| 1 | +## |
| 2 | +## Copyright 2023 Joel Holdsworth |
| 3 | +## |
| 4 | +## Redistribution and use in source and binary forms, with or without |
| 5 | +## modification, are permitted provided that the following conditions are met: |
| 6 | +## |
| 7 | +## 1. Redistributions of source code must retain the above copyright notice, this |
| 8 | +## list of conditions and the following disclaimer. |
| 9 | +## |
| 10 | +## 2. Redistributions in binary form must reproduce the above copyright notice, |
| 11 | +## this list of conditions and the following disclaimer in the documentation |
| 12 | +## and/or other materials provided with the distribution. |
| 13 | +## |
| 14 | +## 3. Neither the name of the copyright holder nor the names of its contributors |
| 15 | +## may be used to endorse or promote products derived from this software without |
| 16 | +## specific prior written permission. |
| 17 | +## |
| 18 | +## THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND |
| 19 | +## ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED |
| 20 | +## WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE |
| 21 | +## DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE |
| 22 | +## FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 23 | +## DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR |
| 24 | +## SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER |
| 25 | +## CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, |
| 26 | +## OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE |
| 27 | +## OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 28 | +## |
| 29 | + |
| 30 | +{ |
| 31 | + inputs = { |
| 32 | + nixpkgs.url = "nixpkgs/nixos-24.05"; |
| 33 | + flake-utils.url = "github:numtide/flake-utils"; |
| 34 | + }; |
| 35 | + |
| 36 | + outputs = { self, nixpkgs, flake-utils }: |
| 37 | + flake-utils.lib.eachDefaultSystem (system: |
| 38 | + let |
| 39 | + pkgs = import nixpkgs { inherit system; }; |
| 40 | + in { |
| 41 | + packages = rec { |
| 42 | + default = pkgs.dockerTools.buildLayeredImage { |
| 43 | + name = "docker-nix-bootstrap"; |
| 44 | + tag = "latest"; |
| 45 | + |
| 46 | + copyToRoot = pkgs.buildEnv { |
| 47 | + name = "image-root"; |
| 48 | + pathsToLink = [ "/bin" "/etc" "/tmp" "/var" ]; |
| 49 | + paths = with pkgs; [ |
| 50 | + bashInteractive |
| 51 | + cacert |
| 52 | + coreutils |
| 53 | + git |
| 54 | + nix |
| 55 | + skopeo |
| 56 | + (pkgs.fakeNss.override { |
| 57 | + extraPasswdLines = [ |
| 58 | + "nixbld1:x:997:996:Nix build user 1:/var/empty:/usr/sbin/nologin" |
| 59 | + "nobody:x:65534:65524:nobody:/var/empty:/bin/sh" |
| 60 | + ]; |
| 61 | + extraGroupLines = [ |
| 62 | + "nixbld:x:996:nixbld1" |
| 63 | + "nobody:x:65534:" |
| 64 | + ]; |
| 65 | + }) |
| 66 | + (writeTextDir "etc/nix/nix.conf" '' |
| 67 | + sandbox = false |
| 68 | + experimental-features = nix-command flakes |
| 69 | + '') |
| 70 | + (writeTextDir "etc/containers/policy.json" '' |
| 71 | + { "default" : [ { "type": "insecureAcceptAnything" } ] } |
| 72 | + '') |
| 73 | + (runCommand "tmp" { } "mkdir -p $out/tmp $out/var/tmp") |
| 74 | + dockerTools.caCertificates |
| 75 | + ]; |
| 76 | + }; |
| 77 | + |
| 78 | + config = { |
| 79 | + Cmd = [ "${pkgs.bashInteractive}/bin/bash" ]; |
| 80 | + Env = [ |
| 81 | + "NIX_PAGER=cat" |
| 82 | + "USER=nobody" |
| 83 | + ]; |
| 84 | + }; |
| 85 | + }; |
| 86 | + }; |
| 87 | + |
| 88 | + devShells = { |
| 89 | + default = pkgs.mkShell { |
| 90 | + buildInputs = with pkgs; [ |
| 91 | + skopeo |
| 92 | + ]; |
| 93 | + }; |
| 94 | + }; |
| 95 | + }); |
| 96 | +} |
| 97 | + |
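Review bot: The `nobody` passwd entry on the line at gutter 59 gives the account primary gid 65524, while the `nobody` group line at gutter 63 defines gid 65534, so the user's primary group resolves to a group that does not exist in the image; the passwd line should read `"nobody:x:65534:65534:nobody:/var/empty:/bin/sh"`. Separately, the policy written at gutter 70-72 sets `insecureAcceptAnything` as the default, which makes skopeo accept any image from any registry without signature checks, and `sandbox = false` at gutter 67 disables build isolation; both are presumably intentional for a bootstrap image but deserve a one-line comment stating that, e.g. `# insecureAcceptAnything disables signature verification for every registry; tighten per-registry if the image is used beyond bootstrapping`. Note also that `Env` carries `USER=nobody` but `config` sets no `User`, so processes in the container appear to run as root while `$USER` claims otherwise; either add `User = "nobody";` (if nix's store access permits it) or drop the misleading variable.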