From 0d2ac5cb2c61674647d34bd388f1c00f714bca92 Mon Sep 17 00:00:00 2001
From: technofab
Date: Thu, 3 Oct 2024 19:09:58 +0000
Subject: [PATCH] feat: rewrite image to work like in nixos/nix/docker.nix allows nix store gc without breaking the image itself
---
 image.nix | 166 +++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 126 insertions(+), 40 deletions(-)
diff --git a/image.nix b/image.nix
index 884cf0b..4c7de69 100644
--- a/image.nix
+++ b/image.nix
@@ -2,56 +2,142 @@ lib, pkgs, ... -}: -pkgs.dockerTools.buildLayeredImage { - name = "nix-coder"; - tag = "latest"; - - contents = pkgs.buildEnv { - name = "image-root"; - paths = with pkgs; [ - bash - bashInteractive +}: let + baseSystem = let + packages = with pkgs; [ nix + bashInteractive coreutils-full + procps gnugrep openssh gitMinimal curl ncurses - dockerTools.usrBinEnv + + cacert.out + (writeShellScriptBin "reload-dotfiles" '' ${home-manager}/bin/home-manager switch --flake ''${DOTFILES_REPO:-$1} --option tarball-ttl 0 '') - (writeTextDir "etc/nix/nix.conf" '' - experimental-features = nix-command flakes - '') - (writeTextDir "etc/os-release" '' - ID=nixos - '') - (writeTextDir "etc/passwd" "coder:x:1000:1000::/home/coder:/bin/bash") - (writeTextDir "etc/shadow" "coder:!:::::::") - (writeTextDir "etc/group" "coder:x:1000:") - (writeTextDir "etc/gshadow" "coder:x::") ]; - pathsToLink = ["/bin" "/etc" "/usr"]; - }; - maxLayers = 5; + rootEnv = pkgs.buildPackages.buildEnv { + name = "root-profile-env"; + paths = packages; + }; - uid = 1000; - gid = 1000; - fakeRootCommands = '' - mkdir -p ./home/coder ./tmp ./nix/var/nix - chown -R 1000:1000 ./ - ''; + nixConf = { + sandbox = "false"; + experimental-features = "nix-command flakes"; + min-free = toString (100 * 1024 * 1024); + max-free = toString (1024 * 1024 * 1024); + }; - config = { - Cmd = ["/bin/bash"]; - User = "1000:1000"; - Env = [ - "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt" - "HOME=/home/coder" - "USER=coder" - ]; - }; -} + nixConfContents = + (lib.concatStringsSep "\n" (lib.mapAttrsFlatten (n: v: let + vStr = + if builtins.isList v + then lib.concatStringsSep " " v + else v; + in "${n} = ${vStr}") + nixConf)) + + "\n"; + + manifest = pkgs.buildPackages.runCommand "manifest.nix" {} '' + cat > $out < $out/etc/nix/nix.conf + echo "ID=nixos" > $out/etc/os-release + + echo "coder:x:1000:1000::/home/coder:/bin/bash" > $out/etc/passwd + echo "coder:!:::::::" > $out/etc/shadow + echo 
"coder:x:1000:" > $out/etc/group + echo "coder:x::" > $out/etc/gshadow + echo "coder:100000:65536" > $out/etc/subuid + echo "coder:100000:65536" > $out/etc/subgid + + ln -s ${profile} $out/nix/var/nix/profiles/default-1-link + ln -s $out/nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default + ln -s /nix/var/nix/profiles/default $out/home/coder/.nix-profile + + ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env + ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh + ''; +in + pkgs.dockerTools.buildLayeredImageWithNixDb { + name = "nix-coder"; + tag = "latest"; + + contents = [baseSystem]; + maxLayers = 10; + + uid = 1000; + gid = 1000; + extraCommands = '' + ln -s /nix/var/nix/profiles nix/var/nix/gcroots/profiles + ''; + fakeRootCommands = '' + chown -R 1000:1000 ./ + chmod 1777 tmp + chmod 1777 var/tmp + ''; + + config = { + Cmd = ["/home/coder/.nix-profile/bin/bash"]; + User = "1000:1000"; + Env = [ + "USER=coder" + "HOME=/home/coder" + "TMPDIR=/tmp" + "XDG_RUNTIME_DIR=/tmp" + "PATH=${lib.concatStringsSep ":" [ + "/home/coder/.nix-profile/bin" + "/nix/var/nix/profiles/default/bin" + "/nix/var/nix/profiles/default/sbin" + ]}" + "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt" + "NIX_PATH=/nix/var/nix/profiles/per-user/coder/channels:/home/coder/.nix-defexpr/channels" + ]; + }; + }
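Review bot: `sandbox = "false"` in the new `nixConf` attribute set switches the Nix build sandbox off for every build run inside the image, and the hunk gives no reason for it; since `reload-dotfiles` switches to whatever flake `DOTFILES_REPO` (or `$1`) names at runtime, and any `nix build` the user runs does the same, builders then execute with the full filesystem and network access of the `coder` user. Presumably the sandbox is disabled because an unprivileged container cannot create the namespaces it needs, in which case a comment such as `# sandbox needs user namespaces the container usually lacks; builds inside the image run unsandboxed` should say so instead of leaving the line to look like an oversight. A second point: `/etc/shadow` and `/etc/gshadow` are generated into `$out`, a world-readable store path that is also copied into an image layer, so the locked `coder:!:::::::` entry is fine but no real password hash may ever be written there, and a one-line comment above those `echo` lines would make that constraint explicit. The extraction appears to have dropped the text between the `manifest` heredoc and the `nix.conf` write, so the `profile` and base-system derivations referenced later in the hunk could not be reviewed.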