@tomberek
Created December 8, 2019 18:21
# Builds a Docker image whose root profile already contains a working Nix
# installation. The only value exported at the bottom is `buildImageWithNix`.
{ pkgs ? import <nixpkgs> { } }:
let
  # Single source of truth for the Nix binary used inside the image
  # (referenced from nix.conf and from the post-build hook).
  nix = pkgs.nixUnstable;
  inherit (pkgs) stdenv;
# TODO: config could be using nixos modules
# Default OCI image config: environment, entry command and working directory
# for the interactive root shell.
defaultConfig =
  let
    # CA bundle from nixpkgs; both TLS knobs below point at the same file.
    caBundle = "${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt";
  in
  {
    Env = [
      "HOME=/root"
      # TODO: PATH should be calculated from contents
      "PATH=/root/.nix-profile/bin:/bin"
      "NIX_PAGER=cat"
      # NOTE(review): nothing in this file creates the channels directory;
      # this path only exists after `nix-channel --update` runs in the image.
      "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs"
      "GIT_SSL_CAINFO=${caBundle}"
      "SSL_CERT_FILE=${caBundle}"
    ];
    Cmd = [ "bash" ];
    WorkingDir = "/root";
  };
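# TODO: maybe we should use busybox instead of coreutils
# Profile that becomes /root/.nix-profile inside the image: the Nix tooling
# itself, a shell, TLS roots, a tiny editor and git, the post-build hook, plus
# whatever the caller passes as `contents`.
mkNixEnv = contents: pkgs.buildEnv {
  name = "user-environment";
  paths = [
    # Same `nix` binding that nix.conf and the post-build hook reference, so
    # the binary on PATH and the store tooling cannot drift apart.
    nix
    pkgs.curl
    pkgs.busybox
    pkgs.cacert
    pkgs.bashInteractive
    vimMinimal
    gitReallyMinimal
    post-build-hook
  ] ++ contents;
};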
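# Wraps pkgs.dockerTools.buildImageWithNixDb: the caller's `contents` are
# folded into one profile (mkNixEnv) and a root-only setup script is prepended
# to the caller's `runAsRoot`. Every other attribute in `args` is passed
# through unchanged.
#
# Security notes on the generated image:
#  * nix.conf sets `sandbox = false`, so builds run inside the container are
#    not isolated by Nix at all (full container filesystem and network); rely
#    on the container boundary, not on Nix, to isolate them.
#  * A cache signing key pair is generated at image build time and stored in
#    the image itself (/etc/nix/key.private). Its public half is listed in
#    trusted-public-keys, so anyone holding the image can sign paths the image
#    trusts. Treat it as a per-image local-cache key only; never reuse it for
#    a shared cache.
buildImageWithNix = args@{ contents ? [ ]
, runAsRoot ? ""
, config ? defaultConfig
, ...
}:
let
  contentsEnv = mkNixEnv contents;
in
(pkgs.dockerTools.buildImageWithNixDb (args // {
  contents = contentsEnv;
  inherit config;
  runAsRoot = ''
    #!${stdenv.shell}
    ${pkgs.dockerTools.shadowSetup}
    # Create root user and the nixbld build users (all in group 1 = nixbld)
    mkdir -p /etc
    echo 'root:x:0:0::/root:/root/.nix-profile/bin/bash' > /etc/passwd
    echo 'nixbld0:x:3000:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld1:x:3001:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld2:x:3002:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld3:x:3003:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld4:x:3004:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld5:x:3005:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld6:x:3006:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld7:x:3007:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld8:x:3008:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    echo 'nixbld9:x:3009:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
    # The nixbld line must be appended: overwriting would drop the root group
    # (gid 0) that the root user's passwd entry refers to.
    echo 'root:x:0:' > /etc/group
    echo 'nixbld:x:1:nixbld0,nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9' >> /etc/group
    # SSL: expose the profile's CA bundle under both names tools look for
    mkdir -p /etc/ssl/certs
    ln -sf /root/.nix-profile/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-bundle.crt || true
    ln -sf /root/.nix-profile/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt || true
    # nsswitch.conf: glibc consults it for `hosts` lookups; `files dns` makes
    # names resolve via /etc/hosts and then DNS, so substituters and git
    # remotes are reachable by hostname from inside the image.
    echo 'hosts: files dns myhostname mymachines' > /etc/nsswitch.conf
    # Create a world-writable temporary folder with the sticky bit set
    mkdir -p /tmp
    chmod 1777 /tmp
    # Root home directory
    mkdir -p /root
    # Create the default profile for root; things installed with nix-env go
    # to /nix/var/nix/profiles/per-user/root/default, and ~/.nix-profile must
    # be created by hand to point there.
    mkdir -p /nix/var/nix/profiles/per-user/root
    ln -s ${contentsEnv} /nix/var/nix/profiles/per-user/root/default-1-link || true
    ln -s default-1-link /nix/var/nix/profiles/per-user/root/default || true
    ln -s /nix/var/nix/profiles/per-user/root/default /root/.nix-profile || true
    # Keep the profiles tree alive as a GC root
    mkdir -p /nix/var/nix/gcroots
    ln -s /nix/var/nix/profiles /nix/var/nix/gcroots/profiles || true
    # Make the shell source nix.sh during login.
    nix_profile=/root/.nix-profile/etc/profile.d/nix.sh
    echo "if [ -e $nix_profile ]; then . $nix_profile; fi" >> /root/.bash_profile
    # Local-cache signing key, generated against a throw-away store under /tmp
    # and shipped inside the image (see the security note on this binding).
    mkdir -p /etc/nix
    ${nix}/bin/nix-store --store local?root=/tmp --generate-binary-cache-key local-1 /etc/nix/key.private /etc/nix/key.public
    rm -rf /tmp/*
    # sandbox = false: builds inside the container are not isolated by Nix.
    echo "sandbox = false" > /etc/nix/nix.conf
    echo "sandbox-build-dir = /tmp " >> /etc/nix/nix.conf
    echo "substituters = https://cache.nixos.org file://./cache?secret-key=/etc/nix/key.private" >> /etc/nix/nix.conf
    echo "post-build-hook = ${post-build-hook}/bin/copy" >> /etc/nix/nix.conf
    echo "secret-key-files = /etc/nix/key.private" >> /etc/nix/nix.conf
    echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= $(cat /etc/nix/key.public)" >> /etc/nix/nix.conf
  '' + runAsRoot;
}));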
# Nix post-build-hook (wired into nix.conf by buildImageWithNix): after every
# successful build inside the image, copy the produced store paths into the
# local file:// binary cache. Nix passes the outputs in OUT_PATHS as a
# space-separated list; IFS=' ' plus `set -f` makes the unquoted expansion
# split on spaces only, without glob expansion.
# NOTE(review): ./cache is relative to the working directory of the process
# running the build, and Nix treats a failing hook as a build failure —
# confirm the directory is writable wherever the image is used.
post-build-hook = pkgs.writeShellScriptBin "copy" ''
set -eu
set -f # disable globbing
export IFS=' '
echo "Caching paths" $OUT_PATHS
exec ${nix}/bin/nix copy --to file://./cache $OUT_PATHS
'';
# Vim built from nixpkgs' configurable.nix with every optional language
# binding switched off, then stripped of its share tree and vimtutor to keep
# the image small. The Darwin inputs are ordinary attrset values, so Nix only
# forces them if configurable.nix actually uses them.
vimMinimal =
  let
    configurableVim = pkgs.callPackage "${pkgs.path}/pkgs/applications/editors/vim/configurable.nix" {
      inherit (pkgs.darwin.apple_sdk.frameworks) CoreServices Cocoa Foundation CoreData;
      inherit (pkgs.darwin) libobjc cf-private;
      lua = pkgs.lua5_1;
      config.vim = {
        lua = false;
        python = false;
        ruby = false;
        netbeans = false;
        xim = false;
        cscope = false;
      };
      guiSupport = "no";
      features = "tiny"; # one of tiny, small, normal, big or huge
    };
    customizableVim = pkgs.vimUtils.makeCustomizable configurableVim;
  in
  customizableVim.overrideAttrs (old: {
    # Drop docs/runtime files and vimtutor after the normal fixup phase
    postFixup = ''
      rm -r $out/share $out/bin/vimtutor
    '';
  });
# git with manual pages, Python/Perl scripting support and pcre2 switched off;
# the test suites are skipped to shorten the image build.
gitReallyMinimal =
  let
    slimGit = pkgs.git.override {
      withManual = false;
      pythonSupport = false;
      perlSupport = false;
      withpcre2 = false;
    };
  in
  slimGit.overrideAttrs (old: {
    doCheck = false;
    doInstallCheck = false;
  });
in
{
  # Public surface of this file; every other binding above is an
  # implementation detail of the image builder.
  buildImageWithNix = buildImageWithNix;
}