Move to complete nixos docker image instead of just nixpkg

nixos/programs/shell.nix

@@ -35,7 +35,7 @@
       installPhase = ''
         fisher install catppuccin/fish
         fish_config theme save "Catppuccin Mocha"
-      '';
+      ''
     })
   ];
 }

vendor/docker-nixos/.gitignore

@@ -0,0 +1 @@
+.aider*

vendor/docker-nixos/Dockerfile

@@ -1,13 +1,55 @@
-FROM nixos/nix:2.24.11
+# FROM quay.io/skiffos/ubuntu:focal as builder
+FROM archlinux:base-devel as builder
 
-# Enable flakes
+RUN pacman --noconfirm -Syu
-RUN echo -e "experimental-features = nix-command flakes\n\
+RUN pacman --noconfirm -S shadow wget pkg-config autoconf-archive jq boost boost \
-builders-use-substitutes = true\n" >> /etc/nix/nix.conf
+  editline libsodium libcpuid gtest rapidcheck nlohmann-json libgit2
-# Enable remote builders substitutes
+RUN pacman --noconfirm -Scc 
-# https://nix.dev/manual/nix/2.18/command-ref/conf-file.html?highlight=builders-use-substitutes#conf-builders-use-substitutes
-RUN echo "builders-use-substitutes = true" >> /etc/nix/nix.conf
-# Trust all directory to run flake commands as root on different volumes
-RUN git config --global --add safe.directory '*'
 
-# Copy the setup script
+# nyx nyx nyx nyx nyx!
-COPY --chown=root:root --chmod=700 ./setup-remote.sh /setup-remote.sh
+RUN \
+  groupadd nixbld && \
+  useradd --home /home/builder --shell /bin/bash builder && \
+  usermod -a -G nixbld builder && \
+  echo "builder ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/builder && \
+  chmod 600 /etc/sudoers.d/builder && \
+  mkdir -p /home/builder/sys-config /home/builder/scripts
+
+ADD ./nix-setup.sh ./editline-setup.sh ./lowdown-setup.sh /home/builder/scripts/
+RUN \
+  chmod +x /home/builder/scripts/* && \
+  chown -R builder /home/builder && \
+  sudo -u builder bash -c "cd /home/builder && bash ./scripts/editline-setup.sh"
+RUN sudo -u builder bash -c "cd /home/builder && bash ./scripts/lowdown-setup.sh"
+RUN sudo -u builder bash -c "cd /home/builder && bash ./scripts/nix-setup.sh"
+
+ADD nixpkgs-setup.sh /home/builder/scripts/
+RUN sudo -u builder bash -c "cd /home/builder && bash ./scripts/nixpkgs-setup.sh"
+
+ADD nixos-setup.sh *.nix /home/builder/sys-config/
+RUN \
+  mkdir -p /sys-root && \
+  cd /home/builder/sys-config && bash ./nixos-setup.sh && \
+  rm /sys-root/etc && \
+  mkdir -m 0755 -p /sys-root/etc/nixos && \
+  touch /sys-root/etc/NIXOS && \
+  cp /home/builder/sys-config/*.nix \
+     /sys-root/etc/nixos/ 
+  
+
+# create the final Docker image using the output of the build.
+FROM scratch
+
+STOPSIGNAL SIGRTMIN+3
+
+WORKDIR /
+ENV container docker
+
+COPY --from=builder /nix /nix
+COPY --from=builder /sys-root/ /
+COPY options.nix /options.nix
+COPY container-base-config-flake.nix /baseconfig/flake.nix
+COPY configuration.nix /baseconfig/container.nix
+COPY config /config
+
+ENTRYPOINT ["/init"]

vendor/docker-nixos/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020-2024 Christian Stewart <christian@aperture.us>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/docker-nixos/README.txt

@@ -1 +1 @@
-Slightly modified from [joshuachp/containers](https://github.com/joshuachp/containers/tree/e55ba5e5b8a3a39438e34f18459e358210742724/nixos).
+Slightly modified from https://github.com/TRPB/docker-nixos.

vendor/docker-nixos/config/configuration.nix

@@ -0,0 +1,4 @@
+{ ... }:
+{
+	system.stateVersion = "24.05";
+}

vendor/docker-nixos/config/flake.nix

@@ -0,0 +1,17 @@
+{
+  description = "Container test";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.05";
+   };
+
+  outputs = { self, nixpkgs, ... }@inputs: 
+   {
+    nixosConfigurations.default = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      modules = [
+        ./configuration.nix
+      ];
+    };
+  };
+}

vendor/docker-nixos/configuration.nix

@@ -0,0 +1,126 @@
+{ config, pkgs, lib, ... }:
+let
+  options = import ./options.nix;
+  flake = ''
+    {
+      description = "Container";
+
+      inputs = {
+        nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+        container-base-config.url = "path:/baseconfig";
+        user-config.url = "${options.flakeUrl}";
+      };
+
+      outputs = { nixpkgs, user-config, container-base-config, ... }@inputs: {
+          nixosConfigurations.container = user-config.nixosConfigurations.${options.nixosConfiguration}.extendModules { 
+            modules = [container-base-config.nixosModules.containerConfig];
+          };
+      };
+    }
+    '';
+in {
+  system.stateVersion = "24.05";
+
+  boot.initrd.availableKernelModules = [ ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+  boot.isContainer = true;
+
+  fileSystems."/" =
+    { device = "overlay";
+      fsType = "overlay";
+      noCheck = true;
+    };
+
+  fileSystems."/run" =
+    { device = "none";
+      fsType = "tmpfs";
+      options = [ "defaults" "size=2G" "mode=777" ];
+    };
+
+  swapDevices = [ ];
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+
+  environment.noXlibs = lib.mkForce true;
+  nix.settings.sandbox = false;
+  networking.firewall.enable = lib.mkDefault false;
+  networking.hostName = lib.mkForce "";
+  networking.interfaces.eth0.useDHCP = false;
+  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];
+  networking.networkmanager.enable = lib.mkForce false;
+  #networking.resolvconf.dnsExtensionMechanism = false;
+  networking.useDHCP = false;
+  networking.wireless.enable = false;
+  nix.distributedBuilds = true;
+  security.audit.enable = false;
+  security.sudo.enable = true;
+  systemd.enableEmergencyMode = false;
+  systemd.services.console-getty.enable = lib.mkForce false;
+  systemd.services.rescue.enable = false;
+  systemd.services.systemd-firstboot.enable = lib.mkForce false;
+  systemd.services.systemd-hostnamed.enable = lib.mkForce false;
+
+  # minimal.nix
+  documentation.enable = lib.mkDefault false;
+  documentation.doc.enable = lib.mkDefault false;
+  documentation.info.enable = lib.mkDefault false;
+  documentation.man.enable = lib.mkDefault false;
+  documentation.nixos.enable = lib.mkDefault false;
+
+  # Perl is a default package.
+  environment.defaultPackages = lib.mkDefault [ ];
+
+  environment.stub-ld.enable = false;
+
+  # The lessopen package pulls in Perl.
+  programs.less.lessopen = lib.mkDefault null;
+
+  # This pulls in nixos-containers which depends on Perl.
+  boot.enableContainers = lib.mkDefault false;
+
+  programs.command-not-found.enable = lib.mkDefault false;
+
+  services.logrotate.enable = lib.mkDefault false;
+
+  services.udisks2.enable = lib.mkDefault false;
+
+  xdg.autostart.enable = lib.mkDefault false;
+  xdg.icons.enable = lib.mkDefault false;
+  xdg.mime.enable = lib.mkDefault false;
+  xdg.sounds.enable = lib.mkDefault false;
+
+  systemd.mounts = [{
+    where = "/sys/kernel/debug";
+    enable = false;
+  }];
+
+  #boot.isContainer = true;
+  boot.loader = {
+    systemd-boot.enable = false;
+    efi.canTouchEfiVariables = false;
+  };
+
+  boot.postBootCommands = lib.mkForce "";
+  system.activationScripts.specialfs = lib.mkForce "";
+
+  # don't set sycstl values in a container
+  #systemd.services.systemd-sysctl.restartTriggers = lib.mkDefault [ ];
+  environment.etc."sysctl.d/60-nixos.conf" = lib.mkForce { text = "# disabled\n"; };
+  environment.etc."sysctl.d/50-default.conf" = lib.mkForce { text = "# diasbled\n"; };
+  environment.etc."sysctl.d/50-coredump.conf" = lib.mkForce { text = "# disabled\n"; };
+  # Docker makes this read only
+  environment.etc."hosts".enable = false;
+  boot.kernel.sysctl = lib.mkForce { "kernel.dmesg_restrict" = 0; };
+
+  systemd.services.create-switch-script = {
+    enable = true;
+    script = ''
+      mkdir -p /build
+      echo '${flake}' > /build/flake.nix
+      cp /options.nix /baseconfig/options.nix
+      /run/current-system/sw/bin/nixos-rebuild switch --flake /build#container
+    '';
+    wantedBy = [ "multi-user.target" ];
+  };
+}

vendor/docker-nixos/container-base-config-flake.nix

@@ -0,0 +1,6 @@
+{
+  outputs = { self }: {
+    nixosModules.containerConfig = import ./container.nix;
+    nixosModule = self.nixosModules.containerConfig;
+  };
+}

vendor/docker-nixos/editline-setup.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eo pipefail
+
+EDITLINE_VERSION=1.17.1
+EDITLINE_HASH=df223b3333a545fddbc67b49ded3d242c66fadf7a04beb3ada20957fcd1ffc0e
+# EDITLINE_SOURCE=https://github.com/troglobit/editline/archive/${EDITLINE_VERSION}/editline-${EDITLINE_VERSION}.tar.gz
+EDITLINE_SOURCE=http://gentoo.osuosl.org/distfiles/88/editline-${EDITLINE_VERSION}.tar.xz
+
+echo "Downloading editline version ${EDITLINE_VERSION}..."
+wget -O editline.tar.xz ${EDITLINE_SOURCE}
+DL_SUM=$(sha256sum editline.tar.xz | cut -d" " -f1)
+if [ $DL_SUM != $EDITLINE_HASH ]; then
+    echo "Downloaded file hash mismatch!"
+    echo "URL: $EDITLINE_SOURCE"
+    echo "Got: $DL_SUM"
+    echo "Expected: $EDITLINE_HASH"
+    exit 1
+fi
+
+mkdir -p editline
+tar --strip-components=1 -C editline -xf ./editline.tar.xz
+rm editline.tar.xz
+cd editline
+# ./autogen.sh
+./configure --prefix=/usr/local --disable-seccomp-sandboxing --disable-manual
+make -j4
+sudo make install
+cd ..
+rm -rf editline

vendor/docker-nixos/lowdown-setup.sh

@@ -0,0 +1,31 @@
+#!/bin/bash
+set -eo pipefail
+
+LOWDOWN_VERSION=1200b9f4ceceb5795ccc0a02a2105310f0819222
+LOWDOWN_SOURCE=https://github.com/kristapsdz/lowdown/archive/${LOWDOWN_VERSION}.tar.gz
+
+# wget -q -O- https://github.com/kristapsdz/lowdown/archive/${LOWDOWN_VERSION}.tar.gz | \
+#     tee >(sha256sum | cut -d' ' -f1 | \
+#     xargs -I {} sed -i 's/LOWDOWN_HASH=.*/LOWDOWN_HASH={}/' lowdown-setup.sh) >/dev/null
+LOWDOWN_HASH=ace39b836bff0acedae9f0acdcbe33f18322145b2faa22b4d4a74b75b8e69637
+
+echo "Downloading lowdown version ${LOWDOWN_VERSION}..."
+wget -q -O lowdown.tar.gz ${LOWDOWN_SOURCE}
+DL_SUM=$(sha256sum lowdown.tar.gz | cut -d" " -f1)
+if [ $DL_SUM != $LOWDOWN_HASH ]; then
+    echo "Downloaded file hash mismatch!"
+    echo "URL: $LOWDOWN_SOURCE"
+    echo "Got: $DL_SUM"
+    echo "Expected: $LOWDOWN_HASH"
+    exit 1
+fi
+
+mkdir -p lowdown
+tar -C lowdown -xf ./lowdown.tar.gz --strip-components=1
+rm lowdown.tar.gz
+cd lowdown
+CFLAGS="-fPIC" ./configure PREFIX=/usr/local
+make -j$(nproc)
+sudo make install
+cd ../
+rm -rf lowdown

vendor/docker-nixos/nix-setup.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+set -eo pipefail
+
+NIX_VERSION=2.23.1
+NIX_HASH=c7cf1492f642fdfdc3f1ca8ebaad03274282720565b55f5144aba4850a44a3da
+NIX_SOURCE=https://github.com/NixOS/nix/archive/${NIX_VERSION}/nix-${NIX_VERSION}.tar.gz
+
+echo "Downloading nix version ${NIX_VERSION}..."
+wget -q -O nix.tar.gz ${NIX_SOURCE}
+DL_SUM=$(sha256sum nix.tar.gz | cut -d" " -f1)
+if [ $DL_SUM != $NIX_HASH ]; then
+    echo "Downloaded file hash mismatch!"
+    echo "URL: $NIX_SOURCE"
+    echo "Got: $DL_SUM"
+    echo "Expected: $NIX_HASH"
+    exit 1
+fi
+
+mkdir -p nix
+tar --strip-components=1 -C nix -xf ./nix.tar.gz
+rm nix.tar.gz
+cd nix
+autoreconf -vfi
+bash ./configure --prefix=/usr/local --disable-doc-gen CFLAGS="-fPIC"
+make -j32
+sudo make install
+sudo nix-store --realise
+cd ../
+rm -rf ./nix
+

vendor/docker-nixos/nixos-setup.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+set -eo pipefail
+
+source /usr/local/etc/profile.d/nix.sh
+
+# install nixos
+export NIX_PATH=/home/builder/nix-path
+cd /home/builder/sys-config
+nix-build \
+    --option sandbox false \
+    -I nixos-config=$(pwd)/configuration.nix \
+    -A system \
+    '<nixpkgs/nixos>'
+# target_system=$(readlink -f ./result)
+# nix-env -p /nix/var/nix/profiles/system --set $target_system
+
+touch ./result/etc/NIXOS
+mkdir -p ./result/etc/nixos/
+cp configuration.nix ./result/etc/nixos/
+
+cp -r $(pwd)/result/* /sys-root/
+mkdir -p /sys-root/run/systemd/
+mkdir -p /sys-root/root
+rm result

vendor/docker-nixos/nixpkgs-setup.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+set -eo pipefail
+
+# previous working version:
+# NIXPKGS_VERSION=v208
+# NIXPKGS_HASH=b49b7aa90e89fe1016036d2f770975f3322b8724401b534b4a356046cba424ee
+
+NIXPKGS_VERSION=24.05
+NIXPKGS_HASH=911314b81780f26fdaf87e17174210bdbd40c86bac1795212f257cdc236a1e78
+
+NIXPKGS_SOURCE=https://github.com/NixOS/nixpkgs/archive/${NIXPKGS_VERSION}/nixos-${NIXPKGS_VERSION}.tar.gz
+
+echo "Downloading nixpkgs version ${NIXPKGS_VERSION}..."
+cd ~
+wget -q -O nixpkgs.tar.gz ${NIXPKGS_SOURCE}
+DL_SUM=$(sha256sum nixpkgs.tar.gz | cut -d" " -f1)
+if [ $DL_SUM != $NIXPKGS_HASH ]; then
+    echo "Downloaded file hash mismatch!"
+    echo "URL: $NIXPKGS_SOURCE"
+    echo "Got: $DL_SUM"
+    echo "Expected: $NIXPKGS_HASH"
+    exit 1
+fi
+
+mkdir -p nix-path/nixpkgs
+tar --strip-components=1 -C nix-path/nixpkgs -xf ./nixpkgs.tar.gz
+rm nixpkgs.tar.gz
+#cd nix-path/nixpkgs
+#cd ../../

vendor/docker-nixos/options.nix

@@ -0,0 +1,4 @@
+{
+    flakeUrl = "git+https://git.devcomp.xyz/coder-devenv";
+    nixosConfiguration = "default";
+}

vendor/docker-nixos/setup-remote.sh

@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-
-set -exEuo pipefail
-
-mkdir -p ~/.ssh
-echo "$BUILDER_KEY" >>~/.ssh/id_ed25519
-echo "$BUILDER_HOST_KEYS" >>~/.ssh/known_hosts
-chmod -R 600 ~/.ssh
-
-# Check the remote builder
-nix store info --store "$BUILDERS"
-
-echo "$BUILDERS" >>/etc/nix/machines

vendor/docker-nixos/update-versions.py

@@ -0,0 +1,94 @@
+import re
+import requests
+import hashlib
+from packaging import version
+
+def get_latest_version(repo):
+    url = f"https://api.github.com/repos/{repo}/tags"
+    try:
+        response = requests.get(url, timeout=10)
+        response.raise_for_status()
+        tags = response.json()
+        if repo == 'NixOS/nixpkgs':
+            # For nixpkgs, find the latest release tag (e.g., 23.05)
+            release_tags = [tag['name'] for tag in tags if re.match(r'^\d+\.\d+$', tag['name'])]
+            if release_tags:
+                return max(release_tags, key=lambda x: version.parse(x))
+            else:
+                # Fallback: return the latest tag
+                print(f"No release tags found for {repo}, using latest tag instead.")
+                return tags[0]['name']
+        else:
+            # For other repos, return the latest tag
+            return tags[0]['name'].lstrip('v')
+    except requests.RequestException as e:
+        print(f"Error fetching latest version for {repo}: {e}")
+        return None
+
+def calculate_hash(url):
+    try:
+        response = requests.get(url, stream=True, timeout=30)
+        response.raise_for_status()
+        sha256_hash = hashlib.sha256()
+        for chunk in response.iter_content(chunk_size=8192):
+            sha256_hash.update(chunk)
+        return sha256_hash.hexdigest()
+    except requests.RequestException as e:
+        print(f"Error calculating hash for {url}: {e}")
+        return None
+
+def update_file(filename, package, new_version, new_hash):
+    try:
+        with open(filename, 'r') as file:
+            content = file.read()
+
+        version_pattern = rf'{package.upper()}_VERSION=([^\n]+)'
+        hash_pattern = rf'{package.upper()}_HASH=([^\n]+)'
+
+        version_match = re.search(version_pattern, content)
+        hash_match = re.search(hash_pattern, content)
+
+        if not version_match or not hash_match:
+            print(f"Version or hash pattern not found for {package} in {filename}")
+            return
+
+        current_version = version_match.group(1)
+        current_hash = hash_match.group(1)
+
+        if current_version == new_version and current_hash == new_hash:
+            print(f"No update needed for {package} in {filename} (current version: {current_version}, current hash: {current_hash})")
+            return
+
+        updated_content = re.sub(version_pattern, f'{package.upper()}_VERSION={new_version}', content)
+        updated_content = re.sub(hash_pattern, f'{package.upper()}_HASH={new_hash}', updated_content)
+
+        with open(filename, 'w') as file:
+            file.write(updated_content)
+        print(f"Updated {package} version from {current_version} to {new_version} and hash from {current_hash} to {new_hash} in {filename}")
+    except IOError as e:
+        print(f"Error updating {filename}: {e}")
+
+def main():
+    packages = {
+        'nix': 'NixOS/nix',
+        'nixpkgs': 'NixOS/nixpkgs'
+    }
+
+    for package, repo in packages.items():
+        latest_version = get_latest_version(repo)
+        if latest_version:
+            filename = f'{package}-setup.sh'
+            if package == 'nix':
+                url = f"https://github.com/{repo}/archive/{latest_version}/nix-{latest_version}.tar.gz"
+            else:
+                url = f"https://github.com/{repo}/archive/{latest_version}/nixos-{latest_version}.tar.gz"
+            new_hash = calculate_hash(url)
+            if new_hash:
+                update_file(filename, package, latest_version, new_hash)
+            else:
+                print(f"Skipping update for {package} due to hash calculation failure")
+        else:
+            print(f"Skipping update for {package} due to version fetch failure")
+
+if __name__ == "__main__":
+    main()