Created
December 8, 2019 18:21
-
-
Save tomberek/53a1f50def192cc924672eddda3719c7 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { pkgs ? import <nixpkgs> {} | |
| }: | |
| let | |
| nix = pkgs.nixUnstable; | |
| inherit (pkgs) stdenv; | |
| # TODO: config could be using nixos modules | |
| defaultConfig = { | |
| Env = [ | |
| "HOME=/root" | |
| # TODO: PATH should be calculated from contents | |
| "PATH=/root/.nix-profile/bin:/bin" | |
| "NIX_PAGER=cat" | |
| "NIX_PATH=nixpkgs=/nix/var/nix/profiles/per-user/root/channels/nixpkgs" | |
| "GIT_SSL_CAINFO=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" | |
| "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" | |
| ]; | |
| Cmd = [ "bash" ]; | |
| WorkingDir = "/root"; | |
| }; | |
| # TODO: maybe we should use busybox instead of coreutils | |
| mkNixEnv = contents: pkgs.buildEnv { | |
| name = "user-environment"; | |
| paths = [ | |
| pkgs.nixUnstable | |
| pkgs.curl | |
| pkgs.busybox | |
| pkgs.cacert | |
| pkgs.bashInteractive | |
| vimMinimal | |
| gitReallyMinimal | |
| post-build-hook | |
| ] ++ contents; | |
| }; | |
| buildImageWithNix = args@{ contents ? [] | |
| , runAsRoot ? "" | |
| , config ? defaultConfig | |
| , ... | |
| }: | |
| let | |
| contentsEnv = mkNixEnv contents; | |
| in | |
| (pkgs.dockerTools.buildImageWithNixDb (args // { | |
| contents = contentsEnv; | |
| inherit config; | |
| runAsRoot = '' | |
| #!${stdenv.shell} | |
| ${pkgs.dockerTools.shadowSetup} | |
| # Create root user | |
| mkdir -p /etc | |
| echo 'root:x:0:0::/root:/root/.nix-profile/bin/bash' > /etc/passwd | |
| echo 'nixbld0:x:3000:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld1:x:3001:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld2:x:3002:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld3:x:3003:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld4:x:3004:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld5:x:3005:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld6:x:3006:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld7:x:3007:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld8:x:3008:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'nixbld9:x:3009:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd | |
| echo 'root:x:0:' > /etc/group | |
| echo 'nixbld:x:1:nixbld0,nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9' > /etc/group | |
| # SSL | |
| mkdir -p /etc/ssl/certs | |
| ln -sf /root/.nix-profile/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-bundle.crt || true | |
| ln -sf /root/.nix-profile/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-certificates.crt || true | |
| # TODO: why do we need this files explain in comments | |
| mkdir -p /etc | |
| echo 'hosts: files dns myhostname mymachines' > /etc/nsswitch.conf | |
| # Create temporary folder | |
| mkdir -p /tmp | |
| chmod 1777 /tmp | |
| # Subscribe to Nix channel | |
| mkdir -p /root | |
| # Create default profile for | |
| mkdir -p /nix/var/nix/profiles/per-user/root | |
| ln -s ${contentsEnv} /nix/var/nix/profiles/per-user/root/default-1-link || true | |
| ln -s default-1-link /nix/var/nix/profiles/per-user/root/default || true | |
| # things installed with nix-env go to /nix/var/nix/profiles/per-user/root/default | |
| # we need to create ~/.nix-profile symlink manually | |
| ln -s /nix/var/nix/profiles/per-user/root/default /root/.nix-profile || true | |
| mkdir -p /nix/var/nix/gcroots | |
| ln -s /nix/var/nix/profiles /nix/var/nix/gcroots/profiles || true | |
| # Make the shell source nix.sh during login. | |
| nix_profile=/root/.nix-profile/etc/profile.d/nix.sh | |
| echo "if [ -e $nix_profile ]; then . $nix_profile; fi" >> /root/.bash_profile | |
| mkdir -p /etc/nix | |
| ${nix}/bin/nix-store --store local?root=/tmp --generate-binary-cache-key local-1 /etc/nix/key.private /etc/nix/key.public | |
| rm -rf /tmp/* | |
| echo "sandbox = false" > /etc/nix/nix.conf | |
| echo "sandbox-build-dir = /tmp " >> /etc/nix/nix.conf | |
| echo "substituters = https://cache.nixos.org file://./cache?secret-key=/etc/nix/key.private" >> /etc/nix/nix.conf | |
| echo "post-build-hook = ${post-build-hook}/bin/copy" >> /etc/nix/nix.conf | |
| echo "secret-key-files = /etc/nix/key.private" >> /etc/nix/nix.conf | |
| echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= $(cat /etc/nix/key.public)" >> /etc/nix/nix.conf | |
| '' + runAsRoot; | |
| })); | |
| post-build-hook = pkgs.writeShellScriptBin "copy" '' | |
| set -eu | |
| set -f # disable globbing | |
| export IFS=' ' | |
| echo "Caching paths" $OUT_PATHS | |
| exec ${nix}/bin/nix copy --to file://./cache $OUT_PATHS | |
| ''; | |
| vimMinimal = with pkgs; with lib; (vimUtils.makeCustomizable (callPackage ("${pkgs.path}" + "/pkgs/applications/editors/vim/configurable.nix") { | |
| inherit (darwin.apple_sdk.frameworks) CoreServices Cocoa Foundation CoreData; | |
| inherit (darwin) libobjc cf-private; | |
| lua = pkgs.lua5_1; | |
| config.vim = { | |
| lua = false; | |
| python = false; | |
| ruby = false; | |
| netbeans = false; | |
| xim = false; | |
| cscope = false; | |
| }; | |
| guiSupport = "no"; | |
| features = "tiny"; # one of tiny, small, normal, big or huge | |
| })).overrideAttrs (old: { | |
| postFixup = '' | |
| rm -r $out/share $out/bin/vimtutor | |
| ''; | |
| }); | |
| gitReallyMinimal = (pkgs.git.override { | |
| withManual = false; | |
| pythonSupport = false; | |
| perlSupport = false; | |
| withpcre2 = false; | |
| }).overrideAttrs(old:{doInstallCheck=false;doCheck=false;}); | |
| in | |
| { | |
| inherit buildImageWithNix; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment