Repository: nix-community/docker-nixpkgs Branch: main Commit: 10b83cdcf12c Files: 55 Total size: 40.0 KB Directory structure: gitextract_p0b97sxe/ ├── .github/ │ ├── dependabot.yml │ └── workflows/ │ └── nix.yml ├── .gitignore ├── .gitlab-ci.yml ├── LICENSE ├── README.md ├── ci-manifests.sh ├── ci.sh ├── default.nix ├── docker-login ├── dockerhub-metadata ├── generate-manifests ├── images/ │ ├── attic/ │ │ └── default.nix │ ├── bash/ │ │ └── default.nix │ ├── busybox/ │ │ └── default.nix │ ├── cachix/ │ │ └── default.nix │ ├── cachix-flakes/ │ │ └── default.nix │ ├── caddy/ │ │ └── default.nix │ ├── curl/ │ │ └── default.nix │ ├── devcontainer/ │ │ ├── README.md │ │ ├── default.nix │ │ └── root/ │ │ └── etc/ │ │ ├── bashrc │ │ ├── group │ │ ├── nsswitch.conf │ │ ├── pam.d/ │ │ │ └── other │ │ ├── passwd │ │ └── shadow │ ├── devenv/ │ │ └── default.nix │ ├── docker-compose/ │ │ └── default.nix │ ├── hugo/ │ │ └── default.nix │ ├── kubectl/ │ │ └── default.nix │ ├── kubernetes-helm/ │ │ └── default.nix │ ├── maddy/ │ │ └── default.nix │ ├── nginx/ │ │ └── default.nix │ ├── nix/ │ │ ├── default.nix │ │ ├── fake_nixpkgs/ │ │ │ └── default.nix │ │ └── root/ │ │ └── etc/ │ │ ├── group │ │ ├── nsswitch.conf │ │ └── passwd │ ├── nix-flakes/ │ │ └── default.nix │ ├── nix-unstable/ │ │ └── default.nix │ ├── nix-unstable-static/ │ │ ├── README.md │ │ ├── default.nix │ │ ├── docker-nix-user.sh │ │ └── run_as_user.sh │ ├── pocket-id/ │ │ └── default.nix │ └── yarr/ │ └── default.nix ├── lib/ │ ├── buildCLIImage.nix │ ├── importDir.nix │ └── mkUserEnvironment.nix ├── overlay.nix ├── pkgs.nix ├── push-all ├── readme-image-matrix └── shell.nix ================================================ FILE CONTENTS ================================================ ================================================ FILE: .github/dependabot.yml ================================================ version: 2 updates: - package-ecosystem: "github-actions" directory: "/" schedule: interval: "weekly" 
================================================
FILE: .github/workflows/nix.yml
================================================
# CI pipeline: the "build" job builds every image for each (channel, system)
# pair and runs ci.sh against Docker Hub and GHCR; "push-manifest" then
# assembles the multi-arch manifests. The push itself is gated inside ci.sh
# (main branch only), so pull_request runs only exercise the build.
name: Nix

on:
  push:
    branches:
      - main
  pull_request:
  workflow_dispatch:
  schedule:
    # Run once per day
    - cron: '0 0 * * *'

jobs:
  build:
    strategy:
      # Keep building the other channels if one fails
      fail-fast: false
      matrix:
        channel:
          - nixos-unstable
          - nixos-25.05
          - nixos-25.11
        system:
          - aarch64-linux
          - x86_64-linux
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: read the checkout, write packages
    # (the ghcr.io push below authenticates with that token).
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          # presumably so the aarch64-linux matrix entry can be built under
          # emulation on the x86 runner, together with extra-platforms below
          platforms: arm64
      # NOTE(review): @main is a mutable ref, so the action code can change
      # between runs; pinning these third-party actions to a commit SHA keeps
      # the pipeline reproducible and limits supply-chain exposure (same for
      # the cache action below and in push-manifest).
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Push to Docker Hub
        run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nixpkgs'
          CI_REGISTRY: 'docker.io'
          # "user:password" pair consumed by ./docker-login (see ci.sh)
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
      # The target is ghcr.io (GitHub Container Registry), not GitHub Pages,
      # despite the step name.
      - name: Push to GitHub Pages
        run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
          CI_REGISTRY: 'ghcr.io'
          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'

  # Assembles one multi-arch manifest per image from the per-system tags the
  # build job pushed (see ci-manifests.sh and generate-manifests).
  # NOTE(review): no CI_REGISTRY is set here, so ci-manifests.sh falls back to
  # docker.io; the ghcr.io images pushed above get no manifest — confirm
  # whether that is intended.
  push-manifest:
    needs: [build]
    strategy:
      fail-fast: false
      matrix:
        # NOTE(review): nixos-25.11 is built above but gets no manifest here —
        # confirm whether that is intended.
        channel:
          - nixos-unstable
          - nixos-25.05
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix-shell --run ./ci-manifests.sh
        env:
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          # NOTE(review): this matrix defines no "system", so this expands to
          # an empty string; generate-manifests then uses its x86_64-linux
          # default for the evaluation.
          NIX_SYSTEM_NAME: '${{ matrix.system }}'

================================================
FILE: .gitignore
================================================
# Nix result
result-*

================================================
FILE: 
.gitlab-ci.yml ================================================ stages: - build build: stage: build image: nixpkgs/nix:nixos-25.05 script: nix-shell --run ./ci.sh parallel: matrix: - NIXPKGS_CHANNEL: nixos-unstable IMAGE_TAG: latest - NIXPKGS_CHANNEL: - nixos-25.05 - nixos-25.11 ================================================ FILE: LICENSE ================================================ MIT License Copyright (c) 2019 zimbatm and contributors Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. ================================================ FILE: README.md ================================================ # docker-nixpkgs: docker images from nixpkgs This project is a collection of docker images automatically produced with Nix and the latest nixpkgs package set. All the images are refreshed daily with the latest versions of nixpkgs. It's also a good demonstration on how to build and publish Docker images with Nix. Always keep your docker images fresh! ## Why use Nix to build docker images? 
Nix has a number of advantages over Dockerfile when producing docker images: * builds are more likely to be repeatable and binary reproducible * Nix will only rebuild the minimum set of changes with no manual intervention * Nix produces optimised layers with no manual intervention * nixpkgs provides automatic security updates ## Example usage Here is an example of using one of the docker images. Usage will change from image to image. ``` # run the curl image which has curl as an entry-point $ docker run -ti --rm nixpkgs/curl curl http://ifconfig.co 180.52.248.114 ``` ## Channels Each image is built with the following nixpkgs channels and map to the following image tag. The version of the packages included in each image depends on what version the nixpkgs channel describes. | Channel | Image Tag | Description | | --- | --- | --- | | nixos-25.05 | nixos-25.05 | only minor versions that include security updates | | nixos-25.11 | nixos-25.11 | only minor versions that include security updates | | nixos-unstable | latest | latest and greatest, major versions might change | ## List of images Here is the current list of images that are provided. Missing one? Send an [image request](#image-request). All images are automatically built and published to Docker Hub, and served on our custom domain, courtesy of [Scarf](https://scarf.sh). 
`> ./readme-image-matrix` | Image / Tag | Pull | | --- | --- | | [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` | | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` | | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` | | [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` | | [nixpkgs/cachix-flakes](https://hub.docker.com/r/nixpkgs/cachix-flakes)| `docker pull docker.nix-community.org/nixpkgs/cachix-flakes` | | [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` | | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` | | [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` | | [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` | | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` | | [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` | | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` | | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` | | [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` | | [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` | | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` | | 
[nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` | | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` | | [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` | | [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` | | [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` | ## Adding new images To add a new image to the project, create a new folder under `./images/` with a default.nix that returns the docker image. Then run `nix-build -A ` to test that it builds, and then use `docker load -i /nix/store/....tar.gz` to load and test the image. ## User Feedback ### Issues If you have any problems with or questions about this project, please contact us through a [GitHub issue](https://github.com/nix-community/docker-nixpkgs/issues/new) ### Image request [Submit a request](https://github.com/nix-community/docker-nixpkgs/issues/new) with an accompanying use-case for an image that you would like to see. ### Contributing You are invited to contribute new features, fixes or updates, large or small; we are always thrilled to receive pull requests, and do our best to process them as fast as we can. ## Related projects * The [docker-library](https://github.com/docker-library/official-images#readme) is an image set maintained by the Docker Inc. team and contain officially-supported images. * [Nixery](https://nixery.dev/) is a pretty cool service that builds docker images from nixpkgs attributes on the fly. ## License Copyright (c) 2021 @zimbatm and contributors. Licensed under the MIT. 
================================================
FILE: ci-manifests.sh
================================================
#!/usr/bin/env bash
#
# CI specific manifest script: after ci.sh has pushed the per-system images,
# log in to the registry and publish the multi-arch manifests for one channel.
#
# Environment (all optional):
#   NIXPKGS_CHANNEL   nixpkgs channel to evaluate, default nixos-unstable
#   CI_REGISTRY       registry host, default docker.io
#   CI_REGISTRY_AUTH  "user:password" for ./docker-login; no login when empty
#   CI_PROJECT_PATH   image namespace within the registry, default nixpkgs
#
set -euo pipefail

channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-docker.io}
registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nixpkgs}

# The unstable channel is published as "latest"; release channels use their
# own name as the tag (see the channel table in README.md).
if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
else
  image_tag=$channel
fi

# Point the Nix search path at the selected channel.
export NIX_PATH=channel:$channel

# Print a highlighted section header on stdout.
banner() {
  echo "========================================================"
  echo " $*"
  echo "========================================================"
}

# The helper scripts below are invoked relative to this file's directory.
cd "$(dirname "$0")"

# Publish only from main. On a detached HEAD (e.g. a pull_request checkout)
# rev-parse prints "HEAD", which also takes the skip branch.
if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
  banner "Skipping push on non-main branch"
  exit
fi

# Without a credential the manifests are still generated, relying on
# whatever login state the runner already has.
if [[ -n "${registry_auth}" ]]; then
  banner "docker login"
  ./docker-login "$registry_auth" "$registry"
fi

banner "generate manifests"
./generate-manifests "$registry" "$image_prefix" "$image_tag"

================================================
FILE: ci.sh
================================================
#!/usr/bin/env bash
#
# CI specific build script.
#
# Builds every image for one channel/system pair and, on the main branch
# only, pushes them to the registry (plus a Docker Hub description update).
#
# Environment (all optional):
#   NIXPKGS_CHANNEL   nixpkgs channel to build from, default nixos-unstable
#   CI_REGISTRY       registry host, default docker.io
#   CI_REGISTRY_AUTH  "user:password" for ./docker-login; when empty there is
#                     no login and no Docker Hub metadata update
#   CI_PROJECT_PATH   image namespace within the registry, default nixpkgs
#   NIX_SYSTEM_NAME   Nix system to build for, default x86_64-linux
#
set -euo pipefail

channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-docker.io}
registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nixpkgs}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

# The unstable channel is published as "latest"; release channels use their
# own name as the tag (see the channel table in README.md).
if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
else
  image_tag=$channel
fi

# Point the Nix search path at the selected channel.
export NIX_PATH=channel:$channel

# Print a highlighted section header on stdout.
banner() {
  echo "========================================================"
  echo " $*"
  echo "========================================================"
}

# The helper scripts below are invoked relative to this file's directory.
cd "$(dirname "$0")"

banner "Building images"

# Build all the docker images (./default.nix evaluates to the whole image set).
# --option sandbox true forces sandboxed builds regardless of the host's
# nix.conf; --no-out-link keeps result symlinks out of the checkout.
nix-build \
  --no-out-link \
  --option sandbox true \
  --argstr system "$system_name"

# Publish only from main. On a detached HEAD (e.g. a pull_request checkout)
# rev-parse prints "HEAD", which also takes the skip branch.
if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
  banner "Skipping push on non-main branch"
  exit
fi

if [[ -n "${registry_auth}" ]]; then
  banner "docker login"
  ./docker-login "$registry_auth" "$registry"
fi

banner "docker push"
./push-all "$registry" "$image_prefix" "$image_tag"

# The description update talks to the Docker Hub API, so it only applies to
# that registry (glob match: any registry name ending in docker.io). The same
# "user:password" credential is reused for the API call.
if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
  banner "docker metadata update"
  ./dockerhub-metadata "$registry_auth" "$image_prefix"
fi

================================================
FILE: default.nix
================================================
{ system ?
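builtins.currentSystem }:
# Entry point for `nix-build`: evaluates to the attribute set of all images.
# The images are Linux-only, so a darwin host system is mapped to the Linux
# system of the same architecture.
let
  # builtins.split interleaves the captured groups with the text between
  # matches, so for "<arch>-<os>" the os part is at index 2, not 1.
  _parts = builtins.split "-" system;
  arch = builtins.elemAt _parts 0;
  os = builtins.elemAt _parts 2;
  system' = if os == "darwin" then "${arch}-linux" else system;
  pkgs = import ./pkgs.nix system';
in
pkgs.docker-nixpkgs

================================================
FILE: docker-login
================================================
#!/usr/bin/env bash
#
# A simplified docker login approach that doesn't depend on the docker binary:
# the credential is written straight into ~/.docker/config.json, in the
# format the docker/skopeo/podman clients read.
#
# Usage: ./docker-login AUTH [registry]
#
#   AUTH      "user:password" (or "user:token") pair for the registry
#   registry  registry host, default docker.io
set -euo pipefail

if [[ $# -lt 1 || -z $1 ]]; then
  echo "Usage: $0 AUTH [registry]" >&2
  exit 1
fi

auth=$1
registry=${2:-docker.io}

# Encode some funky docker heuristic
if [[ $registry = *docker.io ]]; then
  # use the v2 registry so that skopeo can do noop layer copies
  registry=https://index.docker.io/v2/
fi

# The config file holds a reusable credential: create the directory and the
# file without group/other permissions, and tighten an existing file before
# writing the new credential into it.
umask 077
mkdir -p ~/.docker
if [[ -e ~/.docker/config.json ]]; then
  chmod 600 ~/.docker/config.json
fi

# -w0 disables base64's default line wrapping (76 columns in GNU coreutils);
# a wrapped value would put a newline inside the JSON string and break the
# config for long user:token pairs.
encoded=$(printf '%s' "$auth" | base64 -w0)

cat <<DOCKER_CONF > ~/.docker/config.json
{
  "auths": {
    "$registry": {
      "auth": "$encoded"
    }
  }
}
DOCKER_CONF

================================================
FILE: dockerhub-metadata
================================================
#!/usr/bin/env bash
#
# Update docker hub image descriptions. The API is not documented and might
# break in the future.
#
# Usage: ./dockerhub-metadata USER:PASSWORD [org]
#
#   USER:PASSWORD  Docker Hub credential, passed to curl --user
#   org            Docker Hub organisation / namespace, default nixpkgs
#
# Appears to assume the repository root as working directory: the Nix
# evaluation below has no file argument, and README paths are relative.
set -euo pipefail

user=$1
org=${2:-nixpkgs}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

# Evaluate (without building) the image set for $system_name as JSON; extra
# arguments (e.g. -A ATTR) are passed through to nix-instantiate.
nix_eval() {
  nix-instantiate --strict --eval --argstr system "$system_name" --json "$@"
}

releases_json=$(nix_eval)

# Build the PATCH payload with jq so both descriptions are JSON-escaped.
to_json() {
  local desc=$1 full_desc=$2
  jq -n \
    --arg desc "$desc" \
    --arg full_desc "$full_desc" \
    '.description=$desc | .full_description=$full_desc'
}

echo "=== Updating Docker Hub project descriptions"

# One PATCH per image attribute; the attribute names double as Docker Hub
# repository names.
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  echo "--- $attr"
  desc=$(nix_eval -A "$attr.meta.description" | jq -r .)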
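  # Per-image README if there is one, otherwise the project README.
  # NOTE(review): the per-image READMEs live under images/<attr>/ in the
  # repository layout, while the original check looked for "$attr/README.md"
  # relative to the repository root, where no such directory exists; the
  # images/ path is tried first and the old path kept as a fallback.
  full_desc=$(< "README.md")
  for readme in "images/$attr/README.md" "$attr/README.md"; do
    if [[ -f $readme ]]; then
      full_desc=$(< "$readme")
      break
    fi
  done
  data=$(to_json "$desc" "$full_desc")
  echo "data: $data"
  url=https://cloud.docker.com/v2/repositories/$org/$attr/
  # --fail-with-body: curl exits 0 on an HTTP 4xx/5xx by default, so without
  # it a rejected update would pass silently under set -e. Note that --user
  # places the credential on the curl command line, where it is visible in
  # the host's process table; a curl config file (-K) would avoid that.
  curl --fail-with-body -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
done

echo OK

================================================
FILE: generate-manifests
================================================
#!/usr/bin/env bash
#
# Create and push one multi-arch manifest list per image, pointing at the
# per-system tags that were pushed earlier (presumably by push-all).
#
# Usage: ./generate-manifests [registry] [image_prefix] [image_tag]
#
#   registry      registry host, default docker.io
#   image_prefix  repository namespace, default nixpkgs
#   image_tag     tag of the manifest, default latest; the per-system images
#                 are expected at ${image_tag}-x86_64-linux and
#                 ${image_tag}-aarch64-linux
#
# NIX_SYSTEM_NAME (default x86_64-linux) is only used to evaluate the image
# set and obtain the list of attribute names.
set -euo pipefail

registry=${1:-docker.io}
image_prefix=${2:-nixpkgs}
image_tag=${3:-latest}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

# Evaluate (without building) the image set; only the keys are used below.
releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)

echo "=== Generating manifests for $registry"

for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  repository=$registry/$image_prefix/$attr
  target_image=${repository}:${image_tag}
  echo "--- attr=$attr target=$target_image"
  # Assemble the list locally from the two per-system images, then push the
  # list together with its referenced images (--all).
  podman manifest create "$target_image"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
  podman manifest push --all "$target_image" "docker://$target_image"
done

echo OK

================================================
FILE: images/attic/default.nix
================================================
# The nix image plus the Attic client.
{ docker-nixpkgs
, attic-client
}:
(docker-nixpkgs.nix.override {
  extraContents = [ attic-client ];
}).overrideAttrs (prev: {
  # keep the inherited meta and only replace the description
  meta = (prev.meta or { }) // {
    description = "Nix and Attic client image";
  };
})

================================================
FILE: images/bash/default.nix
================================================
# Minimal image with bash as the entry point.
{ buildCLIImage
, bash
}:
buildCLIImage {
  drv = bash;
}

================================================
FILE: images/busybox/default.nix
================================================
# Minimal image with busybox as the entry point.
{ buildCLIImage
, busybox
}:
buildCLIImage {
  drv = busybox;
}

================================================
FILE: 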
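images/cachix/default.nix
================================================
# The nix image plus the Cachix client.
{ docker-nixpkgs
, cachix
}:
(docker-nixpkgs.nix.override {
  extraContents = [ cachix ];
}).overrideAttrs (prev: {
  # keep the inherited meta and only replace the description
  meta = (prev.meta or { }) // {
    description = "Nix and Cachix image";
  };
})

================================================
FILE: images/cachix-flakes/default.nix
================================================
# Same as cachix, but based on the flakes-enabled nix image.
{ docker-nixpkgs
, cachix
}:
(docker-nixpkgs.nix-flakes.override {
  extraContents = [ cachix ];
}).overrideAttrs (prev: {
  # keep the inherited meta and only replace the description
  meta = (prev.meta or { }) // {
    description = "Nix and Cachix image";
  };
})

================================================
FILE: images/caddy/default.nix
================================================
# Minimal image with caddy as the entry point.
{ buildCLIImage
, caddy
}:
buildCLIImage {
  drv = caddy;
}

================================================
FILE: images/curl/default.nix
================================================
# Minimal image with curl as the entry point.
{ buildCLIImage
, curl
}:
buildCLIImage {
  drv = curl;
}

================================================
FILE: images/devcontainer/README.md
================================================
# Nix VSCode DevContainer

WIP

Related to https://github.com/zimbatm/vscode-devcontainer-nix

================================================
FILE: images/devcontainer/default.nix
================================================
# A fat and modifiable Nix image
#
# Unlike the nix image, the tools are not copied into the image root but
# installed into a user profile (/nix/var/nix/profiles/default) that is
# registered in the image's Nix DB, so they can be changed with nix-env
# from inside the container. /etc is seeded from ./root/etc.
#
# NOTE(review): curl, direnv, lib and openssh are taken as arguments but not
# used below.
{ dockerTools
, bashInteractive
, cacert
, closureInfo
, coreutils
, curl
, direnv
, gcc-unwrapped
, gitReallyMinimal
, glibc
, gnugrep
, gnused
, gnutar
, gzip
, iana-etc
, iproute2
, less
, lib
, nix
, openssh
, procps
, shadow
, xz
, mkUserEnvironment
}:
let
  # Empty string when the variable is not set; selects NIX_PATH below.
  channel = builtins.getEnv ("NIXPKGS_CHANNEL");

  # generate a user profile for the image
  profile = mkUserEnvironment {
    derivations = [
      # core utils
      coreutils
      procps
      gnugrep
      gnused
      less
      # add /bin/sh
      bashInteractive
      nix
      # runtime dependencies of nix
      # HACK: don't include the "hashed" output. It has overlapping files with
      # the "unbundled" output, and that breaks the build.
      (cacert // { outputs = builtins.filter (x: x != "hashed") cacert.outputs; })
      gitReallyMinimal
      gnutar
      gzip
      xz
      # for haskell binaries
      iana-etc
      # for user management
      shadow
      # for the vscode extension
      # HACK: don't include the "libgcc" output. It has overlapping files with
      # the "lib" output, and that breaks the build.
      (gcc-unwrapped // { outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs; })
      iproute2
    ];
  };

  image = dockerTools.buildImage {
    name = "devcontainer";
    contents = [ ];
    # Runs in the build sandbox with $PWD as the future image root.
    # /tmp is created 1777 (sticky bit) like the nix image does, rather than
    # 0777, so users cannot remove each other's temporary files.
    # NOTE(review): the lib64 loader symlink below is x86-64 specific; on an
    # aarch64-linux build `ln -s` still succeeds but produces a dangling link
    # with the wrong name — confirm whether the devcontainer is expected to
    # work on aarch64.
    extraCommands = ''
      # create the Nix DB
      export NIX_REMOTE=local?root=$PWD
      export USER=nobody
      ${nix}/bin/nix-store --load-db < ${closureInfo { rootPaths = [ profile ]; }}/registration

      # set the user profile
      ${profile}/bin/nix-env --profile nix/var/nix/profiles/default --set ${profile}

      # minimal
      mkdir -p bin usr/bin
      ln -s /nix/var/nix/profiles/default/bin/sh bin/sh
      ln -s /nix/var/nix/profiles/default/bin/env usr/bin/env

      # might as well...
      ln -s /nix/var/nix/profiles/default/bin/bash bin/bash

      # setup shadow, bashrc
      mkdir home
      cp -r ${./root/etc} etc
      chmod +w etc etc/group etc/passwd etc/shadow

      # setup iana-etc for haskell binaries
      ln -s /nix/var/nix/profiles/default/etc/protocols etc/protocols
      ln -s /nix/var/nix/profiles/default/etc/services etc/services

      # make sure /tmp exists
      mkdir -m 1777 tmp

      # allow ubuntu ELF binaries to run. VSCode copies it's own.
      mkdir -p lib64
      ln -s ${glibc}/lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2

      # VSCode assumes that /sbin/ip exists
      mkdir sbin
      ln -s /nix/var/nix/profiles/default/bin/ip sbin/ip
    '';
    config = {
      Cmd = [ "/nix/var/nix/profiles/default/bin/bash" ];
      Env = [
        "ENV=/nix/var/nix/profiles/default/etc/profile.d/nix.sh"
        "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
        "LD_LIBRARY_PATH=/nix/var/nix/profiles/default/lib"
        "PAGER=less"
        "PATH=/nix/var/nix/profiles/default/bin"
        "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
        # With a channel set at build time <nixpkgs> resolves to it; otherwise
        # it points at a stub that throws with pinning instructions.
        (
          if channel != "" then
            "NIX_PATH=nixpkgs=channel:${channel}"
          else
            "NIX_PATH=nixpkgs=${../nix/fake_nixpkgs}"
        )
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
        "org.label-schema.vcs-ref" = "main";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
  };
in
image // {
  meta = image.meta // {
    description = "Nix devcontainer for VSCode";
  };
}

================================================
FILE: images/devcontainer/root/etc/bashrc
================================================
# interactive session
if [[ $- == *i* ]]; then
  PS1='\[\033[0;32;40m\][nix]$\[\033[0m\] '
fi

================================================
FILE: images/devcontainer/root/etc/group
================================================
root:x:0:
wheel:x:1:
tty:x:3:
users:x:100:
nixbld:x:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld30
nogroup:x:65534:

================================================
FILE: images/devcontainer/root/etc/nsswitch.conf
================================================
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname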
networks: files ethers: files services: files protocols: files rpc: files ================================================ FILE: images/devcontainer/root/etc/pam.d/other ================================================ account sufficient pam_unix.so auth sufficient pam_rootok.so password requisite pam_unix.so nullok sha512 session required pam_unix.so ================================================ FILE: images/devcontainer/root/etc/passwd ================================================ root:x:0:0:root:/root:/nix/var/nix/profiles/default/bin/bash nixbld1:x:30001:30000:Nix build user 1:/var/empty:/sbin/nologin nixbld2:x:30002:30000:Nix build user 2:/var/empty:/sbin/nologin nixbld3:x:30003:30000:Nix build user 3:/var/empty:/sbin/nologin nixbld4:x:30004:30000:Nix build user 4:/var/empty:/sbin/nologin nixbld5:x:30005:30000:Nix build user 5:/var/empty:/sbin/nologin nixbld6:x:30006:30000:Nix build user 6:/var/empty:/sbin/nologin nixbld7:x:30007:30000:Nix build user 7:/var/empty:/sbin/nologin nixbld8:x:30008:30000:Nix build user 8:/var/empty:/sbin/nologin nixbld9:x:30009:30000:Nix build user 9:/var/empty:/sbin/nologin nixbld10:x:30010:30000:Nix build user 10:/var/empty:/sbin/nologin nixbld11:x:30011:30000:Nix build user 11:/var/empty:/sbin/nologin nixbld12:x:30012:30000:Nix build user 12:/var/empty:/sbin/nologin nixbld13:x:30013:30000:Nix build user 13:/var/empty:/sbin/nologin nixbld14:x:30014:30000:Nix build user 14:/var/empty:/sbin/nologin nixbld15:x:30015:30000:Nix build user 15:/var/empty:/sbin/nologin nixbld16:x:30016:30000:Nix build user 16:/var/empty:/sbin/nologin nixbld17:x:30017:30000:Nix build user 17:/var/empty:/sbin/nologin nixbld18:x:30018:30000:Nix build user 18:/var/empty:/sbin/nologin nixbld19:x:30019:30000:Nix build user 19:/var/empty:/sbin/nologin nixbld20:x:30020:30000:Nix build user 20:/var/empty:/sbin/nologin nixbld21:x:30021:30000:Nix build user 21:/var/empty:/sbin/nologin nixbld22:x:30022:30000:Nix build user 22:/var/empty:/sbin/nologin 
nixbld23:x:30023:30000:Nix build user 23:/var/empty:/sbin/nologin nixbld24:x:30024:30000:Nix build user 24:/var/empty:/sbin/nologin nixbld25:x:30025:30000:Nix build user 25:/var/empty:/sbin/nologin nixbld26:x:30026:30000:Nix build user 26:/var/empty:/sbin/nologin nixbld27:x:30027:30000:Nix build user 27:/var/empty:/sbin/nologin nixbld28:x:30028:30000:Nix build user 28:/var/empty:/sbin/nologin nixbld29:x:30029:30000:Nix build user 29:/var/empty:/sbin/nologin nixbld30:x:30030:30000:Nix build user 30:/var/empty:/sbin/nologin nobody:x:65534:65534:nobody:/:/sbin/nologin ================================================ FILE: images/devcontainer/root/etc/shadow ================================================ root:!::0::::: nixbld1:!:18237:0:99999:7::: nixbld2:!:18237:0:99999:7::: nixbld3:!:18237:0:99999:7::: nixbld4:!:18237:0:99999:7::: nixbld5:!:18237:0:99999:7::: nixbld6:!:18237:0:99999:7::: nixbld7:!:18237:0:99999:7::: nixbld8:!:18237:0:99999:7::: nixbld9:!:18237:0:99999:7::: nixbld10:!:18237:0:99999:7::: nixbld11:!:18237:0:99999:7::: nixbld12:!:18237:0:99999:7::: nixbld13:!:18237:0:99999:7::: nixbld14:!:18237:0:99999:7::: nixbld15:!:18237:0:99999:7::: nixbld16:!:18237:0:99999:7::: nixbld17:!:18237:0:99999:7::: nixbld18:!:18237:0:99999:7::: nixbld19:!:18237:0:99999:7::: nixbld20:!:18237:0:99999:7::: nixbld21:!:18237:0:99999:7::: nixbld22:!:18237:0:99999:7::: nixbld23:!:18237:0:99999:7::: nixbld24:!:18237:0:99999:7::: nixbld25:!:18237:0:99999:7::: nixbld26:!:18237:0:99999:7::: nixbld27:!:18237:0:99999:7::: nixbld28:!:18237:0:99999:7::: nixbld29:!:18237:0:99999:7::: nixbld30:!:18237:0:99999:7::: nobody:!::0::::: ================================================ FILE: images/devenv/default.nix ================================================ { docker-nixpkgs , devenv ? 
null }:
# The nix image plus devenv. The argument defaults to null for nixpkgs
# revisions that do not carry the package.
(docker-nixpkgs.nix.override {
  # only available since 24.05
  extraContents = [ devenv ];
}).overrideAttrs (prev: {
  # keep the inherited meta and only replace the description
  meta = (prev.meta or { }) // {
    description = "Nix and devenv image";
  };
})

================================================
FILE: images/docker-compose/default.nix
================================================
# Minimal image with docker-compose as the entry point. Falls back to the
# python package when nixpkgs has no top-level docker-compose attribute.
{ buildCLIImage
, docker-compose ? null
, python3Packages
}:
buildCLIImage {
  drv =
    if docker-compose == null
    then python3Packages.docker_compose
    else docker-compose # nixos 19.03+
  ;
}

================================================
FILE: images/hugo/default.nix
================================================
# Minimal image with hugo as the entry point; git is added alongside it.
{ buildCLIImage
, hugo
, gitReallyMinimal
}:
buildCLIImage {
  drv = hugo;
  extraContents = [ gitReallyMinimal ];
}

================================================
FILE: images/kubectl/default.nix
================================================
# Minimal image with kubectl as the entry point.
{ buildCLIImage
, kubectl
}:
buildCLIImage {
  drv = kubectl;
}

================================================
FILE: images/kubernetes-helm/default.nix
================================================
# Minimal image with helm as the entry point; the binary name differs from
# the package name, hence binName.
{ buildCLIImage
, kubernetes-helm
}:
buildCLIImage {
  drv = kubernetes-helm;
  binName = "helm";
}

================================================
FILE: images/maddy/default.nix
================================================
# Minimal image with maddy as the entry point.
{ buildCLIImage
, maddy
}:
buildCLIImage {
  drv = maddy;
}

================================================
FILE: images/nginx/default.nix
================================================
# Minimal image with nginx as the entry point.
{ buildCLIImage
, nginx
}:
buildCLIImage {
  drv = nginx;
}

================================================
FILE: images/nix/default.nix
================================================
# The base nix image: nix plus the tools it needs at runtime, with the
# contents registered in the image's Nix DB so nix can operate on them.
# Everything runs as root (USER=root; ./root/etc supplies the root account
# and the nixbld build users). Other images extend it via the extraContents
# and extraEnv arguments.
{ dockerTools
, bashInteractive
, cacert
, coreutils
, curl
, gitReallyMinimal
, gnutar
, gzip
, iana-etc
, nix
, openssh
, xz
, extraContents ? [ ]
, extraEnv ?
[ ]
}:
let
  image = dockerTools.buildImageWithNixDb {
    inherit (nix) name;

    contents = [
      # /etc skeleton: passwd, group, nsswitch.conf
      ./root
      coreutils
      # add /bin/sh
      bashInteractive
      nix
      # runtime dependencies of nix
      cacert
      gitReallyMinimal
      gnutar
      gzip
      openssh
      xz
      # for haskell binaries
      iana-etc
    ] ++ extraContents;

    # Runs in the build sandbox with $PWD as the future image root.
    extraCommands = ''
      # for /usr/bin/env
      mkdir usr
      ln -s ../bin usr/bin
      # make sure /tmp exists
      mkdir -m 1777 tmp
      # need a HOME
      mkdir -vp root
    '';

    config = {
      Cmd = [ "/bin/bash" ];
      # extraEnv is appended after the defaults; the nix-flakes image relies
      # on a later PATH entry taking precedence over this one.
      Env = [
        "ENV=/etc/profile.d/nix.sh"
        "BASH_ENV=/etc/profile.d/nix.sh"
        "NIX_BUILD_SHELL=/bin/bash"
        # <nixpkgs> points at a stub that throws with pinning instructions
        "NIX_PATH=nixpkgs=${./fake_nixpkgs}"
        "PAGER=cat"
        "PATH=/usr/bin:/bin"
        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
        "USER=root"
      ] ++ extraEnv;
    };
  };
in
image // {
  # image-specific meta wins over the nix package's meta
  meta = nix.meta // image.meta;
}

================================================
FILE: images/nix/fake_nixpkgs/default.nix
================================================
# Stand-in for <nixpkgs>: any attempt to import it fails with this message.
_: throw ''
  This container doesn't include nixpkgs.
  The best way to work around that is to pin your dependencies.
  See https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html

  Or if you must, override the NIX_PATH environment variable with eg:
  "NIX_PATH=nixpkgs=channel:nixos-unstable"
''

================================================
FILE: images/nix/root/etc/group
================================================
root:x:0:
wheel:x:1:
kmem:x:2:
tty:x:3:
messagebus:x:4:
disk:x:6:
audio:x:17:
floppy:x:18:
uucp:x:19:
lp:x:20:
cdrom:x:24:
tape:x:25:
video:x:26:
dialout:x:27:
utmp:x:29:
adm:x:55:
keys:x:96:
users:x:100:
input:x:174:
nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9
nogroup:x:65534:

================================================
FILE: images/nix/root/etc/nsswitch.conf
================================================
passwd: files mymachines systemd group: files mymachines systemd shadow: files hosts: files mymachines dns myhostname networks: files ethers: files services: files protocols: files rpc: files ================================================ FILE: images/nix/root/etc/passwd ================================================ root:x:0:0:System administrator:/root:/bin/bash nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin nixbld19:x:30019:30000:Nix build user 
19:/var/empty:/run/current-system/sw/bin/nologin
nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin
nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin
nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin
nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin
nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin
nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin
nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin
nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin
nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin
nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin
nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin
nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin
nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin
nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin

================================================
FILE: images/nix-flakes/default.nix
================================================
{ docker-nixpkgs
, nixVersions
, writeTextFile
, extraContents ? [ ]
}:
let
  # Site-wide nix.conf baked into the image.
  #
  # Security note: `accept-flake-config = true` makes nix honour the
  # `nixConfig` block of any flake it evaluates without asking (for example
  # extra substituters and the public keys they are trusted with). That is
  # convenient in a throwaway container, but it means a flake you evaluate
  # can point your builds at a binary cache of its choosing. Drop the line,
  # or ship your own nix.conf via `extraContents`, if that is not acceptable.
  flakeConf = writeTextFile {
    name = "nix.conf";
    destination = "/etc/nix/nix.conf";
    text = ''
      accept-flake-config = true
      experimental-features = nix-command flakes
      max-jobs = auto
    '';
  };
in
docker-nixpkgs.nix.override {
  # Use the current stable nix release instead of the base image's default.
  nix = nixVersions.stable;
  # nix.conf first, then whatever the caller wants to add.
  extraContents = [ flakeConf ] ++ extraContents;
  extraEnv = [
    "PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
  ];
}

================================================
FILE: images/nix-unstable/default.nix
================================================
{ docker-nixpkgs
, pkgs
}:
# Same image as `nix`, built against the newest packaged nix release.
docker-nixpkgs.nix.override {
  nix = pkgs.nixVersions.latest;
}

================================================
FILE: images/nix-unstable-static/README.md
================================================
# nix-unstable-static

This is a special variant of the nix image that contains no `/nix/store`.
Instead, nix and all the supporting binaries are statically built and copied into /bin.

The main use-case is to be able to run nix in the container, but share the `/nix/store` with the host.

## Using the container with the host store

This folder ships with a complementary script that you can use to run the image as the current user and the host /nix/store.
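Usage: `docker-nix-user.sh [COMMAND [ARGS...]]`

Note that the host `/nix` is bind-mounted read-write into the container, so whatever you run inside can modify the host store.

================================================
FILE: images/nix-unstable-static/default.nix
================================================
{ dockerTools
, lib
, fetchurl
, findutils
, pkgsStatic
, python3
, removeReferencesTo
, runCommand
}:
let
  # Everything copied into the image comes from pkgsStatic so that the
  # binaries carry no /nix/store references (the image has no store).
  inherit (pkgsStatic)
    bashInteractive
    busybox
    cacert
    openssl
    ;

  bash = bashInteractive;

  # Get nix from Hydra because the nixpkgs one is not fully static.
  #
  # The hash pins the exact bytes, so a changed or tampered download fails the
  # build. It does not record which source revision produced the binary; the
  # Hydra build id in the URL is the only provenance, so bump URL and hash
  # together and only from a build you have inspected.
  nixStaticBin = fetchurl {
    url = "https://hydra.nixos.org/build/305222051/download/1/nix";
    hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
  };

  # Classic CLI names, all symlinked to the single `nix` binary below.
  nixSymlinks = [
    "nix-build"
    "nix-channel"
    "nix-collect-garbage"
    "nix-copy-closure"
    "nix-daemon"
    "nix-env"
    "nix-hash"
    "nix-instantiate"
    "nix-prefetch-url"
    "nix-shell"
    "nix-store"
  ];

  dirs = [
    "bin"
    "etc/ssl/certs"
    "root"
    "tmp"
    "usr"
  ];

  # Shell snippet that assembles the image root. It is also used by
  # `unpacked` below, so keep it self-contained (relative paths only).
  extraCommands = ''
    # Strip /nix/store references out of a binary; see remove-references-to(1).
    rm_ref() {
      ${removeReferencesTo}/bin/remove-references-to "$@"
    }

    # Create a FHS-like file structure
    cp -r ${../nix/root}/* .
    chmod +w etc
    mkdir -p ${toString dirs}

    # For /usr/bin/env
    ln -s ../bin usr/bin

    # Make sure /tmp has the right permissions
    chmod 1777 tmp

    # Add user home folder
    mkdir home

    # Add SSL CA certs
    cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt

    # Install base binaries
    cp -a ${busybox}/bin/* bin/
    rm_ref -t ${busybox} bin/busybox

    # Install shell
    cp -a ${bash}/bin/bash bin/
    rm_ref -t ${bash} bin/bash

    # Install nix
    cp -a ${nixStaticBin} bin/nix
    chmod +x bin/nix
    for sym in ${toString nixSymlinks}; do
      ln -sv /bin/nix bin/$sym
    done
    mkdir -p libexec/nix
    ln -s /bin/nix libexec/nix/build-remote

    # Enable flakes and parallel building.
    #
    # Security note: `accept-flake-config = true` lets any evaluated flake
    # push its own `nixConfig` (e.g. extra substituters and trusted keys)
    # into this nix without a prompt. Acceptable for a throwaway container,
    # not for one that shares the host store with code you do not trust.
    mkdir -p etc/nix
    cat <<NIX_CONFIG > etc/nix/nix.conf
    accept-flake-config = true
    experimental-features = nix-command flakes
    max-jobs = auto
    NIX_CONFIG

    # Add run-as-user script
    cp -a ${./run_as_user.sh} run_as_user.sh
  '';

  # To debug: the assembled root as a plain store path.
  unpacked = runCommand "unpacked" { buildInputs = [ python3 ]; } ''
    mkdir layer
    pushd layer
    ${extraCommands}
    popd
    mv layer $out
  '';

  image = dockerTools.buildImage {
    name = "nix-static";
    inherit extraCommands;
    config = {
      Cmd = [ "/bin/bash" ];
      Env = [
        "NIX_BUILD_SHELL=/bin/bash"
        "PAGER=cat"
        "PATH=/bin"
        # Points at the bundle copied into the image above.
        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
      ];
    };
  };
in
image // {
  passthru = image.passthru // {
    inherit unpacked;
  };
  meta = image.meta // {
    description = "Nix but statically built";
  };
}

================================================
FILE: images/nix-unstable-static/docker-nix-user.sh
================================================
#!/usr/bin/env bash
#
# Run nixpkgs/nix-unstable-static as the current user and the host /nix/store.
#
# Usage: [NIXPKGS_CHANNEL=<channel>] docker-nix-user.sh [COMMAND [ARGS...]]
#
# Security notes:
# * The host /nix is bind-mounted read-write, so anything executed in the
#   container can modify the host store. Only run code you trust this way.
# * The container starts as root and /run_as_user.sh creates the host
#   user inside it before dropping privileges.
#
set -euo pipefail

image=nixpkgs/nix-unstable-static

# Channel exposed as <nixpkgs> inside the container. The historical default,
# nixos-22.05, is long end-of-life and no longer receives security fixes;
# set NIXPKGS_CHANNEL (the same variable CI uses) to pick a maintained one,
# or better, pin nixpkgs in the project itself.
channel=${NIXPKGS_CHANNEL:-nixos-22.05}

options=(
  -ti
  # Remove the container on exit
  --rm
  -e NIX_PATH="nixpkgs=channel:${channel}"
  # Used by /run_as_user.sh
  -e user_id="$(id -u)"
  -e user_name="$(id -nu)"
  -e group_id="$(id -g)"
  -e group_name="$(id -ng)"
  # Use the host store (read-write, see the note above)
  -v /nix:/nix
  # Mount the code into the container
  -v "$PWD:/workspace"
  -w /workspace
  --entrypoint /run_as_user.sh
)

exec docker run "${options[@]}" "$image" "$@"

================================================
FILE: images/nix-unstable-static/run_as_user.sh
================================================
#!/bin/sh -eu
#
# This script can be used as an entrypoint. It's used to synchronize and run
# the container with the same user and group as the host user.
#
# Usage:
#   user_id=$(id -u) user_name=$(id -un) \
#   group_id=$(id -g) group_name=$(id -gn) \
#   ./run_as_user.sh [COMMAND [ARGS...]]
#
# With no COMMAND an interactive shell is started as the user; otherwise
# COMMAND is exec'ed as the user.
#
# shellcheck disable=SC2154

# `set -u` only catches unset variables; also refuse non-numeric ids rather
# than handing them to addgroup/adduser.
case ${user_id} in
  ''|*[!0-9]*)
    echo "run_as_user.sh: user_id must be a number, got '${user_id}'" >&2
    exit 1
    ;;
esac
case ${group_id} in
  ''|*[!0-9]*)
    echo "run_as_user.sh: group_id must be a number, got '${group_id}'" >&2
    exit 1
    ;;
esac

# Install the host user and group into the container. The image may already
# carry entries with the same names, so remove them first (best effort).
delgroup "${group_name}" 2>/dev/null || true
deluser "${user_name}" 2>/dev/null || true
addgroup -g "${group_id}" "${group_name}"
adduser -D -G "${group_name}" -u "${user_id}" "${user_name}"

# Don't propagate those env vars
user=${user_name}
unset user_id user_name group_id group_name

# Change into the user
if [ $# = 0 ]; then
  exec su "${user}"
else
  # su runs the target user's shell as `sh -c CMD ARG0 ARGS...`; the command
  # string itself must reference "$@" for the arguments to be used. ARG0 is
  # /bin/sh, everything after it is the command to exec.
  exec su "${user}" -c 'exec "$@"' /bin/sh "$@"
fi

================================================
FILE: images/pocket-id/default.nix
================================================
{ buildCLIImage
, pocket-id
}:
buildCLIImage {
  drv = pocket-id;
}

================================================
FILE: images/yarr/default.nix
================================================
{ buildCLIImage
, yarr
}:
buildCLIImage {
  drv = yarr;
}

================================================
FILE: lib/buildCLIImage.nix
================================================
{ dockerTools
, busybox
, cacert
}:
{ drv # derivation to build the image for
  # Name of the binary to run by default
, binName ? (builtins.parseDrvName drv.name).name
, extraContents ? [ ]
, meta ?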
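drv.meta
}:
let
  image = dockerTools.buildLayeredImage {
    name = drv.name;
    contents = [
      # add a /bin/sh on all images
      busybox
      # most program need TLS certs
      cacert
      drv
    ] ++ extraContents;
    config = {
      Cmd = [ "/bin/${binName}" ];
      Env = [
        "PATH=/bin"
        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
        #
        # NOTE(review): vcs-ref is a branch name, not a commit id, so this
        # label does not identify which revision built the image. Consumers
        # wanting provenance should rely on the image digest / the CI run.
        "org.label-schema.vcs-ref" = "main";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
  };
in
# Caller-supplied meta first, the image's own meta wins on conflicts.
image // { meta = meta // image.meta; }

================================================
FILE: lib/importDir.nix
================================================
{ lib }:
# importDir importFn baseDir: { <dirname> = importFn "<baseDir>/<dirname>"; ... }
# for every sub-directory of baseDir (plain files are ignored).
importFn: baseDir:
let
  dirEntries = builtins.attrNames (
    lib.filterAttrs (k: v: v == "directory") (builtins.readDir baseDir)
  );
  absDirs = builtins.map (dir: "${toString baseDir}/${dir}") dirEntries;
  imports = builtins.map
    (dir: {
      name = builtins.baseNameOf dir;
      value = importFn dir;
    })
    absDirs;
in
builtins.listToAttrs imports

================================================
FILE: lib/mkUserEnvironment.nix
================================================
{ writeText, lib }:
# Build a user environment purely with nix.
#
# The original implementation is a mix of C++ and nix code.
#
# See https://github.com/nixos/nix/blob/f4b94958543138671bc3641fc126589a5cffb24b/src/nix-env/user-env.cc
#
# TODO:
# * also add the drvPath if the keepDerivations nix settings is set
# * support "disabled" mode that breaks nix-env?
# * remove the use of writeText. builtins.toFile forbits the use of references
#   to derivations, which makes it impossible to create exactly the same
#   manifest file as `nix-env`.
#
# Arguments:
# * derivations: a list of derivations
{
  # A list of derivations to install
  derivations
}:
# Supporting code
with builtins;
let
  # Copied from https://github.com/nixos/nix/blob/e02481ded216ffb5b06b413e3695d4e11e62e02f/corepkgs/buildenv.nix
  #
  # This was available at <nix/buildenv.nix>, until it got removed in Nix.
  buildenv = { derivations, manifest }:
    derivation {
      name = "user-environment";
      system = "builtin";
      builder = "builtin:buildenv";
      inherit manifest;

      # !!! grmbl, need structured data for passing this in a clean way.
      derivations =
        map
          (d:
            [
              (d.meta.active or "true")
              (d.meta.priority or 5)
              (builtins.length d.outputs)
            ] ++ map (output: builtins.getAttr output d) d.outputs)
          derivations;

      # Building user environments remotely just causes huge amounts of
      # network traffic, so don't do that.
      preferLocalBuild = true;

      # Also don't bother substituting.
      allowSubstitutes = false;
    };

  # back-compat
  isPath = builtins.isPath or (x: builtins.typeOf x == "path");

  # Escape a string as a double-quoted Nix string literal.
  #
  # The manifest written below is *imported* later, so every character that
  # is special inside "..." must be escaped: backslash, the quote itself,
  # control characters and `${` (otherwise a `${` in e.g. a package
  # description would become an interpolation when the manifest is read).
  stringEscape = str: "\"" + (
    replaceStrings
      [ "\\" "\"" "\n" "\r" "\t" "\${" ]
      [ "\\\\" "\\\"" "\\n" "\\r" "\\t" "\\\${" ]
      str
  ) + "\"";

  # Like builtins.toJSON but to output Nix code.
  #
  # NOTE(review): attribute names are emitted bare, so a key that is not a
  # valid Nix identifier would produce an unparsable manifest; nix-env-style
  # meta has not needed that so far.
  toNix = value:
    if isString value then stringEscape value
    else if isInt value then toString value
    else if isPath value then toString value
    else if true == value then "true"
    else if false == value then "false"
    else if null == value then "null"
    else if isAttrs value then
      "{ " + concatStringsSep " " (lib.mapAttrsToList (k: v: "${k} = ${toNix v};") value) + " }"
    else if isList value then
      "[ ${concatStringsSep " " (map toNix value)} ]"
    else throw "type ${typeOf value} not supported";

  # Generate a nix-env compatible manifest.nix file
  genManifest = drv:
    let
      outputs = drv.meta.outputsToInstall or
        # install the first output
        [ (head drv.outputs) ];
      base = {
        inherit (drv) meta name outPath system type;
        out = { inherit (drv) outPath; };
        inherit outputs;
      };
      toOut = name: { outPath = drv.${name}.outPath; };
      outs = lib.genAttrs outputs toOut;
    in
    base // outs;

  writeManifest = derivations:
    writeText "env-manifest.nix" (toNix (map genManifest derivations));
in
buildenv {
  inherit derivations;
  manifest = writeManifest derivations;
}

================================================
FILE: overlay.nix
================================================
_: pkgs:
let
  importDir = import ./lib/importDir.nix { inherit (pkgs) lib; };
in
{
  # builder stuff can be in the top-level
  buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix { };

  # docker images must be lower-cased
  docker-nixpkgs = importDir (path: pkgs.callPackage path { }) ./images;

  # used to build nix-env compatible user environments
  mkUserEnvironment = pkgs.callPackage ./lib/mkUserEnvironment.nix { };

  # gitMinimal still ships with perl and python
  gitReallyMinimal = (
    pkgs.git.override {
      perlSupport = false;
      pythonSupport = false;
      withManual = false;
      withpcre2 = false;
    }
  ).overrideAttrs (_: {
    # installCheck is broken when perl is disabled
    doInstallCheck = false;
  });
}

================================================
FILE: pkgs.nix
================================================
system:
# docker images run on Linux
assert builtins.elem system [ "x86_64-linux" "aarch64-linux" ];
# nixpkgs is resolved through NIX_PATH, i.e. whatever channel the caller
# (shell.nix / CI) exposes as <nixpkgs>.
import <nixpkgs> {
  config = { };
  inherit system;
  overlays = [ (import ./overlay.nix) ];
}

================================================
FILE: push-all
================================================
#!/usr/bin/env bash
#
# Push every image evaluated from ./default.nix to a registry.
#
# Usage: ./push-all [registry] [image_prefix] [image_tag]
set -euo pipefail

registry=${1:-docker.io}
image_prefix=${2:-nixpkgs}
image_tag=${3:-latest}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}

# Attribute name -> path of the docker archive (no file argument: nix-instantiate
# evaluates ./default.nix).
releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)

echo "=== Pushing images to $registry"

for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  # Pass the key as a jq variable instead of splicing it into the filter.
  file=$(echo "$releases_json" | jq -r --arg k "$attr" '.[$k]')
  src=docker-archive://$file
  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}
  echo "--- attr=$attr src=$src dst=$dst"
  # --insecure-policy skips skopeo's policy.json entirely. That is fine for the
  # source (a local archive we just built) but also means nothing here signs
  # or verifies what is pushed; consumers should pin by digest.
  skopeo copy --insecure-policy "$src" "$dst"
done

echo OK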
================================================ FILE: readme-image-matrix ================================================ #!/usr/bin/env bash # # Usage: ./dockerhub-image-matrix set -euo pipefail system_name=${NIX_SYSTEM_NAME:-x86_64-linux} ## Main ## releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json) echo "| Image / Tag | Pull |" echo "| --- | --- |" for attr in $(echo "$releases_json" | jq -r "keys[]") ; do name=nixpkgs/$attr echo -n "| [$name](https://hub.docker.com/r/$name)" echo -n "| \`docker pull docker.nix-community.org/$name\` " echo "|" done ================================================ FILE: shell.nix ================================================ let nixpkgs = builtins.fetchTarball "channel:nixos-23.11"; pkgs = import nixpkgs { config = { }; overlays = [ ]; }; in with pkgs; mkShell { buildInputs = [ dive jq skopeo podman ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh; shellHook = '' # try to work aroud build issues unset TMPDIR export NIX_PATH=nixpkgs=${toString nixpkgs} ''; }