From aa3927f0f19a654a80166aa007b7f830fc3536b8 Mon Sep 17 00:00:00 2001 From: Jairo Llopis Date: Thu, 14 Apr 2022 13:49:47 +0100 Subject: feat: include openssh in docker image When leveraging remote builders or cache in CI workloads, sometimes you need to configure nix to connect via SSH to a remote server. It is the case for example when using nixbuild.net. By including `openssh` package, CI should be able to reach remote builders when configured i.e. with environment variables. --- docker.nix | 1 + 1 file changed, 1 insertion(+) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index 251bd2f46..0cd64856f 100644 --- a/docker.nix +++ b/docker.nix @@ -22,6 +22,7 @@ let findutils iana-etc git + openssh ]; users = { -- cgit v1.2.3 From 07416a6005fe035baa8646c6827904afb5226f95 Mon Sep 17 00:00:00 2001 From: Alex Wied Date: Tue, 28 Jun 2022 16:38:19 -0400 Subject: Allow specification of extra packages, maxLayers in Docker image --- docker.nix | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index 0cd64856f..ddf6feff5 100644 --- a/docker.nix +++ b/docker.nix @@ -4,6 +4,8 @@ , tag ? "latest" , channelName ? "nixpkgs" , channelURL ? "https://nixos.org/channels/nixpkgs-unstable" +, extraPkgs ? [] +, maxLayers ? 100 }: let defaultPkgs = with pkgs; [ @@ -23,7 +25,7 @@ let iana-etc git openssh - ]; + ] ++ extraPkgs; users = { @@ -229,7 +231,7 @@ let in pkgs.dockerTools.buildLayeredImageWithNixDb { - inherit name tag; + inherit name tag maxLayers; contents = [ baseSystem ]; -- cgit v1.2.3 From 228028fc1aaad20a217387fbe9d4aa2d8698a048 Mon Sep 17 00:00:00 2001 From: Alex Wied Date: Thu, 28 Jul 2022 03:36:39 -0400 Subject: docker.nix: Allow Nix configuration to be customized --- docker.nix | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index ddf6feff5..8e6aa227f 100644 --- a/docker.nix +++ b/docker.nix 
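Review bot: Adding `openssh` to `defaultPkgs` puts an ssh client in the image, but nothing in this change provisions host keys, so a non-interactive CI job reaching a remote builder will fail host-key verification unless the operator supplies a known_hosts file, and the tempting workaround of `StrictHostKeyChecking=no` removes the only defence against a man-in-the-middle on the builder connection. I would say so next to the entry: `openssh # ssh client for remote builders / caches; bake or mount a known_hosts (e.g. /root/.ssh/known_hosts) rather than disabling host-key checking`. The package also carries `sshd` and its helpers, which is harmless here but enlarges the image closure for a client-only use case. The `defaultPkgs` list this hunk edits starts before the hunk.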
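Review bot: The new `extraPkgs` and `maxLayers` parameters are undocumented, and `extraPkgs` is appended to the same list that feeds the root profile, so a package that ships a file already provided by a default entry (a second `bin/sh`, say) either collides at build time or shadows the default depending on how the environment is assembled outside this hunk; a comment should state which. I would annotate both parameters, e.g. `, extraPkgs ? []  # extra packages added to the root profile after the defaults` and `, maxLayers ? 100  # forwarded unchecked to buildLayeredImageWithNixDb`. `maxLayers` is not validated here; if I recall correctly the layered-image builder enforces its own upper bound, so the comment could at least point the reader there. The parameter set and the `defaultPkgs` list both begin outside this hunk.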
@@ -6,6 +6,7 @@ , channelURL ? "https://nixos.org/channels/nixpkgs-unstable" , extraPkgs ? [] , maxLayers ? 100 +, nixConf ? {} }: let defaultPkgs = with pkgs; [ @@ -123,12 +124,17 @@ let (lib.attrValues (lib.mapAttrs groupToGroup groups)) ); - nixConf = { + defaultNixConf = { sandbox = "false"; build-users-group = "nixbld"; - trusted-public-keys = "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="; + trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" ]; }; - nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: "${n} = ${v}") nixConf)) + "\n"; + + nixConfContents = (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: + let + vStr = if builtins.isList v then lib.concatStringsSep " " v else v; + in + "${n} = ${vStr}") (defaultNixConf // nixConf))) + "\n"; baseSystem = let -- cgit v1.2.3 From 0eb9946e1d3621cfc2fcffc9378dba334b25fb26 Mon Sep 17 00:00:00 2001 From: Alex Wied Date: Tue, 9 Aug 2022 23:21:09 -0400 Subject: docker.nix: Provide boolean for whether to bundle nixpkgs --- docker.nix | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index 8e6aa227f..e95caf274 100644 --- a/docker.nix +++ b/docker.nix @@ -2,6 +2,7 @@ , lib ? pkgs.lib , name ? "nix" , tag ? "latest" +, bundleNixpkgs ? true , channelName ? "nixpkgs" , channelURL ? "https://nixos.org/channels/nixpkgs-unstable" , extraPkgs ? [] @@ -139,10 +140,12 @@ let baseSystem = let nixpkgs = pkgs.path; - channel = pkgs.runCommand "channel-nixos" { } '' + channel = pkgs.runCommand "channel-nixos" { inherit bundleNixpkgs; } '' mkdir $out - ln -s ${nixpkgs} $out/nixpkgs - echo "[]" > $out/manifest.nix + if [ "$bundleNixpkgs" ]; then + ln -s ${nixpkgs} $out/nixpkgs + echo "[]" > $out/manifest.nix + fi ''; rootEnv = pkgs.buildPackages.buildEnv { name = "root-profile-env"; -- cgit v1.2.3 From 02af02854d41b390957300bac778139bc1c6b5c2 Mon Sep 17 00:00:00 2001 
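Review bot: The merge `defaultNixConf // nixConf` is shallow, so a caller passing `trusted-public-keys = [ "..." ]` to add a cache key silently drops the `cache.nixos.org-1` key instead of extending it; Nix then refuses unsigned substitutions from cache.nixos.org, which fails closed but will surprise users, and the additive form is the `extra-trusted-public-keys` / `extra-substituters` settings, which deserves a comment above `defaultNixConf`. The value formatter only handles strings and lists: `"${n} = ${vStr}"` raises a coercion error for a boolean or integer, and `toString` is not a safe fix because `toString false` is `""` and `toString true` is `"1"`, neither of which nix.conf understands; `vStr = if builtins.isList v then lib.concatStringsSep " " v else lib.generators.mkValueStringDefault {} v;` yields `true`/`false` and plain digits. `lib.mapAttrsFlatten` is deprecated in favour of `lib.mapAttrsToList`, which has the same signature. Since `sandbox = "false"` remains the default, the comment on `nixConf` should also make clear that builds inside the image are unsandboxed unless the caller overrides it. The `let` these bindings belong to continues outside the hunk.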
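Review bot: The test `if [ "$bundleNixpkgs" ]; then` only works because `runCommand` coerces the Nix boolean into the environment as `"1"` or `""`, which is undocumented here and easy to break (a string `"false"` passed by a caller would be truthy). Independently, `${nixpkgs}` is still interpolated into the builder script whether or not the branch runs, so as far as I can tell `pkgs.path` is still copied into the store and stays a build-time input of the channel derivation even when nothing is bundled. Doing the conditional at the Nix level with `lib.optionalString` removes both issues, since the inner string is not evaluated when the flag is false; the rewrite is below. The `baseSystem` binding this hunk sits in starts before the hunk.
```nix
channel = pkgs.runCommand "channel-nixos" { } ''
  mkdir $out
  ${lib.optionalString bundleNixpkgs ''
    ln -s ${nixpkgs} $out/nixpkgs
    echo "[]" > $out/manifest.nix
  ''}
'';
```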
From: Matthew Kenigsberg Date: Wed, 14 Sep 2022 15:35:56 -0600 Subject: dockerImage: fix root shell Currently root's shell is set to a path that does not exist; this change sets it to the correct path to bash --- docker.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index e95caf274..bb2b4e7ff 100644 --- a/docker.nix +++ b/docker.nix @@ -33,7 +33,7 @@ let root = { uid = 0; - shell = "/bin/bash"; + shell = "${pkgs.bashInteractive}/bin/bash"; home = "/root"; gid = 0; }; -- cgit v1.2.3 From 46a6be28bef45640de5344a09d56add7068a9aa4 Mon Sep 17 00:00:00 2001 From: Rok Garbas Date: Tue, 29 Nov 2022 10:01:46 +0000 Subject: Add nobody user/group to Nix docker image --- docker.nix | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index bb2b4e7ff..203a06b53 100644 --- a/docker.nix +++ b/docker.nix @@ -36,6 +36,17 @@ let shell = "${pkgs.bashInteractive}/bin/bash"; home = "/root"; gid = 0; + groups = [ "root" ]; + description = "System administrator"; + }; + + nobody = { + uid = 65534; + shell = "${pkgs.shadow}/bin/nologin"; + home = "/var/empty"; + gid = 65534; + groups = [ "nobody" ]; + description = "Unprivileged account (don't use!)"; }; } // lib.listToAttrs ( @@ -57,6 +68,7 @@ let groups = { root.gid = 0; nixbld.gid = 30000; + nobody.gid = 65534; }; userToPasswd = ( -- cgit v1.2.3 From 6dbce3215fa2e30e1daafcc70d6926cd97987612 Mon Sep 17 00:00:00 2001 From: Alex Wied <543423+centromere@users.noreply.github.com> Date: Wed, 22 Mar 2023 15:55:02 -0400 Subject: docker.nix: add an option to include flake-registry inside docker image (#6750) Co-authored-by: Alex Wied Co-authored-by: Rok Garbas --- docker.nix | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) (limited to 'docker.nix') diff --git a/docker.nix b/docker.nix index 203a06b53..52199af66 100644 --- a/docker.nix +++ b/docker.nix 
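Review bot: The `nobody` entry sets `home = "/var/empty"` and `shell = "${pkgs.shadow}/bin/nologin"`, but nothing in this hunk creates `/var/empty`, and the store path written into the passwd file pulls `pkgs.shadow` into the image's runtime closure if it is not already among the default packages (the full list is not visible here). If shadow is wanted only for `nologin`, a comment should say so, otherwise `${pkgs.coreutils}/bin/false` would deny logins with a package the image already needs for `/usr/bin/env`. The new `groups` and `description` attributes on `root` and `nobody` are only meaningful if `userToPasswd`/`userToGroup`, which continue outside the hunk, actually read them; worth confirming that `nobody` really ends up in the `nobody` group. I would annotate the entry with `# placeholder uid/gid for services that drop privileges; home is deliberately unwritable`, hedged once the directory question is settled.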
@@ -8,6 +8,7 @@ , extraPkgs ? [] , maxLayers ? 100 , nixConf ? {} +, flake-registry ? null }: let defaultPkgs = with pkgs; [ @@ -247,7 +248,16 @@ let mkdir -p $out/bin $out/usr/bin ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh - ''; + + '' + (lib.optionalString (flake-registry != null) '' + nixCacheDir="/root/.cache/nix" + mkdir -p $out$nixCacheDir + globalFlakeRegistryPath="$nixCacheDir/flake-registry.json" + ln -s ${flake-registry}/flake-registry.json $out$globalFlakeRegistryPath + mkdir -p $out/nix/var/nix/gcroots/auto + rootName=$(${pkgs.nix}/bin/nix --extra-experimental-features nix-command hash file --type sha1 --base32 <(echo -n $globalFlakeRegistryPath)) + ln -s $globalFlakeRegistryPath $out/nix/var/nix/gcroots/auto/$rootName + ''); in pkgs.dockerTools.buildLayeredImageWithNixDb { -- cgit v1.2.3
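Review bot: Placing the registry at `/root/.cache/nix/flake-registry.json` pre-seeds Nix's download cache for the global registry, but unless `nixConf` also sets `flake-registry` to that path (or to an empty string), Nix will, as far as I can tell from its registry code, still try to refetch the upstream registry from GitHub once `tarball-ttl` expires, so an offline or pinned CI image gets a network call and a resolution that can drift from what was baked in; I would state that above `nixCacheDir` and consider setting the option in the default config when `flake-registry != null`. The `rootName` line derives the gcroot name with `nix hash file --type sha1 --base32` over the target path, which appears intended to match Nix's own `gcroots/auto` naming; that convention is internal to Nix and deserves a one-line comment such as `# name the root the way Nix names auto gcroots so the symlink survives nix-collect-garbage`. The location is hard-coded to `/root`, which matches the image's root-only user model but will not apply if a caller runs as another user. The `baseSystem` binding these lines extend starts before the hunk.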