Import from internal SCM.

siftech · Sep 26, 2023 · ea7972d · ea7972d
1 parent a6a00c1
commit ea7972d
Show file tree

Hide file tree

Showing 8 changed files with 285 additions and 0 deletions.
diff --git a/.github/workflows/build-and-publish-image.yml b/.github/workflows/build-and-publish-image.yml
@@ -0,0 +1,12 @@
+name: Build and Publish Image
+on:
+  push:
+    branches: ["trunk"]
+  pull_request:
+    branches: ["trunk"]
+jobs:
+  builds:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+    - run: ./bootstrap.sh
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1,4 @@
+base-image.tar.gz
+Dockerfile-stage2
+result
+result-*
diff --git a/README.md b/README.md
@@ -0,0 +1,9 @@
+# nix-base-image
+
+A base image used to bootstrap Nix-based projects.
+
+If you're developing or using one of SIFT's Nix-based projects, you probably don't need to check this repo out.
+
+Instead, the image can just be pulled with `docker pull ghcr.io/siftech/nix-base-image:latest`
+
+(The project will also probably pull the image by itself.)
diff --git a/bootstrap.nix b/bootstrap.nix
@@ -0,0 +1,14 @@
+let
+  lock = builtins.fromJSON (builtins.readFile ./flake.lock);
+  flake-compat = fetchTarball {
+    url =
+      "https://github.com/edolstra/flake-compat/archive/${lock.nodes.flake-compat.locked.rev}.tar.gz";
+    sha256 = lock.nodes.flake-compat.locked.narHash;
+  };
+  flake = (import flake-compat { src = ./.; }).defaultNix;
+in { date }:
+
+flake.outputs.legacyPackages.x86_64-linux.mkContainer {
+  inherit (flake.outputs.nixosConfigurations.default) config;
+  inherit date;
+}
diff --git a/bootstrap.sh b/bootstrap.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+set -eux
+
+
+
+# The tag of the nixos/nix image we use for building the base image.
+alpine_nix_tag=2.13.1
+
+# Today's date, used as a tag.
+date="$(date +"%Y-%m-%d")"
+
+# The name of the image to create.
+image="ghcr.io/siftech/nix-base-image:$date"
+
+
+
+build_script="
+nix-build /code/bootstrap.nix --argstr date $date -o /tmp/result
+cp -L /tmp/result/stage1.tar.gz /code/stage1.tar.gz
+cp -L /tmp/result/Dockerfile-stage2 /code/Dockerfile-stage2
+chmod 644 /code/stage1.tar.gz /code/Dockerfile-stage2
+"
+
+docker pull "nixos/nix:$alpine_nix_tag"
+docker run --rm -v "$(pwd):/code" "nixos/nix:$alpine_nix_tag" bash -c "$build_script"
+docker load <stage1.tar.gz
+rm stage1.tar.gz
+docker build -t "$image" -f Dockerfile-stage2 .
+rm Dockerfile-stage2
+
+docker push "$image"
+
+docker tag "$image" ghcr.io/siftech/nix-base-image:latest
+docker push ghcr.io/siftech/nix-base-image:latest
diff --git a/default.nix b/default.nix
@@ -0,0 +1,94 @@
+{ buildEnv, config, date, dockerTools, lib, linkFarm, stdenvNoCC, writeText,
+
+# Basic system packages
+bashInteractive, cacert, coreutils, git, nix, pathsFromGraph, perl, shadow
+, stdenv }:
+
+let
+  passwd = writeText "passwd" ''
+    root:x:0:0::/root:/run/current-system/sw/bin/bash
+    ${builtins.concatStringsSep "\n" (lib.genList (i:
+      "nixbld${toString (i + 1)}:x:${
+        toString (i + 30001)
+      }:30000::/var/empty:/run/current-system/sw/bin/nologin") 32)}
+  '';
+
+  group = writeText "group" ''
+    root:x:0:
+    nixbld:x:30000:${
+      builtins.concatStringsSep ","
+      (lib.genList (i: "nixbld${toString (i + 1)}") 32)
+    }
+    nogroup:x:65534:
+  '';
+
+  system = stdenvNoCC.mkDerivation {
+    name = "bootstrap-base-image-system";
+    phases = [ "installPhase" "fixupPhase" ];
+
+    exportReferencesGraph = map (drv: [ ("closure-" + baseNameOf drv) drv ]) [
+      cacert
+      config.system.build.etc
+      config.system.path
+    ];
+
+    installPhase = ''
+      mkdir -p $out/bin $out/usr/bin
+      ln -s ${stdenv.shell} $out/bin/sh
+      ln -s ${coreutils}/bin/env $out/usr/bin/env
+
+      cp -r ${config.system.build.etc}/etc/ $out/etc/
+      chmod 755 $out/etc
+
+      # Podman writes over these.
+      rm $out/etc/{hostname,hosts}
+
+      cp ${passwd} $out/etc/passwd
+      cp ${group} $out/etc/group
+
+      mkdir -p $out/var/empty
+
+      printRegistration=1 ${perl}/bin/perl ${pathsFromGraph} closure-* > $out/.reginfo
+    '';
+  };
+
+  stage1 = dockerTools.buildImage {
+    name = "bootstrap-base-image-stage1";
+    tag = date;
+    created = "now";
+    copyToRoot = system;
+    config = {
+      Cmd = [ "${bashInteractive}/bin/bash" ];
+      Env = [
+        "MANPATH=/run/current-system/sw/share/man"
+        "NIX_SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
+        "PATH=/run/current-system/sw/bin"
+      ];
+    };
+  };
+
+  dockerfile = writeText "Dockerfile-stage2" ''
+    FROM bootstrap-base-image-stage1:${date}
+
+    RUN ${coreutils}/bin/mkdir -p /run/current-system /var \
+     && ${coreutils}/bin/ln -s ${config.system.path} /run/current-system/sw
+    RUN nix-store --init \
+     && nix-store --load-db < .reginfo \
+     && mkdir /root \
+     && mkdir -m 1777 /tmp \
+     && ln -s /run /var/run \
+     && ln -s ${config.system.path} /nix/var/nix/gcroots/booted-system \
+     && ln -s ${config.system.build.etc} /nix/var/nix/gcroots/etc \
+     && nix-store --gc
+  '';
+
+in linkFarm "bootstrap-files" [
+  {
+    name = "stage1.tar.gz";
+    path = stage1;
+  }
+  {
+    name = "Dockerfile-stage2";
+    path = dockerfile;
+  }
+]
diff --git a/flake.lock b/flake.lock
diff --git a/flake.nix b/flake.nix
@@ -0,0 +1,74 @@
+{
+  inputs = {
+    flake-compat = {
+      url = "github:edolstra/flake-compat";
+      flake = false;
+    };
+    nixpkgs.url = "github:NixOS/nixpkgs/22.11";
+  };
+  outputs = { self, flake-compat, nixpkgs }: {
+    legacyPackages.x86_64-linux.mkContainer = { config, date }:
+      nixpkgs.legacyPackages.x86_64-linux.callPackage ./. {
+        inherit config date;
+      };
+
+    nixosConfigurations.default = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ({ pkgs, ... }: {
+          boot.isContainer = true;
+
+          environment.systemPackages = [
+            pkgs.bat
+            pkgs.crate2nix
+            pkgs.fd
+            pkgs.file
+            pkgs.gdb
+            pkgs.htop
+            pkgs.jq
+            pkgs.llvmPackages_12.clangUseLLVM
+            pkgs.llvmPackages_12.llvm
+            pkgs.man-pages
+            pkgs.nixfmt
+            (pkgs.python39.withPackages
+              (pypkgs: [ pypkgs.black pypkgs.ipython pypkgs.mypy ]))
+            pkgs.ripgrep
+            pkgs.shellcheck
+            pkgs.strace
+            pkgs.watchexec
+            pkgs.yj
+          ];
+
+          nix = {
+            extraOptions = ''
+              # Enable Flakes and nix(1)
+              experimental-features = flakes nix-command
+
+              # Prevent direnv/nix-shell/nix develop environments from getting GC'd.
+              keep-derivations = true
+              keep-outputs = true
+            '';
+
+            nixPath = [ "nixpkgs=${nixpkgs}" ];
+
+            registry.nixpkgs.flake = nixpkgs;
+
+            settings = {
+              auto-optimise-store = true;
+
+              # TODO: Currently broken... fix me on Docker *and* Podman!
+              sandbox = false;
+            };
+          };
+
+          programs.git = {
+            enable = true;
+            package = pkgs.gitFull;
+          };
+
+          system.stateVersion = "22.11";
+        })
+      ];
+    };
+  };
+}