nix-unstable-static: bump nix

.github/workflows/nix.yml

@@ -18,12 +18,11 @@ jobs:
           - nixos-unstable
           - nixos-22.11
           - nixos-23.05
-    runs-on: native
+    runs-on: ubuntu-latest
-    container: pjjw/nix-flake-runner:1
     steps:
       - uses: actions/checkout@v3
+      - uses: cachix/install-nix-action@v22
       - run: nix-shell --run ./ci.sh
         env:
-          CI_PROJECT_PATH: pjjw
           CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
           NIXPKGS_CHANNEL: '${{ matrix.channel }}'

images/nix-unstable-static/default.nix

@@ -6,21 +6,20 @@
 , python3
 , removeReferencesTo
 , runCommand
+, buildPackages
 }:
 let
   inherit (pkgsStatic)
     bashInteractive
     busybox
-    cacert
+    cacert;
-    openssl
-    ;
 
   bash = bashInteractive;
 
   # Get nix from Hydra because the nixpkgs one is not fully static
   nixStaticBin = fetchurl {
-    url = "https://hydra.nixos.org/build/181573550/download/1/nix";
+    url = "https://hydra.nixos.org/build/228458395/download/1/nix";
-    hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
+    hash = "sha256-H361lUdMpBpBVwInBmpAXKAwjPIf740Jg9Nht0NV66s=";
   };
 
   nixSymlinks = [
@@ -64,6 +63,11 @@ let
     # Add user home folder
     mkdir home
 
+    # Create an unpriveleged user that we can use also without the run-as-user.sh script
+    chmod +w $PWD/etc/group $PWD/etc/passwd
+    ${buildPackages.shadow}/bin/groupadd --prefix $PWD -g 9000 nixuser
+    ${buildPackages.shadow}/bin/useradd --prefix $PWD -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
+
     # Add SSL CA certs
     cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
 
@@ -117,7 +121,8 @@ let
       Env = [
         "NIX_BUILD_SHELL=/bin/bash"
         "PAGER=cat"
-        "PATH=/bin"
+        # /host/bin can be used to extend the image with additional binaries
+        "PATH=/bin:/host/bin"
         "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
       ];
     };