nix-unstable-static: bump nix

nix-unstable-static: add a PATH entry that can be used to bind mount more binaries into the system
nix-unstable-static: add an unprivileged nix user that can be used without entrypoint
2026-01-12 04:40:42 -05:00 · 2023-07-20 12:59:44 +02:00 · 2023-07-20 12:59:36 +02:00 · 2023-07-20 12:59:36 +02:00 · 2023-07-20 12:21:18 +02:00
24 changed files with 45 additions and 233 deletions
--- a/.github/workflows/nix.yml
+++ b/.github/workflows/nix.yml
@@ -2,13 +2,12 @@ name: Nix
 on:
  push:
    branches:
-      - main
+      - master
  pull_request:
  workflow_dispatch:
  schedule:
    # Run once per day
    - cron: '0 0 * * *'
 jobs:
  build:
    strategy:
@@ -17,66 +16,13 @@ jobs:
      matrix:
        channel:
          - nixos-unstable
-          - nixos-25.05
+          - nixos-22.11
-          - nixos-25.11
+          - nixos-23.05
        system:
          - aarch64-linux
          - x86_64-linux
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - uses: actions/checkout@v6
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
        with:
          platforms: arm64
      - uses: DeterminateSystems/nix-installer-action@main
        with:
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - name: Push to Docker Hub
        run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nixpkgs'
          CI_REGISTRY: 'docker.io'
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
      - name: Push to GitHub Pages
        run: nix-shell --run ./ci.sh
        env:
          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
          CI_REGISTRY: 'ghcr.io'
          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
  push-manifest:
    needs: [build]
    strategy:
      fail-fast: false
      matrix:
        channel:
          - nixos-unstable
          - nixos-25.05
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v3
-      - uses: DeterminateSystems/nix-installer-action@main
+      - uses: cachix/install-nix-action@v22
-        with:
+      - run: nix-shell --run ./ci.sh
          extra-conf: |
            extra-platforms = aarch64-linux
      - uses: DeterminateSystems/magic-nix-cache-action@main
      - run: nix-shell --run ./ci-manifests.sh
        env:
          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
          NIX_SYSTEM_NAME: '${{ matrix.system }}'
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -3,12 +3,12 @@ stages:
 build:
  stage: build
-  image: nixpkgs/nix:nixos-25.05
+  image: nixpkgs/nix:nixos-22.11
  script: nix-shell --run ./ci.sh
  parallel:
    matrix:
      - NIXPKGS_CHANNEL: nixos-unstable
        IMAGE_TAG: latest
      - NIXPKGS_CHANNEL:
-          - nixos-25.05
+          - nixos-22.11
-          - nixos-25.11
+          - nixos-23.05
--- a/README.md
+++ b/README.md
@@ -39,8 +39,8 @@ nixpkgs channel describes.
 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-25.05    | nixos-25.05 | only minor versions that include security updates |
+| nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
-| nixos-25.11    | nixos-25.11 | only minor versions that include security updates |
+| nixos-23.05    | nixos-23.05 | only minor versions that include security updates |
 | nixos-unstable | latest      | latest and greatest, major versions might change  |
 ## List of images
@@ -52,11 +52,9 @@ All images are automatically built and published to Docker Hub, and served
 on our custom domain, courtesy of [Scarf](https://scarf.sh).
 `> ./readme-image-matrix`
 <!-- BEGIN mdsh -->
 | Image / Tag | Pull |
 | ---         | ---  |
 | [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` |
 | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |
 | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |
 | [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |
@@ -64,19 +62,15 @@ on our custom domain, courtesy of [Scarf](https://scarf.sh).
 | [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |
 | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |
 | [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |
 | [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |
 | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
 | [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
 | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
 | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
 | [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` |
 | [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
 | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
 | [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
 | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
 | [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
 | [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |
 | [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |
 <!-- END mdsh -->
 ## Adding new images
--- a/ci-manifests.sh
+++ b/ci-manifests.sh
@@ -1,39 +0,0 @@
 #!/usr/bin/env bash
 #
 # CI specific build script.
 #
 set -euo pipefail
 channel=${NIXPKGS_CHANNEL:-nixos-unstable}
 registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
 image_prefix=${CI_PROJECT_PATH:-nixpkgs}
 if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
 else
  image_tag=$channel
 fi
 export NIX_PATH=channel:$channel
 banner() {
  echo "========================================================"
  echo "  $*"
  echo "========================================================"
 }
 cd "$(dirname "$0")"
 if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
  banner "Skipping push on non-main branch"
  exit
 fi
 if [[ -n "${registry_auth}" ]]; then
  banner "docker login"
  ./docker-login "$registry_auth" "$registry"
 fi
 banner "generate manifests"
 ./generate-manifests "$registry" "$image_prefix" "$image_tag"
--- a/ci.sh
+++ b/ci.sh
@@ -8,7 +8,6 @@ channel=${NIXPKGS_CHANNEL:-nixos-unstable}
 registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
 image_prefix=${CI_PROJECT_PATH:-nixpkgs}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 if [[ $channel == nixos-unstable ]]; then
  image_tag=latest
@@ -31,10 +30,9 @@ banner "Building images"
 nix-build \
  --no-out-link \
  --option sandbox true \
  --argstr system "$system_name"
-if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
-  banner "Skipping push on non-main branch"
+  banner "Skipping push on non-master branch"
  exit
 fi
--- a/default.nix
+++ b/default.nix
@@ -1,14 +1,4 @@
-{
+let
-  system ? builtins.currentSystem
+  pkgs = import ./pkgs.nix;
 }: let
  _parts = builtins.split "-" system;
  arch = builtins.elemAt _parts 0;
  os = builtins.elemAt _parts 2;
  system' =
    if os == "darwin"
    then "${arch}-linux"
    else system;
  pkgs =
    import ./pkgs.nix system';
 in
 pkgs.docker-nixpkgs
--- a/3
+++ b/3
@@ -8,10 +8,9 @@ set -euo pipefail
 user=$1
 org=${2:-nixpkgs}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 nix_eval() {
-  nix-instantiate --strict --eval --argstr system "$system_name" --json "$@"
+  nix-instantiate --strict --eval --json "$@"
 }
 releases_json=$(nix_eval)
--- a/25
+++ b/25
@@ -1,25 +0,0 @@
 #!/usr/bin/env bash
 #
 # Usage: ./push-all <registry> <image-prefix> <image-tag>
 set -euo pipefail
 registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
 echo "=== Generating manifests for $registry"
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  repository=$registry/$image_prefix/$attr
  target_image=${repository}:${image_tag}
  echo "--- attr=$attr target=$target_image"
  podman manifest create "$target_image"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
  podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
  podman manifest push --all "$target_image" "docker://$target_image"
 done
 echo OK
--- a/images/attic/default.nix
+++ b/images/attic/default.nix
@@ -1,10 +0,0 @@
 { docker-nixpkgs
 , attic-client
 }:
 (docker-nixpkgs.nix.override {
  extraContents = [ attic-client ];
 }).overrideAttrs (prev: {
  meta = (prev.meta or { }) // {
    description = "Nix and Attic client image";
  };
 })
--- a/images/devcontainer/default.nix
+++ b/images/devcontainer/default.nix
@@ -14,7 +14,7 @@
 , gnutar
 , gzip
 , iana-etc
-, iproute2
+, iproute
 , less
 , lib
 , nix
@@ -42,11 +42,7 @@ let
      nix
      # runtime dependencies of nix
-      # HACK: don't include the "hashed" output. It has overlapping files with
+      cacert
      #       the "unbundled" output, and that breaks the build.
      (cacert // {
        outputs = builtins.filter (x: x != "hashed") cacert.outputs;
      })
      gitReallyMinimal
      gnutar
      gzip
@@ -65,7 +61,7 @@ let
      (gcc-unwrapped // {
        outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
      })
-      iproute2
+      iproute
    ];
  };
@@ -130,7 +126,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/images/devenv/default.nix
+++ b/images/devenv/default.nix
@@ -1,11 +0,0 @@
 { docker-nixpkgs
 , devenv ? null
 }:
 (docker-nixpkgs.nix.override {
  # only available since 24.05
  extraContents = [ devenv ];
 }).overrideAttrs (prev: {
  meta = (prev.meta or { }) // {
    description = "Nix and devenv image";
  };
 })
--- a/images/maddy/default.nix
+++ b/images/maddy/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , maddy
 }:
 buildCLIImage {
  drv = maddy;
 }
--- a/images/nix-flakes/default.nix
+++ b/images/nix-flakes/default.nix
@@ -1,10 +1,10 @@
 { docker-nixpkgs
-, nixVersions
+, nixFlakes
 , writeTextFile
 , extraContents ? [ ]
 }:
 docker-nixpkgs.nix.override {
-  nix = nixVersions.stable;
+  nix = nixFlakes;
  extraContents = [
    (writeTextFile {
      name = "nix.conf";
@@ -12,12 +12,7 @@ docker-nixpkgs.nix.override {
      text = ''
        accept-flake-config = true
        experimental-features = nix-command flakes
        max-jobs = auto
      '';
    })
  ] ++ extraContents;
  extraEnv = [
    "PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
  ];
 }
--- a/images/nix-unstable-static/default.nix
+++ b/images/nix-unstable-static/default.nix
@@ -6,21 +6,20 @@
 , python3
 , removeReferencesTo
 , runCommand
 , buildPackages
 }:
 let
  inherit (pkgsStatic)
    bashInteractive
    busybox
-    cacert
+    cacert;
    openssl
    ;
  bash = bashInteractive;
  # Get nix from Hydra because the nixpkgs one is not fully static
  nixStaticBin = fetchurl {
-    url = "https://hydra.nixos.org/build/305222051/download/1/nix";
+    url = "https://hydra.nixos.org/build/228458395/download/1/nix";
-    hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
+    hash = "sha256-H361lUdMpBpBVwInBmpAXKAwjPIf740Jg9Nht0NV66s=";
  };
  nixSymlinks = [
@@ -64,6 +63,11 @@ let
    # Add user home folder
    mkdir home
    # Create an unpriveleged user that we can use also without the run-as-user.sh script
    chmod +w $PWD/etc/group $PWD/etc/passwd
    ${buildPackages.shadow}/bin/groupadd --prefix $PWD -g 9000 nixuser
    ${buildPackages.shadow}/bin/useradd --prefix $PWD -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
    # Add SSL CA certs
    cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
@@ -84,12 +88,11 @@ let
    mkdir -p libexec/nix
    ln -s /bin/nix libexec/nix/build-remote
-    # Enable flakes and parallel building
+    # Enable flakes
    mkdir -p etc/nix
    cat <<NIX_CONFIG > etc/nix/nix.conf
    accept-flake-config = true
    experimental-features = nix-command flakes
    max-jobs = auto
    NIX_CONFIG
    # Add run-as-user script
@@ -118,7 +121,8 @@ let
      Env = [
        "NIX_BUILD_SHELL=/bin/bash"
        "PAGER=cat"
-        "PATH=/bin"
+        # /host/bin can be used to extend the image with additional binaries
        "PATH=/bin:/host/bin"
        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
      ];
    };
--- a/images/nix-unstable/default.nix
+++ b/images/nix-unstable/default.nix
@@ -1,6 +1,6 @@
 { docker-nixpkgs
-, pkgs
+, nixUnstable
 }:
 docker-nixpkgs.nix.override {
-  nix = pkgs.nixVersions.latest;
+  nix = nixUnstable;
 }
--- a/images/nix/default.nix
+++ b/images/nix/default.nix
@@ -11,7 +11,6 @@
 , openssh
 , xz
 , extraContents ? [ ]
 , extraEnv ? [ ]
 }:
 let
  image = dockerTools.buildImageWithNixDb {
@@ -59,7 +58,7 @@ let
        "PATH=/usr/bin:/bin"
        "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
        "USER=root"
-      ] ++ extraEnv;
+      ];
    };
  };
 in
--- a/images/nix/fake_nixpkgs/default.nix
+++ b/images/nix/fake_nixpkgs/default.nix
@@ -3,7 +3,7 @@ throw ''
  This container doesn't include nixpkgs.
  The best way to work around that is to pin your dependencies. See
-    https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
+    https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
  Or if you must, override the NIX_PATH environment variable with eg:
    "NIX_PATH=nixpkgs=channel:nixos-unstable"
--- a/images/pocket-id/default.nix
+++ b/images/pocket-id/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , pocket-id
 }:
 buildCLIImage {
  drv = pocket-id;
 }
--- a/images/yarr/default.nix
+++ b/images/yarr/default.nix
@@ -1,6 +0,0 @@
 { buildCLIImage
 , yarr
 }:
 buildCLIImage {
  drv = yarr;
 }
--- a/lib/buildCLIImage.nix
+++ b/lib/buildCLIImage.nix
@@ -28,7 +28,7 @@ let
      ];
      Labels = {
        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "main";
+        "org.label-schema.vcs-ref" = "master";
        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
      };
    };
--- a/pkgs.nix
+++ b/pkgs.nix
@@ -1,9 +1,7 @@
 system:
 # docker images run on Linux
 assert builtins.elem system ["x86_64-linux" "aarch64-linux"];
 import <nixpkgs> {
  # docker images run on Linux
  system = "x86_64-linux";
  config = { };
  inherit system;
  overlays = [
    (import ./overlay.nix)
  ];
--- a/5
+++ b/5
@@ -6,16 +6,15 @@ set -euo pipefail
 registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)
 echo "=== Pushing images to $registry"
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
  file=$(echo "$releases_json" | jq -r ".\"$attr\"")
  src=docker-archive://$file
-  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}
+  dst=docker://$registry/$image_prefix/$attr:$image_tag
  echo "--- attr=$attr src=$src dst=$dst"
  skopeo copy --insecure-policy "$src" "$dst"
 done
--- a/4
+++ b/4
@@ -3,11 +3,9 @@
 # Usage: ./dockerhub-image-matrix
 set -euo pipefail
 system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 ## Main ##
-releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)
 echo "| Image / Tag | Pull |"
 echo "| ---         | ---  |"
--- a/shell.nix
+++ b/shell.nix
@@ -1,5 +1,5 @@
 let
-  nixpkgs = builtins.fetchTarball "channel:nixos-23.11";
+  nixpkgs = builtins.fetchTarball "channel:nixos-22.05";
  pkgs = import nixpkgs { config = { }; overlays = [ ]; };
 in
 with pkgs;
@@ -8,7 +8,6 @@ mkShell {
    dive
    jq
    skopeo
    podman
  ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
  shellHook = ''
Author	SHA1	Message	Date
Jörg Thalheim	f5c8f11da0	nix-unstable-static: bump nix	2023-07-20 12:59:44 +02:00
Jörg Thalheim	019b4effa9	nix-unstable-static: add a PATH entry that can be used to bind mount more binaries into the system	2023-07-20 12:59:36 +02:00
Jörg Thalheim	e380dbbda5	nix-unstable-static: add an unprivileged nix user that can be used without entrypoint	2023-07-20 12:59:36 +02:00
Jörg Thalheim	23c51fe60b	nix-unstable-static: drop unused openssl	2023-07-20 12:21:18 +02:00