{
  description = "Nix-based oci images for actions";

  # Flake inputs: two nixpkgs channels (one image is built from each) and
  # flake-utils for the per-system output boilerplate. The nixpkgs references
  # are branch names, so the revision actually used is the one recorded when
  # the inputs were locked, not anything written here.
  inputs = {
    nixpkgs = {
      url = "github:nixos/nixpkgs/nixos-24.11";
    };
    nixpkgs-unstable = {
      url = "github:nixos/nixpkgs/nixos-unstable";
    };
    flake-utils = {
      url = "github:numtide/flake-utils";
    };
  };

  # Builds one OCI runner image per pinned nixpkgs channel, for every system
  # flake-utils treats as a default. Only the `packages` output is produced;
  # `self` is accepted but not used.
  outputs =
    {
      self,
      nixpkgs,
      nixpkgs-unstable,
      flake-utils,
    }:
    flake-utils.lib.eachDefaultSystem (
      system:
      let
        # nixpkgs' lib; not referenced anywhere in this block.
        inherit (nixpkgs) lib;
        # Packages copied as-is into the image root. Takes the evaluated
        # package set as an argument so the same list serves both channels.
        # podman is the consumer of the /etc/containers files written below.
        # NOTE(review): binaries copied from the Nix store carry no setuid
        # bit, so `sudo` cannot elevate privileges by itself here; it is
        # presumably included so scripts that call it keep working while the
        # container already runs as root (see USER below) — confirm.
        imagePackages =
          pkgs: with pkgs; [
            bashInteractive
            cacert
            coreutils
            curl
            podman
            findutils
            gawk
            gitFull
            gnugrep
            gnused
            gnutar
            gzip
            jq
            nodejs
            openssl
            openssh
            rsync
            sudo
            wget
            xz
            makeWrapper
            bats
            shellcheck
            reuse
            lix
            sops
            nvd
          ];
        # name: last path component of the image name; tag: image tag;
        # pkgs': a nixpkgs flake input, evaluated here for the current
        # system. Returns the derivation that builds the image, including a
        # Nix database so `nix` inside the container knows about the copied
        # store paths.
        containerLambda =
          name: tag: pkgs':
          let
            pkgs = import pkgs' { inherit system; };
          in
          pkgs.dockerTools.buildImageWithNixDb {
            name = "git.flyinggecko.org/oci-images/nixos-runner/${name}";
            tag = tag;
            # Everything listed here lands in the image root: the package
            # closures first, then the hand-written /etc files.
            # NOTE(review): if two entries provide the same path, which one
            # wins depends on buildImage's copy order — confirm before
            # relying on it.
            copyToRoot =
              with pkgs;
              (imagePackages pkgs)
              ++ [

                # Image signature policy for podman/skopeo. Both the default
                # rule and the docker-daemon transport accept any image
                # unverified, so nothing a job pulls is checked against a
                # signing key. If jobs from untrusted sources run in this
                # image, a `signedBy` or `sigstoreSigned` rule for the
                # registries in use is the place to tighten it.
                (writeTextFile {
                  name = "containerPolicy";
                  destination = "/etc/containers/policy.json";
                  text = ''
                  {
                      "default": [
                          {
                              "type": "insecureAcceptAnything"
                          }
                      ],
                      "transports":
                          {
                              "docker-daemon":
                                  {
                                      "": [{"type":"insecureAcceptAnything"}]
                                  }
                          }
                  }
                  '';
                })

                # Registry configuration for podman. Nothing is blocked or
                # marked insecure; unqualified image names are searched on
                # docker.io first, then quay.io, so a short name can resolve
                # to a different image than intended — fully qualified names
                # in jobs avoid that ambiguity.
                # NOTE(review): this is the older `[registries.*]` table
                # layout; current containers-common documents
                # `unqualified-search-registries` instead — confirm the
                # shipped podman still honours this form.
                (writeTextFile {
                  name = "containerRegistries";
                  destination = "/etc/containers/registries.conf";
                  text = ''
                  [registries.block]
                  registries = []

                  [registries.insecure]
                  registries = []

                  [registries.search]
                  registries = ["docker.io", "quay.io"]
                  '';
                })

                # Minimal /etc/passwd: root (the account the container runs
                # as, see USER below), 32 nixbld users that lix can run
                # builds as, and nobody. The `x` password field points at a
                # shadow database that this image does not ship.
                (writeTextFile {
                  name = "passwd";
                  destination = "/etc/passwd";
                  text = builtins.concatStringsSep "\n" [
                    "root:x:0:0:System administrator:/root:/bin/bash"
                    "nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin"
                    "nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin"
                    "nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin"
                  ];
                })

                # Matching /etc/group; gid 30000 (nixbld) lists all 32 build
                # users, the other entries are the usual NixOS system groups
                # with no members.
                (writeTextFile {
                  name = "group";
                  destination = "/etc/group";
                  text = builtins.concatStringsSep "\n" [
                    "root:x:0:"
                    "wheel:x:1:"
                    "kmem:x:2:"
                    "tty:x:3:"
                    "messagebus:x:4:"
                    "disk:x:6:"
                    "audio:x:17:"
                    "floppy:x:18:"
                    "uucp:x:19:"
                    "lp:x:20:"
                    "cdrom:x:24:"
                    "tape:x:25:"
                    "video:x:26:"
                    "dialout:x:27:"
                    "utmp:x:29:"
                    "adm:x:55:"
                    "keys:x:96:"
                    "users:x:100:"
                    "input:x:174:"
                    "nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9"
                    "nogroup:x:65534:"
                  ];
                })

                # Name-service switch. The mymachines/systemd/myhostname
                # sources name NSS modules that are not in the package list;
                # glibc presumably skips modules it cannot load, leaving
                # `files` (and `dns` for hosts) effective — confirm.
                (writeTextFile {
                  name = "nsswitch.conf";
                  destination = "/etc/nsswitch.conf";
                  text = builtins.concatStringsSep "\n" [
                    "passwd:    files mymachines systemd"
                    "group:     files mymachines systemd"
                    "shadow:    files"
                    "hosts:     files mymachines dns myhostname"
                    "networks:  files"
                    "ethers:    files"
                    "services:  files"
                    "protocols: files"
                    "rpc:       files"
                  ];
                })

                # Nix settings inside the image. `accept-flake-config = true`
                # applies whatever `nixConfig` a flake declares (extra
                # substituters, trusted keys, ...) without prompting, and
                # because commands run as root — a trusted user for Nix —
                # settings an untrusted user could not set are presumably
                # accepted as well; keep this only for runners that evaluate
                # trusted flakes. The binary cache and its signing key are
                # pinned to cache.nixos.org.
                (writeTextFile {
                  name = "nix.conf";
                  destination = "/etc/nix/nix.conf";
                  text = builtins.concatStringsSep "\n" [
                    "accept-flake-config = true"
                    "experimental-features = nix-command flakes"
                    "substituters = https://cache.nixos.org"
                    "trusted-public-keys = cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
                  ];
                })
              ];

            # Shell snippet run in the image root at build time; all paths
            # are relative to that root.
            extraCommands = builtins.concatStringsSep "\n" [
              # /usr/bin -> /bin so `#!/usr/bin/env` shebangs resolve
              "mkdir usr"
              "ln -s ../bin usr/bin"
              # world-writable, sticky /tmp, with /var/tmp aliasing it
              "mkdir -m 1777 tmp"
              "mkdir -m 0755 var"
              "ln -s ../tmp var/tmp"
              # root needs a home
              "mkdir -vp root"
            ];

            # OCI runtime config: interactive bash as root by default.
            config = {
              Cmd = [ "/bin/bash" ];
              Env = [
                # NOTE(review): no locale package is copied into the image,
                # so this locale may be unavailable at runtime — confirm.
                "LANG=en_GB.UTF-8"
                # NOTE(review): /etc/profile.d/nix.sh is not written by this
                # file; presumably provided by the lix package — confirm it
                # ends up at that path.
                "ENV=/etc/profile.d/nix.sh"
                "BASH_ENV=/etc/profile.d/nix.sh"
                "NIX_BUILD_SHELL=/bin/bash"
                # ./fake_nixpkgs from this repository is copied to the store
                # and served as <nixpkgs>.
                "NIX_PATH=nixpkgs=${./fake_nixpkgs}"
                "PAGER=cat"
                # /usr/bin is the symlink created in extraCommands above.
                "PATH=/usr/bin:/bin"
                # CA bundle for curl, git, openssl etc.; cacert is in
                # imagePackages.
                "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
                "USER=root"
              ];
            };
          };
      in
      {
        # Two images that differ only in the nixpkgs channel they are
        # built from.
        packages = {
          nixos-2411 = containerLambda "nixos" "24.11" nixpkgs;
          nixos-unstable = containerLambda "nixos" "unstable" nixpkgs-unstable;
        };
      }
    );
}