diff --git a/fake_nixpkgs/default.nix b/fake_nixpkgs/default.nix
new file mode 100644
index 0000000..3001f60
--- /dev/null
+++ b/fake_nixpkgs/default.nix
@@ -0,0 +1,10 @@
+_:
+throw ''
+ This container doesn't include nixpkgs.
+
+ The best way to work around that is to pin your dependencies. See
+ https://nix.dev/tutorials/towards-reproducibility-pinning-nixpkgs.html
+
+ Or if you must, override the NIX_PATH environment variable with eg:
+ "NIX_PATH=nixpkgs=channel:nixos-unstable"
+''
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..3c5952f
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,78 @@ +{ + "nodes": { + "flake-utils": { + "inputs": { + "systems": "systems" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1738702386, + "narHash": "sha256-nJj8f78AYAxl/zqLiFGXn5Im1qjFKU8yBPKoWEeZN5M=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "030ba1976b7c0e1a67d9716b17308ccdab5b381e", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-24.11", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "flake-utils": "flake-utils", + "nixpkgs": "nixpkgs", + "nixpkgs-unstable": "nixpkgs-unstable" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..b24d933 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,187 @@
+{
+ description = "Nix-based oci images for actions";
+
+ inputs = {
+ nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ flake-utils.url = "github:numtide/flake-utils";
+ };
+
+ outputs =
+ {
+ self,
+ nixpkgs,
+ nixpkgs-unstable,
+ flake-utils,
+ }:
+ flake-utils.lib.eachDefaultSystem (
+ system:
+ let
+ inherit (nixpkgs) lib;
+ imagePackages =
+ pkgs: with pkgs; [
+ bashInteractive
+ cacert
+ coreutils
+ curl
+ docker
+ findutils
+ gawk
+ gitFull
+ gnugrep
+ gnutar
+ gzip
+ jq
+ nodejs
+ openssl
+ openssh
+ rsync
+ sudo
+ wget
+ xz
+ makeWrapper
+ bats
+ shellcheck
+ reuse
+ lix
+ sops
+ nvd
+ ];
+ containerLambda =
+ name: tag: pkgs':
+ let
+ pkgs = import pkgs' { inherit system; };
+ in
+ pkgs.dockerTools.buildImageWithNixDb {
+ name = "git.flyinggecko.org/oci-images/nixos-runner/${name}";
+ tag = tag;
+ copyToRoot =
+ with pkgs;
+ (imagePackages pkgs)
+ ++ [
+ (pkgs.writeTextFile {
+ name = "passwd";
+ destination = "/etc/passwd";
+ text = builtins.concatStringsSep "\n" [
+ "root:x:0:0:System administrator:/root:/bin/bash"
+ "nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin"
+ "nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin"
+ "nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin"
+ ];
+ })
+ (pkgs.writeTextFile {
+ name = "group";
+ destination = "/etc/group";
+ text = builtins.concatStringsSep "\n" [
+ "root:x:0:"
+ "wheel:x:1:"
+ "kmem:x:2:"
+ "tty:x:3:"
+ "messagebus:x:4:"
+ "disk:x:6:"
+ "audio:x:17:"
+ "floppy:x:18:"
+ "uucp:x:19:"
+ "lp:x:20:"
+ "cdrom:x:24:"
+ "tape:x:25:"
+ "video:x:26:"
+ "dialout:x:27:"
+ "utmp:x:29:"
+ "adm:x:55:"
+ "keys:x:96:"
+ "users:x:100:"
+ "input:x:174:"
+ "nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9"
+ "nogroup:x:65534:"
+ ];
+ })
+ (pkgs.writeTextFile {
+ name = "nsswitch.conf";
+ destination = "/etc/nsswitch.conf";
+ text = builtins.concatStringsSep "\n" [
+ "passwd: files mymachines systemd"
+ "group: files mymachines systemd"
+ "shadow: files"
+ "hosts: files mymachines dns myhostname"
+ "networks: files"
+ "ethers: files"
+ "services: files"
+ "protocols: files"
+ "rpc: files"
+ ];
+ })
+ (pkgs.writeTextFile {
+ name = "nix.conf";
+ destination = "/etc/nix/nix.conf";
+ text = builtins.concatStringsSep "\n" [
+ "accept-flake-config = true"
+ "experimental-features = nix-command flakes"
+ "substituters = https://cache.nixos.org"
+ "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ })
+ ];
+ extraCommands = builtins.concatStringsSep "\n" [
+ # /usr/bin/env
+ "mkdir usr"
+ "ln -s ../bin usr/bin"
+ # create /tmp
+ "mkdir -m 1777 tmp"
+ # root needs a home
+ "mkdir -vp root"
+ ];
+ config = {
+ Cmd = [ "/bin/bash" ];
+ Env = [
+ "LANG=en_GB.UTF-8"
+ "ENV=/etc/profile.d/nix.sh"
+ "BASH_ENV=/etc/profile.d/nix.sh"
+ "NIX_BUILD_SHELL=/bin/bash"
+ "NIX_PATH=nixpkgs=${./fake_nixpkgs}"
+ "PAGER=cat"
+ "PATH=/usr/bin:/bin"
+ "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+ "USER=root"
+ ];
+ };
+ };
+ in
+ {
+ packages = {
+ nixos-2411 = containerLambda "nixos" "24.11" nixpkgs;
+ nixos-unstable = containerLambda "nixos" "unstable" nixpkgs-unstable;
+ };
+ }
+ );
+}
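Review bot: The `/etc/nix/nix.conf` written in this hunk sets `accept-flake-config = true`, which makes Nix apply a flake's `nixConfig` (including `extra-substituters` and `extra-trusted-public-keys`) without prompting, so on a runner that evaluates third-party or pull-request flakes the flake being built can register its own binary cache and signing key and have that cache's store paths substituted as trusted. The image also appears to run everything as root (`USER=root` in `Env`, no `User` in `config`), so there is no trusted-user boundary that would otherwise restrict those settings. Unless this runner is only ever pointed at repositories the operators control, I would drop that line (the default is `false`) and let jobs that genuinely need extra caches pass `--accept-flake-config` themselves, or at minimum record the assumption next to it with a comment such as `# accept-flake-config is on because this runner only builds first-party repos; revisit before exposing it to untrusted flakes`. Separately, `inherit (nixpkgs) lib;` in the `let` is not referenced anywhere in the hunk and can be removed.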