7 Commits

Author SHA1 Message Date
Jörg Thalheim
f5c8f11da0 nix-unstable-static: bump nix 2023-07-20 12:59:44 +02:00
Jörg Thalheim
019b4effa9 nix-unstable-static: add a PATH entry that can be used to bind mount more binaries into the system 2023-07-20 12:59:36 +02:00
Jörg Thalheim
e380dbbda5 nix-unstable-static: add an unprivileged nix user that can be used without entrypoint 2023-07-20 12:59:36 +02:00
Jörg Thalheim
23c51fe60b nix-unstable-static: drop unused openssl 2023-07-20 12:21:18 +02:00
Jonas Chevalier
30ea4a75cd devcontainer: fix build on nixos-unstable (#64) 2023-07-18 17:31:21 +02:00
Franz Pletz
ae6d994038 bump to nixos-23.05 (#59)
fixes #57
2023-07-01 22:04:07 +02:00
dependabot[bot]
e9b6514e0e build(deps): bump cachix/install-nix-action from 20 to 22 (#58)
Bumps [cachix/install-nix-action](https://github.com/cachix/install-nix-action) from 20 to 22.
- [Release notes](https://github.com/cachix/install-nix-action/releases)
- [Commits](https://github.com/cachix/install-nix-action/compare/v20...v22)

---
updated-dependencies:
- dependency-name: cachix/install-nix-action
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2023-06-19 12:44:07 +02:00
8 changed files with 80 additions and 40 deletions


@@ -8,10 +8,6 @@ on:
schedule: schedule:
# Run once per day # Run once per day
- cron: '0 0 * * *' - cron: '0 0 * * *'
env:
CI_REGISTRY: ghcr.io
jobs: jobs:
build: build:
strategy: strategy:
@@ -20,25 +16,13 @@ jobs:
matrix: matrix:
channel: channel:
- nixos-unstable - nixos-unstable
- nixos-22.05
- nixos-22.11 - nixos-22.11
- nixos-23.05
runs-on: ubuntu-latest runs-on: ubuntu-latest
permissions:
contents: read
packages: write
steps: steps:
- uses: actions/checkout@v3 - uses: actions/checkout@v3
- name: Log in to the Container registry - uses: cachix/install-nix-action@v22
uses: docker/login-action@v2.1.0
with:
registry: ${{ env.CI_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: cachix/install-nix-action@v20
- run: nix-shell --run ./ci.sh - run: nix-shell --run ./ci.sh
env: env:
CI_REGISTRY_AUTH: '${{ secrets.REGISTRY_AUTH }}'
NIXPKGS_CHANNEL: '${{ matrix.channel }}' NIXPKGS_CHANNEL: '${{ matrix.channel }}'
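Review bot: The new side of the second hunk carries no `permissions:` block — the `contents: read` / `packages: write` lines at L55–57 appear only once and, judging from the old/new line counts in the hunk header, look like the removed side — so the job runs with the repository's default `GITHUB_TOKEN` scopes instead of a declared minimum. The new flow authenticates with `secrets.REGISTRY_AUTH` and no longer needs `packages: write`, so keeping a block with just `permissions: contents: read` costs nothing and bounds what the token can do if `ci.sh` or anything it runs misbehaves. Both actions are referenced by floating major tags (`actions/checkout@v3`, `cachix/install-nix-action@v22`); pinning each to a full commit SHA, e.g. `- uses: cachix/install-nix-action@<commit-sha> # v22`, keeps the daily scheduled run from silently picking up a moved tag. The `jobs.build` definition starts in the first hunk and continues past the second.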


@@ -3,12 +3,12 @@ stages:
build: build:
stage: build stage: build
image: nixpkgs/nix:nixos-22.05 image: nixpkgs/nix:nixos-22.11
script: nix-shell --run ./ci.sh script: nix-shell --run ./ci.sh
parallel: parallel:
matrix: matrix:
- NIXPKGS_CHANNEL: nixos-unstable - NIXPKGS_CHANNEL: nixos-unstable
IMAGE_TAG: latest IMAGE_TAG: latest
- NIXPKGS_CHANNEL: - NIXPKGS_CHANNEL:
- nixos-22.05
- nixos-22.11 - nixos-22.11
- nixos-23.05


@@ -1,9 +1,5 @@
# docker-nixpkgs: docker images from nixpkgs # docker-nixpkgs: docker images from nixpkgs
> Docker recently requested that we start paying $420.-/year in order to keep
> the organization. So we moved the images to GitHub. Sorry for the
> inconvenience.
This project is a collection of docker images automatically produced with Nix This project is a collection of docker images automatically produced with Nix
and the latest nixpkgs package set. All the images are refreshed daily with and the latest nixpkgs package set. All the images are refreshed daily with
the latest versions of nixpkgs. the latest versions of nixpkgs.
@@ -43,8 +39,8 @@ nixpkgs channel describes.
| Channel | Image Tag | Description | | Channel | Image Tag | Description |
| --- | --- | --- | | --- | --- | --- |
| nixos-22.05 | nixos-22.05 | only minor versions that include security updates |
| nixos-22.11 | nixos-22.11 | only minor versions that include security updates | | nixos-22.11 | nixos-22.11 | only minor versions that include security updates |
| nixos-23.05 | nixos-23.05 | only minor versions that include security updates |
| nixos-unstable | latest | latest and greatest, major versions might change | | nixos-unstable | latest | latest and greatest, major versions might change |
## List of images ## List of images

17
ci.sh

@@ -5,9 +5,9 @@
set -euo pipefail set -euo pipefail
channel=${NIXPKGS_CHANNEL:-nixos-unstable} channel=${NIXPKGS_CHANNEL:-nixos-unstable}
registry=${CI_REGISTRY:-ghcr.io} registry=${CI_REGISTRY:-docker.io}
registry_auth=${CI_REGISTRY_AUTH:-} registry_auth=${CI_REGISTRY_AUTH:-}
image_prefix=${CI_PROJECT_PATH:-nix-community/docker-nixpkgs} image_prefix=${CI_PROJECT_PATH:-nixpkgs}
if [[ $channel == nixos-unstable ]]; then if [[ $channel == nixos-unstable ]]; then
image_tag=latest image_tag=latest
@@ -31,10 +31,10 @@ nix-build \
--no-out-link \ --no-out-link \
--option sandbox true \ --option sandbox true \
# if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then if [[ $(git rev-parse --abbrev-ref HEAD) != master ]]; then
# banner "Skipping push on non-master branch" banner "Skipping push on non-master branch"
# exit exit
# fi fi
if [[ -n "${registry_auth}" ]]; then if [[ -n "${registry_auth}" ]]; then
banner "docker login" banner "docker login"
@@ -43,3 +43,8 @@ fi
banner "docker push" banner "docker push"
./push-all "$registry" "$image_prefix" "$image_tag" ./push-all "$registry" "$image_prefix" "$image_tag"
if [[ -n "${registry_auth}" && $registry = *docker.io ]]; then
banner "docker metadata update"
./dockerhub-metadata "$registry_auth" "$image_prefix"
fi
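Review bot: The new block at the end of the last hunk hands the registry credential over as a positional argument, `./dockerhub-metadata "$registry_auth" "$image_prefix"`, which places the secret on the process command line (visible in `ps` and in any `set -x` trace), and `dockerhub-metadata` then forwards it the same way through `curl --user`. The value already exists as `CI_REGISTRY_AUTH`, so passing it through the environment, `CI_REGISTRY_AUTH="$registry_auth" ./dockerhub-metadata "$image_prefix"`, with the script reading that variable instead of `$1`, keeps it out of argv on both sides. The guard `$registry = *docker.io` is a glob match inside `[[ ]]`, so it also accepts any host that merely ends in `docker.io`; `$registry == docker.io` (or `*.docker.io` if subdomains are intended) states the intent exactly. The `if [[ $channel == nixos-unstable ]]` opened in the first hunk closes outside it.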

45
dockerhub-metadata Executable file

@@ -0,0 +1,45 @@
#!/usr/bin/env bash
#
# Update docker hub image descriptions. The API is not documented and might
# break in the future.
#
# Usage: ./dockerhub-metadata <user> <password> [org]
set -euo pipefail
user=$1
org=${2:-nixpkgs}
nix_eval() {
nix-instantiate --strict --eval --json "$@"
}
releases_json=$(nix_eval)
to_json() {
local desc=$1 full_desc=$2
jq -n \
--arg desc "$desc" \
--arg full_desc "$full_desc" \
'.description=$desc | .full_description=$full_desc'
}
echo "=== Updating Docker Hub project descriptions"
for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
echo "--- $attr"
desc=$(nix_eval -A "$attr.meta.description" | jq -r .)
if [[ -f "$attr/README.md" ]]; then
full_desc=$(< "$attr/README.md")
else
full_desc=$(< "README.md")
fi
data=$(to_json "$desc" "$full_desc")
echo "data: $data"
url=https://cloud.docker.com/v2/repositories/$org/$attr/
curl -XPATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"
done
echo OK
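Review bot: The `curl -XPATCH ... "$url"` call near the end of the loop runs without `-f`/`--fail`, so an HTTP 401 or 404 from the API still exits 0, `set -e` never triggers, and the script prints `OK` as if every description had been updated; `curl -fsS -X PATCH -H "Content-Type: application/json" --user "$user" --data "$data" "$url"` makes a rejected update fail the run. The header comment `Usage: ./dockerhub-metadata <user> <password> [org]` does not match the code, where `user=$1` is the whole `--user` string and `org=${2:-nixpkgs}` is the second argument, so it should read `Usage: ./dockerhub-metadata <user:password> [org]`. The loop header `for attr in $(echo "$releases_json" | jq -r "keys[]")` relies on word splitting, so an attribute name containing whitespace or glob characters would be split or expanded; `while IFS= read -r attr; do ... done < <(jq -r 'keys[]' <<<"$releases_json")` iterates the keys verbatim.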


@@ -55,7 +55,12 @@ let
shadow shadow
# for the vscode extension # for the vscode extension
gcc-unwrapped
# HACK: don't include the "libgcc" output. It has overlapping files with
# the "lib" output, and that breaks the build.
(gcc-unwrapped // {
outputs = builtins.filter (x: x != "libgcc") gcc-unwrapped.outputs;
})
iproute iproute
]; ];
}; };


@@ -6,21 +6,20 @@
, python3 , python3
, removeReferencesTo , removeReferencesTo
, runCommand , runCommand
, buildPackages
}: }:
let let
inherit (pkgsStatic) inherit (pkgsStatic)
bashInteractive bashInteractive
busybox busybox
cacert cacert;
openssl
;
bash = bashInteractive; bash = bashInteractive;
# Get nix from Hydra because the nixpkgs one is not fully static # Get nix from Hydra because the nixpkgs one is not fully static
nixStaticBin = fetchurl { nixStaticBin = fetchurl {
url = "https://hydra.nixos.org/build/181573550/download/1/nix"; url = "https://hydra.nixos.org/build/228458395/download/1/nix";
hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok="; hash = "sha256-H361lUdMpBpBVwInBmpAXKAwjPIf740Jg9Nht0NV66s=";
}; };
nixSymlinks = [ nixSymlinks = [
@@ -64,6 +63,11 @@ let
# Add user home folder # Add user home folder
mkdir home mkdir home
# Create an unpriveleged user that we can use also without the run-as-user.sh script
chmod +w $PWD/etc/group $PWD/etc/passwd
${buildPackages.shadow}/bin/groupadd --prefix $PWD -g 9000 nixuser
${buildPackages.shadow}/bin/useradd --prefix $PWD -m -d /tmp -u 9000 -g 9000 -G nixuser nixuser
# Add SSL CA certs # Add SSL CA certs
cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
@@ -117,7 +121,8 @@ let
Env = [ Env = [
"NIX_BUILD_SHELL=/bin/bash" "NIX_BUILD_SHELL=/bin/bash"
"PAGER=cat" "PAGER=cat"
"PATH=/bin" # /host/bin can be used to extend the image with additional binaries
"PATH=/bin:/host/bin"
"SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt" "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
]; ];
}; };
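Review bot: The `useradd` line in the second hunk gives `nixuser` the home directory `/tmp` (`-m -d /tmp`), a shared, world-writable location once the container runs, so anything nix or bash stores under `$HOME` (per-user profile links, `.config/nix`, dotfiles) is writable by every other process in the container; with `-m` useradd will also create that directory in the image if it does not yet exist, which may leave `/tmp` owned by the user with a non-1777 mode unless something outside this hunk resets it — worth confirming in the built image. The hunk already runs `mkdir home`, so a dedicated home such as `-d /home/nixuser` keeps the user's files separate, and `-G nixuser` is redundant with `-g 9000`, which names the same group. The comment has a typo, `unpriveleged` → `unprivileged`. The shell snippet lives inside a Nix string that starts and ends outside this hunk.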


@@ -3,7 +3,7 @@
# Usage: ./push-all <registry> <image-prefix> <image-tag> # Usage: ./push-all <registry> <image-prefix> <image-tag>
set -euo pipefail set -euo pipefail
registry=${1:-ghcr.io} registry=${1:-docker.io}
image_prefix=${2:-nixpkgs} image_prefix=${2:-nixpkgs}
image_tag=${3:-latest} image_tag=${3:-latest}