    # For /usr/bin/env\n    ln -s ../bin usr/bin\n\n    # Make sure /tmp has the right permissions\n    chmod 1777 tmp\n\n    # Add user home folder\n    mkdir home\n\n    # Add SSL CA certs\n    cp -a \"${cacert}/etc/ssl/certs/ca-bundle.crt\" etc/ssl/certs/ca-bundle.crt\n\n    # Install base binaries\n    cp -a ${busybox}/bin/* bin/\n    rm_ref -t ${busybox} bin/busybox\n\n    # Install shell\n    cp -a ${bash}/bin/bash bin/\n    rm_ref -t ${bash} bin/bash\n\n    # Install nix\n    cp -a ${nixStaticBin} bin/nix\n    chmod +x bin/nix\n    for sym in ${toString nixSymlinks}; do\n      ln -sv /bin/nix bin/$sym\n    done\n    mkdir -p libexec/nix\n    ln -s /bin/nix libexec/nix/build-remote\n\n    # Enable flakes and parallel building\n    mkdir -p etc/nix\n    cat <<NIX_CONFIG > etc/nix/nix.conf\n    accept-flake-config = true\n    experimental-features = nix-command flakes\n    max-jobs = auto\n   
 NIX_CONFIG\n\n    # Add run-as-user script\n    cp -a ${./run_as_user.sh} run_as_user.sh\n  '';\n\n  # To debug\n  unpacked = runCommand\n    \"unpacked\"\n    { buildInputs = [ python3 ]; }\n    ''\n      mkdir layer\n      pushd layer\n      ${extraCommands}\n      popd\n      mv layer $out\n    '';\n\n  image = dockerTools.buildImage {\n    name = \"nix-static\";\n\n    inherit extraCommands;\n\n    config = {\n      Cmd = [ \"/bin/bash\" ];\n      Env = [\n        \"NIX_BUILD_SHELL=/bin/bash\"\n        \"PAGER=cat\"\n        \"PATH=/bin\"\n        \"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt\"\n      ];\n    };\n  };\nin\nimage // {\n  passthru = image.passthru // { inherit unpacked; };\n  meta = image.meta // {\n    description = \"Nix but statically built\";\n  };\n}\n"
  },
  {
    "path": "images/nix-unstable-static/docker-nix-user.sh",
    "content": "#!/usr/bin/env bash\n#\n# Run nixpkgs/nix-unstable-static as the current user and the host /nix/store.\n#\n# Usage: docker-nix-user.sh [<command> ...<args>]\n#\nset -euo pipefail\n\nimage=nixpkgs/nix-unstable-static\n\noptions=(\n  -ti\n  # Remove the container on exit\n  --rm\n  -e NIX_PATH=\"nixpkgs=channel:nixos-22.05\"\n  # Used by /run_as_user.sh\n  -e user_id=\"$(id -u)\"\n  -e user_name=\"$(id -nu)\"\n  -e group_id=\"$(id -g)\"\n  -e group_name=\"$(id -ng)\"\n  # Use the host store\n  -v /nix:/nix\n  # Mount the code into the container\n  -v \"$PWD:/workspace\"\n  -w /workspace\n  --entrypoint /run_as_user.sh\n)\nexec docker run \"${options[@]}\" \"$image\" \"$@\"\n"
  },
  {
    "path": "images/nix-unstable-static/run_as_user.sh",
    "content": "#!/bin/sh -eu\n#\n# This script can be used as an entrypoint. It's used to synchronize and run\n# the container with the same user and group as the host user.\n#\n# Usage:\n#   user_id=$(id -u) user_name=$(id -un) \\\n#   group_id=$(id -g) group_name=$(id -gn) \\\n#   ./run_as_user.sh [<command> ...<args>]\n#\n# shellcheck disable=SC2154\n\n# Install the host user and group into the container\ndelgroup \"${group_name}\" 2>/dev/null || true\ndeluser \"${user_name}\" 2>/dev/null || true\n\naddgroup -g \"${group_id}\" \"${group_name}\"\nadduser -D -G \"${group_name}\" -u \"${user_id}\" \"${user_name}\"\n\n# Don't propagate those env vars\nuser=${user_name}\nunset user_id user_name group_id group_name\n\n# Change into the user\nif [ $# = 0 ]; then\n  exec su \"${user}\"\nelse\n  exec su \"${user}\" -c /bin/sh /bin/sh -c \"exec \\\"\\$@\\\"\" \"$@\"\nfi\n"
  },
  {
    "path": "images/pocket-id/default.nix",
    "content": "{ buildCLIImage\n, pocket-id\n}:\nbuildCLIImage {\n  drv = pocket-id;\n}\n"
  },
  {
    "path": "images/yarr/default.nix",
    "content": "{ buildCLIImage\n, yarr\n}:\nbuildCLIImage {\n  drv = yarr;\n}\n"
  },
  {
    "path": "lib/buildCLIImage.nix",
    "content": "{ dockerTools\n, busybox\n, cacert\n}:\n{ drv # derivation to build the image for\n  # Name of the binary to run by default\n, binName ? (builtins.parseDrvName drv.name).name\n, extraContents ? [ ]\n, meta ? drv.meta\n}:\nlet\n  image = dockerTools.buildLayeredImage {\n    name = drv.name;\n\n    contents = [\n      # add a /bin/sh on all images\n      busybox\n      # most program need TLS certs\n      cacert\n      drv\n    ] ++ extraContents;\n\n    config = {\n      Cmd = [ \"/bin/${binName}\" ];\n      Env = [\n        \"PATH=/bin\"\n        \"SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt\"\n      ];\n      Labels = {\n        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33\n        \"org.label-schema.vcs-ref\" = \"main\";\n        \"org.label-schema.vcs-url\" = \"https://github.com/nix-community/docker-nixpkgs\";\n      };\n    };\n  };\nin\nimage // { meta = meta // image.meta; }\n"
  },
  {
    "path": "lib/importDir.nix",
    "content": "{ lib }:\n\nimportFn: baseDir:\nlet\n  dirEntries =\n    builtins.attrNames\n      (\n        lib.filterAttrs\n          (k: v: v == \"directory\")\n          (builtins.readDir baseDir)\n      );\n\n  absDirs =\n    builtins.map\n      (dir: \"${toString baseDir}/${dir}\")\n      dirEntries;\n\n  imports =\n    builtins.map\n      (dir: { name = builtins.baseNameOf dir; value = importFn dir; })\n      absDirs;\nin\nbuiltins.listToAttrs imports\n"
  },
  {
    "path": "lib/mkUserEnvironment.nix",
    "content": "{ writeText, lib }:\n# Build a user environment purely with nix.\n#\n# The original implementation is a mix of C++ and nix code.\n#\n# See https://github.com/nixos/nix/blob/f4b94958543138671bc3641fc126589a5cffb24b/src/nix-env/user-env.cc\n#\n# TODO:\n# * also add the drvPath if the keepDerivations nix settings is set\n# * support \"disabled\" mode that breaks nix-env?\n# * remove the use of writeText. builtins.toFile forbits the use of references\n#   to derivations, which makes it impossible to create exactly the same\n#   manifest file as `nix-env`.\n#\n# Arguments:\n# * derivations: a list of derivations\n{\n  # A list of derivations to install\n  derivations\n}:\n# Supporting code\nwith builtins;\nlet\n  # Copied from https://github.com/nixos/nix/blob/e02481ded216ffb5b06b413e3695d4e11e62e02f/corepkgs/buildenv.nix\n  #\n  # This was available at <nix/buildenv.nix>, until it got removed in Nix.\n  buildenv = { derivations, manifest }:\n    derivation {\n      name = \"user-environment\";\n      system = \"builtin\";\n      builder = \"builtin:buildenv\";\n\n      inherit manifest;\n\n      # !!! 
grmbl, need structured data for passing this in a clean way.\n      derivations =\n        map\n          (d:\n            [\n              (d.meta.active or \"true\")\n              (d.meta.priority or 5)\n              (builtins.length d.outputs)\n            ] ++ map (output: builtins.getAttr output d) d.outputs)\n          derivations;\n\n      # Building user environments remotely just causes huge amounts of\n      # network traffic, so don't do that.\n      preferLocalBuild = true;\n\n      # Also don't bother substituting.\n      allowSubstitutes = false;\n    };\n\n  # back-compat\n  isPath = builtins.isPath or (x: builtins.typeOf x == \"path\");\n\n  # Escape Nix strings\n  stringEscape = str:\n    \"\\\"\" + (\n      replaceStrings\n        [ \"\\\\\" \"\\\"\" \"\\n\" \"\\r\" \"\\t\" ]\n        [ \"\\\\\\\\\" \"\\\\\\\"\" \"\\\\n\" \"\\\\r\" \"\\\\t\" ]\n        str\n    )\n    + \"\\\"\";\n\n  # Like builtins.toJSON but to output Nix code\n  toNix = value:\n    if isString value then stringEscape value\n    else if isInt value then toString value\n    else if isPath value then toString value\n    else if true == value then \"true\"\n    else if false == value then \"false\"\n    else if null == value then \"null\"\n    else if isAttrs value then\n      \"{ \" + concatStringsSep \" \" (lib.mapAttrsToList (k: v: \"${k} = ${toNix v};\") value) + \" }\"\n    else if isList value then\n      \"[ ${ concatStringsSep \" \" (map toNix value) } ]\"\n    else throw \"type ${typeOf value} not supported\";\n\n  # Generate a nix-env compatible manifest.nix file\n  genManifest = drv:\n    let\n      outputs =\n        drv.meta.outputsToInstall or\n          # install the first output\n          [ (head drv.outputs) ];\n\n      base = {\n        inherit (drv) meta name outPath system type;\n        out = { inherit (drv) outPath; };\n        inherit outputs;\n      };\n\n      toOut = name: {\n        outPath = drv.${name}.outPath;\n      };\n\n      outs = lib.genAttrs 
outputs toOut;\n    in\n    base // outs;\n\n  writeManifest = derivations:\n    writeText \"env-manifest.nix\" (\n      toNix (map genManifest derivations)\n    );\nin\nbuildenv {\n  inherit derivations;\n  manifest = writeManifest derivations;\n}\n"
  },
  {
    "path": "overlay.nix",
    "content": "_: pkgs:\nlet\n  importDir = import ./lib/importDir.nix {\n    inherit (pkgs) lib;\n  };\nin\n{\n  # builder stuff can be in the top-level\n  buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix { };\n\n  # docker images must be lower-cased\n  docker-nixpkgs = importDir (path: pkgs.callPackage path { }) ./images;\n\n  # used to build nix-env compatible user environments\n  mkUserEnvironment = pkgs.callPackage ./lib/mkUserEnvironment.nix { };\n\n  # gitMinimal still ships with perl and python\n  gitReallyMinimal = (\n    pkgs.git.override {\n      perlSupport = false;\n      pythonSupport = false;\n      withManual = false;\n      withpcre2 = false;\n    }\n  ).overrideAttrs (\n    _: {\n      # installCheck is broken when perl is disabled\n      doInstallCheck = false;\n    }\n  );\n\n}\n"
  },
  {
    "path": "pkgs.nix",
    "content": "system:\n# docker images run on Linux\nassert builtins.elem system [\"x86_64-linux\" \"aarch64-linux\"];\nimport <nixpkgs> {\n  config = { };\n  inherit system;\n  overlays = [\n    (import ./overlay.nix)\n  ];\n}\n"
  },
  {
    "path": "push-all",
    "content": "#!/usr/bin/env bash\n#\n# Usage: ./push-all <registry> <image-prefix> <image-tag>\nset -euo pipefail\n\nregistry=${1:-docker.io}\nimage_prefix=${2:-nixpkgs}\nimage_tag=${3:-latest}\nsystem_name=${NIX_SYSTEM_NAME:-x86_64-linux}\n\nreleases_json=$(nix-instantiate --strict --argstr system \"$system_name\" --eval --json)\n\necho \"=== Pushing images to $registry\"\n\nfor attr in $(echo \"$releases_json\" | jq -r \"keys[]\") ; do\n  file=$(echo \"$releases_json\" | jq -r \".\\\"$attr\\\"\")\n  src=docker-archive://$file\n  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}\n  echo \"--- attr=$attr src=$src dst=$dst\"\n  skopeo copy --insecure-policy \"$src\" \"$dst\"\ndone\n\necho OK\n"
  },
  {
    "path": "readme-image-matrix",
    "content": "#!/usr/bin/env bash\n#\n# Usage: ./dockerhub-image-matrix\nset -euo pipefail\n\nsystem_name=${NIX_SYSTEM_NAME:-x86_64-linux}\n\n## Main ##\n\nreleases_json=$(nix-instantiate --strict --argstr system \"$system_name\" --eval --json)\n\necho \"| Image / Tag | Pull |\"\necho \"| ---         | ---  |\"\n\nfor attr in $(echo \"$releases_json\" | jq -r \"keys[]\") ; do\n  name=nixpkgs/$attr\n  echo -n \"| [$name](https://hub.docker.com/r/$name)\"\n  echo -n \"| \\`docker pull docker.nix-community.org/$name\\` \"\n  echo \"|\"\ndone\n"
  },
  {
    "path": "shell.nix",
    "content": "let\n  nixpkgs = builtins.fetchTarball \"channel:nixos-23.11\";\n  pkgs = import nixpkgs { config = { }; overlays = [ ]; };\nin\nwith pkgs;\nmkShell {\n  buildInputs = [\n    dive\n    jq\n    skopeo\n    podman\n  ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;\n\n  shellHook = ''\n    # try to work aroud build issues\n    unset TMPDIR\n\n    export NIX_PATH=nixpkgs=${toString nixpkgs}\n  '';\n}\n"
  }
]