hi

.gitignore

@@ -0,0 +1,3 @@
+# Nix
+result
+result-*

.gitlab-ci.yml

@@ -0,0 +1,30 @@
+image: nixos/nix:latest
+
+stages:
+  - build
+  - publish
+
+before_script:
+  - nix-shell --run .gitlab/docker-login
+
+nixos-unstable:
+  extends: .build
+  variables:
+    NIXPKGS_CHANNEL: nixos-unstable
+
+nixos-18.09:
+  extends: .build
+  variables:
+    NIXPKGS_CHANNEL: nixos-18.09
+
+# ---- templates ---
+
+.build:
+  stage: build
+  script:
+    - nix-shell --run ./build
+    - nix-shell --run .gitlab/push-master
+  variables:
+    NIX_PATH: "nixpkgs=channel:${NIXPKGS_CHANNEL}"
+    REGISTRY_URL: "${CI_REGISTRY_IMAGE}/${NIXPKGS_CHANNEL}"
+

.gitlab/docker-login

@@ -0,0 +1,13 @@
+#!/bin/sh -eu
+
+mkdir ~/.docker
+
+cat <<DOCKER_CONF > ~/.docker/config.json
+{
+  "auths": {
+    "$CI_REGISTRY": {
+      "auth": "$(printf "%s:%s" "$CI_REGISTRY_USER" "$CI_REGISTRY_PASSWORD" | base64)"
+    }
+  }
+}
+DOCKER_CONF

.gitlab/push-master

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+if [ "$CI_COMMIT_REF_NAME" = master ]; then
+  exec ./push-all
+else
+  echo "=== not pushing on non-master ==="
+fi

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 zimbatm and contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -0,0 +1,50 @@
+# docker-nixpkgs: docker images from nixpkgs
+
+This project is a collection of docker images automatically produced with Nix
+and the latest nixpkgs package set. It even refreshes every morning a 4:00 UTC
+thanks to the [Gitlab CI schedules][gitlab-schedules].
+
+It's also a good demonstration on how to build and publish Docker images with
+Nix.
+
+Always keep your docker images fresh!
+
+## Why use Nix to build docker images?
+
+Nix has a number of advantages over Dockerfile when producing docker images:
+
+* builds are actually reproducible
+* Nix will only rebuild the minimum set of changes
+* Nix can produce automatic optimised layers for you
+
+## Example usage
+
+Here is an example of using one of the docker images. Usage will change from
+image to image.
+
+```
+# the user must have an account at gitlab
+$ docker login registry.gitlab.com
+# run the curl image which has curl as an entry-point
+$ docker run -ti --rm registry.gitlab.com/zimbatm/docker-nixpkgs/nixos-unstable/curl http://ifconfig.co
+180.52.248.114
+```
+
+## List of images
+
+| Image        | Description                |
+| ---          | ---                        |
+| curl         | just curl as an entrypoint |
+| nix          | nix with deps              |
+| nix-unstable | nixUnstable with deps      |
+
+## Channels
+
+| Name           |
+| ---            |
+| nixos-unstable |
+| nixos-18.09    |
+
+
+[gitlab-schedules]: https://gitlab.com/zimbatm/docker-nixpkgs/pipeline_schedules
+

build

@@ -0,0 +1,6 @@
+#!/bin/sh -eu
+
+# build *all* the docker images
+nix-build release.nix \
+  --no-out-link \
+  "$@"

curl/default.nix

@@ -0,0 +1,20 @@
+{ dockerTools
+, cacert
+, curl
+}:
+dockerTools.buildImage {
+  inherit (curl) name;
+
+  contents = [
+    cacert
+    curl
+  ];
+
+  config = {
+    Entrypoint = [ "/bin/curl" ];
+    Env = [
+      "PATH=/bin"
+      "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
+    ];
+  };
+}

default.nix

@@ -0,0 +1,7 @@
+{ nixpkgs ? <nixpkgs> }:
+import nixpkgs {
+  config = {};
+  overlays = [
+    (import ./overlay.nix)
+  ];
+}

nix/default.nix

@@ -0,0 +1,53 @@
+{ dockerTools
+, bash
+, cacert
+, coreutils
+, curl
+, gitMinimal
+, gnutar
+, gzip
+, iana-etc
+, nix
+, xz
+}:
+dockerTools.buildImageWithNixDb {
+  inherit (nix) name;
+
+  contents = [
+    ./root
+    coreutils
+    # add /bin/sh
+    bash
+    nix
+
+    # runtime dependencies of nix
+    cacert
+    gitMinimal
+    gnutar
+    gzip
+    xz
+
+    # for haskell binaries
+    iana-etc
+  ];
+
+  extraCommands = ''
+    # for /usr/bin/env
+    mkdir usr
+    ln -s ../bin usr/bin
+
+    # make sure /tmp exists
+    mkdir -m 0777 tmp
+  '';
+
+  config = {
+    Cmd = [ "/bin/bash" ];
+    Env = [
+      "ENV=/etc/profile.d/nix.sh"
+      "NIX_PATH=nixpkgs=channel:nixpkgs-unstable"
+      "PAGER=cat"
+      "PATH=/usr/bin:/bin"
+      "SSL_CERT_FILE=${cacert}/etc/ssl/certs/ca-bundle.crt"
+    ];
+  };
+}

nix/root/etc/group

@@ -0,0 +1,21 @@
+root:x:0:
+wheel:x:1:
+kmem:x:2:
+tty:x:3:
+messagebus:x:4:
+disk:x:6:
+audio:x:17:
+floppy:x:18:
+uucp:x:19:
+lp:x:20:
+cdrom:x:24:
+tape:x:25:
+video:x:26:
+dialout:x:27:
+utmp:x:29:
+adm:x:55:
+keys:x:96:
+users:x:100:
+input:x:174:
+nixbld:x:30000:nixbld1,nixbld10,nixbld11,nixbld12,nixbld13,nixbld14,nixbld15,nixbld16,nixbld17,nixbld18,nixbld19,nixbld2,nixbld20,nixbld21,nixbld22,nixbld23,nixbld24,nixbld25,nixbld26,nixbld27,nixbld28,nixbld29,nixbld3,nixbld30,nixbld31,nixbld32,nixbld4,nixbld5,nixbld6,nixbld7,nixbld8,nixbld9
+nogroup:x:65534:

nix/root/etc/passwd

@@ -0,0 +1,34 @@
+root:x:0:0:System administrator:/root:/bin/bash
+nixbld1:x:30001:30000:Nix build user 1:/var/empty:/run/current-system/sw/bin/nologin
+nixbld2:x:30002:30000:Nix build user 2:/var/empty:/run/current-system/sw/bin/nologin
+nixbld3:x:30003:30000:Nix build user 3:/var/empty:/run/current-system/sw/bin/nologin
+nixbld4:x:30004:30000:Nix build user 4:/var/empty:/run/current-system/sw/bin/nologin
+nixbld5:x:30005:30000:Nix build user 5:/var/empty:/run/current-system/sw/bin/nologin
+nixbld6:x:30006:30000:Nix build user 6:/var/empty:/run/current-system/sw/bin/nologin
+nixbld7:x:30007:30000:Nix build user 7:/var/empty:/run/current-system/sw/bin/nologin
+nixbld8:x:30008:30000:Nix build user 8:/var/empty:/run/current-system/sw/bin/nologin
+nixbld9:x:30009:30000:Nix build user 9:/var/empty:/run/current-system/sw/bin/nologin
+nixbld10:x:30010:30000:Nix build user 10:/var/empty:/run/current-system/sw/bin/nologin
+nixbld11:x:30011:30000:Nix build user 11:/var/empty:/run/current-system/sw/bin/nologin
+nixbld12:x:30012:30000:Nix build user 12:/var/empty:/run/current-system/sw/bin/nologin
+nixbld13:x:30013:30000:Nix build user 13:/var/empty:/run/current-system/sw/bin/nologin
+nixbld14:x:30014:30000:Nix build user 14:/var/empty:/run/current-system/sw/bin/nologin
+nixbld15:x:30015:30000:Nix build user 15:/var/empty:/run/current-system/sw/bin/nologin
+nixbld16:x:30016:30000:Nix build user 16:/var/empty:/run/current-system/sw/bin/nologin
+nixbld17:x:30017:30000:Nix build user 17:/var/empty:/run/current-system/sw/bin/nologin
+nixbld18:x:30018:30000:Nix build user 18:/var/empty:/run/current-system/sw/bin/nologin
+nixbld19:x:30019:30000:Nix build user 19:/var/empty:/run/current-system/sw/bin/nologin
+nixbld20:x:30020:30000:Nix build user 20:/var/empty:/run/current-system/sw/bin/nologin
+nixbld21:x:30021:30000:Nix build user 21:/var/empty:/run/current-system/sw/bin/nologin
+nixbld22:x:30022:30000:Nix build user 22:/var/empty:/run/current-system/sw/bin/nologin
+nixbld23:x:30023:30000:Nix build user 23:/var/empty:/run/current-system/sw/bin/nologin
+nixbld24:x:30024:30000:Nix build user 24:/var/empty:/run/current-system/sw/bin/nologin
+nixbld25:x:30025:30000:Nix build user 25:/var/empty:/run/current-system/sw/bin/nologin
+nixbld26:x:30026:30000:Nix build user 26:/var/empty:/run/current-system/sw/bin/nologin
+nixbld27:x:30027:30000:Nix build user 27:/var/empty:/run/current-system/sw/bin/nologin
+nixbld28:x:30028:30000:Nix build user 28:/var/empty:/run/current-system/sw/bin/nologin
+nixbld29:x:30029:30000:Nix build user 29:/var/empty:/run/current-system/sw/bin/nologin
+nixbld30:x:30030:30000:Nix build user 30:/var/empty:/run/current-system/sw/bin/nologin
+nixbld31:x:30031:30000:Nix build user 31:/var/empty:/run/current-system/sw/bin/nologin
+nixbld32:x:30032:30000:Nix build user 32:/var/empty:/run/current-system/sw/bin/nologin
+nobody:x:65534:65534:Unprivileged account (don't use!):/var/empty:/run/current-system/sw/bin/nologin

overlay.nix

@@ -0,0 +1,14 @@
+_: pkgs: {
+  docker-nixpkgs = rec {
+
+    curl = pkgs.callPackage ./curl {};
+
+    nix = pkgs.callPackage ./nix {};
+
+    # docker images must be lower-cased
+    nix-unstable = nix.overrideAttrs (self: { 
+      nix = pkgs.nixUnstable;
+    });
+
+  };
+}

push-all

@@ -0,0 +1,12 @@
+#!/bin/sh -eu
+
+: "${CI_REGISTRY_IMAGE:=registry.gitlab.com/zimbatm/docker-nixpkgs}"
+: "${REGISTRY_URL:=$CI_REGISTRY_IMAGE/undefined}"
+
+releases_json=$(nix-instantiate ./release.nix --strict --eval --json)
+
+for attr in $(echo "$releases_json" | jq -r "keys[]") ; do
+  file=$(echo "$releases_json" | jq -r ".\"$attr\"")
+  echo "--- $attr -> $file"
+  skopeo copy "docker-archive://$file" "docker://$REGISTRY_URL/$attr:latest"
+done

release.nix

@@ -0,0 +1,4 @@
+let
+  pkgs = import ./. {};
+in
+  pkgs.docker-nixpkgs

shell.nix

@@ -0,0 +1,8 @@
+{ channel ? "nixos-unstable" }@args:
+with import ./. args;
+mkShell {
+  buildInputs = [
+    jq
+    skopeo
+  ];
+}