From 16fb0b41472f05de87f08a6ceccea338460ca491 Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Mon, 27 Jun 2022 16:54:16 +0200
Subject: [PATCH 1/3] nix-shell: add dive to inspect images
---
 shell.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/shell.nix b/shell.nix
index 9687749..c27ec24 100644
--- a/shell.nix
+++ b/shell.nix
@@ -5,6 +5,7 @@ in with pkgs;
 mkShell {
 buildInputs = [
+ dive
 jq
 skopeo
 ] ++ lib.optional (pkgs ? mdsh) pkgs.mdsh;
From cb688a90e36d720fc70d77bd1e207bafefcbc449 Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Mon, 27 Jun 2022 16:54:29 +0200
Subject: [PATCH 2/3] nix-shell: set the NIX_PATH
Use the same version of nixpkgs as the shell itself
---
 shell.nix | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/shell.nix b/shell.nix
index c27ec24..9c27da4 100644
--- a/shell.nix
+++ b/shell.nix
@@ -13,5 +13,7 @@ mkShell {
 shellHook = ''
 # try to work aroud build issues
 unset TMPDIR
+
+ export NIX_PATH=nixpkgs=${toString nixpkgs}
 '';
 }
From 272875d0af7127902d0997004a15985af1ecc227 Mon Sep 17 00:00:00 2001
From: zimbatm
Date: Mon, 27 Jun 2022 16:53:48 +0200
Subject: [PATCH 3/3] feat: add nix-unstable-static docker image
This is a special docker images that contains no /nix/store. And only static binaries in /bin. The main use-case is to be able to bind-mount /nix from the host into the container.
---
 images/nix-unstable-static/README.md | 8 ++
 images/nix-unstable-static/default.nix | 116 +++++++++++++++++++++++++
 2 files changed, 124 insertions(+)
 create mode 100644 images/nix-unstable-static/README.md
 create mode 100644 images/nix-unstable-static/default.nix
diff --git a/images/nix-unstable-static/README.md b/images/nix-unstable-static/README.md
new file mode 100644
index 0000000..0fdb44e
--- /dev/null
+++ b/images/nix-unstable-static/README.md
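Review bot: The new `export NIX_PATH=nixpkgs=${toString nixpkgs}` line in the shellHook replaces the entire NIX_PATH of whoever enters the shell, so any other entries they had set (for example a `nixos-config` entry) are discarded rather than shadowed; if that is the intent, a one-line comment stating it would stop a later reader from "fixing" it, e.g. `# Pin <nixpkgs> to the shell's own nixpkgs; this intentionally replaces the user's NIX_PATH`. The `nixpkgs` binding it expands is defined outside this hunk, so whether `toString` yields a plain path or a store path cannot be confirmed here.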
@@ -0,0 +1,8 @@
+# nix-unstable-static
+
+This is a special variant of the nix image that contains no `/nix/store`.
+Instead, nix and all the supporting binaries are statically built and copied
+into /bin.
+
+The main use-case is to be able to run nix in the container, but share the
+`/nix/store` with the host.
diff --git a/images/nix-unstable-static/default.nix b/images/nix-unstable-static/default.nix
new file mode 100644
index 0000000..e8d2a62
--- /dev/null
+++ b/images/nix-unstable-static/default.nix
@@ -0,0 +1,116 @@
+{ dockerTools
+, lib
+, fetchurl
+, findutils
+, pkgsStatic
+, python3
+, removeReferencesTo
+, runCommand
+}:
+let
+ inherit (pkgsStatic)
+ bash
+ busybox
+ cacert
+ openssl
+ ;
+
+ # Get nix from Hydra because the nixpkgs one is not fully static
+ nixStaticBin = fetchurl {
+ url = "https://hydra.nixos.org/build/181573550/download/1/nix";
+ hash = "sha256-zO2xJhQIrLtL/ReTlcorjwsaTO1W5Rnr+sXwcLcujok=";
+ };
+
+ nixSymlinks = [
+ "nix-build"
+ "nix-channel"
+ "nix-collect-garbage"
+ "nix-copy-closure"
+ "nix-daemon"
+ "nix-env"
+ "nix-hash"
+ "nix-instantiate"
+ "nix-prefetch-url"
+ "nix-shell"
+ "nix-store"
+ ];
+
+ dirs = [
+ "bin"
+ "etc/ssl/certs"
+ "root"
+ "tmp"
+ "usr"
+ ];
+
+ extraCommands = ''
+ rm_ref() {
+ ${removeReferencesTo}/bin/remove-references-to "$@"
+ }
+
+ # Create a FHS-like file structure
+ cp -r ${../nix/root}/* .
+ chmod +w etc
+ mkdir -p ${toString dirs}
+
+ # For /usr/bin/env
+ ln -s ../bin usr/bin
+
+ # Make sure /tmp has the right permissions
+ chmod 1777 tmp
+
+ # Add SSL CA certs
+ cp -a "${cacert}/etc/ssl/certs/ca-bundle.crt" etc/ssl/certs/ca-bundle.crt
+
+ # Install base binaries
+ cp -a ${busybox}/bin/* bin/
+ rm_ref -t ${busybox} bin/busybox
+
+ # Install shell
+ cp -a ${bash}/bin/bash bin/
+ rm_ref -t ${bash} bin/bash
+
+ # Install nix
+ cp -a ${nixStaticBin} bin/nix
+ chmod +x bin/nix
+ for sym in ${toString nixSymlinks}; do
+ ln -sv /bin/nix bin/$sym
+ done
+ mkdir -p libexec/nix
+ ln -s /bin/nix libexec/nix/build-remote
+ '';
+
+ # To debug
+ unpacked = runCommand
+ "unpacked"
+ { buildInputs = [ python3 ]; }
+ ''
+ mkdir layer
+ pushd layer
+ ${extraCommands}
+ popd
+ mv layer $out
+ '';
+
+ image = dockerTools.buildImage {
+ name = "nix-static";
+
+ inherit extraCommands;
+
+ config = {
+ Cmd = [ "/bin/bash" ];
+ Env = [
+ "NIX_BUILD_SHELL=/bin/bash"
+ "PAGER=cat"
+ "PATH=/bin"
+ "SSL_CERT_FILE=/etc/ssl/certs/ca-bundle.crt"
+ ];
+ };
+ };
+in
+image // {
+ passthru = image.passthru // { inherit unpacked; };
+ meta = image.meta // {
+ description = "Nix but statically built";
+ };
+}
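Review bot: The `nixStaticBin` fetched in default.nix is a prebuilt Hydra build product (build 181573550) that ends up as the image's `/bin/nix`, and while the `hash` pins its content, nothing in the file records which nix release, jobset or evaluation that build came from, so once the Hydra URL is garbage-collected the pin can neither be re-derived nor audited against a source. A comment next to the `fetchurl`, such as `# hydra build 181573550 = nix <VERSION-PLACEHOLDER> from jobset <JOBSET-PLACEHOLDER>; update hash together with url`, would keep that provenance with the pin. Separately, `findutils`, `lib` and `openssl` are taken as inputs but referenced nowhere else in the hunk, and `python3` is only placed in `unpacked`'s `buildInputs` although `extraCommands` runs no python; dropping them keeps the debug derivation's closure minimal.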