chore: initial commit

nix/packages/flake.lock

@@ -0,0 +1,28 @@
+{
+  "nodes": {
+    "root": {
+      "inputs": {
+        "tofunix-lib": "tofunix-lib"
+      }
+    },
+    "tofunix-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1763036122,
+        "narHash": "sha256-AFsuSeZ6MjJk5kxfL09rmhKh+AxUICfQhactWAMzVmo=",
+        "owner": "TECHNOFAB",
+        "repo": "tofunix",
+        "rev": "69bffa53c525d6128b6a23743149e37c72d3d5ba",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "TECHNOFAB",
+        "repo": "tofunix",
+        "type": "gitlab"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/packages/flake.nix

@@ -0,0 +1,10 @@
+{
+  inputs = {
+    tofunix-lib.url = "gitlab:TECHNOFAB/tofunix?dir=lib";
+  };
+  outputs = i:
+    i
+    // {
+      tofulib = i.tofunix-lib.lib {inherit (i.parent) pkgs;};
+    };
+}

nix/packages/image.nix

@@ -0,0 +1,150 @@
+{
+  lib,
+  pkgs,
+  ...
+}: let
+  baseSystem = let
+    packages = with pkgs; [
+      nix
+      bashInteractive
+      coreutils-full
+      procps
+      gnugrep
+      openssh
+      gitMinimal
+      curl
+      ncurses
+      less
+
+      cacert.out
+
+      (writeShellScriptBin "reload-dotfiles" ''
+        ${home-manager}/bin/home-manager switch --flake ''${DOTFILES_REPO:-$1} --option tarball-ttl 0
+      '')
+    ];
+    rootEnv = pkgs.buildPackages.buildEnv {
+      name = "root-profile-env";
+      paths = packages;
+    };
+
+    nixConf = {
+      sandbox = "false";
+      experimental-features = "nix-command flakes";
+      min-free = toString (100 * 1024 * 1024);
+      max-free = toString (1024 * 1024 * 1024);
+    };
+
+    nixConfContents =
+      (lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: let
+        vStr =
+          if builtins.isList v
+          then lib.concatStringsSep " " v
+          else v;
+      in "${n} = ${vStr}")
+      nixConf))
+      + "\n";
+
+    manifest = pkgs.buildPackages.runCommand "manifest.nix" {} ''
+      cat > $out <<EOF
+      [
+      ${lib.concatStringsSep "\n" (builtins.map (drv: let
+          outputs = drv.outputsToInstall or ["out"];
+        in ''
+          {
+            ${lib.concatStringsSep "\n" (builtins.map (output: ''
+              ${output} = { outPath = "${lib.getOutput output drv}"; };
+            '')
+            outputs)}
+            outputs = [ ${lib.concatStringsSep " " (builtins.map (x: "\"${x}\"") outputs)} ];
+            name = "${drv.name}";
+            outPath = "${drv}";
+            system = "${drv.system}";
+            type = "derivation";
+            meta = { };
+          }
+        '')
+        packages)}
+      ]
+      EOF
+    '';
+    profile = pkgs.buildPackages.runCommand "user-environment" {} ''
+      mkdir $out
+      cp -a ${rootEnv}/* $out/
+      ln -s ${manifest} $out/manifest.nix
+    '';
+
+    dirsToCreate = ["/etc/ssl/certs" "/etc/nix" "/usr" "/nix/var/nix/gcroots" "/bin" "/usr/bin" "/tmp" "/var/tmp" "/home/coder/.nix-defexpr" "/nix/var/nix/profiles/per-user/coder"];
+  in
+    pkgs.runCommand "base-system" {
+      allowSubstitutes = false;
+      preferLocalBuild = true;
+    } ''
+      env
+      set -x
+      mkdir -p ${lib.concatMapStringsSep " " (x: "$out${x}") dirsToCreate}
+
+      ln -s /nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt $out/etc/ssl/certs
+      ln -s /nix/var/nix/profiles/share $out/usr/
+
+      echo "${nixConfContents}" > $out/etc/nix/nix.conf
+      echo "ID=nixos" > $out/etc/os-release
+
+      echo "coder:x:1000:1000::/home/coder:/bin/bash" > $out/etc/passwd
+      echo "coder:!:::::::" > $out/etc/shadow
+      echo "coder:x:1000:" > $out/etc/group
+      echo "coder:x::" > $out/etc/gshadow
+      echo "coder:100000:65536" > $out/etc/subuid
+      echo "coder:100000:65536" > $out/etc/subgid
+
+      # support timezones
+      ln -s ${pkgs.tzdata}/share/zoneinfo $out/etc/zoneinfo
+
+      ln -s ${profile} $out/nix/var/nix/profiles/default-1-link
+      ln -s /nix/var/nix/profiles/default-1-link $out/nix/var/nix/profiles/default
+
+      # prevents the profiles from being cleaned up by the GC
+      ln -s /nix/var/nix/profiles $out/nix/var/nix/gcroots/profiles
+
+      ln -s ${pkgs.coreutils}/bin/env $out/usr/bin/env
+      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/sh
+      ln -s ${pkgs.bashInteractive}/bin/bash $out/bin/bash
+    '';
+in
+  pkgs.dockerTools.buildLayeredImageWithNixDb {
+    name = "nix-coder";
+    tag = "latest";
+
+    contents = [baseSystem];
+    maxLayers = 10;
+
+    uid = 1000;
+    gid = 1000;
+    fakeRootCommands = ''
+      chown -R 1000:1000 ./
+      chmod 1777 tmp
+      chmod 1777 var/tmp
+    '';
+
+    config = {
+      Cmd = ["/bin/bash"];
+      User = "1000:1000";
+      Env = [
+        "USER=coder"
+        "HOME=/home/coder"
+        "TMPDIR=/tmp"
+        "XDG_RUNTIME_DIR=/tmp"
+        "TZDIR=/etc/zoneinfo"
+        "PATH=${lib.concatStringsSep ":" [
+          "/home/coder/.nix-profile/bin"
+          # this makes all the packages defined at the top available
+          # in the workspace
+          "/nix/var/nix/profiles/default/bin"
+          "/nix/var/nix/profiles/default/sbin"
+        ]}"
+        "SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+        "GIT_SSL_CAINFO=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+        "NIX_SSL_CERT_FILE=/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt"
+        "NIX_PATH=/nix/var/nix/profiles/per-user/coder/channels:/home/coder/.nix-defexpr/channels"
+      ];
+    };
+  }

nix/packages/packages.nix

@@ -0,0 +1,23 @@
+{inputs, ...}: let
+  inherit (inputs) self pkgs tofulib;
+in rec {
+  nix-coder-image = pkgs.callPackage ./image.nix {};
+  nix-kubernetes = nix-kubernetes-cli.tfjson;
+  nix-kubernetes-cli = tofulib.mkCliAio {
+    plugins = [
+      (tofulib.mkOpentofuProvider {
+        owner = "coder";
+        repo = "coder";
+        version = "2.8.0";
+        hash = "sha256-wnjgnD1c6U42ceizqfBG6SE4YXm7rZ7kyYkAdtE8t0k=";
+      })
+      (tofulib.mkOpentofuProvider {
+        owner = "hashicorp";
+        repo = "kubernetes";
+        version = "2.29.0";
+        hash = "sha256-r8DomSe+gUAbHuc8ciiuVl/6IeeIjJK6HFVaqAsnze8=";
+      })
+    ];
+    moduleConfig = "${self}/nix-kubernetes";
+  };
+}

nix/repo/ci.nix

@@ -0,0 +1,71 @@
+{inputs, ...}: let
+  inherit (inputs) pkgs cilib;
+  inherit (pkgs.lib) concatStringsSep;
+in
+  cilib.mkCI {
+    pipelines."default" = {
+      stages = ["build" "upload"];
+      jobs = let
+        SYSTEMS = ["aarch64-linux" "x86_64-linux"];
+        TEMPLATES = ["nix-kubernetes"];
+      in {
+        "build" = {
+          stage = "build";
+          parallel.matrix = [
+            {TEMPLATE = TEMPLATES;}
+          ];
+          nix.deps = [pkgs.gnutar];
+          script = [
+            # sh
+            ''
+              nix build .#''${TEMPLATE}
+              install -D result templates/''${TEMPLATE}.tf.json
+              tar -cf templates/''${TEMPLATE}.tar -C templates ''${TEMPLATE}.tf.json
+            ''
+          ];
+          artifacts.paths = ["templates/"];
+        };
+        "build:image" = {
+          stage = "build";
+          parallel.matrix = [
+            {SYSTEM = SYSTEMS;}
+          ];
+          script = [
+            # sh
+            ''
+              nix build .#nix-coder-image --system $SYSTEM
+              install -D result dist/nix-coder-image_''${SYSTEM}.tar.gz
+            ''
+          ];
+          artifacts.paths = ["dist/"];
+        };
+        "upload" = {
+          stage = "upload";
+          nix.deps = [pkgs.buildah];
+          needs = ["build:image"];
+          before_script = [
+            # sh
+            ''
+              export REGISTRY_AUTH_FILE=''${HOME}/auth.json
+              echo "$CI_REGISTRY_PASSWORD" | buildah login -u "$CI_REGISTRY_USER" --password-stdin $CI_REGISTRY
+              mkdir -p /etc/containers
+              echo '{"default":[{"type":"insecureAcceptAnything"}]}' > /etc/containers/policy.json
+              mkdir -p /var/tmp
+            ''
+          ];
+          script = [
+            # sh
+            ''
+              buildah manifest create localhost/nix-coder-image
+              ${concatStringsSep "\n" (map (
+                  sys: "buildah manifest add localhost/nix-coder-image docker-archive:dist/nix-coder-image_${sys}.tar.gz"
+                )
+                SYSTEMS)}
+              buildah manifest push --all localhost/nix-coder-image \
+                docker://''${CI_REGISTRY_IMAGE}/nix-coder-image:$CI_COMMIT_SHORT_SHA
+            ''
+          ];
+        };
+      };
+    };
+  }

nix/repo/devShells.nix

@@ -0,0 +1,23 @@
+{
+  inputs,
+  cell,
+  ...
+}: let
+  inherit (inputs) pkgs devshell treefmt soonix;
+  inherit (cell) ci;
+in {
+  default = devshell.mkShell {
+    imports = [
+      soonix.devshellModule
+    ];
+    packages = [
+      (treefmt.mkWrapper pkgs {
+        programs = {
+          alejandra.enable = true;
+          mdformat.enable = true;
+        };
+      })
+    ];
+    soonix.hooks.ci = ci.soonix;
+  };
+}

nix/repo/flake.lock

@@ -0,0 +1,82 @@
+{
+  "nodes": {
+    "devshell-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1758204313,
+        "narHash": "sha256-ainbY0Oajb1HMdvy+A8QxF/P5qwcbEzJGEY5pzKdDdc=",
+        "owner": "rensa-nix",
+        "repo": "devshell",
+        "rev": "7d0c4bc78d9f017a739b0c7eb2f4e563118353e6",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "rensa-nix",
+        "repo": "devshell",
+        "type": "gitlab"
+      }
+    },
+    "nix-gitlab-ci-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1763066668,
+        "narHash": "sha256-mcNiuWf5R0qS7Be4EFAxPStl3SSYPhg4PSPAXgjKJj0=",
+        "owner": "TECHNOFAB",
+        "repo": "nix-gitlab-ci",
+        "rev": "524bdf9cdcfb8008c08d7e54a95992ebf05331d5",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "TECHNOFAB",
+        "ref": "3.0.1",
+        "repo": "nix-gitlab-ci",
+        "type": "gitlab"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devshell-lib": "devshell-lib",
+        "nix-gitlab-ci-lib": "nix-gitlab-ci-lib",
+        "soonix-lib": "soonix-lib",
+        "treefmt-nix": "treefmt-nix"
+      }
+    },
+    "soonix-lib": {
+      "locked": {
+        "dir": "lib",
+        "lastModified": 1758615778,
+        "narHash": "sha256-tggru+siXlLcLUjHtMojkJJWTS/8I3gm8nhnlz+qrTo=",
+        "owner": "TECHNOFAB",
+        "repo": "soonix",
+        "rev": "e04b71c07413251dcb52036b4a51c6c7c0dca2ad",
+        "type": "gitlab"
+      },
+      "original": {
+        "dir": "lib",
+        "owner": "TECHNOFAB",
+        "repo": "soonix",
+        "type": "gitlab"
+      }
+    },
+    "treefmt-nix": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1762410071,
+        "narHash": "sha256-aF5fvoZeoXNPxT0bejFUBXeUjXfHLSL7g+mjR/p5TEg=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "97a30861b13c3731a84e09405414398fbf3e109f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

nix/repo/flake.nix

@@ -0,0 +1,19 @@
+{
+  inputs = {
+    devshell-lib.url = "gitlab:rensa-nix/devshell?dir=lib";
+    soonix-lib.url = "gitlab:TECHNOFAB/soonix?dir=lib";
+    nix-gitlab-ci-lib.url = "gitlab:TECHNOFAB/nix-gitlab-ci/3.0.1?dir=lib";
+    treefmt-nix = {
+      url = "github:numtide/treefmt-nix";
+      flake = false;
+    };
+  };
+  outputs = i:
+    i
+    // {
+      devshell = i.devshell-lib.lib {inherit (i.parent) pkgs;};
+      soonix = i.soonix-lib.lib {inherit (i.parent) pkgs;};
+      cilib = i.nix-gitlab-ci-lib.lib {inherit (i.parent) pkgs;};
+      treefmt = import i.treefmt-nix;
+    };
+}