diff options
| author | John Ericson <John.Ericson@Obsidian.Systems> | 2023-01-06 10:56:22 -0500 |
|---|---|---|
| committer | John Ericson <John.Ericson@Obsidian.Systems> | 2023-01-06 10:56:22 -0500 |
| commit | 989b8065b45e52a8df2a803b1a72e0d0a7c35536 (patch) | |
| tree | ffd7d779cf35dc13396aef3b1871a7bc954af350 /docker.nix | |
| parent | 08b8657978de0d56064aad9c3e925b64d91b28a2 (diff) | |
| parent | e9fc1e4fdb0ab5adb6b163c3db361b86a4f5c69b (diff) | |
Merge branch 'path-info' into ca-drv-exotic
Diffstat (limited to 'docker.nix')
| -rw-r--r-- | docker.nix | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/docker.nix b/docker.nix index 251bd2f46..203a06b53 100644 --- a/docker.nix +++ b/docker.nix @@ -2,8 +2,12 @@ , lib ? pkgs.lib , name ? "nix" , tag ? "latest" +, bundleNixpkgs ? true , channelName ? "nixpkgs" , channelURL ? "https://nixos.org/channels/nixpkgs-unstable" +, extraPkgs ? [] +, maxLayers ? 100 +, nixConf ? {} }: let defaultPkgs = with pkgs; [ @@ -22,15 +26,27 @@ let findutils iana-etc git - ]; + openssh + ] ++ extraPkgs; users = { root = { uid = 0; - shell = "/bin/bash"; + shell = "${pkgs.bashInteractive}/bin/bash"; home = "/root"; gid = 0; + groups = [ "root" ]; + description = "System administrator"; + }; + + nobody = { + uid = 65534; + shell = "${pkgs.shadow}/bin/nologin"; + home = "/var/empty"; + gid = 65534; + groups = [ "nobody" ]; + description = "Unprivileged account (don't use!)"; }; } // lib.listToAttrs ( @@ -52,6 +68,7 @@ let groups = { root.gid = 0; nixbld.gid = 30000; + nobody.gid = 65534; }; userToPasswd = ( @@ -120,20 +137,27 @@ let (lib.attrValues (lib.mapAttrs groupToGroup groups)) ); - nixConf = { + defaultNixConf = { sandbox = "false"; build-users-group = "nixbld"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; }; - nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${n} = ${v}") nixConf)) + "\n"; + + nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: + let + vStr = if builtins.isList v then lib.concatStringsSep " " v else v; + in + "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n"; baseSystem = let nixpkgs = pkgs.path; - channel = pkgs.runCommand "channel-nixos" { } '' + channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' mkdir $out - ln -s ${nixpkgs} $out/nixpkgs - echo "[]" > $out/manifest.nix + if [ "$bundleNixpkgs" ]; then + ln -s ${nixpkgs} $out/nixpkgs + echo "[]" > $out/manifest.nix + fi ''; rootEnv = pkgs.buildPackages.buildEnv { name = "root-profile-env"; @@ -228,7 +252,7 @@ let in pkgs.dockerTools.buildLayeredImageWithNixDb { - inherit name tag; + inherit name tag maxLayers; contents = [ baseSystem ]; |