├── .gitignore ├── ssh ├── machines ├── remote-build-env ├── insecure_rsa.pub ├── Dockerfile └── insecure_rsa ├── latest └── Dockerfile ├── srcs ├── 2019-03-01.nix ├── 2019-05-04.nix ├── 2020-03-07.nix ├── 2020-06-07.nix ├── 2020-09-11.nix ├── 2017-01-21.nix ├── 2017-06-09.nix ├── 2017-06-17.nix ├── 2017-06-20.nix ├── 2017-10-07.nix ├── 2018-01-13.nix ├── 2018-04-17.nix ├── 2018-07-17.nix ├── 2018-09-21.nix ├── 2018-03-13.nix └── docker-tools.patch ├── Dockerfile ├── LICENSE ├── start-docker-nix-build-slave ├── README.md └── default.nix /.gitignore: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /ssh/machines: -------------------------------------------------------------------------------- 1 | nix-docker x86_64-linux /etc/nix/docker_rsa 4 2 | -------------------------------------------------------------------------------- /ssh/remote-build-env: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | mkdir -p /tmp/nix/current-load 4 | chmod a+rwX /tmp/nix/current-load 5 | 6 | export NIX_BUILD_HOOK="${HOME}/.nix-profile/libexec/nix/build-remote.pl" 7 | export NIX_REMOTE_SYSTEMS="/etc/nix/remote-systems.conf" 8 | export NIX_CURRENT_LOAD="/tmp/nix/current-load" 9 | -------------------------------------------------------------------------------- /latest/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lnl7/nix:2020-09-11 2 | 3 | RUN nix-env -f '' -iA \ 4 | curl \ 5 | findutils \ 6 | git \ 7 | glibc \ 8 | gnugrep \ 9 | gnused \ 10 | gnutar \ 11 | gzip \ 12 | jq \ 13 | procps \ 14 | vim \ 15 | which \ 16 | xz \ 17 | && nix-store --gc 18 | -------------------------------------------------------------------------------- /ssh/insecure_rsa.pub: -------------------------------------------------------------------------------- 1 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDFiwKsqtlnuDyF+c9AJO+krQQmvWRtdvEM3d2FMwYOU0sVU1gGHXHpdb/QtvZyZV+bvSro+UfedJW+FaLMd+twun4llp/mlOEzKX6mz1xY6OtGIVc1a5wb2MY2Eb6aptlJUNzW469HqdvJKGlEOEcOt1b74WBERry5vNzGlS8MWX1qdjKlsnuQg6Xeb0XLLM7gi6S8x+H4ZuFtkjdaTC6Je+Gi61O1n845L767tOTHJZUDhCLPbwdg1zpwD+lMI10QgkPkgc9uatXkjvCcX8O51WxB2UTp4w4NwP/Lp5BZV/SgcbMUjhKNVtRDqH1CdRgQMg5Bo5WIyYatx/nAdb4P insecure docker key 2 | -------------------------------------------------------------------------------- /srcs/2019-03-01.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-19.09pre170896.6e5caa3f8ac"; 5 | version = "2019-03-01"; 6 | 7 | src = fetchurl { 8 | url = "https://releases.nixos.org/nixpkgs/${name}/nixexprs.tar.xz"; 9 | sha256 = "0r0v329x13rc996ysjq9xg5qb17vn301vpv8ikmhgcf9471i30lq"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2019-05-04.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-19.09pre178484.8bc70c937b3"; 5 | version = "2019-05-04"; 6 | 7 | src = fetchurl { 8 | url = "https://releases.nixos.org/nixpkgs/${name}/nixexprs.tar.xz"; 9 | sha256 = "0r0v329x13rc996ysjq9xg5qb17vn301vpv8ikmhgcf9471i30lq"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2020-03-07.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-20.09pre216190.6b6f9d769a5"; 5 | version = "2020-03-07"; 6 | 7 | src = fetchurl { 8 | url = "https://releases.nixos.org/nixpkgs/${name}/nixexprs.tar.xz"; 9 | sha256 = "06gcnkww9g8b63r1jmzyziw7axbl3lqnrl3ddfbl3bz7sfq9r4s4"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2020-06-07.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-20.09pre228453.dcb64ea42e6"; 5 | version = "2020-06-07"; 6 | 7 | src = fetchurl { 8 | url = "https://releases.nixos.org/nixpkgs/${name}/nixexprs.tar.xz"; 9 | sha256 = "0ily7j9cb24fa6m779vwdn1l5w0v2fy031dhmjg0hh494y4y8zl5"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2020-09-11.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-21.03pre243353.6d4b93323e7"; 5 | version = "2020-09-11"; 6 | 7 | src = fetchurl { 8 | url = "https://releases.nixos.org/nixpkgs/${name}/nixexprs.tar.xz"; 9 | sha256 = "1ri1mqvihviz80765p3p59i2irhnbn7vbvah0aacpkks60m9m0id"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2017-01-21.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2017-01-21"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/dc6413399c0f18d5ae6cfa514ea2582f4d9388de.tar.gz; 9 | sha256 = "0wll89yaq2w25d0pmillyx48z573qr4d0izx5ik4gam2rbbm5671"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2017-06-09.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2017-06-09"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/57091a19e2aa1a0e11fd91d95cefa7d42fbf95e0.tar.gz; 9 | sha256 = "0ir9fvmjbvjr9gnyn6j7kbsp88icwnpfri8zxvjlcgaj9y4vddqj"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2017-06-17.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2017-06-17"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/fd92d817a33c24041feba3df3c11dbc987b4f331.tar.gz; 9 | sha256 = "04gb7lzcjjznd4rsgwwmldlll7b0k98jjzgcz6g7hrhrha6ycbh8"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2017-06-20.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2017-06-20"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/03d1e8a14ec29388f6a50c2900c7d4f48c491214.tar.gz; 9 | sha256 = "1xiybn07xi6shb3am9scasll106l3z3p83vy6rk3yq5vniblxjgg"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2017-10-07.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2017-10-07"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/66f8512e4f280108222d9a0bf64951a392fd16bd.tar.gz; 9 | sha256 = "0c4rsg1w99riqxlm14qlqf91wq7dr7rxg3vndjdbfazb9hn9ssx6"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2018-01-13.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2018-01-13"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/9420e076f4184fe08fafcc716db26f1d51ac73db.tar.gz; 9 | sha256 = "0vlq242jmjwvcz94dky5lyjg8yzj6fs8bdr955qk1kw3ghrg24jj"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2018-04-17.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2018-04-17"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/d91caac6c3e58b8a5f4721c0a6cc8f0dc3b93fd3.tar.gz; 9 | sha256 = "1i684pkn3bgf734p53yxvllv0gl092z757qlh6hfw4zajawyh6ns"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2018-07-17.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2018-07-17"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/d7d31fea7e7eef8ff4495e75be5dcbb37fb215d0.tar.gz; 9 | sha256 = "013na1m4g8c3rcfw0dwmv2zmia6byg5c2xdx3z5dk90i27s449kx"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2018-09-21.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2018-09-21"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/7df10f388dabe9af3320fe91dd715fc84f4c7e8a.tar.gz; 9 | sha256 = "0qycshcvfhrkv4yals02q3i1s4c0mvwl59bxmqblys0lrndpprxs"; 10 | }; 11 | 12 | dontBuild = true; 13 | preferLocalBuild = true; 14 | 15 | installPhase = '' 16 | cp -a . $out 17 | ''; 18 | } 19 | -------------------------------------------------------------------------------- /srcs/2018-03-13.nix: -------------------------------------------------------------------------------- 1 | { stdenv, fetchurl }: 2 | 3 | stdenv.mkDerivation rec { 4 | name = "nixpkgs-unstable-${version}"; 5 | version = "2018-03-13"; 6 | 7 | src = fetchurl { 8 | url = https://github.com/NixOS/nixpkgs/archive/a682ba23d49cd13c92922af3d5dc44efd60ae9e7.tar.gz; 9 | sha256 = "010a165ni23g09xwdm003qv7nn2lmnhg2d4avhwjh1b3lrn0wxl0"; 10 | }; 11 | 12 | patches = [ ./docker-tools.patch ]; 13 | 14 | dontBuild = true; 15 | preferLocalBuild = true; 16 | 17 | installPhase = '' 18 | cp -a . $out 19 | ''; 20 | } 21 | -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM nix-base:2020-09-11 2 | RUN nix-store --init && nix-store --load-db < .reginfo 3 | 4 | RUN mkdir -m 1777 -p /tmp \ 5 | && mkdir -p /nix/var/nix/gcroots /nix/var/nix/profiles/per-user/root /root/.nix-defexpr /var/empty \ 6 | && ln -s /nix/store/7w80v91gd7lv23diick7waws1n3szgr3-system-path /nix/var/nix/gcroots/booted-system \ 7 | && ln -s /nix/var/nix/profiles/per-user/root/profile /root/.nix-profile \ 8 | && ln -s /nix/store/id92xjzzpkv5flzm4451ll6c1iwa87cm-nixpkgs-21.03pre243353.6d4b93323e7 /root/.nix-defexpr/nixos \ 9 | && ln -s /nix/store/id92xjzzpkv5flzm4451ll6c1iwa87cm-nixpkgs-21.03pre243353.6d4b93323e7 /root/.nix-defexpr/nixpkgs 10 | -------------------------------------------------------------------------------- /ssh/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM lnl7/nix:2020-09-11 2 | 3 | RUN nix-env -f '' -iA \ 4 | gnused \ 5 | openssh \ 6 | && nix-store --gc 7 | 8 | RUN mkdir -p /etc/ssh \ 9 | && echo "sshd:x:498:65534::/var/empty:/run/current-system/sw/bin/nologin" >> /etc/passwd \ 10 | && cp /root/.nix-profile/etc/ssh/sshd_config /etc/ssh \ 11 | && sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config \ 12 | && echo "PermitRootLogin yes" >> /etc/ssh/sshd_config \ 13 | && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N "" -t rsa \ 14 | && ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N "" -t dsa \ 15 | && echo "export NIX_PATH=$NIX_PATH" >> /etc/bashrc \ 16 | && echo "export NIX_SSL_CERT_FILE=$NIX_SSL_CERT_FILE" >> /etc/bashrc \ 17 | && echo "export PATH=$PATH" >> /etc/bashrc \ 18 | && echo "source /etc/bashrc" >> /etc/profile 19 | 20 | ADD insecure_rsa /root/.ssh/id_rsa 21 | ADD insecure_rsa.pub /root/.ssh/authorized_keys 22 | 23 | EXPOSE 22 24 | CMD ["/nix/store/f772niv2vajba3fr7xhh3infynyxr7c7-openssh-8.3p1/bin/sshd", "-D", "-e"] 25 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | The MIT License (MIT) 2 | 3 | Copyright (c) 2016 Daiderd Jordan 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | -------------------------------------------------------------------------------- /srcs/docker-tools.patch: -------------------------------------------------------------------------------- 1 | commit 9751771c73209b58c89829bf3889473a801a013f 2 | Author: Jean-Philippe Braun 3 | Date: Thu Apr 12 13:03:56 2018 +0200 4 | 5 | dockerTools.buildImage: add /nix/store with correct permissions 6 | 7 | Fixes #38835. 8 | 9 | diff --git a/pkgs/build-support/docker/default.nix b/pkgs/build-support/docker/default.nix 10 | index b8eda3d0967..75e279afdc3 100644 11 | --- a/pkgs/build-support/docker/default.nix 12 | +++ b/pkgs/build-support/docker/default.nix 13 | @@ -497,6 +497,16 @@ rec { 14 | # Record the contents of the tarball with ls_tar. 15 | ls_tar temp/layer.tar >> baseFiles 16 | 17 | + # Append nix/store directory to the layer so that when the layer is loaded in the 18 | + # image /nix/store has read permissions for non-root users. 19 | + # nix/store is added only if the layer has /nix/store paths in it. 20 | + if [ $(wc -l < $layerClosure) -gt 1 ] && [ $(grep -c -e "^/nix/store$" baseFiles) -eq 0 ]; then 21 | + mkdir -p nix/store 22 | + chmod -R 555 nix 23 | + echo "./nix" >> layerFiles 24 | + echo "./nix/store" >> layerFiles 25 | + fi 26 | + 27 | # Get the files in the new layer which were *not* present in 28 | # the old layer, and record them as newFiles. 29 | comm <(sort -n baseFiles|uniq) \ 30 | -------------------------------------------------------------------------------- /ssh/insecure_rsa: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIEowIBAAKCAQEAxYsCrKrZZ7g8hfnPQCTvpK0EJr1kbXbxDN3dhTMGDlNLFVNY 3 | Bh1x6XW/0Lb2cmVfm70q6PlH3nSVvhWizHfrcLp+JZaf5pThMyl+ps9cWOjrRiFX 4 | NWucG9jGNhG+mqbZSVDc1uOvR6nbyShpRDhHDrdW++FgREa8ubzcxpUvDFl9anYy 5 | pbJ7kIOl3m9FyyzO4IukvMfh+GbhbZI3WkwuiXvhoutTtZ/OOS++u7TkxyWVA4Qi 6 | z28HYNc6cA/pTCNdEIJD5IHPbmrV5I7wnF/DudVsQdlE6eMODcD/y6eQWVf0oHGz 7 | FI4SjVbUQ6h9QnUYEDIOQaOViMmGrcf5wHW+DwIDAQABAoIBAQCzwxo98oNAZWF+ 8 | MaOtpW8GFgPvFO3sxw34PXW2HoZmRtnOoDc76VOdtW9GCRkfZKyqVmxT8XS7NLCH 9 | d7zcAEyaGrtsjTMZa2W7XwlH1u8cYWioOvLXRAOdO5iz31Xp+edFVnaAflUlC6db 10 | 2JBiaiwPcjuPnroxp4VaKEln1J4pxzQVN3w9Me+CMGejuIrUzsoAfs62UZ6oHCBN 11 | NhEgeduKUYri3yVf2qNcJkOjsRi+YuLzU86jqXswHoal1jH5Dl/O+eYB8VYAgsXi 12 | XgCz9YDnoiakOq4aR1Tebl2tusMD3GXAgOTO8OIZDAFVyzEriOhOoubq3K9qADTx 13 | jfJl1SzxAoGBAOxeMFzIlpgZaIj8OK/Tyuj6UQimd72V5WpbP5g31M07VvgeJesY 14 | du18fOKnSrze6huZUmi7bGwY6i5HmCtu0GQVth+yy694vQdWNXni184hjzK0oeU+ 15 | em7WV5yEcnefgCOfvvdWmtp/J8VITMEvqSuuIfIH2LQ5jEaQHjrcviJTAoGBANXz 16 | TO3WzFGLE0Z8lOiD4TQWUcI1ecRpq8MlsqLiTjBGWlLdcC7ZTpq0bsw0vjyd4Mra 17 | Ohj2mwgq+mcU5gtSo2/yVXBsF9dN7BK3k2RCHp/rPrzGEegienCTD6w3jgkL/PLi 18 | ZgLRqbEC+KCNXQbhkbDspcJzuga83UpXf00NODXVAoGAPyx9aI8EEOrZkaM302ab 19 | 2ODuP42ee0FQ67gvqxNhAOlXOUF1iPwk7RxUlI953jkGARJdgDh3pfySuoPQG+um 20 | LtnOr3IuFlwCya8047rJSwKVL0wv6QFl37HSALc1kNtEeED93UV8ZeGOU6AbQ5bl 21 | dBM6Z2HJfYHUCBgEvF67QpkCgYBVauaayjgWkjTm3lRBJG3j8sk/hUQRM7McnU9d 22 | koZu5ZeoH7prKd0lDMZzhtcwskOOGWQ6lTI+J5KDVyek+6A+0Hxl/vHhxr1ql5oj 23 | 2/YIGM6aZWW+zQ0fJseKFUACwqOBgPwDQhvCjRIgX2/1kFcvULu5D6UEjaC3zokH 24 | hTCc5QKBgEfwW+fUNv/+p4lJcmf8+gBx+0eda7zUnUS0N5DyLKSLoOBoWkiHoDcN 25 | 91KDFGxAbIWNnQ7k8gOhnVMtHELpu3U3kBQG+Q/EWTNXsEq/8C5uMnzIzar6NrDn 26 | UE5XM5vZex7NQTH+cus4zckdNwHUv0rGx0diYWFRfEe/uR7fm8rs 27 | -----END RSA PRIVATE KEY----- 28 | -------------------------------------------------------------------------------- /start-docker-nix-build-slave: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | # Requires: curl, docker, grep 4 | 5 | working_dir_name=".nix-docker-build-slave" 6 | working_dir="$HOME/$working_dir_name" 7 | mkdir -p "$working_dir" 8 | 9 | ssh_id_file="$working_dir/insecure_rsa" 10 | remote_sys_conf="$working_dir/remote-systems.conf" 11 | 12 | ssh_config="$HOME/.ssh/config" 13 | 14 | docker_machine_name="nix-docker-build-slave" 15 | 16 | # -- Display info and troubleshooting tips -- 17 | echo "## Use Docker Container as Nix Build Slave" 18 | echo "##" 19 | echo "## Usage: source $0" 20 | echo "##" 21 | echo "## Note: if you experience issues, you can clean up the build slave artifacts and start over by:" 22 | echo "## 1. rm -r ~/$working_dir_name" 23 | echo "## 2. Delete entry in ~/.ssh/config for" 24 | echo "## Host \"$docker_machine_name\"" 25 | echo "## 3. Delete the docker container named" 26 | echo "## $docker_machine_name" 27 | echo 28 | 29 | # -- Download SSH credentials for docker container -- 30 | echo ">>> Downloading SSH credentials for the docker container" 31 | rm -f "$ssh_id_file" "$ssh_id_file.pub" 32 | curl -fsSL https://raw.githubusercontent.com/LnL7/nix-docker/master/ssh/insecure_rsa -o "$ssh_id_file" 33 | curl -fsSL https://raw.githubusercontent.com/LnL7/nix-docker/master/ssh/insecure_rsa.pub -o "$ssh_id_file.pub" 34 | chmod 600 "$ssh_id_file" 35 | 36 | # -- Set up SSH configuration -- 37 | [ -f "$ssh_config" ] || touch "$ssh_config" 38 | if ! grep "$docker_machine_name" "$HOME/.ssh/config" > /dev/null; then 39 | echo ">>> Adding an entry to $ssh_config for $docker_machine_name" 40 | cat >> "$ssh_config" <>> SSH configuration already contains an entry for $docker_machine_name in $ssh_config" 50 | fi 51 | 52 | # -- Start docker container -- 53 | echo ">>> Starting docker container: $docker_machine_name" 54 | echo " (This may fail if the container was already created.)" 55 | docker run --restart always --name "$docker_machine_name" -d -p 3022:22 lnl7/nix:ssh 56 | 57 | # -- Write remote systems configuration -- 58 | echo ">>> Writing remote systems configuration to $remote_sys_conf" 59 | rm -f "$remote_sys_conf" 60 | cat > "$remote_sys_conf" <>> Running SSH test" 66 | ssh "$docker_machine_name" echo "SSH connection is working." || echo "SSH connection failed." 67 | 68 | # -- Export environment -- 69 | echo ">>> Setting \$NIX_REMOTE_SYSTEMS to use $remote_sys_conf" 70 | export NIX_REMOTE_SYSTEMS="$remote_sys_conf" 71 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # [nix-docker](https://github.com/lnl7/nix-docker) 2 | 3 | Docker images for the Nix package manager 4 | 5 | This repository contains nix expressions to build a minimal docker image for the [nix](https://nixos.org/nix) package manager. 6 | The current [official docker image for nix](https://hub.docker.com/r/nixos/nix/) is based on alpine, this image that is build from scratch and looks a lot more like [nixos](https://nixos.org/nixos). 7 | 8 | - nix, bash and coreutils are installed in a system profile that is linked to `/run/current-system/sw`, 9 | the only global paths are `/bin/sh` and `/usr/bin/env` 10 | 11 | - it's easy to build a new custom baseimage using a specific version of nixpkgs, 12 | this makes it a lot easier to create an image with a custom version of nix or nixpkgs. 13 | 14 | - the lnl7/nix:ssh image can be used to setup an image that can be used as a remote builder, 15 | this allows you to build expressions for `x86_64-linux` on other platforms (ex. building a new baseimage on a darwin machine) 16 | 17 | 18 | ## Base Images 19 | 20 | All the images are based on the latest baseimage, previous versions are available in my repository [https://hub.docker.com/r/lnl7/nix/tags](https://hub.docker.com/r/lnl7/nix/tags). 21 | 22 | - `lnl7/nix:2020-09-11` (2.3.7) 23 | - `lnl7/nix:2020-06-07` (2.3.6) 24 | - `lnl7/nix:2020-03-07` (2.3.3) 25 | - `lnl7/nix:2019-03-01` (2.2) 26 | - `lnl7/nix:2018-09-21` (2.1.2) 27 | - `lnl7/nix:2018-07-17` (2.0.4) 28 | - `lnl7/nix:2018-04-17` (2.0) 29 | - `lnl7/nix:2018-03-13-patch1` 30 | - `lnl7/nix:2018-01-13` (1.11.16) 31 | - `lnl7/nix:2017-10-07` (1.11.15) 32 | - `lnl7/nix:2017-06-17` (1.11.10) 33 | - `lnl7/nix:2017-06-09` (1.11.9) 34 | - `lnl7/nix:2017-01-21` (1.11.6) 35 | - `lnl7/nix:124f25b` (1.11.4) 36 | - `lnl7/nix:ea9d390` (1.11.2) 37 | - `lnl7/nix:272cf5c` 38 | 39 | 40 | ## Default Image 41 | 42 | 43 | The default image is intended for interactive use and includes some common and useful packages: 44 | ```sh 45 | docker run --rm -it lnl7/nix nix repl '' 46 | nix-repl> 47 | ``` 48 | 49 | ## Building an Image 50 | 51 | ```Dockerfile 52 | FROM lnl7/nix:2.3.7 53 | 54 | RUN nix-env -iA \ 55 | nixpkgs.curl \ 56 | nixpkgs.jq 57 | ``` 58 | 59 | ## Building a new Base Image 60 | 61 | ```sh 62 | nix-shell -A env --run './result/bin/run-docker-build' 63 | ``` 64 | 65 | The `src` can also can be overridden to use a custom [nixpkgs](https://github.com/NixOS/nixpkgs) for the image. 66 | 67 | ```sh 68 | nix-shell -A env --argstr src ./srcs/2018-03-13.nix 69 | ``` 70 | 71 | ## Running as a [remote builder](https://nixos.wiki/wiki/Distributed_build) 72 | 73 | ```sh 74 | docker run --restart always --name nix-docker -d -p 3022:22 lnl7/nix:ssh 75 | ``` 76 | 77 | If you have not setup a remote builder before you can follow these steps. 78 | 79 | #### Configure SSH 80 | An insecure rsa key is provided in the repo, the following assumes you are using 81 | it. Optional instructions for generating a fresh key are provided at the end. 82 | 83 | ##### Single User Mode 84 | 85 | Copy the rsa key to your ssh folder 86 | ```sh 87 | chmod 600 ssh/insecure_rsa 88 | cp ssh/insecure_rsa ~/.ssh/docker_rsa 89 | ``` 90 | 91 | Add an entry for the container in your ~/.ssh/config 92 | ```sh 93 | Host nix-docker 94 | User root 95 | HostName 127.0.0.1 96 | Port 3022 97 | IdentityFile ~/.ssh/docker_rsa 98 | ``` 99 | 100 | ##### Multi User Mode (Nix Daemon) 101 | 102 | Copy the insecure rsa key to /etc/nix 103 | ```sh 104 | sudo mkdir -p /etc/nix 105 | chmod 600 ssh/insecure_rsa 106 | sudo cp ssh/insecure_rsa /etc/nix/docker_rsa 107 | ``` 108 | 109 | Add an ssh entry to /var/root/.ssh/config if you are using nix daemon 110 | ```sh 111 | Host nix-docker 112 | User root 113 | HostName 127.0.0.1 114 | Port 3022 115 | IdentityFile /etc/nix/docker_rsa 116 | ``` 117 | 118 | #### Optional: setup your own ssh key, instead of using the insecure key. 119 | ```sh 120 | ssh-keygen -t rsa -b 2048 -N "" -f docker_rsa 121 | docker cp docker_rsa.pub nix-docker:/root/.ssh/authorized_keys 122 | ``` 123 | Then copy the key to either `/etc/nix` or `~/.ssh` depending on if you are running nix in single or multi user mode. 124 | 125 | #### Create a signing keypair 126 | ```sh 127 | openssl genrsa -out /etc/nix/signing-key.sec 2048 128 | openssl rsa -in /etc/nix/signing-key.sec -pubout > /etc/nix/signing-key.pub 129 | chmod 600 /etc/nix/signing-key.sec 130 | ssh nix-docker mkdir -p /etc/nix 131 | docker cp /etc/nix/signing-key.sec nix-docker:/etc/nix/signing-key.sec 132 | ``` 133 | 134 | ### Setup the container as a remote builder 135 | ```sh 136 | sudo cp ssh/remote-build-env /etc/nix/ 137 | sudo cp ssh/machines /etc/nix/ 138 | ``` 139 | 140 | ### Build a linux derivation 141 | ```sh 142 | nix-build -E 'with import { system = "x86_64-linux"; }; hello.overrideAttrs (drv: { REBUILD = builtins.currentTime; })' 143 | ``` 144 | -------------------------------------------------------------------------------- /default.nix: -------------------------------------------------------------------------------- 1 | { src ? ./srcs/2020-09-11.nix, nixpkgs ? , system ? builtins.currentSystem }: 2 | 3 | let 4 | inherit (pkgs) dockerTools stdenv buildEnv writeText; 5 | inherit (pkgs) bashInteractive coreutils cacert nix openssh; 6 | 7 | inherit (native.lib) concatStringsSep genList; 8 | 9 | pkgs = import unstable { system = "x86_64-linux"; }; 10 | 11 | native = import nixpkgs { inherit system; }; 12 | unstable = native.callPackage src { stdenv = native.stdenvNoCC; }; 13 | 14 | shadow = pkgs.shadow.override { pam = null; }; 15 | 16 | path = buildEnv { 17 | name = "system-path"; 18 | paths = [ bashInteractive coreutils nix shadow ]; 19 | }; 20 | 21 | nixconf = '' 22 | build-users-group = nixbld 23 | sandbox = false 24 | ''; 25 | 26 | passwd = '' 27 | root:x:0:0::/root:/run/current-system/sw/bin/bash 28 | ${concatStringsSep "\n" (genList (i: "nixbld${toString (i+1)}:x:${toString (i+30001)}:30000::/var/empty:/run/current-system/sw/bin/nologin") 32)} 29 | ''; 30 | 31 | group = '' 32 | root:x:0: 33 | nogroup:x:65534: 34 | nixbld:x:30000:${concatStringsSep "," (genList (i: "nixbld${toString (i+1)}") 32)} 35 | ''; 36 | 37 | nsswitch = '' 38 | hosts: files dns myhostname mymachines 39 | ''; 40 | 41 | contents = stdenv.mkDerivation { 42 | name = "user-environment"; 43 | phases = [ "installPhase" "fixupPhase" ]; 44 | 45 | exportReferencesGraph = 46 | map (drv: [("closure-" + baseNameOf drv) drv]) [ path cacert unstable ]; 47 | 48 | installPhase = '' 49 | mkdir -p $out/run/current-system $out/var 50 | ln -s /run $out/var/run 51 | ln -s ${path} $out/run/current-system/sw 52 | 53 | mkdir -p $out/bin $out/usr/bin $out/sbin 54 | ln -s ${stdenv.shell} $out/bin/sh 55 | ln -s ${coreutils}/bin/env $out/usr/bin/env 56 | 57 | mkdir -p $out/etc/nix 58 | echo '${nixconf}' > $out/etc/nix/nix.conf 59 | echo '${passwd}' > $out/etc/passwd 60 | echo '${group}' > $out/etc/group 61 | echo '${nsswitch}' > $out/etc/nsswitch.conf 62 | 63 | printRegistration=1 ${pkgs.perl}/bin/perl ${pkgs.pathsFromGraph} closure-* > $out/.reginfo 64 | ''; 65 | }; 66 | 67 | image = dockerTools.buildImage rec { 68 | name = "nix-base"; 69 | tag = "${unstable.version}"; 70 | inherit contents; 71 | 72 | config.Cmd = [ "${bashInteractive}/bin/bash" ]; 73 | config.Env = 74 | [ "PATH=/root/.nix-profile/bin:/run/current-system/sw/bin" 75 | "MANPATH=/root/.nix-profile/share/man:/run/current-system/sw/share/man" 76 | "NIX_PAGER=cat" 77 | "NIX_PATH=nixpkgs=${unstable}" 78 | "NIX_SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt" 79 | ]; 80 | }; 81 | 82 | baseDocker = writeText "Dockerfile" '' 83 | FROM nix-base:${unstable.version} 84 | RUN nix-store --init && nix-store --load-db < .reginfo 85 | 86 | RUN mkdir -m 1777 -p /tmp \ 87 | && mkdir -p /nix/var/nix/gcroots /nix/var/nix/profiles/per-user/root /root/.nix-defexpr /var/empty \ 88 | && ln -s ${path} /nix/var/nix/gcroots/booted-system \ 89 | && ln -s /nix/var/nix/profiles/per-user/root/profile /root/.nix-profile \ 90 | && ln -s ${unstable} /root/.nix-defexpr/nixos \ 91 | && ln -s ${unstable} /root/.nix-defexpr/nixpkgs 92 | ''; 93 | 94 | latestDocker = writeText "Dockerfile" '' 95 | FROM lnl7/nix:${unstable.version} 96 | 97 | RUN nix-env -f '' -iA \ 98 | curl \ 99 | findutils \ 100 | git \ 101 | glibc \ 102 | gnugrep \ 103 | gnused \ 104 | gnutar \ 105 | gzip \ 106 | jq \ 107 | procps \ 108 | vim \ 109 | which \ 110 | xz \ 111 | && nix-store --gc 112 | ''; 113 | 114 | sshDocker = writeText "Dockerfile" '' 115 | FROM lnl7/nix:${unstable.version} 116 | 117 | RUN nix-env -f '' -iA \ 118 | gnused \ 119 | openssh \ 120 | && nix-store --gc 121 | 122 | RUN mkdir -p /etc/ssh \ 123 | && echo "sshd:x:498:65534::/var/empty:/run/current-system/sw/bin/nologin" >> /etc/passwd \ 124 | && cp /root/.nix-profile/etc/ssh/sshd_config /etc/ssh \ 125 | && sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config \ 126 | && echo "PermitRootLogin yes" >> /etc/ssh/sshd_config \ 127 | && ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N "" -t rsa \ 128 | && ssh-keygen -f /etc/ssh/ssh_host_dsa_key -N "" -t dsa \ 129 | && echo "export NIX_PATH=$NIX_PATH" >> /etc/bashrc \ 130 | && echo "export NIX_SSL_CERT_FILE=$NIX_SSL_CERT_FILE" >> /etc/bashrc \ 131 | && echo "export PATH=$PATH" >> /etc/bashrc \ 132 | && echo "source /etc/bashrc" >> /etc/profile 133 | 134 | ADD insecure_rsa /root/.ssh/id_rsa 135 | ADD insecure_rsa.pub /root/.ssh/authorized_keys 136 | 137 | EXPOSE 22 138 | CMD ["${openssh}/bin/sshd", "-D", "-e"] 139 | ''; 140 | 141 | run = native.writeScriptBin "run-docker-build" '' 142 | #! ${native.stdenv.shell} 143 | set -e 144 | 145 | echo "building root image..." >&2 146 | imageOut=$(nix-build -A image --no-out-link) 147 | echo "importing root image..." >&2 148 | docker load < $imageOut 149 | echo "building ${unstable.version}..." >&2 150 | cp -f ${baseDocker} Dockerfile 151 | docker build -t lnl7/nix:${unstable.version} . 152 | docker rmi nix-base:${unstable.version} 153 | ''; 154 | 155 | env = native.stdenv.mkDerivation { 156 | name = "build-environment"; 157 | shellHooks = '' 158 | nix-build -A run 159 | 160 | cp -f ${baseDocker} Dockerfile 161 | cp -f ${latestDocker} latest/Dockerfile 162 | cp -f ${sshDocker} ssh/Dockerfile 163 | ''; 164 | }; 165 | 166 | in 167 | 168 | { 169 | inherit baseDocker latestDocker sshDocker; 170 | inherit env run image contents path unstable; 171 | } 172 | --------------------------------------------------------------------------------