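# Build a Docker image (via dockerTools.buildImage) whose root filesystem also
# carries a populated Nix database for every store path in the image, so that
# `nix` commands work inside the container. Wraps `buildImage`: the caller's
# args are passed through, with the image Entrypoint defaulted to the
# `entrypoint` script, a few environment variables appended, and the database
# generation prepended to `extraCommands`.
#
# Arguments: the same attribute set `buildImage` accepts (`contents`,
# `extraCommands`, `fromImage`, `config`, ...). `config` and `config.Env` are
# optional here; the original failed with a missing-attribute error when the
# caller supplied no `config` or no `Env`.
# Returns: the derivation produced by `buildImage`.
buildImageWithNixDb = args@{ contents ? null, extraCommands ? "", fromImage ? null, ... }:
let
  # Read the list of store paths back from the built image (lazily, so the
  # closure registered below matches what the layer actually contains).
  contentsList = image.contentsList;
  # Caller-provided image config, defaulted so the merges below cannot fail.
  baseConfig = args.config or {};
  image = buildImage (args // {
    config = baseConfig // {
      # Keep an explicit Entrypoint if the caller set one, otherwise use ours.
      Entrypoint = if baseConfig ? Entrypoint then baseConfig.Entrypoint else "${entrypoint}/bin/entry";
      Env = (baseConfig.Env or []) ++ [
        # The container runs as root and uses root's Nix profile.
        "HOME=/root"
        "USER=root"
        "PATH=/root/.nix-profile/bin:/bin"
        "NIX_PAGER=cat"
        #"NIX_PATH=nixpkgs=${pkgs.path}"
        # Point TLS clients at the CA bundle the entrypoint symlinks into place.
        "GIT_SSL_CAINFO=/etc/ssl/certs/ca-bundle.crt"
        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
      ];
    };
    # Runs at image-build time inside the image root ($PWD): register the
    # closure of `contentsList` in a fresh local Nix database and pin every
    # path with a GC root so `nix-collect-garbage` in the container keeps it.
    extraCommands = ''
      echo "Generating the nix database..."
      echo "Warning: only the database of the deepest Nix layer is loaded."
      echo " If you want to use nix commands in the container, it would"
      echo " be better to only have one layer that contains a nix store."
      export NIX_REMOTE=local?root=$PWD
      ${nix}/bin/nix-store --load-db < ${closureInfo {rootPaths = contentsList;}}/registration
      mkdir -p nix/var/nix/gcroots/docker/
      for i in ${lib.concatStringsSep " " contentsList}; do
        ln -sfn $i nix/var/nix/gcroots/docker/$(basename $i)
      done;
    '' + extraCommands;
  });
in image;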
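# Container entrypoint. At container start it lays down the minimal state a
# single-user Nix needs (passwd/group, /tmp, nsswitch, CA bundle, root's
# profile links, /etc/nix/nix.conf) and then exec's the command line the
# container was started with. Everything below runs as root inside the
# container, on every start.
#
# Fixes relative to the original: the root passwd entry was written to
# "$out/etc/passwd" ($out is unset at container start, so it only reached
# /etc/passwd by accident), and the nixbld group line was written with ">"
# instead of ">>", which discarded the root group line just written above it.
entrypoint = writeScriptBin "entry" ''
  #!/bin/sh
  mkdir -p /etc/nix
  # Accounts: root plus ten nixbld build users (members of the nixbld group
  # written below). NOTE(review): the build users are given root's home
  # directory and a login shell here; the usual hardening is an empty home
  # (e.g. /var/empty) and a non-login shell - confirm before tightening.
  echo 'root:x:0:0::/root:/root/.nix-profile/bin/bash' > /etc/passwd
  echo 'nixbld0:x:3000:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld1:x:3001:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld2:x:3002:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld3:x:3003:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld4:x:3004:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld5:x:3005:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld6:x:3006:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld7:x:3007:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld8:x:3008:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  echo 'nixbld9:x:3009:1::/root:/root/.nix-profile/bin/bash' >> /etc/passwd
  # Groups: truncate with the root group, then append nixbld (gid 1).
  echo 'root:x:0:' > /etc/group
  echo 'nixbld:x:1:nixbld0,nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9' >> /etc/group
  # World-writable sticky /tmp, as builds and tools expect.
  mkdir -p /tmp
  chmod 1777 /tmp
  echo 'hosts: files dns myhostname mymachines' > /etc/nsswitch.conf
  # CA bundle at the path SSL_CERT_FILE / GIT_SSL_CAINFO point to.
  mkdir -p /etc/ssl/certs
  ln -sfn ${cacert}/etc/ssl/certs/ca-bundle.crt /etc/ssl/certs/ca-bundle.crt
  # Root's Nix profile: generation 1 is simply /bin from the image.
  # The "|| true" keeps restarts idempotent when the links already exist.
  mkdir -p /root
  mkdir -p /nix/var/nix/profiles/per-user/root
  ln -s /bin /nix/var/nix/profiles/per-user/root/default-1-link || true
  ln -s default-1-link /nix/var/nix/profiles/per-user/root/default || true
  ln -s /nix/var/nix/profiles/per-user/root/default /root/.nix-profile || true
  mkdir -p /nix/var/nix/gcroots
  #ln -s /nix/var/nix/profiles /nix/var/nix/gcroots/profiles || true
  # Make the shell source nix.sh during login.
  nix_profile=/root/.nix-profile/etc/profile.d/nix.sh
  echo "if [ -e $nix_profile ]; then . $nix_profile; fi" >> /root/.bash_profile
  # Nix configuration for builds run inside the container.
  # sandbox = false: builds are NOT sandboxed, so a build can read the whole
  # container filesystem and reach the network; the container is the only
  # isolation boundary.
  echo "sandbox = false" > /etc/nix/nix.conf
  echo "sandbox-build-dir = /tmp " >> /etc/nix/nix.conf
  # Substituters: the two HTTPS caches are checked against trusted-public-keys
  # below. file://./cache?trusted=1 is accepted WITHOUT signature checks, so
  # anything that can write into that directory can inject store paths; its
  # path is also relative to the working directory of the nix invocation.
  echo "substituters = https://cache.nixos.org https://arm.cachix.org file://./cache?trusted=1" >> /etc/nix/nix.conf
  # Hook nix runs after builds; the copy script itself is not shown here.
  echo "post-build-hook = ${post-build-hook}/bin/copy" >> /etc/nix/nix.conf
  echo "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY= arm.cachix.org-1:5BZ2kjoL1q6nWhlnrbAl+G7ThY7+HaBRD9PZzqZkbnM=" >> /etc/nix/nix.conf
  exec "$@"
'';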