new: packages: nix-minimal and nix-runner docker images

2024-05-03 23:11:30 +05:00 · 2024-05-03 23:11:30 +05:00 · 188d29adf4
commit 188d29adf4
parent 307fabb7ec
3 changed files with 176 additions and 2 deletions
--- a/packages/default.nix
+++ b/packages/default.nix
@ -10,8 +10,8 @@ in forAllSystems(system:
        pkgs = nixpkgsFor.${system}; 

        bonfire = self;
-        bonfire-lib = self.lib;
-        bonfire-pkgs = self.packages.${system};
+        bonlib = self.lib;
+        bonpkgs = self.packages.${system};

        crane = self.inputs.crane;
        crane-lib = self.inputs.crane.lib.${system};
@ -32,4 +32,8 @@ in forAllSystems(system:
    ultimmc = pkgs.libsForQt5.callPackage ./ultimmc { inherit bonfire; };

    cargo-shuttle = pkgs.callPackage ./cargo-shuttle { inherit bonfire crane-lib; };
+
+    nix-minimal = pkgs.callPackage ./nix-minimal { inherit bonpkgs bonlib; };
+
+    nix-runner = pkgs.callPackage ./nix-runner { inherit bonpkgs bonlib; };
 })
--- a/packages/nix-minimal/default.nix
+++ b/packages/nix-minimal/default.nix
@ -0,0 +1,136 @@
+{ 
+    pkgs, 
+    lib,
+    bonlib,
+    extraPaths ? [],
+    ...
+}:
+let 
+    nixPath = pkgs.writeText "nixpkgsError" ''_: throw '''
+        This container doesn't include nixpkgs. 
+        Hint: override the NIX_PATH environment variable with eg: 
+            "NIX_PATH=nixpkgs=channel:nixos-unstable"
+    ''' '';
+
+    builderIds = let forEach = n: if n == 1 then [n] else [n] ++ forEach (n - 1); in forEach 32;
+
+    withFakeNss = with pkgs; [
+        (writeTextDir "etc/passwd" (
+            builtins.concatStringsSep "\n" (
+                map (n: "nixbld${toString n}:x:${toString (30000 + n)}:30000:Nix build user ${toString n}:/var/empty:/bin/false") builderIds)
+        + "\n" + ''
+            root:x:0:0:System administrator:/root:${bashInteractive}/bin/bash
+            nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:${shadow}/bin/nologin
+        ''))
+
+        (writeTextDir "etc/group" ''
+            root:x:0:
+            wheel:x:1:
+            kmem:x:2:
+            tty:x:3:
+            messagebus:x:4:
+            disk:x:6:
+            audio:x:17:
+            floppy:x:18:
+            uucp:x:19:
+            lp:x:20:
+            cdrom:x:24:
+            tape:x:25:
+            video:x:26:
+            dialout:x:27:
+            utmp:x:29:
+            adm:x:55:
+            keys:x:96:
+            users:x:100:
+            input:x:174:
+            nixbld:x:30000:${builtins.concatStringsSep "," (map (n: "nixbld${toString n}") builderIds)}
+            nogroup:x:65534:
+        '')
+
+        (writeTextDir "etc/nsswitch.conf" ''
+            passwd:    files mymachines systemd
+            group:     files mymachines systemd
+            shadow:    files
+
+            hosts:     files mymachines dns myhostname
+            networks:  files
+
+            ethers:    files
+            services:  files
+            protocols: files
+            rpc:       files
+        '')
+    ];
+
+    withNixConf = with pkgs; [
+        (writeTextDir "etc/nix/nix.conf" ''
+            accept-flake-config = true
+            experimental-features = nix-command flakes
+            show-trace = true 
+            max-jobs = auto
+            trusted-users = root
+        '')
+    ];
+
+in pkgs.dockerTools.buildImageWithNixDb {
+    name = "nix-minimal";
+    tag = "latest";
+
+    copyToRoot = pkgs.buildEnv {
+        name = "image-root";
+        pathsToLink = [ "/bin" "/etc" ];
+        paths = with pkgs; [
+            dockerTools.usrBinEnv
+
+            coreutils
+            bashInteractive
+            nix 
+
+            cacert
+            gnutar
+            gzip
+            xz
+            openssh
+            ((git.override {
+                perlSupport = false;
+                pythonSupport = false;
+                withpcre2 = false;
+                withManual = false;
+            }).overrideAttrs (_: { doInstallCheck = false; }))
+
+            iana-etc
+        ] ++ withFakeNss ++ withNixConf ++ extraPaths;
+    };
+
+    runAsRoot = with pkgs; ''
+        #!${runtimeShell}
+        ${dockerTools.shadowSetup}
+    '';
+
+    config = {
+        Cmd = [ "/bin/bash" ];
+        Env = [
+            "USER=root"
+            "PATH=/bin:/usr/bin:/nix/var/nix/profiles/default/bin"
+            "PAGER=cat"
+            "ENV=/etc/profile.d/nix.sh"
+            "BASH_ENV=/etc/profile.d/nix.sh"
+            "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+            "NIX_BUILD_SHELL=/bin/bash"
+            "NIX_PATH=nixpkgs=${nixPath}"
+        ];
+    };
+} // {
+    meta = with lib; {
+        homepage = "https://vcs.elnafo.ru/L-Nafaryus/bonfire";
+        description = "Minimal image with a Nix package manager";
+        longDescription = ''
+            Minimal docker image with Nix package manager (https://nixos.org/).
+            Enabled features: nix-command, flakes.
+            Versions: latest
+        '';
+        platforms = platforms.linux;
+        license = licenses.lgpl21Plus;
+        maintainers = with bonlib.maintainers; [ L-Nafaryus ];
+    };
+}
--- a/packages/nix-runner/default.nix
+++ b/packages/nix-runner/default.nix
@ -0,0 +1,34 @@
+{
+    pkgs,
+    lib,
+    bonpkgs,
+    bonlib,
+    extraPaths ? [],
+    ...
+}:
+pkgs.dockerTools.buildImage {
+    name = "nix-runner";
+    tag = "latest";
+    fromImage = bonpkgs.nix-minimal;
+
+    copyToRoot = pkgs.buildEnv {
+        name = "image-root";
+        pathsToLink = [ "/bin" ];
+        paths = with pkgs; [
+            nodejs 
+            jq
+            cachix
+        ] ++ extraPaths;
+    };
+
+    config.Cmd = [ "/bin/bash" ];
+} // {
+    meta = bonpkgs.nix-minimal.meta //  {
+        description = "Image for action runners with a Nix package manager";
+        longDescription = ''
+            Docker image for action runners with Nix package manager (https://nixos.org/).
+            Enabled features: nix-command, flakes.
+            Versions: latest
+        '';
+    };
+}