ci: rename default branch from master to main

Closes #100

Co-authored-by: Jan Christoph Bischko <jbischko@barracuda.com>

.github/workflows/nix.yml

@@ -2,12 +2,13 @@ name: Nix
 on:
   push:
     branches:
-      - master
+      - main
   pull_request:
   workflow_dispatch:
   schedule:
     # Run once per day
     - cron: '0 0 * * *'
+
 jobs:
   build:
     strategy:
@@ -16,13 +17,66 @@ jobs:
       matrix:
         channel:
           - nixos-unstable
-          - nixos-22.11
-          - nixos-23.05
+          - nixos-25.05
+          - nixos-25.11
+        system:
+          - aarch64-linux
+          - x86_64-linux
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      packages: write
+
+    steps:
+      - uses: actions/checkout@v6
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm64
+      - uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-platforms = aarch64-linux
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - name: Push to Docker Hub
+        run: nix-shell --run ./ci.sh
+        env:
+          CI_PROJECT_PATH: 'nixpkgs'
+          CI_REGISTRY: 'docker.io'
+          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
+          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
+          NIX_SYSTEM_NAME: '${{ matrix.system }}'
+
+      - name: Push to GitHub Pages
+        run: nix-shell --run ./ci.sh
+        env:
+          CI_PROJECT_PATH: 'nix-community/docker-nixpkgs'
+          CI_REGISTRY: 'ghcr.io'
+          CI_REGISTRY_AUTH: '${{ github.actor }}:${{ secrets.GITHUB_TOKEN }}'
+          NIXPKGS_CHANNEL: '${{ matrix.channel }}'
+          NIX_SYSTEM_NAME: '${{ matrix.system }}'
+
+  push-manifest:
+    needs: [build]
+    strategy:
+      fail-fast: false
+      matrix:
+        channel:
+          - nixos-unstable
+          - nixos-25.05
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
-      - uses: cachix/install-nix-action@v22
-      - run: nix-shell --run ./ci.sh
+      - uses: actions/checkout@v6
+      - uses: DeterminateSystems/nix-installer-action@main
+        with:
+          extra-conf: |
+            extra-platforms = aarch64-linux
+      - uses: DeterminateSystems/magic-nix-cache-action@main
+
+      - run: nix-shell --run ./ci-manifests.sh
         env:
           CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
           NIXPKGS_CHANNEL: '${{ matrix.channel }}'
+          NIX_SYSTEM_NAME: '${{ matrix.system }}'

.gitlab-ci.yml

@@ -3,12 +3,12 @@ stages:
 
 build:
   stage: build
-  image: nixpkgs/nix:nixos-22.11
+  image: nixpkgs/nix:nixos-25.05
   script: nix-shell --run ./ci.sh
   parallel:
     matrix:
       - NIXPKGS_CHANNEL: nixos-unstable
         IMAGE_TAG: latest
       - NIXPKGS_CHANNEL:
-          - nixos-22.11
-          - nixos-23.05
+          - nixos-25.05
+          - nixos-25.11

README.md

@@ -39,8 +39,8 @@ nixpkgs channel describes.
 
 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
-| nixos-23.05    | nixos-23.05 | only minor versions that include security updates |
+| nixos-25.05    | nixos-25.05 | only minor versions that include security updates |
+| nixos-25.11    | nixos-25.11 | only minor versions that include security updates |
 | nixos-unstable | latest      | latest and greatest, major versions might change  |
 
 ## List of images
@@ -52,9 +52,11 @@ All images are automatically built and published to Docker Hub, and served
 on our custom domain, courtesy of [Scarf](https://scarf.sh).
 
 `> ./readme-image-matrix`
+
 <!-- BEGIN mdsh -->
 | Image / Tag | Pull |
 | ---         | ---  |
+| [nixpkgs/attic](https://hub.docker.com/r/nixpkgs/attic)| `docker pull docker.nix-community.org/nixpkgs/attic` |
 | [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |
 | [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |
 | [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |
@@ -62,15 +64,19 @@ on our custom domain, courtesy of [Scarf](https://scarf.sh).
 | [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |
 | [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |
 | [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |
+| [nixpkgs/devenv](https://hub.docker.com/r/nixpkgs/devenv)| `docker pull docker.nix-community.org/nixpkgs/devenv` |
 | [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
 | [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
 | [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
 | [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
+| [nixpkgs/maddy](https://hub.docker.com/r/nixpkgs/maddy)| `docker pull docker.nix-community.org/nixpkgs/maddy` |
 | [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
 | [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
 | [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
 | [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
 | [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
+| [nixpkgs/pocket-id](https://hub.docker.com/r/nixpkgs/pocket-id)| `docker pull docker.nix-community.org/nixpkgs/pocket-id` |
+| [nixpkgs/yarr](https://hub.docker.com/r/nixpkgs/yarr)| `docker pull docker.nix-community.org/nixpkgs/yarr` |
 <!-- END mdsh -->
 ## Adding new images
 

ci-manifests.sh

@@ -0,0 +1,39 @@
+#!/usr/bin/env bash
+#
+# CI specific build script.
+#
+set -euo pipefail
+
+channel=${NIXPKGS_CHANNEL:-nixos-unstable}
+registry=${CI_REGISTRY:-docker.io}
+registry_auth=${CI_REGISTRY_AUTH:-}
+image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+
+if [[ $channel == nixos-unstable ]]; then
+  image_tag=latest
+else
+  image_tag=$channel
+fi
+
+export NIX_PATH=channel:$channel
+
+banner() {
+  echo "========================================================"
+  echo "  $*"
+  echo "========================================================"
+}
+
+cd "$(dirname "$0")"
+
+if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
+  banner "Skipping push on non-main branch"
+  exit
+fi
+
+if [[ -n "${registry_auth}" ]]; then
+  banner "docker login"
+  ./docker-login "$registry_auth" "$registry"
+fi
+
+banner "generate manifests"
+./generate-manifests "$registry" "$image_prefix" "$image_tag"

ci.sh

@@ -8,6 +8,7 @@ channel=${NIXPKGS_CHANNEL:-nixos-unstable}
 registry=${CI_REGISTRY:-docker.io}
 registry_auth=${CI_REGISTRY_AUTH:-}
 image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 
 if [[ $channel == nixos-unstable ]]; then
   image_tag=latest
@@ -30,9 +31,10 @@ banner "Building images"
 nix-build \
   --no-out-link \
   --option sandbox true \
+  --argstr system "$system_name"
 
-if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
-  banner "Skipping push on non-master branch"
+if [[ $(git rev-parse --abbrev-ref HEAD) != main ]]; then
+  banner "Skipping push on non-main branch"
   exit
 fi
 

default.nix

@@ -1,4 +1,14 @@
-let
-  pkgs = import ./pkgs.nix;
+{
+  system ? builtins.currentSystem
+}: let
+  _parts = builtins.split "-" system;
+  arch = builtins.elemAt _parts 0;
+  os = builtins.elemAt _parts 2;
+  system' =
+    if os == "darwin"
+    then "${arch}-linux"
+    else system;
+  pkgs =
+    import ./pkgs.nix system';
 in
 pkgs.docker-nixpkgs

dockerhub-metadata

@@ -8,9 +8,10 @@ set -euo pipefail
 
 user=$1
 org=${2:-nixpkgs}
+system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 
 nix_eval() {
-  nix-instantiate --strict --eval --json "$@"
+  nix-instantiate --strict --eval --argstr system "$system_name" --json "$@"
 }
 
 releases_json=$(nix_eval)

generate-manifests

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+#
+# Usage: ./push-all <registry> <image-prefix> <image-tag>
+set -euo pipefail
+
+registry=${1:-docker.io}
+image_prefix=${2:-nixpkgs}
+image_tag=${3:-latest}
+system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
+
+releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
+
+echo "=== Generating manifests for $registry"
+
+for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
+  repository=$registry/$image_prefix/$attr
+  target_image=${repository}:${image_tag}
+  echo "--- attr=$attr target=$target_image"
+  podman manifest create "$target_image"
+  podman manifest add "$target_image" "docker://$repository:${image_tag}-x86_64-linux"
+  podman manifest add "$target_image" "docker://$repository:${image_tag}-aarch64-linux"
+  podman manifest push --all "$target_image" "docker://$target_image"
+done
+
+echo OK

images/attic/default.nix

@@ -0,0 +1,10 @@
+{ docker-nixpkgs
+, attic-client
+}:
+(docker-nixpkgs.nix.override {
+  extraContents = [ attic-client ];
+}).overrideAttrs (prev: {
+  meta = (prev.meta or { }) // {
+    description = "Nix and Attic client image";
+  };
+})

images/devcontainer/default.nix

@@ -14,7 +14,7 @@
 , gnutar
 , gzip
 , iana-etc
-, iproute
+, iproute2
 , less
 , lib
 , nix
@@ -42,7 +42,11 @@ let
       nix
 
       # runtime dependencies of nix
-      cacert
+      # HACK: don't include the "hashed" output. It has overlapping files with
+      #       the "unbundled" output, and that breaks the build.
+      (cacert // {
+        outputs = builtins.filter (x: x != "hashed") cacert.outputs;
+      })
       gitReallyMinimal
       gnutar
       gzip
@@ -61,7 +65,7 @@ let
       (gcc-unwrapped // {
         outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
       })
-      iproute
+      iproute2
     ];
   };
 
@@ -126,7 +130,7 @@ let
       ];
       Labels = {
         # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "master";
+        "org.label-schema.vcs-ref" = "main";
         "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
       };
     };

images/devenv/default.nix

@@ -0,0 +1,11 @@
+{ docker-nixpkgs
+, devenv ? null
+}:
+(docker-nixpkgs.nix.override {
+  # only available since 24.05
+  extraContents = [ devenv ];
+}).overrideAttrs (prev: {
+  meta = (prev.meta or { }) // {
+    description = "Nix and devenv image";
+  };
+})

images/maddy/default.nix

@@ -0,0 +1,6 @@
+{ buildCLIImage
+, maddy
+}:
+buildCLIImage {
+  drv = maddy;
+}

images/nix-flakes/default.nix

@@ -1,10 +1,10 @@
 { docker-nixpkgs
-, nixFlakes
+, nixVersions
 , writeTextFile
 , extraContents ? [ ]
 }:
 docker-nixpkgs.nix.override {
-  nix = nixFlakes;
+  nix = nixVersions.stable;
   extraContents = [
     (writeTextFile {
       name = "nix.conf";
@@ -12,7 +12,12 @@ docker-nixpkgs.nix.override {
       text = ''
         accept-flake-config = true
         experimental-features = nix-command flakes
+        max-jobs = auto
       '';
     })
   ] ++ extraContents;
+
+  extraEnv = [
+    "PATH=/root/.nix-profile/bin:/usr/bin:/bin" # Not sure how to just prepend
+  ];
 }

images/nix-unstable-static/default.nix

@@ -19,8 +19,8 @@ let
 
   # Get nix from Hydra because the nixpkgs one is not fully static
   nixStaticBin = fetchurl {
-    url = "https://hydra.nixos.org/build/181573550/download/1/nix";
-    hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
+    url = "https://hydra.nixos.org/build/305222051/download/1/nix";
+    hash = "sha256-OahnvQ/OKnRhbXaIJ7iEQYu86ECGtUqwW8XrryVkXaM=";
   };
 
   nixSymlinks = [
@@ -84,11 +84,12 @@ let
     mkdir -p libexec/nix
     ln -s /bin/nix libexec/nix/build-remote
 
-    # Enable flakes
+    # Enable flakes and parallel building
     mkdir -p etc/nix
     cat <<NIX_CONFIG > etc/nix/nix.conf
     accept-flake-config = true
     experimental-features = nix-command flakes
+    max-jobs = auto
     NIX_CONFIG
 
     # Add run-as-user script

images/nix-unstable/default.nix

@@ -1,6 +1,6 @@
 { docker-nixpkgs
-, nixUnstable
+, pkgs
 }:
 docker-nixpkgs.nix.override {
-  nix = nixUnstable;
+  nix = pkgs.nixVersions.latest;
 }

images/nix/default.nix

@@ -11,6 +11,7 @@
 , openssh
 , xz
 , extraContents ? [ ]
+, extraEnv ? [ ]
 }:
 let
   image = dockerTools.buildImageWithNixDb {
@@ -58,7 +59,7 @@ let
         "PATH=/usr/bin:/bin"
         "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
         "USER=root"
-      ];
+      ] ++ extraEnv;
     };
   };
 in

images/nix/fake_nixpkgs/default.nix

@@ -3,7 +3,7 @@ throw ''
   This container doesn't include nixpkgs.
 
   The best way to work around that is to pin your dependencies. See
-    https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
+    https://nix.dev/tutorials/first-steps/towards-reproducibility-pinning-nixpkgs.html
 
   Or if you must, override the NIX_PATH environment variable with eg:
     "NIX_PATH=nixpkgs=channel:nixos-unstable"

images/pocket-id/default.nix

@@ -0,0 +1,6 @@
+{ buildCLIImage
+, pocket-id
+}:
+buildCLIImage {
+  drv = pocket-id;
+}

images/yarr/default.nix

@@ -0,0 +1,6 @@
+{ buildCLIImage
+, yarr
+}:
+buildCLIImage {
+  drv = yarr;
+}

lib/buildCLIImage.nix

@@ -28,7 +28,7 @@ let
       ];
       Labels = {
         # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
-        "org.label-schema.vcs-ref" = "master";
+        "org.label-schema.vcs-ref" = "main";
         "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
       };
     };

pkgs.nix

@@ -1,7 +1,9 @@
+system:
+# docker images run on Linux
+assert builtins.elem system ["x86_64-linux" "aarch64-linux"];
 import <nixpkgs> {
-  # docker images run on Linux
-  system = "x86_64-linux";
   config = { };
+  inherit system;
   overlays = [
     (import ./overlay.nix)
   ];

push-all

@@ -6,15 +6,16 @@ set -euo pipefail
 registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
+system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
 
-releases_json=$(nix-instantiate --strict --eval --json)
+releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
 
 echo "=== Pushing images to $registry"
 
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
   file=$(echo "$releases_json" | jq -r ".\"$attr\"")
   src=docker-archive://$file
-  dst=docker://$registry/$image_prefix/$attr:$image_tag
+  dst=docker://$registry/$image_prefix/$attr:${image_tag}-${system_name}
   echo "--- attr=$attr src=$src dst=$dst"
   skopeo copy --insecure-policy "$src" "$dst"
 done

readme-image-matrix

@@ -3,9 +3,11 @@
 # Usage: ./dockerhub-image-matrix
 set -euo pipefail
 
+system_name=${NIX_SYSTEM_NAME:-x86_64-linux}
+
 ## Main ##
 
-releases_json=$(nix-instantiate --strict --eval --json)
+releases_json=$(nix-instantiate --strict --argstr system "$system_name" --eval --json)
 
 echo "| Image / Tag | Pull |"
 echo "| ---         | ---  |"

shell.nix

@@ -1,5 +1,5 @@
 let
-  nixpkgs = builtins.fetchTarball "channel:nixos-22.05";
+  nixpkgs = builtins.fetchTarball "channel:nixos-23.11";
   pkgs = import nixpkgs { config = { }; overlays = [ ]; };
 in
 with pkgs;
@@ -8,6 +8,7 @@ mkShell {
     dive
     jq
     skopeo
+    podman
   ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
 
   shellHook = ''