github-mirror/docker-nixpkgs
1
0
Fork 1
mirror of https://github.com/nix-community/docker-nixpkgs.git synced 2026-01-12 04:40:42 -05:00
Code Issues Packages Projects Releases Wiki Activity

Compare commits

base: github-mirror:main
Branches Tags
github-mirror:main github-mirror:nix-container-images sbl:master sbl:pjjw/nix-flake-runner sbl:pjjw/gitea-actions sbl:nix-unstable-static sbl:push-to-github sbl:nix-container-images
..
compare: sbl:nix-container-images
Branches Tags
sbl:master sbl:pjjw/nix-flake-runner sbl:pjjw/gitea-actions sbl:nix-unstable-static sbl:push-to-github sbl:nix-container-images github-mirror:main github-mirror:nix-container-images

3 Commits
main ... nix-contai

Author SHA1 Message Date
lewo
9ba34c6a05 Use niv to fetch the nix-container-images repository (#5) 
This allows us to easily update it by running `niv update`.
 2019-04-26 12:41:13 +02:00
zimbatm
5452a54955 nix: redefine in terms of nix-container-images 2019-03-16 15:15:11 +01:00
zimbatm
5fe80c5dfb import nlewo/nix-container-images 
allow to build complex container images
 2019-03-16 15:14:53 +01:00
53 changed files with 332 additions and 1099 deletions
Expand all files Collapse all files

6
.github/dependabot.yml vendored
View File

@@ -1,6 +0,0 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "weekly"

82
.github/workflows/nix.yml vendored
View File

@@ -1,82 +0,0 @@
name: Nix
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
schedule:
# Run once per day
- cron: '0 0 * * *'
jobs:
build:
strategy:
# Keep building the other channels if one fails
fail-fast: false
matrix:
channel:
- nixos-unstable
- nixos-25.05
- nixos-25.11
system:
- aarch64-linux
- x86_64-linux
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v6
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- uses: DeterminateSystems/nix-installer-action@main
with:
extra-conf: |
extra-platforms = aarch64-linux
- uses: DeterminateSystems/magic-nix-cache-action@main
- name: Push to Docker Hub
run: nix-shell --run ./ci.sh
env:
CI_PROJECT_PATH: 'nixpkgs'
CI_REGISTRY: 'docker.io'
CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
NIXPKGS_CHANNEL: '${{ matrix.channel }}'
NIX_SYSTEM_NAME: '${{ matrix.system }}'
- name: Push to GitHub Pages
run: nix-shell --run ./ci.sh
env:
CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
CI_REGISTRY: 'ghcr.io'
CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
NIXPKGS_CHANNEL: '${{ matrix.channel }}'
NIX_SYSTEM_NAME: '${{ matrix.system }}'
push-manifest:
needs: [build]
strategy:
fail-fast: false
matrix:
channel:
- nixos-unstable
- nixos-25.05
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: DeterminateSystems/nix-installer-action@main
with:
extra-conf: |
extra-platforms = aarch64-linux
- uses: DeterminateSystems/magic-nix-cache-action@main
- run: nix-shell --run ./ci-manifests.sh
env:
CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
NIXPKGS_CHANNEL: '${{ matrix.channel }}'
NIX_SYSTEM_NAME: '${{ matrix.system }}'

26
.gitlab-ci.sh Executable file
View File

@@ -0,0 +1,26 @@
#!/usr/bin/env bash
#
# Gitlab CI specific build script.
#
set -euo pipefail
./build
# default to the Gitlab registry
: "${REGISTRY:=$CI_REGISTRY}"
: "${REGISTRY_USER:=$CI_REGISTRY_USER}"
: "${REGISTRY_PASSWORD:=$CI_REGISTRY_PASSWORD}"
: "${IMAGE_PREFIX:=$CI_PROJECT_PATH}"
# IMAGE_TAG is provided by .gitlab-ci.yml
if [[ "$CI_COMMIT_REF_NAME" = master ]]; then
./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
if [[ $REGISTRY = *docker.io ]]; then
./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
fi
else
echo "=== not pushing on non-master ==="
fi

31
.gitlab-ci.yml
View File

@@ -1,14 +1,25 @@
image: nixos/nix:latest
stages: stages:
- build - build
build: nixos-unstable:
stage: build stage: build
image: nixpkgs/nix:nixos-25.05 script: nix-shell --run ./.gitlab-ci.sh
script: nix-shell --run ./ci.sh variables:
parallel: NIX_PATH: nixpkgs=channel:nixos-unstable
matrix: IMAGE_TAG: latest
- NIXPKGS_CHANNEL: nixos-unstable
IMAGE_TAG: latest nixos-18.09:
- NIXPKGS_CHANNEL: stage: build
- nixos-25.05 script: nix-shell --run ./.gitlab-ci.sh
- nixos-25.11 variables:
NIX_PATH: nixpkgs=channel:nixos-18.09
IMAGE_TAG: nixos-18.09
nixos-19.03:
stage: build
script: nix-shell --run ./.gitlab-ci.sh
variables:
NIX_PATH: nixpkgs=channel:nixos-19.03
IMAGE_TAG: nixos-19.03

25
.travis.sh Executable file
View File

@@ -0,0 +1,25 @@
#!/usr/bin/env bash
#
# Travis CI specific build script
#
set -euo pipefail
./build
# default to Docker Hub
: "${REGISTRY:=docker.io}"
: "${IMAGE_PREFIX:=nixpkgs}"
# IMAGE_TAG is provided by .travis.yml
# the user has to set REGISTRY_USER and REGISTRY_PASSWORD
if [[ "$TRAVIS_BRANCH" = master && -z "$TRAVIS_PULL_REQUEST_BRANCH" ]]; then
./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
if [[ $REGISTRY = *docker.io ]]; then
./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
fi
else
echo "=== not pushing on non-master ==="
fi

15
.travis.yml Normal file
View File

@@ -0,0 +1,15 @@
language: nix
nix: 2.2.1
matrix:
include:
- name: nixos-unstable
env: NIX_PATH=nixpkgs=channel:nixos-unstable IMAGE_TAG=latest
- name: nixos-18.09
env: NIX_PATH=nixpkgs=channel:nixos-18.09 IMAGE_TAG=nixos-18.09
- name: nixos-19.03
env: NIX_PATH=nixpkgs=channel:nixos-19.03 IMAGE_TAG=nixos-19.03
script:
- nix-shell --run ./.travis.sh

97
README.md
View File

@@ -29,6 +29,22 @@ $ docker run -ti --rm nixpkgs/curl curl http://ifconfig.co
180.52.248.114 180.52.248.114
``` ```
## List of images
Here is the current list of images that are provided. Missing one? Send an
[image request](#image-request).
| Image | Description |
| --- | --- |
| bash | CLI only |
| busybox | CLI only |
| curl | CLI only |
| docker-compose | CLI only |
| kubectl | CLI only |
| kubernetes-helm | CLI only |
| nix | nix with deps |
| nix-unstable | nixUnstable with deps |
## Channels ## Channels
Each image is built with the following nixpkgs channels and map to the Each image is built with the following nixpkgs channels and map to the
@@ -39,54 +55,54 @@ nixpkgs channel describes.
| Channel | Image Tag | Description | | Channel | Image Tag | Description |
| --- | --- | --- | | --- | --- | --- |
| nixos-25.05 | nixos-25.05 | only minor versions that include security updates | | nixos-unstable | latest | latest and greated, major versions might change |
| nixos-25.11 | nixos-25.11 | only minor versions that include security updates | | nixos-18.09 | nixos-18.09 | only minor versions that include security updates |
| nixos-unstable | latest | latest and greatest, major versions might change |
## List of images ## Docker Hub
Here is the current list of images that are provided. Missing one? Send an All images are automatically built and pushed to Docker Hub.
[image request](#image-request).
All images are automatically built and published to Docker Hub, and served ### Image matrix
on our custom domain, courtesy of [Scarf](https://scarf.sh).
`> ./readme-image-matrix`
`> ./dockerhub-image-matrix`
<!-- BEGIN mdsh --> <!-- BEGIN mdsh -->
| Image / Tag | Pull | | Image / Tag | latest | nixos-18.09 | nixos-19.03 |
| --- | --- | | --- | --- | --- | --- |
| [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` | | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-19.03.svg) |
| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` | | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-19.03.svg) |
| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` | | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-19.03.svg) |
| [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` | | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-19.03.svg) |
| [nixpkgs/cachix-flakes](https://hub.docker.com/r/nixpkgs/cachix-flakes)| `docker pull docker.nix-community.org/nixpkgs/cachix-flakes` | | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-19.03.svg) |
| [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` | | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-19.03.svg) |
| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` | | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-19.03.svg) |
| [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` | | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-19.03.svg) |
| [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |
| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
| [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
| [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` |
| [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
| [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
| [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
| [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |
| [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |
<!-- END mdsh --> <!-- END mdsh -->
| Image / Tag | latest | nixos-18.09 |
| --- | --- | --- |
| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-18.09.svg) |
| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-18.09.svg) |
| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-18.09.svg) |
| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-18.09.svg) |
| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-18.09.svg) |
| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-18.09.svg) |
| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-18.09.svg) |
| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-18.09.svg) |
## Adding new images ## Adding new images
To add a new image to the project, create a new folder under To add a new image to the project, create a new folder under
`./images/<image-name>` with a default.nix that returns the docker image. `./images/<image-name>` with a default.nix that returns the docker image.
Then run `nix-build -A <image-name>` to test that it builds, and Then run `nix-build release.nix -A <image-name>` to test that it builds, and
then use then use
`docker load -i /nix/store/...<image-name>.tar.gz` to load and test the image. `docker load -i /nix/store/...<image-name>.tar.gz` to load and test the image.
## Related projects
The [docker-library](https://github.com/docker-library/official-images#readme)
is an image set maintained by the Docker Inc. team and contain
officially-supported images.
## User Feedback ## User Feedback
### Issues ### Issues
@@ -102,20 +118,11 @@ with an accompanying use-case for an image that you would like to see.
### Contributing ### Contributing
You are invited to contribute new features, fixes or updates, large or small; You are invited to contribute new features, fixes or updates, large or small;
we are always thrilled to receive pull requests, and do our best to process we are always thrilled to receive pull requests, and do our brest ot process
them as fast as we can. them as fast as we can.
## Related projects
* The [docker-library](https://github.com/docker-library/official-images#readme)
is an image set maintained by the Docker Inc. team and contain
officially-supported images.
* [Nixery](https://nixery.dev/) is a pretty cool service that builds docker
images from nixpkgs attributes on the fly.
## License ## License
Copyright (c) 2021 @zimbatm and contributors. Copyright (c) 2019 zimbatm and contributors.
Licensed under the MIT. Licensed under the MIT.

8
build Executable file
View File

@@ -0,0 +1,8 @@
#!/usr/bin/env bash
set -euo pipefail
# build *all* the docker images
exec nix-build release.nix \
--no-out-link \
--option sandbox true \
"$@"

39
ci-manifests.sh
View File

@@ -1,39 +0,0 @@
#!/usr/bin/env bash
#
# CI specific build script.
#
set -euo pipefail
channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-docker.io}
registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nixpkgs}
if [[ $channel == nixos-unstable ]]; then
image_tag=latest
else
image_tag=$channel
fi
export NIX_PATH=channel:$channel
banner() {
echo "========================================================"
echo " $*"
echo "========================================================"
}
cd "$(dirname "$0")"
if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
banner "Skipping push on non-main branch"
exit
fi
if [[ -n "${registry_auth}" ]]; then
banner "docker login"
./docker-login "$registry_auth" "$registry"
fi
banner "generate manifests"
./generate-manifests "$registry" "$image_prefix" "$image_tag"

52
ci.sh
View File

@@ -1,52 +0,0 @@
#!/usr/bin/env bash
#
# CI specific build script.
#
set -euo pipefail
channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-docker.io}
registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nixpkgs}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
if [[ $channel == nixos-unstable ]]; then
image_tag=latest
else
image_tag=$channel
fi
export NIX_PATH=channel:$channel
banner() {
echo "========================================================"
echo " $*"
echo "========================================================"
}
cd "$(dirname "$0")"
banner "Building images"
# Build all the docker images
nix-build \
--no-out-link \
--option sandbox true \
--argstr system "$system_name"
if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
banner "Skipping push on non-main branch"
exit
fi
if [[ -n "${registry_auth}" ]]; then
banner "docker login"
./docker-login "$registry_auth" "$registry"
fi
banner "docker push"
./push-all "$registry" "$image_prefix" "$image_tag"
if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
banner "docker metadata update"
./dockerhub-metadata "$registry_auth" "$image_prefix"
fi

26
default.nix
View File

@@ -1,14 +1,14 @@
{ { nixpkgs ? <nixpkgs> }:
system ? builtins.currentSystem let
}: let sources = import ./nix/sources.nix;
_parts = builtins.split "-" system; nix-container-images = sources."nix-container-images";
arch = builtins.elemAt _parts 0;
os = builtins.elemAt _parts 2;
system' =
if os == "darwin"
then "${arch}-linux"
else system;
pkgs =
import ./pkgs.nix system';
in in
pkgs.docker-nixpkgs import nixpkgs {
# docker images run on Linux
system = "x86_64-linux";
config = {};
overlays = [
(import "${nix-container-images}/overlay.nix")
(import ./overlay.nix)
];
}

9
docker-login
View File

@@ -5,8 +5,9 @@
# Usage: ./docker-login <username> <password> [registry] # Usage: ./docker-login <username> <password> [registry]
set -euo pipefail set -euo pipefail
auth=$1 username=$1
registry=${2:-docker.io} password=$2
registry=${3:-docker.io}
# Encode some funky docker heuristic # Encode some funky docker heuristic
if [[ $registry = *docker.io ]]; then if [[ $registry = *docker.io ]]; then
@@ -14,13 +15,13 @@ if [[ $registry = *docker.io ]]; then
registry=https://index.docker.io/v2/ registry=https://index.docker.io/v2/
fi fi
mkdir -p ~/.docker mkdir ~/.docker
cat <<DOCKER_CONF > ~/.docker/config.json cat <<DOCKER_CONF > ~/.docker/config.json
{ {
"auths": { "auths": {
"$registry": { "$registry": {
"auth": "$(echo -n "$auth" | base64)" "auth": "$(printf "%s:%s" "$username" "$password" | base64)"
} }
} }
} }

30
dockerhub-image-matrix Executable file
View File

@@ -0,0 +1,30 @@
#!/usr/bin/env bash
#
# Usage: ./dockerhub-image-matrix
set -euo pipefail
microbadge() {
local name=$1
local tag=${2:-latest}
if [[ $tag != latest ]]; then
name=$name:$tag
fi
# make sure that microbadger has loaded the image
curl -o /dev/null -sfL "https://microbadger.com/images/$name"
echo "![](https://images.microbadger.com/badges/image/$name.svg)"
}
## Main ##
releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
echo "| Image / Tag | latest | nixos-18.09 | nixos-19.03 |"
echo "| --- | --- | --- | --- |"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
name=nixpkgs/$attr
echo "| [$name](https://hub.docker.com/r/$name) | $(microbadge "$name") | $(microbadge "$name" "nixos-18.09") | $(microbadge "$name" "nixos-19.03") |"
done

13
dockerhub-metadata
View File

@@ -6,15 +6,16 @@
# Usage: ./dockerhub-metadata <user> <password> [org] # Usage: ./dockerhub-metadata <user> <password> [org]
set -euo pipefail set -euo pipefail
user=$1 username=$1
org=${2:-nixpkgs} password=$2
system_name=${NIX_SYSTEM_NAME:-x86_64-linux} org=${3:-nixpkgs}
user=$username:$password
nix_eval() { nix_eval() {
nix-instantiate --strict --eval --argstr system "$system_name" --json "$@" nix-instantiate --strict --eval --json "$@"
} }
releases_json=$(nix_eval) releases_json=$(nix_eval release.nix)
to_json() { to_json() {
local desc=$1 full_desc=$2 local desc=$1 full_desc=$2
@@ -28,7 +29,7 @@ echo "=== Updating Docker Hub project descriptions"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
echo "--- $attr" echo "--- $attr"
desc=$(nix_eval -A "$attr.meta.description" | jq -r .) desc=$(nix_eval ./release.nix -A "$attr.meta.description" | jq -r .)
if [[ -f "$attr/README.md" ]]; then if [[ -f "$attr/README.md" ]]; then
full_desc=$(< "$attr/README.md") full_desc=$(< "$attr/README.md")

25
generate-manifests
View File

@@ -1,25 +0,0 @@
#!/usr/bin/env bash
#
# Usage: ./push-all <registry> <image-prefix> <image-tag>
set -euo pipefail
registry=${1:-docker.io}
image_prefix=${2:-nixpkgs}
image_tag=${3:-latest}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
echo "=== Generating manifests for $registry"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
repository=$registry/$image_prefix/$attr
target_image=${repository}:${image_tag}
echo "--- attr=$attr target=$target_image"
podman manifest create "$target_image"
podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
podman manifest push --all "$target_image" "docker://$target_image"
done
echo OK

10
images/attic/default.nix
View File

@@ -1,10 +0,0 @@
{ docker-nixpkgs
, attic-client
}:
(docker-nixpkgs.nix.override {
extraContents = [ attic-client ];
}).overrideAttrs (prev: {
meta = (prev.meta or { }) // {
description = "Nix and Attic client image";
};
})

10
images/cachix-flakes/default.nix
View File

@@ -1,10 +0,0 @@
{ docker-nixpkgs
, cachix
}:
(docker-nixpkgs.nix-flakes.override {
extraContents = [ cachix ];
}).overrideAttrs (prev: {
meta = (prev.meta or { }) // {
description = "Nix and Cachix image";
};
})

10
images/cachix/default.nix
View File

@@ -1,10 +0,0 @@
{ docker-nixpkgs
, cachix
}:
(docker-nixpkgs.nix.override {
extraContents = [ cachix ];
}).overrideAttrs (prev: {
meta = (prev.meta or { }) // {
description = "Nix and Cachix image";
};
})

6
images/caddy/default.nix
View File

@@ -1,6 +0,0 @@
{ buildCLIImage
, caddy
}:
buildCLIImage {
drv = caddy;
}

6
images/devcontainer/README.md
View File

@@ -1,6 +0,0 @@
# Nix VSCode DevContainer
WIP
Related to https://github.com/zimbatm/vscode-devcontainer-nix

143
images/devcontainer/default.nix
View File

@@ -1,143 +0,0 @@
# A fat and modifiable Nix image
{ dockerTools
, bashInteractive
, cacert
, closureInfo
, coreutils
, curl
, direnv
, gcc-unwrapped
, gitReallyMinimal
, glibc
, gnugrep
, gnused
, gnutar
, gzip
, iana-etc
, iproute2
, less
, lib
, nix
, openssh
, procps
, shadow
, xz
, mkUserEnvironment
}:
let
channel = builtins.getEnv ("NIXPKGS_CHANNEL");
# generate a user profile for the image
profile = mkUserEnvironment {
derivations = [
# core utils
coreutils
procps
gnugrep
gnused
less
# add /bin/sh
bashInteractive
nix
# runtime dependencies of nix
# HACK: don't include the "hashed" output. It has overlapping files with
# the "unbundled" output, and that breaks the build.
(cacert // {
outputs = builtins.filter (x: x != "hashed") cacert.outputs;
})
gitReallyMinimal
gnutar
gzip
xz
# for haskell binaries
iana-etc
# for user management
shadow
# for the vscode extension
# HACK: don't include the "libgcc" output. It has overlapping files with
# the "lib" output, and that breaks the build.
(gcc-unwrapped // {
outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
})
iproute2
];
};
image = dockerTools.buildImage {
name = "devcontainer";
contents = [ ];
extraCommands = ''
# create the Nix DB
export NIX_REMOTE=local?root=$PWD
export USER=nobody
${nix}/bin/nix-store --load-db < ${closureInfo { rootPaths = [ profile ]; }}/registration
# set the user profile
${profile}/bin/nix-env --profile nix/var/nix/profiles/default --set ${profile}
# minimal
mkdir -p bin usr/bin
ln -s /nix/var/nix/profiles/default/bin/sh bin/sh
ln -s /nix/var/nix/profiles/default/bin/env usr/bin/env
# might as well...
ln -s /nix/var/nix/profiles/default/bin/bash bin/bash
# setup shadow, bashrc
mkdir home
cp -r ${./root/etc} etc
chmod +w etc etc/group etc/passwd etc/shadow
# setup iana-etc for haskell binaries
ln -s /nix/var/nix/profiles/default/etc/protocols etc/protocols
ln -s /nix/var/nix/profiles/default/etc/services etc/services
# make sure /tmp exists
mkdir -m 0777 tmp
# allow ubuntu ELF binaries to run. VSCode copies it's own.
mkdir -p lib64
ln -s ${glibc}/lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2
# VSCode assumes that /sbin/ip exists
mkdir sbin
ln -s /nix/var/nix/profiles/default/bin/ip sbin/ip
'';
config = {
Cmd = [ "/nix/var/nix/profiles/default/bin/bash" ];
Env = [
"ENV=/nix/var/nix/profiles/default/etc/profile.d/nix.sh"
"GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
"LD_LIBRARY_PATH=/nix/var/nix/profiles/default/lib"
"PAGER=less"
"PATH=/nix/var/nix/profiles/default/bin"
"SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
(
if channel != "" then
"NIX_PATH=nixpkgs=channel:${channel}"
else
"NIX_PATH=nixpkgs=${../nix/fake_nixpkgs}"
)
];
Labels = {
# https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
"org.label-schema.vcs-ref" = "main";
"org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
};
};
};
in
image // {
meta = image.meta // {
description = "Nix devcontainer for VSCode";
};
}

6
images/devcontainer/root/etc/bashrc
View File

@@ -1,6 +0,0 @@
# interactive session
if [[ $- == *i* ]]; then
PS1='\[\033[0;32;40m\][nix]$\[\033[0m\] '
fi

6
images/devcontainer/root/etc/group
View File

@@ -1,6 +0,0 @@
root:x:0:
wheel:x:1:
tty:x:3:
users:x:100:
nixbld:x:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld30
nogroup:x:65534:

11
images/devcontainer/root/etc/nsswitch.conf
View File

@@ -1,11 +0,0 @@
passwd: files mymachines systemd
group: files mymachines systemd
shadow: files
hosts: files mymachines dns myhostname
networks: files
ethers: files
services: files
protocols: files
rpc: files

4
images/devcontainer/root/etc/pam.d/other
View File

@@ -1,4 +0,0 @@
account sufficient pam_unix.so
auth sufficient pam_rootok.so
password requisite pam_unix.so nullok sha512
session required pam_unix.so

32
images/devcontainer/root/etc/passwd
View File

@@ -1,32 +0,0 @@
root:x:0:0:root:/root:/nix/var/nix/profiles/default/bin/bash
nixbld1:x:30001:30000:Nix build user 1:/var/empty:/sbin/nologin
nixbld2:x:30002:30000:Nix build user 2:/var/empty:/sbin/nologin
nixbld3:x:30003:30000:Nix build user 3:/var/empty:/sbin/nologin
nixbld4:x:30004:30000:Nix build user 4:/var/empty:/sbin/nologin
nixbld5:x:30005:30000:Nix build user 5:/var/empty:/sbin/nologin
nixbld6:x:30006:30000:Nix build user 6:/var/empty:/sbin/nologin
nixbld7:x:30007:30000:Nix build user 7:/var/empty:/sbin/nologin
nixbld8:x:30008:30000:Nix build user 8:/var/empty:/sbin/nologin
nixbld9:x:30009:30000:Nix build user 9:/var/empty:/sbin/nologin
nixbld10:x:30010:30000:Nix build user 10:/var/empty:/sbin/nologin
nixbld11:x:30011:30000:Nix build user 11:/var/empty:/sbin/nologin
nixbld12:x:30012:30000:Nix build user 12:/var/empty:/sbin/nologin
nixbld13:x:30013:30000:Nix build user 13:/var/empty:/sbin/nologin
nixbld14:x:30014:30000:Nix build user 14:/var/empty:/sbin/nologin
nixbld15:x:30015:30000:Nix build user 15:/var/empty:/sbin/nologin
nixbld16:x:30016:30000:Nix build user 16:/var/empty:/sbin/nologin
nixbld17:x:30017:30000:Nix build user 17:/var/empty:/sbin/nologin
nixbld18:x:30018:30000:Nix build user 18:/var/empty:/sbin/nologin
nixbld19:x:30019:30000:Nix build user 19:/var/empty:/sbin/nologin
nixbld20:x:30020:30000:Nix build user 20:/var/empty:/sbin/nologin
nixbld21:x:30021:30000:Nix build user 21:/var/empty:/sbin/nologin
nixbld22:x:30022:30000:Nix build user 22:/var/empty:/sbin/nologin
nixbld23:x:30023:30000:Nix build user 23:/var/empty:/sbin/nologin
nixbld24:x:30024:30000:Nix build user 24:/var/empty:/sbin/nologin
nixbld25:x:30025:30000:Nix build user 25:/var/empty:/sbin/nologin
nixbld26:x:30026:30000:Nix build user 26:/var/empty:/sbin/nologin
nixbld27:x:30027:30000:Nix build user 27:/var/empty:/sbin/nologin
nixbld28:x:30028:30000:Nix build user 28:/var/empty:/sbin/nologin
nixbld29:x:30029:30000:Nix build user 29:/var/empty:/sbin/nologin
nixbld30:x:30030:30000:Nix build user 30:/var/empty:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin

32
images/devcontainer/root/etc/shadow
View File

@@ -1,32 +0,0 @@
root:!::0:::::
nixbld1:!:18237:0:99999:7:::
nixbld2:!:18237:0:99999:7:::
nixbld3:!:18237:0:99999:7:::
nixbld4:!:18237:0:99999:7:::
nixbld5:!:18237:0:99999:7:::
nixbld6:!:18237:0:99999:7:::
nixbld7:!:18237:0:99999:7:::
nixbld8:!:18237:0:99999:7:::
nixbld9:!:18237:0:99999:7:::
nixbld10:!:18237:0:99999:7:::
nixbld11:!:18237:0:99999:7:::
nixbld12:!:18237:0:99999:7:::
nixbld13:!:18237:0:99999:7:::
nixbld14:!:18237:0:99999:7:::
nixbld15:!:18237:0:99999:7:::
nixbld16:!:18237:0:99999:7:::
nixbld17:!:18237:0:99999:7:::
nixbld18:!:18237:0:99999:7:::
nixbld19:!:18237:0:99999:7:::
nixbld20:!:18237:0:99999:7:::
nixbld21:!:18237:0:99999:7:::
nixbld22:!:18237:0:99999:7:::
nixbld23:!:18237:0:99999:7:::
nixbld24:!:18237:0:99999:7:::
nixbld25:!:18237:0:99999:7:::
nixbld26:!:18237:0:99999:7:::
nixbld27:!:18237:0:99999:7:::
nixbld28:!:18237:0:99999:7:::
nixbld29:!:18237:0:99999:7:::
nixbld30:!:18237:0:99999:7:::
nobody:!::0:::::

11
images/devenv/default.nix
View File

@@ -1,11 +0,0 @@
{ docker-nixpkgs
, devenv ? null
}:
(docker-nixpkgs.nix.override {
# only available since 24.05
extraContents = [ devenv ];
}).overrideAttrs (prev: {
meta = (prev.meta or { }) // {
description = "Nix and devenv image";
};
})

2
images/docker-compose/default.nix
View File

@@ -7,5 +7,5 @@ buildCLIImage {
if docker-compose == null if docker-compose == null
then python3Packages.docker_compose then python3Packages.docker_compose
else docker-compose # nixos 19.03+ else docker-compose # nixos 19.03+
; ;
} }

8
images/hugo/default.nix
View File

@@ -1,8 +0,0 @@
{ buildCLIImage
, hugo
, gitReallyMinimal
}:
buildCLIImage {
drv = hugo;
extraContents = [ gitReallyMinimal ];
}

6
images/maddy/default.nix
View File

@@ -1,6 +0,0 @@
{ buildCLIImage
, maddy
}:
buildCLIImage {
drv = maddy;
}

6
images/nginx/default.nix
View File

@@ -1,6 +0,0 @@
{ buildCLIImage
, nginx
}:
buildCLIImage {
drv = nginx;
}

23
images/nix-flakes/default.nix
View File

@@ -1,23 +0,0 @@
{ docker-nixpkgs
, nixVersions
, writeTextFile
, extraContents ? [ ]
}:
docker-nixpkgs.nix.override {
nix = nixVersions.stable;
extraContents = [
(writeTextFile {
name = "nix.conf";
destination = "/etc/nix/nix.conf";
text = ''
accept-flake-config = true
experimental-features = nix-command flakes
max-jobs = auto
'';
})
] ++ extraContents;
extraEnv = [
"PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
];
}

16
images/nix-unstable-static/README.md
View File

@@ -1,16 +0,0 @@
# nix-unstable-static
This is a special variant of the nix image that contains no `/nix/store`.
Instead, nix and all the supporting binaries are statically built and copied
into /bin.
The main use-case is to be able to run nix in the container, but share the
`/nix/store` with the host.
## Using the container with the host store
This folder ships with a complementary script that you can use to run the
image as the current user and the host /nix/store.
Usage: `docker-nix-user.sh [<command> ...<args>]`

132
images/nix-unstable-static/default.nix
View File

@@ -1,132 +0,0 @@
{ dockerTools
, lib
, fetchurl
, findutils
, pkgsStatic
, python3
, removeReferencesTo
, runCommand
}:
let
inherit (pkgsStatic)
bashInteractive
busybox
cacert
openssl
;
bash = bashInteractive;
# Get nix from Hydra because the nixpkgs one is not fully static
nixStaticBin = fetchurl {
url = "https://hydra.nixos.org/build/305222051/download/1/nix";
hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
};
nixSymlinks = [
"nix-build"
"nix-channel"
"nix-collect-garbage"
"nix-copy-closure"
"nix-daemon"
"nix-env"
"nix-hash"
"nix-instantiate"
"nix-prefetch-url"
"nix-shell"
"nix-store"
];
dirs = [
"bin"
"etc/ssl/certs"
"root"
"tmp"
"usr"
];
extraCommands = ''
rm_ref() {
${removeReferencesTo}/bin/remove-references-to "$@"
}
# Create a FHS-like file structure
cp -r ${../nix/root}/* .
chmod +w etc
mkdir -p ${toString dirs}
# For /usr/bin/env
ln -s ../bin usr/bin
# Make sure /tmp has the right permissions
chmod 1777 tmp
# Add user home folder
mkdir home
# Add SSL CA certs
cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
# Install base binaries
cp -a ${busybox}/bin/* bin/
rm_ref -t ${busybox} bin/busybox
# Install shell
cp -a ${bash}/bin/bash bin/
rm_ref -t ${bash} bin/bash
# Install nix
cp -a ${nixStaticBin} bin/nix
chmod +x bin/nix
for sym in ${toString nixSymlinks}; do
ln -sv /bin/nix bin/$sym
done
mkdir -p libexec/nix
ln -s /bin/nix libexec/nix/build-remote
# Enable flakes and parallel building
mkdir -p etc/nix
cat <<NIX_CONFIG > etc/nix/nix.conf
accept-flake-config = true
experimental-features = nix-command flakes
max-jobs = auto
NIX_CONFIG
# Add run-as-user script
cp -a ${./run_as_user.sh} run_as_user.sh
'';
# To debug
unpacked = runCommand
"unpacked"
{ buildInputs = [ python3 ]; }
''
mkdir layer
pushd layer
${extraCommands}
popd
mv layer $out
'';
image = dockerTools.buildImage {
name = "nix-static";
inherit extraCommands;
config = {
Cmd = [ "/bin/bash" ];
Env = [
"NIX_BUILD_SHELL=/bin/bash"
"PAGER=cat"
"PATH=/bin"
"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
];
};
};
in
image // {
passthru = image.passthru // { inherit unpacked; };
meta = image.meta // {
description = "Nix but statically built";
};
}

28
images/nix-unstable-static/docker-nix-user.sh
View File

@@ -1,28 +0,0 @@
#!/usr/bin/env bash
#
# Run nixpkgs/nix-unstable-static as the current user and the host /nix/store.
#
# Usage: docker-nix-user.sh [<command> ...<args>]
#
set -euo pipefail
image=nixpkgs/nix-unstable-static
options=(
-ti
# Remove the container on exit
--rm
-e NIX_PATH="nixpkgs=channel:nixos-22.05"
# Used by /run_as_user.sh
-e user_id="$(id -u)"
-e user_name="$(id -nu)"
-e group_id="$(id -g)"
-e group_name="$(id -ng)"
# Use the host store
-v /nix:/nix
# Mount the code into the container
-v "$PWD:/workspace"
-w /workspace
--entrypoint /run_as_user.sh
)
exec docker run "${options[@]}" "$image" "$@"

29
images/nix-unstable-static/run_as_user.sh
View File

@@ -1,29 +0,0 @@
#!/bin/sh -eu
#
# This script can be used as an entrypoint. It's used to synchronize and run
# the container with the same user and group as the host user.
#
# Usage:
# user_id=$(id -u) user_name=$(id -un) \
# group_id=$(id -g) group_name=$(id -gn) \
# ./run_as_user.sh [<command> ...<args>]
#
# shellcheck disable=SC2154
# Install the host user and group into the container
delgroup "${group_name}" 2>/dev/null || true
deluser "${user_name}" 2>/dev/null || true
addgroup -g "${group_id}" "${group_name}"
adduser -D -G "${group_name}" -u "${user_id}" "${user_name}"
# Don't propagate those env vars
user=${user_name}
unset user_id user_name group_id group_name
# Change into the user
if [ $# = 0 ]; then
exec su "${user}"
else
exec su "${user}" -c /bin/sh /bin/sh -c "exec \"\$@\"" "$@"
fi

4
images/nix-unstable/default.nix
View File

@@ -1,6 +1,6 @@
{ docker-nixpkgs { docker-nixpkgs
, pkgs , nixUnstable
}: }:
docker-nixpkgs.nix.override { docker-nixpkgs.nix.override {
nix = pkgs.nixVersions.latest; nix = nixUnstable;
} }

89
images/nix/default.nix
View File

@@ -1,66 +1,27 @@
{ dockerTools { path, lib, nix }:
, bashInteractive
, cacert
, coreutils
, curl
, gitReallyMinimal
, gnutar
, gzip
, iana-etc
, nix
, openssh
, xz
, extraContents ? [ ]
, extraEnv ? [ ]
}:
let let
image = dockerTools.buildImageWithNixDb { channel =
inherit (nix) name; builtins.replaceStrings
["\n"]
contents = [ [""]
./root "nixos-${builtins.readFile "${path}/.version"}";
coreutils
# add /bin/sh
bashInteractive
nix
# runtime dependencies of nix
cacert
gitReallyMinimal
gnutar
gzip
openssh
xz
# for haskell binaries
iana-etc
] ++ extraContents;
extraCommands = ''
# for /usr/bin/env
mkdir usr
ln -s ../bin usr/bin
# make sure /tmp exists
mkdir -m 1777 tmp
# need a HOME
mkdir -vp root
'';
config = {
Cmd = [ "/bin/bash" ];
Env = [
"ENV=/etc/profile.d/nix.sh"
"BASH_ENV=/etc/profile.d/nix.sh"
"NIX_BUILD_SHELL=/bin/bash"
"NIX_PATH=nixpkgs=${./fake_nixpkgs}"
"PAGER=cat"
"PATH=/usr/bin:/bin"
"SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
"USER=root"
] ++ extraEnv;
};
};
in in
image // { meta = nix.meta // image.meta; } lib.makeImage {
image = {
name = "nix";
tag = "latest";
run = ''
chmod u+w root
echo 'https://nixos.org/channels/${channel} nixpkgs' > root/.nix-channels
'';
interactive = true;
};
environment.systemPackages = [ nix ];
nix = {
enable = true;
useSandbox = false;
package = nix;
};
}

10
images/nix/fake_nixpkgs/default.nix
View File

@@ -1,10 +0,0 @@
_:
throw ''
This container doesn't include nixpkgs.
The best way to work around that is to pin your dependencies. See
https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
Or if you must, override the NIX_PATH environment variable with eg:
"NIX_PATH=nixpkgs=channel:nixos-unstable"
''

6
images/pocket-id/default.nix
View File

@@ -1,6 +0,0 @@
{ buildCLIImage
, pocket-id
}:
buildCLIImage {
drv = pocket-id;
}

6
images/yarr/default.nix
View File

@@ -1,6 +0,0 @@
{ buildCLIImage
, yarr
}:
buildCLIImage {
drv = yarr;
}

9
lib/buildCLIImage.nix
View File

@@ -3,9 +3,8 @@
, cacert , cacert
}: }:
{ drv # derivation to build the image for { drv # derivation to build the image for
# Name of the binary to run by default # Name of the binary to run by default
, binName ? (builtins.parseDrvName drv.name).name , binName ? (builtins.parseDrvName drv.name).name
, extraContents ? [ ]
, meta ? drv.meta , meta ? drv.meta
}: }:
let let
@@ -18,7 +17,7 @@ let
# most program need TLS certs # most program need TLS certs
cacert cacert
drv drv
] ++ extraContents; ];
config = { config = {
Cmd = [ "/bin/${binName}" ]; Cmd = [ "/bin/${binName}" ];
@@ -28,10 +27,10 @@ let
]; ];
Labels = { Labels = {
# https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33 # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
"org.label-schema.vcs-ref" = "main"; "org.label-schema.vcs-ref" = "master";
"org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs"; "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
}; };
}; };
}; };
in in
image // { meta = meta // image.meta; } image // { meta = meta // image.meta; }

10
lib/importDir.nix
View File

@@ -4,11 +4,9 @@ importFn: baseDir:
let let
dirEntries = dirEntries =
builtins.attrNames builtins.attrNames
( (lib.filterAttrs
lib.filterAttrs (k: v: v == "directory")
(k: v: v == "directory") (builtins.readDir baseDir));
(builtins.readDir baseDir)
);
absDirs = absDirs =
builtins.map builtins.map
@@ -20,4 +18,4 @@ let
(dir: { name = builtins.baseNameOf dir; value = importFn dir; }) (dir: { name = builtins.baseNameOf dir; value = importFn dir; })
absDirs; absDirs;
in in
builtins.listToAttrs imports builtins.listToAttrs imports

111
lib/mkUserEnvironment.nix
View File

@@ -1,111 +0,0 @@
{ writeText, lib }:
# Build a user environment purely with nix.
#
# The original implementation is a mix of C++ and nix code.
#
# See https://github.com/nixos/nix/blob/f4b94958543138671bc3641fc126589a5cffb24b/src/nix-env/user-env.cc
#
# TODO:
# * also add the drvPath if the keepDerivations nix settings is set
# * support "disabled" mode that breaks nix-env?
# * remove the use of writeText. builtins.toFile forbits the use of references
# to derivations, which makes it impossible to create exactly the same
# manifest file as `nix-env`.
#
# Arguments:
# * derivations: a list of derivations
{
# A list of derivations to install
derivations
}:
# Supporting code
with builtins;
let
# Copied from https://github.com/nixos/nix/blob/e02481ded216ffb5b06b413e3695d4e11e62e02f/corepkgs/buildenv.nix
#
# This was available at <nix/buildenv.nix>, until it got removed in Nix.
buildenv = { derivations, manifest }:
derivation {
name = "user-environment";
system = "builtin";
builder = "builtin:buildenv";
inherit manifest;
# !!! grmbl, need structured data for passing this in a clean way.
derivations =
map
(d:
[
(d.meta.active or "true")
(d.meta.priority or 5)
(builtins.length d.outputs)
] ++ map (output: builtins.getAttr output d) d.outputs)
derivations;
# Building user environments remotely just causes huge amounts of
# network traffic, so don't do that.
preferLocalBuild = true;
# Also don't bother substituting.
allowSubstitutes = false;
};
# back-compat
isPath = builtins.isPath or (x: builtins.typeOf x == "path");
# Escape Nix strings
stringEscape = str:
"\"" + (
replaceStrings
[ "\\" "\"" "\n" "\r" "\t" ]
[ "\\\\" "\\" "\\n" "\\r" "\\t" ]
str
)
+ "\"";
# Like builtins.JSON but to output Nix code
toNix = value:
if isString value then stringEscape value
else if isInt value then toString value
else if isPath value then toString value
else if true == value then "true"
else if false == value then "false"
else if null == value then "null"
else if isAttrs value then
"{ " + concatStringsSep " " (lib.mapAttrsToList (k: v: "${k} = ${toNix v};") value) + " }"
else if isList value then
"[ ${ concatStringsSep " " (map toNix value) } ]"
else throw "type ${typeOf value} not supported";
# Generate a nix-env compatible manifest.nix file
genManifest = drv:
let
outputs =
drv.meta.outputsToInstall or
# install the first output
[ (head drv.outputs) ];
base = {
inherit (drv) meta name outPath system type;
out = { inherit (drv) outPath; };
inherit outputs;
};
toOut = name: {
outPath = drv.${name}.outPath;
};
outs = lib.genAttrs outputs toOut;
in
base // outs;
writeManifest = derivations:
writeText "env-manifest.nix" (
toNix (map genManifest derivations)
);
in
buildenv {
inherit derivations;
manifest = writeManifest derivations;
}

13
nix/sources.json Normal file
View File

@@ -0,0 +1,13 @@
{
"nix-container-images": {
"url": "https://github.com/cloudwatt/nix-container-images/archive/cf1dbb827946b22a36d0eeb64a0e062d5e7cba53.tar.gz",
"owner": "cloudwatt",
"branch": "master",
"url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz",
"repo": "nix-container-images",
"type": "tarball",
"sha256": "0svfqzp91qrx82w5wy0ax8vx54mqa1hgipbb1jbd96wqxhbxwgsl",
"description": "Write container images as NixOS machines",
"rev": "cf1dbb827946b22a36d0eeb64a0e062d5e7cba53"
}
}

67
nix/sources.nix Normal file
View File

@@ -0,0 +1,67 @@
# This file has been generated by Niv.
# A record, from name to path, of the third-party packages
with rec
{
pkgs =
if hasNixpkgsPath
then
if hasThisAsNixpkgsPath
then import (builtins_fetchTarball { inherit (sources_nixpkgs) url sha256; }) {}
else import <nixpkgs> {}
else
import (builtins_fetchTarball { inherit (sources_nixpkgs) url sha256; }) {};
sources_nixpkgs =
if builtins.hasAttr "nixpkgs" sources
then sources.nixpkgs
else abort
''
Please specify either <nixpkgs> (through -I or NIX_PATH=nixpkgs=...) or
add a package called "nixpkgs" to your sources.json.
'';
builtins_fetchTarball =
# fetchTarball version that is compatible between all the versions of
# Nix
{ url, sha256 }@attrs:
let
inherit (builtins) lessThan nixVersion fetchTarball;
in
if lessThan nixVersion "1.12" then
fetchTarball { inherit url; }
else
fetchTarball attrs;
hasNixpkgsPath = (builtins.tryEval <nixpkgs>).success;
hasThisAsNixpkgsPath =
(builtins.tryEval <nixpkgs>).success && <nixpkgs> == ./.;
sources = builtins.fromJSON (builtins.readFile ./sources.json);
mapAttrs = builtins.mapAttrs or
(f: set: with builtins;
listToAttrs (map (attr: { name = attr; value = f attr set.${attr}; }) (attrNames set)));
getFetcher = spec:
let fetcherName =
if builtins.hasAttr "type" spec
then builtins.getAttr "type" spec
else "tarball";
in builtins.getAttr fetcherName {
"tarball" = pkgs.fetchzip;
"file" = pkgs.fetchurl;
};
};
# NOTE: spec must _not_ have an "outPath" attribute
mapAttrs (_: spec:
if builtins.hasAttr "outPath" spec
then abort
"The values in sources.json should not have an 'outPath' attribute"
else
if builtins.hasAttr "url" spec && builtins.hasAttr "sha256" spec
then
spec //
{ outPath = getFetcher spec { inherit (spec) url sha256; } ; }
else spec
) sources

29
overlay.nix
View File

@@ -1,32 +1,11 @@
_: pkgs: _: pkgs: let
let
importDir = import ./lib/importDir.nix { importDir = import ./lib/importDir.nix {
inherit (pkgs) lib; inherit (pkgs) lib;
}; };
in in {
{
# builder stuff can be in the top-level # builder stuff can be in the top-level
buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix { }; buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix {};
# docker images must be lower-cased # docker images must be lower-cased
docker-nixpkgs = importDir (path: pkgs.callPackage path { }) ./images; docker-nixpkgs = importDir (path: pkgs.callPackage path {}) ./images;
# used to build nix-env compatible user environments
mkUserEnvironment = pkgs.callPackage ./lib/mkUserEnvironment.nix { };
# gitMinimal still ships with perl and python
gitReallyMinimal = (
pkgs.git.override {
perlSupport = false;
pythonSupport = false;
withManual = false;
withpcre2 = false;
}
).overrideAttrs (
_: {
# installCheck is broken when perl is disabled
doInstallCheck = false;
}
);
} }

10
pkgs.nix
View File

@@ -1,10 +0,0 @@
system:
# docker images run on Linux
assert builtins.elem system ["x86_64-linux" "aarch64-linux"];
import <nixpkgs> {
config = { };
inherit system;
overlays = [
(import ./overlay.nix)
];
}

9
push-all
View File

@@ -6,18 +6,15 @@ set -euo pipefail
registry=${1:-docker.io} registry=${1:-docker.io}
image_prefix=${2:-nixpkgs} image_prefix=${2:-nixpkgs}
image_tag=${3:-latest} image_tag=${3:-latest}
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json) releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
echo "=== Pushing images to $registry" echo "=== Pushing images to $registry"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
file=$(echo "$releases_json" | jq -r ".\"$attr\"") file=$(echo "$releases_json" | jq -r ".\"$attr\"")
src=docker-archive://$file echo "--- $attr -> $file"
dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name} skopeo copy "docker-archive://$file" "docker://$registry/$image_prefix/$attr:$image_tag"
echo "--- attr=$attr src=$src dst=$dst"
skopeo copy --insecure-policy "$src" "$dst"
done done
echo OK echo OK

20
readme-image-matrix
View File

@@ -1,20 +0,0 @@
#!/usr/bin/env bash
#
# Usage: ./dockerhub-image-matrix
set -euo pipefail
system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
## Main ##
releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
echo "| Image / Tag | Pull |"
echo "| --- | --- |"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
name=nixpkgs/$attr
echo -n "| [$name](https://hub.docker.com/r/$name)"
echo -n "| \`docker pull docker.nix-community.org/$name\` "
echo "|"
done

4
release.nix Normal file
View File

@@ -0,0 +1,4 @@
let
pkgs = import ./. {};
in
pkgs.docker-nixpkgs

11
shell.nix
View File

@@ -1,20 +1,13 @@
let { nixpkgs ? <nixpkgs> }@args:
nixpkgs = builtins.fetchTarball "channel:nixos-23.11"; with import ./. args;
pkgs = import nixpkgs { config = { }; overlays = [ ]; };
in
with pkgs;
mkShell { mkShell {
buildInputs = [ buildInputs = [
dive
jq jq
skopeo skopeo
podman
] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh; ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
shellHook = '' shellHook = ''
# try to work aroud build issues # try to work aroud build issues
unset TMPDIR unset TMPDIR
export NIX_PATH=nixpkgs=${toString nixpkgs}
''; '';
} }