Merge pull request 'add a nix-flake runner' (#1) from pjjw/nix-flake-runner into master

Reviewed-on: #1

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/nix.yml

@@ -0,0 +1,29 @@
+name: Nix
+on:
+  push:
+    branches:
+      - master
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    # Run once per day
+    - cron: '0 0 * * *'
+jobs:
+  build:
+    strategy:
+      # Keep building the other channels if one fails
+      fail-fast: false
+      matrix:
+        channel:
+          - nixos-unstable
+          - nixos-22.11
+          - nixos-23.05
+    runs-on: native
+    container: pjjw/nix-flake-runner:1
+    steps:
+      - uses: actions/checkout@v3
+      - run: nix-shell --run ./ci.sh
+        env:
+          CI_PROJECT_PATH: pjjw
+          CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
+          NIXPKGS_CHANNEL: '${{ matrix.channel }}'

.gitlab-ci.sh

@@ -1,26 +0,0 @@
-#!/usr/bin/env bash
-#
-# Gitlab CI specific build script.
-#
-set -euo pipefail
-
-./build
-
-# default to the Gitlab registry
-: "${REGISTRY:=$CI_REGISTRY}"
-: "${REGISTRY_USER:=$CI_REGISTRY_USER}"
-: "${REGISTRY_PASSWORD:=$CI_REGISTRY_PASSWORD}"
-: "${IMAGE_PREFIX:=$CI_PROJECT_PATH}"
-
-# IMAGE_TAG is provided by .gitlab-ci.yml
-
-
-if [[ "$CI_COMMIT_REF_NAME" = master ]]; then
-  ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
-  ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
-  if [[ $REGISTRY = *docker.io ]]; then
-    ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
-  fi
-else
-  echo "=== not pushing on non-master ==="
-fi

.gitlab-ci.yml

@@ -1,25 +1,14 @@
-image: nixos/nix:latest
-
 stages:
   - build
 
-nixos-unstable:
+build:
   stage: build
-  script: nix-shell --run ./.gitlab-ci.sh
-  variables:
-    NIX_PATH: nixpkgs=channel:nixos-unstable
-    IMAGE_TAG: latest
-
-nixos-18.09:
-  stage: build
-  script: nix-shell --run ./.gitlab-ci.sh
-  variables:
-    NIX_PATH: nixpkgs=channel:nixos-18.09
-    IMAGE_TAG: nixos-18.09
-
-nixos-19.03:
-  stage: build
-  script: nix-shell --run ./.gitlab-ci.sh
-  variables:
-    NIX_PATH: nixpkgs=channel:nixos-19.03
-    IMAGE_TAG: nixos-19.03
+  image: nixpkgs/nix:nixos-22.11
+  script: nix-shell --run ./ci.sh
+  parallel:
+    matrix:
+      - NIXPKGS_CHANNEL: nixos-unstable
+        IMAGE_TAG: latest
+      - NIXPKGS_CHANNEL:
+          - nixos-22.11
+          - nixos-23.05

.travis.sh

@@ -1,25 +0,0 @@
-#!/usr/bin/env bash
-#
-# Travis CI specific build script
-#
-set -euo pipefail
-
-./build
-
-# default to Docker Hub
-: "${REGISTRY:=docker.io}"
-: "${IMAGE_PREFIX:=nixpkgs}"
-
-# IMAGE_TAG is provided by .travis.yml
-
-# the user has to set REGISTRY_USER and REGISTRY_PASSWORD
-
-if [[ "$TRAVIS_BRANCH" = master && -z "$TRAVIS_PULL_REQUEST_BRANCH" ]]; then
-  ./docker-login "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$REGISTRY"
-  ./push-all "$REGISTRY" "$IMAGE_PREFIX" "$IMAGE_TAG"
-  if [[ $REGISTRY = *docker.io ]]; then
-    ./dockerhub-metadata "$REGISTRY_USER" "$REGISTRY_PASSWORD" "$IMAGE_PREFIX"
-  fi
-else
-  echo "=== not pushing on non-master ==="
-fi

.travis.yml

@@ -1,15 +0,0 @@
-language: nix
-
-nix: 2.2.1
-
-matrix:
-  include:
-  - name: nixos-unstable
-    env: NIX_PATH=nixpkgs=channel:nixos-unstable IMAGE_TAG=latest
-  - name: nixos-18.09
-    env: NIX_PATH=nixpkgs=channel:nixos-18.09 IMAGE_TAG=nixos-18.09
-  - name: nixos-19.03
-    env: NIX_PATH=nixpkgs=channel:nixos-19.03 IMAGE_TAG=nixos-19.03
-
-script:
-  - nix-shell --run ./.travis.sh

README.md

@@ -29,22 +29,6 @@ $ docker run -ti --rm nixpkgs/curl curl http://ifconfig.co
 180.52.248.114
 ```
 
-## List of images
-
-Here is the current list of images that are provided. Missing one? Send an
-[image request](#image-request).
-
-| Image           | Description           |
-| ---             | ---                   |
-| bash            | CLI only              |
-| busybox         | CLI only              |
-| curl            | CLI only              |
-| docker-compose  | CLI only              |
-| kubectl         | CLI only              |
-| kubernetes-helm | CLI only              |
-| nix             | nix with deps         |
-| nix-unstable    | nixUnstable with deps |
-
 ## Channels
 
 Each image is built with the following nixpkgs channels and map to the
@@ -55,54 +39,48 @@ nixpkgs channel describes.
 
 | Channel        | Image Tag   | Description                                       |
 | ---            | ---         | ---                                               |
-| nixos-unstable | latest      | latest and greated, major versions might change   |
-| nixos-18.09    | nixos-18.09 | only minor versions that include security updates |
+| nixos-22.11    | nixos-22.11 | only minor versions that include security updates |
+| nixos-23.05    | nixos-23.05 | only minor versions that include security updates |
+| nixos-unstable | latest      | latest and greatest, major versions might change  |
 
-## Docker Hub
+## List of images
 
-All images are automatically built and pushed to Docker Hub.
+Here is the current list of images that are provided. Missing one? Send an
+[image request](#image-request).
 
-### Image matrix
+All images are automatically built and published to Docker Hub, and served
+on our custom domain, courtesy of [Scarf](https://scarf.sh).
 
-`> ./dockerhub-image-matrix`
+`> ./readme-image-matrix`
 <!-- BEGIN mdsh -->
-| Image / Tag | latest | nixos-18.09 | nixos-19.03 |
-| ---         | ---    | ---         | ---         |
-| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-19.03.svg) |
-| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-19.03.svg) |
-| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-19.03.svg) |
-| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-19.03.svg) |
-| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-19.03.svg) |
-| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-19.03.svg) |
-| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-19.03.svg) |
-| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-18.09.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-19.03.svg) |
+| Image / Tag | Pull |
+| ---         | ---  |
+| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash)| `docker pull docker.nix-community.org/nixpkgs/bash` |
+| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox)| `docker pull docker.nix-community.org/nixpkgs/busybox` |
+| [nixpkgs/cachix](https://hub.docker.com/r/nixpkgs/cachix)| `docker pull docker.nix-community.org/nixpkgs/cachix` |
+| [nixpkgs/cachix-flakes](https://hub.docker.com/r/nixpkgs/cachix-flakes)| `docker pull docker.nix-community.org/nixpkgs/cachix-flakes` |
+| [nixpkgs/caddy](https://hub.docker.com/r/nixpkgs/caddy)| `docker pull docker.nix-community.org/nixpkgs/caddy` |
+| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl)| `docker pull docker.nix-community.org/nixpkgs/curl` |
+| [nixpkgs/devcontainer](https://hub.docker.com/r/nixpkgs/devcontainer)| `docker pull docker.nix-community.org/nixpkgs/devcontainer` |
+| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose)| `docker pull docker.nix-community.org/nixpkgs/docker-compose` |
+| [nixpkgs/hugo](https://hub.docker.com/r/nixpkgs/hugo)| `docker pull docker.nix-community.org/nixpkgs/hugo` |
+| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl)| `docker pull docker.nix-community.org/nixpkgs/kubectl` |
+| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm)| `docker pull docker.nix-community.org/nixpkgs/kubernetes-helm` |
+| [nixpkgs/nginx](https://hub.docker.com/r/nixpkgs/nginx)| `docker pull docker.nix-community.org/nixpkgs/nginx` |
+| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix)| `docker pull docker.nix-community.org/nixpkgs/nix` |
+| [nixpkgs/nix-flakes](https://hub.docker.com/r/nixpkgs/nix-flakes)| `docker pull docker.nix-community.org/nixpkgs/nix-flakes` |
+| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable` |
+| [nixpkgs/nix-unstable-static](https://hub.docker.com/r/nixpkgs/nix-unstable-static)| `docker pull docker.nix-community.org/nixpkgs/nix-unstable-static` |
 <!-- END mdsh -->
-| Image / Tag | latest | nixos-18.09 |
-| ---         | ---    | ---         |
-| [nixpkgs/bash](https://hub.docker.com/r/nixpkgs/bash) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/bash:nixos-18.09.svg) |
-| [nixpkgs/busybox](https://hub.docker.com/r/nixpkgs/busybox) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/busybox:nixos-18.09.svg) |
-| [nixpkgs/curl](https://hub.docker.com/r/nixpkgs/curl) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/curl:nixos-18.09.svg) |
-| [nixpkgs/docker-compose](https://hub.docker.com/r/nixpkgs/docker-compose) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/docker-compose:nixos-18.09.svg) |
-| [nixpkgs/kubectl](https://hub.docker.com/r/nixpkgs/kubectl) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubectl:nixos-18.09.svg) |
-| [nixpkgs/kubernetes-helm](https://hub.docker.com/r/nixpkgs/kubernetes-helm) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/kubernetes-helm:nixos-18.09.svg) |
-| [nixpkgs/nix](https://hub.docker.com/r/nixpkgs/nix) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix:nixos-18.09.svg) |
-| [nixpkgs/nix-unstable](https://hub.docker.com/r/nixpkgs/nix-unstable) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable.svg) | ![](https://images.microbadger.com/badges/image/nixpkgs/nix-unstable:nixos-18.09.svg) |
-
 ## Adding new images
 
 To add a new image to the project, create a new folder under
 `./images/<image-name>` with a default.nix that returns the docker image.
 
-Then run `nix-build release.nix -A <image-name>` to test that it builds, and
+Then run `nix-build -A <image-name>` to test that it builds, and
 then use
 `docker load -i /nix/store/...<image-name>.tar.gz` to load and test the image.
 
-## Related projects
-
-The [docker-library](https://github.com/docker-library/official-images#readme)
-is an image set maintained by the Docker Inc. team and contain
-officially-supported images.
-
 ## User Feedback
 
 ### Issues
@@ -118,11 +96,20 @@ with an accompanying use-case for an image that you would like to see.
 ### Contributing
 
 You are invited to contribute new features, fixes or updates, large or small;
-we are always thrilled to receive pull requests, and do our brest ot process
+we are always thrilled to receive pull requests, and do our best to process
 them as fast as we can.
 
+## Related projects
+
+* The [docker-library](https://github.com/docker-library/official-images#readme)
+  is an image set maintained by the Docker Inc. team and contain
+  officially-supported images.
+
+* [Nixery](https://nixery.dev/) is a pretty cool service that builds docker
+  images from nixpkgs attributes on the fly.
+
 ## License
 
-Copyright (c) 2019 zimbatm and contributors.
+Copyright (c) 2021 @zimbatm and contributors.
 
 Licensed under the MIT.

build

@@ -1,8 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# build *all* the docker images
-exec nix-build release.nix \
-  --no-out-link \
-  --option sandbox true \
-  "$@"

ci.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+#
+# CI specific build script.
+#
+set -euo pipefail
+
+channel=${NIXPKGS_CHANNEL:-nixos-unstable}
+registry=${CI_REGISTRY:-docker.io}
+registry_auth=${CI_REGISTRY_AUTH:-}
+image_prefix=${CI_PROJECT_PATH:-nixpkgs}
+
+if [[ $channel == nixos-unstable ]]; then
+  image_tag=latest
+else
+  image_tag=$channel
+fi
+
+export NIX_PATH=channel:$channel
+
+banner() {
+  echo "========================================================"
+  echo "  $*"
+  echo "========================================================"
+}
+
+cd "$(dirname "$0")"
+
+banner "Building images"
+# Build all the docker images
+nix-build \
+  --no-out-link \
+  --option sandbox true \
+
+if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
+  banner "Skipping push on non-master branch"
+  exit
+fi
+
+if [[ -n "${registry_auth}" ]]; then
+  banner "docker login"
+  ./docker-login "$registry_auth" "$registry"
+fi
+
+banner "docker push"
+./push-all "$registry" "$image_prefix" "$image_tag"
+
+if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
+  banner "docker metadata update"
+  ./dockerhub-metadata "$registry_auth" "$image_prefix"
+fi

default.nix

@@ -1,9 +1,4 @@
-{ nixpkgs ? <nixpkgs> }:
-import nixpkgs {
-  # docker images run on Linux
-  system = "x86_64-linux";
-  config = {};
-  overlays = [
-    (import ./overlay.nix)
-  ];
-}
+let
+  pkgs = import ./pkgs.nix;
+in
+pkgs.docker-nixpkgs

docker-login

@@ -5,9 +5,8 @@
 # Usage: ./docker-login <username> <password> [registry]
 set -euo pipefail
 
-username=$1
-password=$2
-registry=${3:-docker.io}
+auth=$1
+registry=${2:-docker.io}
 
 # Encode some funky docker heuristic
 if [[ $registry = *docker.io ]]; then
@@ -15,13 +14,13 @@ if [[ $registry = *docker.io ]]; then
   registry=https://index.docker.io/v2/
 fi
 
-mkdir ~/.docker
+mkdir -p ~/.docker
 
 cat <<DOCKER_CONF > ~/.docker/config.json
 {
   "auths": {
     "$registry": {
-      "auth": "$(printf "%s:%s" "$username" "$password" | base64)"
+      "auth": "$(echo -n "$auth" | base64)"
     }
   }
 }

dockerhub-image-matrix

@@ -1,30 +0,0 @@
-#!/usr/bin/env bash
-#
-# Usage: ./dockerhub-image-matrix
-set -euo pipefail
-
-microbadge() {
-  local name=$1
-  local tag=${2:-latest}
-
-  if [[ $tag != latest ]]; then
-    name=$name:$tag
-  fi
-
-  # make sure that microbadger has loaded the image
-  curl -o /dev/null -sfL "https://microbadger.com/images/$name"
-
-  echo "![](https://images.microbadger.com/badges/image/$name.svg)"
-}
-
-## Main ##
-
-releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
-
-echo "| Image / Tag | latest | nixos-18.09 | nixos-19.03 |"
-echo "| ---         | ---    | ---         | ---         |"
-
-for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
-  name=nixpkgs/$attr
-  echo "| [$name](https://hub.docker.com/r/$name) | $(microbadge "$name") | $(microbadge "$name" "nixos-18.09") | $(microbadge "$name" "nixos-19.03") |"
-done

dockerhub-metadata

@@ -6,16 +6,14 @@
 # Usage: ./dockerhub-metadata <user> <password> [org]
 set -euo pipefail
 
-username=$1
-password=$2
-org=${3:-nixpkgs}
-user=$username:$password
+user=$1
+org=${2:-nixpkgs}
 
 nix_eval() {
   nix-instantiate --strict --eval --json "$@"
 }
 
-releases_json=$(nix_eval release.nix)
+releases_json=$(nix_eval)
 
 to_json() {
   local desc=$1 full_desc=$2
@@ -29,7 +27,7 @@ echo "=== Updating Docker Hub project descriptions"
 
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
   echo "--- $attr"
-  desc=$(nix_eval ./release.nix -A "$attr.meta.description" | jq -r .)
+  desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
 
   if [[ -f "$attr/README.md" ]]; then
     full_desc=$(< "$attr/README.md")

images/cachix-flakes/default.nix

@@ -0,0 +1,10 @@
+{ docker-nixpkgs
+, cachix
+}:
+(docker-nixpkgs.nix-flakes.override {
+  extraContents = [ cachix ];
+}).overrideAttrs (prev: {
+  meta = (prev.meta or { }) // {
+    description = "Nix and Cachix image";
+  };
+})

images/cachix/default.nix

@@ -0,0 +1,10 @@
+{ docker-nixpkgs
+, cachix
+}:
+(docker-nixpkgs.nix.override {
+  extraContents = [ cachix ];
+}).overrideAttrs (prev: {
+  meta = (prev.meta or { }) // {
+    description = "Nix and Cachix image";
+  };
+})

images/caddy/default.nix

@@ -0,0 +1,6 @@
+{ buildCLIImage
+, caddy
+}:
+buildCLIImage {
+  drv = caddy;
+}

images/devcontainer/README.md

@@ -0,0 +1,6 @@
+# Nix VSCode DevContainer
+
+WIP
+
+Related to https://github.com/zimbatm/vscode-devcontainer-nix
+

images/devcontainer/default.nix

@@ -0,0 +1,139 @@
+# A fat and modifiable Nix image
+{ dockerTools
+, bashInteractive
+, cacert
+, closureInfo
+, coreutils
+, curl
+, direnv
+, gcc-unwrapped
+, gitReallyMinimal
+, glibc
+, gnugrep
+, gnused
+, gnutar
+, gzip
+, iana-etc
+, iproute
+, less
+, lib
+, nix
+, openssh
+, procps
+, shadow
+, xz
+, mkUserEnvironment
+}:
+let
+  channel = builtins.getEnv ("NIXPKGS_CHANNEL");
+
+  # generate a user profile for the image
+  profile = mkUserEnvironment {
+    derivations = [
+      # core utils
+      coreutils
+      procps
+      gnugrep
+      gnused
+      less
+
+      # add /bin/sh
+      bashInteractive
+      nix
+
+      # runtime dependencies of nix
+      cacert
+      gitReallyMinimal
+      gnutar
+      gzip
+      xz
+
+      # for haskell binaries
+      iana-etc
+
+      # for user management
+      shadow
+
+      # for the vscode extension
+
+      # HACK: don't include the "libgcc" output. It has overlapping files with
+      #       the "lib" output, and that breaks the build.
+      (gcc-unwrapped // {
+        outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
+      })
+      iproute
+    ];
+  };
+
+  image = dockerTools.buildImage {
+    name = "devcontainer";
+
+    contents = [ ];
+
+    extraCommands = ''
+      # create the Nix DB
+      export NIX_REMOTE=local?root=$PWD
+      export USER=nobody
+      ${nix}/bin/nix-store --load-db < ${closureInfo { rootPaths = [ profile ]; }}/registration
+
+      # set the user profile
+      ${profile}/bin/nix-env --profile nix/var/nix/profiles/default --set ${profile}
+
+      # minimal
+      mkdir -p bin usr/bin
+      ln -s /nix/var/nix/profiles/default/bin/sh bin/sh
+      ln -s /nix/var/nix/profiles/default/bin/env usr/bin/env
+
+      # might as well...
+      ln -s /nix/var/nix/profiles/default/bin/bash bin/bash
+
+      # setup shadow, bashrc
+      mkdir home
+      cp -r ${./root/etc} etc
+      chmod +w etc etc/group etc/passwd etc/shadow
+
+      # setup iana-etc for haskell binaries
+      ln -s /nix/var/nix/profiles/default/etc/protocols etc/protocols
+      ln -s /nix/var/nix/profiles/default/etc/services etc/services
+
+      # make sure /tmp exists
+      mkdir -m 0777 tmp
+
+      # allow ubuntu ELF binaries to run. VSCode copies it's own.
+      mkdir -p lib64
+      ln -s ${glibc}/lib64/ld-linux-x86-64.so.2 lib64/ld-linux-x86-64.so.2
+
+      # VSCode assumes that /sbin/ip exists
+      mkdir sbin
+      ln -s /nix/var/nix/profiles/default/bin/ip sbin/ip
+    '';
+
+    config = {
+      Cmd = [ "/nix/var/nix/profiles/default/bin/bash" ];
+      Env = [
+        "ENV=/nix/var/nix/profiles/default/etc/profile.d/nix.sh"
+        "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+        "LD_LIBRARY_PATH=/nix/var/nix/profiles/default/lib"
+        "PAGER=less"
+        "PATH=/nix/var/nix/profiles/default/bin"
+        "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+        (
+          if channel != "" then
+            "NIX_PATH=nixpkgs=channel:${channel}"
+          else
+            "NIX_PATH=nixpkgs=${../nix/fake_nixpkgs}"
+        )
+      ];
+      Labels = {
+        # https://github.com/microscaling/microscaling/blob/55a2d7b91ce7513e07f8b1fd91bbed8df59aed5a/Dockerfile#L22-L33
+        "org.label-schema.vcs-ref" = "master";
+        "org.label-schema.vcs-url" = "https://github.com/nix-community/docker-nixpkgs";
+      };
+    };
+  };
+in
+image // {
+  meta = image.meta // {
+    description = "Nix devcontainer for VSCode";
+  };
+}

images/devcontainer/root/etc/bashrc

@@ -0,0 +1,6 @@
+# interactive session
+if [[ $- == *i* ]]; then
+
+PS1='\[\033[0;32;40m\][nix]$\[\033[0m\] '
+
+fi

images/devcontainer/root/etc/group

@@ -0,0 +1,6 @@
+root:x:0:
+wheel:x:1:
+tty:x:3:
+users:x:100:
+nixbld:x:30000:nixbld1,nixbld2,nixbld3,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld30
+nogroup:x:65534:

images/devcontainer/root/etc/nsswitch.conf

@@ -0,0 +1,11 @@
+passwd:    files mymachines systemd
+group:     files mymachines systemd
+shadow:    files
+
+hosts:     files mymachines dns myhostname
+networks:  files
+
+ethers:    files
+services:  files
+protocols: files
+rpc:       files

images/devcontainer/root/etc/pam.d/other

@@ -0,0 +1,4 @@
+account sufficient pam_unix.so
+auth sufficient pam_rootok.so
+password requisite pam_unix.so nullok sha512
+session required pam_unix.so

images/devcontainer/root/etc/passwd

@@ -0,0 +1,32 @@
+root:x:0:0:root:/root:/nix/var/nix/profiles/default/bin/bash
+nixbld1:x:30001:30000:Nix build user 1:/var/empty:/sbin/nologin
+nixbld2:x:30002:30000:Nix build user 2:/var/empty:/sbin/nologin
+nixbld3:x:30003:30000:Nix build user 3:/var/empty:/sbin/nologin
+nixbld4:x:30004:30000:Nix build user 4:/var/empty:/sbin/nologin
+nixbld5:x:30005:30000:Nix build user 5:/var/empty:/sbin/nologin
+nixbld6:x:30006:30000:Nix build user 6:/var/empty:/sbin/nologin
+nixbld7:x:30007:30000:Nix build user 7:/var/empty:/sbin/nologin
+nixbld8:x:30008:30000:Nix build user 8:/var/empty:/sbin/nologin
+nixbld9:x:30009:30000:Nix build user 9:/var/empty:/sbin/nologin
+nixbld10:x:30010:30000:Nix build user 10:/var/empty:/sbin/nologin
+nixbld11:x:30011:30000:Nix build user 11:/var/empty:/sbin/nologin
+nixbld12:x:30012:30000:Nix build user 12:/var/empty:/sbin/nologin
+nixbld13:x:30013:30000:Nix build user 13:/var/empty:/sbin/nologin
+nixbld14:x:30014:30000:Nix build user 14:/var/empty:/sbin/nologin
+nixbld15:x:30015:30000:Nix build user 15:/var/empty:/sbin/nologin
+nixbld16:x:30016:30000:Nix build user 16:/var/empty:/sbin/nologin
+nixbld17:x:30017:30000:Nix build user 17:/var/empty:/sbin/nologin
+nixbld18:x:30018:30000:Nix build user 18:/var/empty:/sbin/nologin
+nixbld19:x:30019:30000:Nix build user 19:/var/empty:/sbin/nologin
+nixbld20:x:30020:30000:Nix build user 20:/var/empty:/sbin/nologin
+nixbld21:x:30021:30000:Nix build user 21:/var/empty:/sbin/nologin
+nixbld22:x:30022:30000:Nix build user 22:/var/empty:/sbin/nologin
+nixbld23:x:30023:30000:Nix build user 23:/var/empty:/sbin/nologin
+nixbld24:x:30024:30000:Nix build user 24:/var/empty:/sbin/nologin
+nixbld25:x:30025:30000:Nix build user 25:/var/empty:/sbin/nologin
+nixbld26:x:30026:30000:Nix build user 26:/var/empty:/sbin/nologin
+nixbld27:x:30027:30000:Nix build user 27:/var/empty:/sbin/nologin
+nixbld28:x:30028:30000:Nix build user 28:/var/empty:/sbin/nologin
+nixbld29:x:30029:30000:Nix build user 29:/var/empty:/sbin/nologin
+nixbld30:x:30030:30000:Nix build user 30:/var/empty:/sbin/nologin
+nobody:x:65534:65534:nobody:/:/sbin/nologin

images/devcontainer/root/etc/shadow

@@ -0,0 +1,32 @@
+root:!::0:::::
+nixbld1:!:18237:0:99999:7:::
+nixbld2:!:18237:0:99999:7:::
+nixbld3:!:18237:0:99999:7:::
+nixbld4:!:18237:0:99999:7:::
+nixbld5:!:18237:0:99999:7:::
+nixbld6:!:18237:0:99999:7:::
+nixbld7:!:18237:0:99999:7:::
+nixbld8:!:18237:0:99999:7:::
+nixbld9:!:18237:0:99999:7:::
+nixbld10:!:18237:0:99999:7:::
+nixbld11:!:18237:0:99999:7:::
+nixbld12:!:18237:0:99999:7:::
+nixbld13:!:18237:0:99999:7:::
+nixbld14:!:18237:0:99999:7:::
+nixbld15:!:18237:0:99999:7:::
+nixbld16:!:18237:0:99999:7:::
+nixbld17:!:18237:0:99999:7:::
+nixbld18:!:18237:0:99999:7:::
+nixbld19:!:18237:0:99999:7:::
+nixbld20:!:18237:0:99999:7:::
+nixbld21:!:18237:0:99999:7:::
+nixbld22:!:18237:0:99999:7:::
+nixbld23:!:18237:0:99999:7:::
+nixbld24:!:18237:0:99999:7:::
+nixbld25:!:18237:0:99999:7:::
+nixbld26:!:18237:0:99999:7:::
+nixbld27:!:18237:0:99999:7:::
+nixbld28:!:18237:0:99999:7:::
+nixbld29:!:18237:0:99999:7:::
+nixbld30:!:18237:0:99999:7:::
+nobody:!::0:::::

images/docker-compose/default.nix

@@ -7,5 +7,5 @@ buildCLIImage {
     if docker-compose == null
     then python3Packages.docker_compose
     else docker-compose # nixos 19.03+
-    ;
+  ;
 }

images/hugo/default.nix

@@ -0,0 +1,8 @@
+{ buildCLIImage
+, hugo
+, gitReallyMinimal
+}:
+buildCLIImage {
+  drv = hugo;
+  extraContents = [ gitReallyMinimal ];
+}

images/nginx/default.nix

@@ -0,0 +1,6 @@
+{ buildCLIImage
+, nginx
+}:
+buildCLIImage {
+  drv = nginx;
+}

images/nix-flakes-runner/default.nix

@@ -0,0 +1,10 @@
+{ docker-nixpkgs
+, nodejs
+, extraContents ? [ ]
+}:
+docker-nixpkgs.nix-flakes.override {
+  extraContents = [
+    # nodejs for runner
+    nodejs
+  ] ++ extraContents;
+}

images/nix-flakes/default.nix

@@ -0,0 +1,18 @@
+{ docker-nixpkgs
+, nixFlakes
+, writeTextFile
+, extraContents ? [ ]
+}:
+docker-nixpkgs.nix.override {
+  nix = nixFlakes;
+  extraContents = [
+    (writeTextFile {
+      name = "nix.conf";
+      destination = "/etc/nix/nix.conf";
+      text = ''
+        accept-flake-config = true
+        experimental-features = nix-command flakes
+      '';
+    })
+  ] ++ extraContents;
+}

images/nix-unstable-static/README.md

@@ -0,0 +1,16 @@
+# nix-unstable-static
+
+This is a special variant of the nix image that contains no `/nix/store`.
+Instead, nix and all the supporting binaries are statically built and copied
+into /bin.
+
+The main use-case is to be able to run nix in the container, but share the
+`/nix/store` with the host.
+
+## Using the container with the host store
+
+This folder ships with a complementary script that you can use to run the
+image as the current user and the host /nix/store.
+
+Usage: `docker-nix-user.sh [<command> ...<args>]`
+

images/nix-unstable-static/default.nix

@@ -0,0 +1,131 @@
+{ dockerTools
+, lib
+, fetchurl
+, findutils
+, pkgsStatic
+, python3
+, removeReferencesTo
+, runCommand
+}:
+let
+  inherit (pkgsStatic)
+    bashInteractive
+    busybox
+    cacert
+    openssl
+    ;
+
+  bash = bashInteractive;
+
+  # Get nix from Hydra because the nixpkgs one is not fully static
+  nixStaticBin = fetchurl {
+    url = "https://hydra.nixos.org/build/181573550/download/1/nix";
+    hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
+  };
+
+  nixSymlinks = [
+    "nix-build"
+    "nix-channel"
+    "nix-collect-garbage"
+    "nix-copy-closure"
+    "nix-daemon"
+    "nix-env"
+    "nix-hash"
+    "nix-instantiate"
+    "nix-prefetch-url"
+    "nix-shell"
+    "nix-store"
+  ];
+
+  dirs = [
+    "bin"
+    "etc/ssl/certs"
+    "root"
+    "tmp"
+    "usr"
+  ];
+
+  extraCommands = ''
+    rm_ref() {
+      ${removeReferencesTo}/bin/remove-references-to "$@"
+    }
+
+    # Create a FHS-like file structure
+    cp -r ${../nix/root}/* .
+    chmod +w etc
+    mkdir -p ${toString dirs}
+
+    # For /usr/bin/env
+    ln -s ../bin usr/bin
+
+    # Make sure /tmp has the right permissions
+    chmod 1777 tmp
+
+    # Add user home folder
+    mkdir home
+
+    # Add SSL CA certs
+    cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
+
+    # Install base binaries
+    cp -a ${busybox}/bin/* bin/
+    rm_ref -t ${busybox} bin/busybox
+
+    # Install shell
+    cp -a ${bash}/bin/bash bin/
+    rm_ref -t ${bash} bin/bash
+
+    # Install nix
+    cp -a ${nixStaticBin} bin/nix
+    chmod +x bin/nix
+    for sym in ${toString nixSymlinks}; do
+      ln -sv /bin/nix bin/$sym
+    done
+    mkdir -p libexec/nix
+    ln -s /bin/nix libexec/nix/build-remote
+
+    # Enable flakes
+    mkdir -p etc/nix
+    cat <<NIX_CONFIG > etc/nix/nix.conf
+    accept-flake-config = true
+    experimental-features = nix-command flakes
+    NIX_CONFIG
+
+    # Add run-as-user script
+    cp -a ${./run_as_user.sh} run_as_user.sh
+  '';
+
+  # To debug
+  unpacked = runCommand
+    "unpacked"
+    { buildInputs = [ python3 ]; }
+    ''
+      mkdir layer
+      pushd layer
+      ${extraCommands}
+      popd
+      mv layer $out
+    '';
+
+  image = dockerTools.buildImage {
+    name = "nix-static";
+
+    inherit extraCommands;
+
+    config = {
+      Cmd = [ "/bin/bash" ];
+      Env = [
+        "NIX_BUILD_SHELL=/bin/bash"
+        "PAGER=cat"
+        "PATH=/bin"
+        "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+      ];
+    };
+  };
+in
+image // {
+  passthru = image.passthru // { inherit unpacked; };
+  meta = image.meta // {
+    description = "Nix but statically built";
+  };
+}

images/nix-unstable-static/docker-nix-user.sh

@@ -0,0 +1,28 @@
+#!/usr/bin/env bash
+#
+# Run nixpkgs/nix-unstable-static as the current user and the host /nix/store.
+#
+# Usage: docker-nix-user.sh [<command> ...<args>]
+#
+set -euo pipefail
+
+image=nixpkgs/nix-unstable-static
+
+options=(
+  -ti
+  # Remove the container on exit
+  --rm
+  -e NIX_PATH="nixpkgs=channel:nixos-22.05"
+  # Used by /run_as_user.sh
+  -e user_id="$(id -u)"
+  -e user_name="$(id -nu)"
+  -e group_id="$(id -g)"
+  -e group_name="$(id -ng)"
+  # Use the host store
+  -v /nix:/nix
+  # Mount the code into the container
+  -v "$PWD:/workspace"
+  -w /workspace
+  --entrypoint /run_as_user.sh
+)
+exec docker run "${options[@]}" "$image" "$@"

images/nix-unstable-static/run_as_user.sh

@@ -0,0 +1,29 @@
+#!/bin/sh -eu
+#
+# This script can be used as an entrypoint. It's used to synchronize and run
+# the container with the same user and group as the host user.
+#
+# Usage:
+#   user_id=$(id -u) user_name=$(id -un) \
+#   group_id=$(id -g) group_name=$(id -gn) \
+#   ./run_as_user.sh [<command> ...<args>]
+#
+# shellcheck disable=SC2154
+
+# Install the host user and group into the container
+delgroup "${group_name}" 2>/dev/null || true
+deluser "${user_name}" 2>/dev/null || true
+
+addgroup -g "${group_id}" "${group_name}"
+adduser -D -G "${group_name}" -u "${user_id}" "${user_name}"
+
+# Don't propagate those env vars
+user=${user_name}
+unset user_id user_name group_id group_name
+
+# Change into the user
+if [ $# = 0 ]; then
+  exec su "${user}"
+else
+  exec su "${user}" -c /bin/sh /bin/sh -c "exec \"\$@\"" "$@"
+fi

images/nix/default.nix

@@ -1,14 +1,16 @@
 { dockerTools
-, bash
+, bashInteractive
 , cacert
 , coreutils
 , curl
-, gitMinimal
+, gitReallyMinimal
 , gnutar
 , gzip
 , iana-etc
 , nix
+, openssh
 , xz
+, extraContents ? [ ]
 }:
 let
   image = dockerTools.buildImageWithNixDb {
@@ -18,19 +20,20 @@ let
       ./root
       coreutils
       # add /bin/sh
-      bash
+      bashInteractive
       nix
 
       # runtime dependencies of nix
       cacert
-      gitMinimal
+      gitReallyMinimal
       gnutar
       gzip
+      openssh
       xz
 
       # for haskell binaries
       iana-etc
-    ];
+    ] ++ extraContents;
 
     extraCommands = ''
       # for /usr/bin/env
@@ -38,19 +41,25 @@ let
       ln -s ../bin usr/bin
 
       # make sure /tmp exists
-      mkdir -m 0777 tmp
+      mkdir -m 1777 tmp
+
+      # need a HOME
+      mkdir -vp root
     '';
 
     config = {
       Cmd = [ "/bin/bash" ];
       Env = [
         "ENV=/etc/profile.d/nix.sh"
-        "NIX_PATH=nixpkgs=channel:nixpkgs-unstable"
+        "BASH_ENV=/etc/profile.d/nix.sh"
+        "NIX_BUILD_SHELL=/bin/bash"
+        "NIX_PATH=nixpkgs=${./fake_nixpkgs}"
         "PAGER=cat"
         "PATH=/usr/bin:/bin"
         "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
+        "USER=root"
       ];
     };
   };
 in
-  image // { meta = nix.meta // image.meta; }
+image // { meta = nix.meta // image.meta; }

images/nix/fake_nixpkgs/default.nix

@@ -0,0 +1,10 @@
+_:
+throw ''
+  This container doesn't include nixpkgs.
+
+  The best way to work around that is to pin your dependencies. See
+    https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
+
+  Or if you must, override the NIX_PATH environment variable with eg:
+    "NIX_PATH=nixpkgs=channel:nixos-unstable"
+''

lib/buildCLIImage.nix

@@ -3,8 +3,9 @@
 , cacert
 }:
 { drv # derivation to build the image for
-# Name of the binary to run by default
+  # Name of the binary to run by default
 , binName ? (builtins.parseDrvName drv.name).name
+, extraContents ? [ ]
 , meta ? drv.meta
 }:
 let
@@ -17,7 +18,7 @@ let
       # most program need TLS certs
       cacert
       drv
-    ];
+    ] ++ extraContents;
 
     config = {
       Cmd = [ "/bin/${binName}" ];
@@ -33,4 +34,4 @@ let
     };
   };
 in
-  image // { meta = meta // image.meta; }
+image // { meta = meta // image.meta; }

lib/importDir.nix

@@ -4,9 +4,11 @@ importFn: baseDir:
 let
   dirEntries =
     builtins.attrNames
-      (lib.filterAttrs
-        (k: v: v == "directory")
-        (builtins.readDir baseDir));
+      (
+        lib.filterAttrs
+          (k: v: v == "directory")
+          (builtins.readDir baseDir)
+      );
 
   absDirs =
     builtins.map
@@ -18,4 +20,4 @@ let
       (dir: { name = builtins.baseNameOf dir; value = importFn dir; })
       absDirs;
 in
-  builtins.listToAttrs imports
+builtins.listToAttrs imports

lib/mkUserEnvironment.nix

@@ -0,0 +1,111 @@
+{ writeText, lib }:
+# Build a user environment purely with nix.
+#
+# The original implementation is a mix of C++ and nix code.
+#
+# See https://github.com/nixos/nix/blob/f4b94958543138671bc3641fc126589a5cffb24b/src/nix-env/user-env.cc
+#
+# TODO:
+# * also add the drvPath if the keepDerivations nix settings is set
+# * support "disabled" mode that breaks nix-env?
+# * remove the use of writeText. builtins.toFile forbits the use of references
+#   to derivations, which makes it impossible to create exactly the same
+#   manifest file as `nix-env`.
+#
+# Arguments:
+# * derivations: a list of derivations
+{
+  # A list of derivations to install
+  derivations
+}:
+# Supporting code
+with builtins;
+let
+  # Copied from https://github.com/nixos/nix/blob/e02481ded216ffb5b06b413e3695d4e11e62e02f/corepkgs/buildenv.nix
+  #
+  # This was available at <nix/buildenv.nix>, until it got removed in Nix.
+  buildenv = { derivations, manifest }:
+    derivation {
+      name = "user-environment";
+      system = "builtin";
+      builder = "builtin:buildenv";
+
+      inherit manifest;
+
+      # !!! grmbl, need structured data for passing this in a clean way.
+      derivations =
+        map
+          (d:
+            [
+              (d.meta.active or "true")
+              (d.meta.priority or 5)
+              (builtins.length d.outputs)
+            ] ++ map (output: builtins.getAttr output d) d.outputs)
+          derivations;
+
+      # Building user environments remotely just causes huge amounts of
+      # network traffic, so don't do that.
+      preferLocalBuild = true;
+
+      # Also don't bother substituting.
+      allowSubstitutes = false;
+    };
+
+  # back-compat
+  isPath = builtins.isPath or (x: builtins.typeOf x == "path");
+
+  # Escape Nix strings
+  stringEscape = str:
+    "\"" + (
+      replaceStrings
+        [ "\\" "\"" "\n" "\r" "\t" ]
+        [ "\\\\" "\\" "\\n" "\\r" "\\t" ]
+        str
+    )
+    + "\"";
+
+  # Like builtins.JSON but to output Nix code
+  toNix = value:
+    if isString value then stringEscape value
+    else if isInt value then toString value
+    else if isPath value then toString value
+    else if true == value then "true"
+    else if false == value then "false"
+    else if null == value then "null"
+    else if isAttrs value then
+      "{ " + concatStringsSep " " (lib.mapAttrsToList (k: v: "${k} = ${toNix v};") value) + " }"
+    else if isList value then
+      "[ ${ concatStringsSep " " (map toNix value) } ]"
+    else throw "type ${typeOf value} not supported";
+
+  # Generate a nix-env compatible manifest.nix file
+  genManifest = drv:
+    let
+      outputs =
+        drv.meta.outputsToInstall or
+          # install the first output
+          [ (head drv.outputs) ];
+
+      base = {
+        inherit (drv) meta name outPath system type;
+        out = { inherit (drv) outPath; };
+        inherit outputs;
+      };
+
+      toOut = name: {
+        outPath = drv.${name}.outPath;
+      };
+
+      outs = lib.genAttrs outputs toOut;
+    in
+    base // outs;
+
+  writeManifest = derivations:
+    writeText "env-manifest.nix" (
+      toNix (map genManifest derivations)
+    );
+in
+buildenv {
+  inherit derivations;
+  manifest = writeManifest derivations;
+}

overlay.nix

@@ -1,11 +1,32 @@
-_: pkgs: let
+_: pkgs:
+let
   importDir = import ./lib/importDir.nix {
-    inherit (pkgs) lib; 
+    inherit (pkgs) lib;
   };
-in {
+in
+{
   # builder stuff can be in the top-level
-  buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix {};
+  buildCLIImage = pkgs.callPackage ./lib/buildCLIImage.nix { };
 
   # docker images must be lower-cased
-  docker-nixpkgs = importDir (path: pkgs.callPackage path {}) ./images;
+  docker-nixpkgs = importDir (path: pkgs.callPackage path { }) ./images;
+
+  # used to build nix-env compatible user environments
+  mkUserEnvironment = pkgs.callPackage ./lib/mkUserEnvironment.nix { };
+
+  # gitMinimal still ships with perl and python
+  gitReallyMinimal = (
+    pkgs.git.override {
+      perlSupport = false;
+      pythonSupport = false;
+      withManual = false;
+      withpcre2 = false;
+    }
+  ).overrideAttrs (
+    _: {
+      # installCheck is broken when perl is disabled
+      doInstallCheck = false;
+    }
+  );
+
 }

pkgs.nix

@@ -0,0 +1,8 @@
+import <nixpkgs> {
+  # docker images run on Linux
+  system = "x86_64-linux";
+  config = { };
+  overlays = [
+    (import ./overlay.nix)
+  ];
+}

push-all

@@ -7,14 +7,16 @@ registry=${1:-docker.io}
 image_prefix=${2:-nixpkgs}
 image_tag=${3:-latest}
 
-releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
+releases_json=$(nix-instantiate --strict --eval --json)
 
 echo "=== Pushing images to $registry"
 
 for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
   file=$(echo "$releases_json" | jq -r ".\"$attr\"")
-  echo "--- $attr -> $file"
-  skopeo copy "docker-archive://$file" "docker://$registry/$image_prefix/$attr:$image_tag"
+  src=docker-archive://$file
+  dst=docker://$registry/$image_prefix/$attr:$image_tag
+  echo "--- attr=$attr src=$src dst=$dst"
+  skopeo copy --insecure-policy "$src" "$dst"
 done
 
 echo OK

readme-image-matrix

@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+#
+# Usage: ./dockerhub-image-matrix
+set -euo pipefail
+
+## Main ##
+
+releases_json=$(nix-instantiate --strict --eval --json)
+
+echo "| Image / Tag | Pull |"
+echo "| ---         | ---  |"
+
+for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
+  name=nixpkgs/$attr
+  echo -n "| [$name](https://hub.docker.com/r/$name)"
+  echo -n "| \`docker pull docker.nix-community.org/$name\` "
+  echo "|"
+done

release.nix

@@ -1,4 +0,0 @@
-let
-  pkgs = import ./. {};
-in
-  pkgs.docker-nixpkgs

shell.nix

@@ -1,7 +1,11 @@
-{ nixpkgs ? <nixpkgs> }@args:
-with import ./. args;
+let
+  nixpkgs = builtins.fetchTarball "channel:nixos-22.05";
+  pkgs = import nixpkgs { config = { }; overlays = [ ]; };
+in
+with pkgs;
 mkShell {
   buildInputs = [
+    dive
     jq
     skopeo
   ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
@@ -9,5 +13,7 @@ mkShell {
   shellHook = ''
     # try to work aroud build issues
     unset TMPDIR
+
+    export NIX_PATH=nixpkgs=${toString nixpkgs}
   '';
 }